mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
75c353f0ad
Each plug-in operates as a separate service, and registers with Docker through general (plug-ins API) [https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No Docker daemon recompilation is required in order to add / remove an authentication plug-in. Each plug-in is notified twice for each operation: 1) before the operation is performed and, 2) before the response is returned to the client. The plug-ins can modify the response that is returned to the client. The authorization depends on the authorization effort that takes place in parallel [https://github.com/docker/docker/issues/13697]. This is the official issue of the authorization effort: https://github.com/docker/docker/issues/14674 (Here)[https://github.com/rhatdan/docker-rbac] you can find an open document that discusses a default RBAC plug-in for Docker. Signed-off-by: Liron Levin <liron@twistlock.com> Added container create flow test and extended the verification for ps
220 lines
5.2 KiB
Go
220 lines
5.2 KiB
Go
package authorization
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"github.com/docker/docker/pkg/plugins"
|
|
"github.com/docker/docker/pkg/tlsconfig"
|
|
"github.com/gorilla/mux"
|
|
"io/ioutil"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path"
|
|
"reflect"
|
|
"testing"
|
|
)
|
|
|
|
const pluginAddress = "authzplugin.sock"
|
|
|
|
func TestAuthZRequestPlugin(t *testing.T) {
|
|
|
|
server := authZPluginTestServer{t: t}
|
|
go server.start()
|
|
defer server.stop()
|
|
|
|
authZPlugin := createTestPlugin(t)
|
|
|
|
request := Request{
|
|
User: "user",
|
|
RequestBody: []byte("sample body"),
|
|
RequestURI: "www.authz.com",
|
|
RequestMethod: "GET",
|
|
RequestHeaders: map[string]string{"header": "value"},
|
|
}
|
|
server.replayResponse = Response{
|
|
Allow: true,
|
|
Msg: "Sample message",
|
|
}
|
|
|
|
actualResponse, err := authZPlugin.AuthZRequest(&request)
|
|
|
|
if err != nil {
|
|
t.Fatalf("Failed to authorize request %v", err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
|
|
t.Fatalf("Response must be equal")
|
|
}
|
|
if !reflect.DeepEqual(request, server.recordedRequest) {
|
|
t.Fatalf("Requests must be equal")
|
|
}
|
|
}
|
|
|
|
func TestAuthZResponsePlugin(t *testing.T) {
|
|
|
|
server := authZPluginTestServer{t: t}
|
|
go server.start()
|
|
defer server.stop()
|
|
|
|
authZPlugin := createTestPlugin(t)
|
|
|
|
request := Request{
|
|
User: "user",
|
|
RequestBody: []byte("sample body"),
|
|
}
|
|
server.replayResponse = Response{
|
|
Allow: true,
|
|
Msg: "Sample message",
|
|
}
|
|
|
|
actualResponse, err := authZPlugin.AuthZResponse(&request)
|
|
|
|
if err != nil {
|
|
t.Fatalf("Failed to authorize request %v", err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
|
|
t.Fatalf("Response must be equal")
|
|
}
|
|
if !reflect.DeepEqual(request, server.recordedRequest) {
|
|
t.Fatalf("Requests must be equal")
|
|
}
|
|
}
|
|
|
|
func TestResponseModifier(t *testing.T) {
|
|
|
|
r := httptest.NewRecorder()
|
|
m := NewResponseModifier(r)
|
|
m.Header().Set("h1", "v1")
|
|
m.Write([]byte("body"))
|
|
m.WriteHeader(500)
|
|
|
|
m.Flush()
|
|
if r.Header().Get("h1") != "v1" {
|
|
t.Fatalf("Header value must exists %s", r.Header().Get("h1"))
|
|
}
|
|
if !reflect.DeepEqual(r.Body.Bytes(), []byte("body")) {
|
|
t.Fatalf("Body value must exists %s", r.Body.Bytes())
|
|
}
|
|
if r.Code != 500 {
|
|
