4192fe9c06
Following #22729, enable dynamically reloading/removing the daemon authorization plugins (via the standard reloading mechanism). https://docs.docker.com/engine/reference/commandline/daemon/#daemon-configuration-file The daemon must store a reference to the authorization middleware to refresh the plugin on configuration changes. Signed-off-by: Liron Levin <liron@twistlock.com>
package authorization
import (
	"fmt"
	"sync"

	"github.com/docker/docker/pkg/plugins"
)
// Plugin allows third party plugins to authorize requests and responses
// in the context of docker API.
//
// Implementations are asked for a verdict on the client's request before it
// reaches the daemon (AuthZRequest) and on the daemon's response before it
// goes back to the client (AuthZResponse). Any error returned by either
// method is handed back to the caller in place of a Response.
type Plugin interface {
	// Name returns the registered plugin name
	Name() string

	// AuthZRequest authorizes the request from the client to the daemon
	AuthZRequest(*Request) (*Response, error)

	// AuthZResponse authorizes the response from the daemon to the client
	AuthZResponse(*Request) (*Response, error)
}
// newPlugins constructs the authorization plugin adapters for the given
// plugin names. Duplicate names are skipped, so each distinct name yields
// exactly one Plugin, in first-seen order. No plugin is contacted here: the
// underlying client is resolved lazily on first use (see initPlugin).
// The result is never nil, even for an empty input.
func newPlugins(names []string) []Plugin {
	adapters := make([]Plugin, 0, len(names))
	seen := make(map[string]struct{}, len(names))
	for _, name := range names {
		if _, dup := seen[name]; dup {
			continue
		}
		seen[name] = struct{}{}
		adapters = append(adapters, newAuthorizationPlugin(name))
	}
	return adapters
}
// authorizationPlugin is an internal adapter to docker plugin system.
// It implements Plugin; the underlying plugin client is looked up lazily by
// initPlugin on the first AuthZRequest/AuthZResponse call. The struct embeds
// a sync.Once and must therefore only be used through a pointer.
type authorizationPlugin struct {
	// plugin is the docker plugin client; nil until initPlugin has
	// successfully resolved it.
	plugin *plugins.Client
	// name is the registered plugin name passed to plugins.Get.
	name string
	// once guards the one-time plugin lookup performed by initPlugin.
	once sync.Once
}
// newAuthorizationPlugin wraps the named docker plugin in a Plugin adapter.
// No lookup of the plugin happens here; the client is resolved on first use.
func newAuthorizationPlugin(name string) Plugin {
	adapter := new(authorizationPlugin)
	adapter.name = name
	return adapter
}
// Name returns the registered plugin name this adapter was created with.
func (a *authorizationPlugin) Name() string {
	registered := a.name
	return registered
}
// AuthZRequest forwards the client request to the plugin's AuthZApiRequest
// endpoint and returns the plugin's verdict. The plugin client is resolved
// lazily first; a lookup failure or a failed call is returned as an error
// with a nil Response.
func (a *authorizationPlugin) AuthZRequest(authReq *Request) (*Response, error) {
	err := a.initPlugin()
	if err != nil {
		return nil, err
	}

	var verdict Response
	if err = a.plugin.Call(AuthZApiRequest, authReq, &verdict); err != nil {
		return nil, err
	}
	return &verdict, nil
}
// AuthZResponse forwards the daemon's response (carried in authReq) to the
// plugin's AuthZApiResponse endpoint and returns the plugin's verdict. The
// plugin client is resolved lazily first; a lookup failure or a failed call
// is returned as an error with a nil Response.
func (a *authorizationPlugin) AuthZResponse(authReq *Request) (*Response, error) {
	err := a.initPlugin()
	if err != nil {
		return nil, err
	}

	var verdict Response
	if err = a.plugin.Call(AuthZApiResponse, authReq, &verdict); err != nil {
		return nil, err
	}
	return &verdict, nil
}
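// initPlugin resolves the docker plugin client for a.name on first use.
//
// The lookup runs at most once (guarded by a.once), so concurrent callers
// share a single plugins.Get. Only the caller whose Do actually ran sees the
// lookup error; because sync.Once cannot be re-armed, a failed lookup is not
// retried and every later call returns an explicit error instead of leaving
// a.plugin nil for AuthZRequest/AuthZResponse to dereference.
func (a *authorizationPlugin) initPlugin() error {
	// Lazy loading of plugins
	var err error
	a.once.Do(func() {
		if a.plugin == nil {
			plugin, e := plugins.Get(a.name, AuthZApiImplements)
			if e != nil {
				err = e
				return
			}
			a.plugin = plugin.Client()
		}
	})
	if err != nil {
		return err
	}
	// err is local to this call, so after a failed one-time lookup all
	// subsequent callers reach this point with err == nil and a.plugin still
	// nil. Fail closed here rather than let the callers call through a nil
	// client.
	if a.plugin == nil {
		return fmt.Errorf("authorization plugin %q is not available", a.name)
	}
	return nil
}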