docker: Index | Files

package authorization

import ""


Package Files

api.go authz.go middleware.go plugin.go response.go


const (
    // AuthZApiRequest is the url for daemon request authorization
    AuthZApiRequest = "AuthZPlugin.AuthZReq"

    // AuthZApiResponse is the url for daemon response authorization
    AuthZApiResponse = "AuthZPlugin.AuthZRes"

    // AuthZApiImplements is the name of the interface all AuthZ plugins implement
    AuthZApiImplements = "authz"

func GetPluginGetter Uses

func GetPluginGetter() plugingetter.PluginGetter

GetPluginGetter gets the plugingetter

func SetPluginGetter Uses

func SetPluginGetter(pg plugingetter.PluginGetter)

SetPluginGetter sets the plugingetter

type Ctx Uses

type Ctx struct {
    // contains filtered or unexported fields

Ctx stores a single request-response interaction context

func NewCtx Uses

func NewCtx(authZPlugins []Plugin, user, userAuthNMethod, requestMethod, requestURI string) *Ctx

NewCtx creates new authZ context, it is used to store authorization information related to a specific docker REST http session A context provides two method: Authenticate Request: Call authZ plugins with current REST request and AuthN response Request contains full HTTP packet sent to the docker daemon

Authenticate Response: Call authZ plugins with full info about current REST request, REST response and AuthN response The response from this method may contains content that overrides the daemon response This allows authZ plugins to filter privileged content

If multiple authZ plugins are specified, the block/allow decision is based on ANDing all plugin results For response manipulation, the response from each plugin is piped between plugins. Plugin execution order is determined according to daemon parameters

func (*Ctx) AuthZRequest Uses

func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error

AuthZRequest authorized the request to the docker daemon using authZ plugins

func (*Ctx) AuthZResponse Uses

func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error

AuthZResponse authorized and manipulates the response from docker daemon using authZ plugins

type Middleware Uses

type Middleware struct {
    // contains filtered or unexported fields

Middleware uses a list of plugins to handle authorization in the API requests.

func NewMiddleware Uses

func NewMiddleware(names []string, pg plugingetter.PluginGetter) *Middleware

NewMiddleware creates a new Middleware with a slice of plugins names.

func (*Middleware) RemovePlugin Uses

func (m *Middleware) RemovePlugin(name string)

RemovePlugin removes a single plugin from this authz middleware chain

func (*Middleware) SetPlugins Uses

func (m *Middleware) SetPlugins(names []string)

SetPlugins sets the plugin used for authorization

func (*Middleware) WrapHandler Uses

func (m *Middleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error

WrapHandler returns a new handler function wrapping the previous one in the request chain.

type PeerCertificate Uses

type PeerCertificate x509.Certificate

PeerCertificate is a wrapper around x509.Certificate which provides a sane encoding/decoding to/from PEM format and JSON.

func (*PeerCertificate) MarshalJSON Uses

func (pc *PeerCertificate) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoded pem bytes of a PeerCertificate.

func (*PeerCertificate) UnmarshalJSON Uses

func (pc *PeerCertificate) UnmarshalJSON(b []byte) error

UnmarshalJSON populates a new PeerCertificate struct from JSON data.

type Plugin Uses

type Plugin interface {
    // Name returns the registered plugin name
    Name() string

    // AuthZRequest authorizes the request from the client to the daemon
    AuthZRequest(*Request) (*Response, error)

    // AuthZResponse authorizes the response from the daemon to the client
    AuthZResponse(*Request) (*Response, error)

Plugin allows third party plugins to authorize requests and responses in the context of docker API

type Request Uses

type Request struct {
    // User holds the user extracted by AuthN mechanism
    User string `json:"User,omitempty"`

    // UserAuthNMethod holds the mechanism used to extract user details (e.g., krb)
    UserAuthNMethod string `json:"UserAuthNMethod,omitempty"`

    // RequestMethod holds the HTTP method (GET/POST/PUT)
    RequestMethod string `json:"RequestMethod,omitempty"`

    // RequestUri holds the full HTTP uri (e.g., /v1.21/version)
    RequestURI string `json:"RequestUri,omitempty"`

    // RequestBody stores the raw request body sent to the docker daemon
    RequestBody []byte `json:"RequestBody,omitempty"`

    // RequestHeaders stores the raw request headers sent to the docker daemon
    RequestHeaders map[string]string `json:"RequestHeaders,omitempty"`

    // RequestPeerCertificates stores the request's TLS peer certificates in PEM format
    RequestPeerCertificates []*PeerCertificate `json:"RequestPeerCertificates,omitempty"`

    // ResponseStatusCode stores the status code returned from docker daemon
    ResponseStatusCode int `json:"ResponseStatusCode,omitempty"`

    // ResponseBody stores the raw response body sent from docker daemon
    ResponseBody []byte `json:"ResponseBody,omitempty"`

    // ResponseHeaders stores the response headers sent to the docker daemon
    ResponseHeaders map[string]string `json:"ResponseHeaders,omitempty"`

Request holds data required for authZ plugins

type Response Uses

type Response struct {
    // Allow indicating whether the user is allowed or not
    Allow bool `json:"Allow"`

    // Msg stores the authorization message
    Msg string `json:"Msg,omitempty"`

    // Err stores a message in case there's an error
    Err string `json:"Err,omitempty"`

Response represents authZ plugin response

type ResponseModifier Uses

type ResponseModifier interface {

    // RawBody returns the current http content
    RawBody() []byte

    // RawHeaders returns the current content of the http headers
    RawHeaders() ([]byte, error)

    // StatusCode returns the current status code
    StatusCode() int

    // OverrideBody replaces the body of the HTTP reply
    OverrideBody(b []byte)

    // OverrideHeader replaces the headers of the HTTP reply
    OverrideHeader(b []byte) error

    // OverrideStatusCode replaces the status code of the HTTP reply
    OverrideStatusCode(statusCode int)

    // FlushAll flushes all data to the HTTP response
    FlushAll() error

    // Hijacked indicates the response has been hijacked by the Docker daemon
    Hijacked() bool

ResponseModifier allows authorization plugins to read and modify the content of the http.response

func NewResponseModifier Uses

func NewResponseModifier(rw http.ResponseWriter) ResponseModifier

NewResponseModifier creates a wrapper to an http.ResponseWriter to allow inspecting and modifying the content

Package authorization imports 17 packages (graph) and is imported by 292 packages. Updated 2020-04-15. Refresh now. Tools for package owners.