t.Fatalf("Status code must be correct %d", r.Code)
|
|
}
|
|
}
|
|
|
|
func TestResponseModifierOverride(t *testing.T) {
|
|
|
|
r := httptest.NewRecorder()
|
|
m := NewResponseModifier(r)
|
|
m.Header().Set("h1", "v1")
|
|
m.Write([]byte("body"))
|
|
m.WriteHeader(500)
|
|
|
|
overrideHeader := make(http.Header)
|
|
overrideHeader.Add("h1", "v2")
|
|
overrideHeaderBytes, err := json.Marshal(overrideHeader)
|
|
if err != nil {
|
|
t.Fatalf("override header failed %v", err)
|
|
}
|
|
|
|
m.OverrideHeader(overrideHeaderBytes)
|
|
m.OverrideBody([]byte("override body"))
|
|
m.OverrideStatusCode(404)
|
|
m.Flush()
|
|
if r.Header().Get("h1") != "v2" {
|
|
t.Fatalf("Header value must exists %s", r.Header().Get("h1"))
|
|
}
|
|
if !reflect.DeepEqual(r.Body.Bytes(), []byte("override body")) {
|
|
t.Fatalf("Body value must exists %s", r.Body.Bytes())
|
|
}
|
|
if r.Code != 404 {
|
|
t.Fatalf("Status code must be correct %d", r.Code)
|
|
}
|
|
}
|
|
|
|
// createTestPlugin creates a new sample authorization plugin
|
|
func createTestPlugin(t *testing.T) *authorizationPlugin {
|
|
plugin := &plugins.Plugin{Name: "authz"}
|
|
var err error
|
|
pwd, err := os.Getwd()
|
|
if err != nil {
|
|
fmt.Println(err)
|
|
os.Exit(1)
|
|
}
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
|
|
plugin.Client, err = plugins.NewClient("unix:///"+path.Join(pwd, pluginAddress), tlsconfig.Options{InsecureSkipVerify: true})
|
|
|
|
if err != nil {
|
|
t.Fatalf("Failed to create client %v", err)
|
|
}
|
|
|
|
return &authorizationPlugin{name: "plugin", plugin: plugin}
|
|
}
|
|
|
|
// AuthZPluginTestServer is a simple server that implements the authZ plugin interface
|
|
type authZPluginTestServer struct {
|
|
listener net.Listener
|
|
t *testing.T
|
|
// request stores the request sent from the daemon to the plugin
|
|
recordedRequest Request
|
|
// response stores the response sent from the plugin to the daemon
|
|
replayResponse Response
|
|
}
|
|
|
|
// start starts the test server that implements the plugin
|
|
func (t *authZPluginTestServer) start() {
|
|
r := mux.NewRouter()
|
|
os.Remove(pluginAddress)
|
|
l, err := net.ListenUnix("unix", &net.UnixAddr{Name: pluginAddress, Net: "unix"})
|
|
if err != nil {
|
|
t.t.Fatalf("Failed to listen %v", err)
|
|
}
|
|
t.listener = l
|
|
|
|
r.HandleFunc("/Plugin.Activate", t.activate)
|
|
r.HandleFunc("/"+AuthZApiRequest, t.auth)
|
|
r.HandleFunc("/"+AuthZApiResponse, t.auth)
|
|
t.listener, err = net.Listen("tcp", pluginAddress)
|
|
server := http.Server{Handler: r, Addr: pluginAddress}
|
|
server.Serve(l)
|
|
}
|
|
|
|
// stop stops the test server that implements the plugin
|
|
func (t *authZPluginTestServer) stop() {
|
|
|
|
os.Remove(pluginAddress)
|
|
|
|
if t.listener != nil {
|
|
t.listener.Close()
|
|
}
|
|
}
|
|
|
|
// auth is a used to record/replay the authentication api messages
|
|
func (t *authZPluginTestServer) auth(w http.ResponseWriter, r *http.Request) {
|
|
|
|
t.recordedRequest = Request{}
|
|
|
|
defer r.Body.Close()
|
|
body, err := ioutil.ReadAll(r.Body)
|
|
json.Unmarshal(body, &t.recordedRequest)
|
|
b, err := json.Marshal(t.replayResponse)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
w.Write(b)
|
|
|
|
}
|
|
|
|
func (t *authZPluginTestServer) activate(w http.ResponseWriter, r *http.Request) {
|
|
|
|
b, err := json.Marshal(plugins.Manifest{Implements: []string{AuthZApiImplements}})
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
w.Write(b)
|
|
}
|