c28fc06e00
This patches avoids registering (and calling) the same plugin more than
once. Using an helper map which indexes by name guarantees this and keeps
the order.
The behavior of overriding the same name in a flag is consistent with,
for instance, the `docker run -v /test -v /test` flag which register
the volume just once.
Adds integration tests.
Without this patch:
```
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.080901676+01:00" level=debug msg="Calling
GET
/v1.22/info"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.081213202+01:00" level=debug msg="AuthZ
request using plugin docker-novolume-plugin"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.081268132+01:00" level=debug
msg="docker-novolume-plugin implements: authz"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.081699788+01:00" level=debug msg="AuthZ
request using plugin docker-novolume-plugin"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.081762507+01:00" level=debug
msg="docker-novolume-plugin implements: authz"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.082092480+01:00" level=debug msg="GET
/v1.22/info"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.628691038+01:00" level=debug msg="AuthZ
response using plugin docker-novolume-plugin"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.629880930+01:00" level=debug msg="AuthZ
response using plugin docker-novolume-plugin"
```
With this patch:
```
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.376523958+01:00" level=debug msg="Calling
GET
/v1.22/info"
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.376715483+01:00" level=debug msg="AuthZ
request using plugin docker-novolume-plugin"
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.376771230+01:00" level=debug
msg="docker-novolume-plugin implements: authz"
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.377698897+01:00" level=debug msg="GET
/v1.22/info"
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.951016441+01:00" level=debug msg="AuthZ
response using plugin docker-novolume-plugin"
```
Also removes a somehow duplicate debug statement (leaving only the
second one as it's a loop of plugin's manifest):
```
Dec 20 19:52:30 localhost.localdomain docker[25767]:
time="2015-12-20T19:52:30.544090518+01:00" level=debug
msg="docker-novolume-plugin's manifest: &{[authz]}"
Dec 20 19:52:30 localhost.localdomain docker[25767]:
time="2015-12-20T19:52:30.544170677+01:00" level=debug
msg="docker-novolume-plugin implements: authz"
```
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
273 lines
8.5 KiB
Go
273 lines
8.5 KiB
Go
// +build !windows
|
|
|
|
package main
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/docker/docker/pkg/authorization"
|
|
"github.com/docker/docker/pkg/integration/checker"
|
|
"github.com/docker/docker/pkg/plugins"
|
|
"github.com/go-check/check"
|
|
)
|
|
|
|
const (
|
|
testAuthZPlugin = "authzplugin"
|
|
unauthorizedMessage = "User unauthorized authz plugin"
|
|
errorMessage = "something went wrong..."
|
|
containerListAPI = "/containers/json"
|
|
)
|
|
|
|
func init() {
|
|
check.Suite(&DockerAuthzSuite{
|
|
ds: &DockerSuite{},
|
|
})
|
|
}
|
|
|
|
type DockerAuthzSuite struct {
|
|
server *httptest.Server
|
|
ds *DockerSuite
|
|
d *Daemon
|
|
ctrl *authorizationController
|
|
}
|
|
|
|
type authorizationController struct {
|
|
reqRes authorization.Response // reqRes holds the plugin response to the initial client request
|
|
resRes authorization.Response // resRes holds the plugin response to the daemon response
|
|
psRequestCnt int // psRequestCnt counts the number of calls to list container request api
|
|
psResponseCnt int // psResponseCnt counts the number of calls to list containers response API
|
|
requestsURIs []string // requestsURIs stores all request URIs that are sent to the authorization controller
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) SetUpTest(c *check.C) {
|
|
s.d = NewDaemon(c)
|
|
s.ctrl = &authorizationController{}
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) TearDownTest(c *check.C) {
|
|
s.d.Stop()
|
|
s.ds.TearDownTest(c)
|
|
s.ctrl = nil
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
|
|
mux := http.NewServeMux()
|
|
s.server = httptest.NewServer(mux)
|
|
c.Assert(s.server, check.NotNil, check.Commentf("Failed to start a HTTP Server"))
|
|
|
|
mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
|
|
b, err := json.Marshal(plugins.Manifest{Implements: []string{authorization.AuthZApiImplements}})
|
|
c.Assert(err, check.IsNil)
|
|
w.Write(b)
|
|
})
|
|
|
|
mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
|
|
if s.ctrl.reqRes.Err != "" {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
}
|
|
b, err := json.Marshal(s.ctrl.reqRes)
|
|
c.Assert(err, check.IsNil)
|
|
w.Write(b)
|
|
defer r.Body.Close()
|
|
body, err := ioutil.ReadAll(r.Body)
|
|
c.Assert(err, check.IsNil)
|
|
authReq := authorization.Request{}
|
|
err = json.Unmarshal(body, &authReq)
|
|
c.Assert(err, check.IsNil)
|
|
|
|
assertBody(c, authReq.RequestURI, authReq.RequestHeaders, authReq.RequestBody)
|
|
assertAuthHeaders(c, authReq.RequestHeaders)
|
|
|
|
// Count only container list api
|
|
if strings.HasSuffix(authReq.RequestURI, containerListAPI) {
|
|
s.ctrl.psRequestCnt++
|
|
}
|
|
|
|
s.ctrl.requestsURIs = append(s.ctrl.requestsURIs, authReq.RequestURI)
|
|
})
|
|
|
|
mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
|
|
if s.ctrl.resRes.Err != "" {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
}
|
|
b, err := json.Marshal(s.ctrl.resRes)
|
|
c.Assert(err, check.IsNil)
|
|
w.Write(b)
|
|
|
|
defer r.Body.Close()
|
|
body, err := ioutil.ReadAll(r.Body)
|
|
c.Assert(err, check.IsNil)
|
|
authReq := authorization.Request{}
|
|
err = json.Unmarshal(body, &authReq)
|
|
c.Assert(err, check.IsNil)
|
|
|
|
assertBody(c, authReq.RequestURI, authReq.ResponseHeaders, authReq.ResponseBody)
|
|
assertAuthHeaders(c, authReq.ResponseHeaders)
|
|
|
|
// Count only container list api
|
|
if strings.HasSuffix(authReq.RequestURI, containerListAPI) {
|
|
s.ctrl.psResponseCnt++
|
|
}
|
|
})
|
|
|
|
err := os.MkdirAll("/etc/docker/plugins", 0755)
|
|
c.Assert(err, checker.IsNil)
|
|
|
|
fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", testAuthZPlugin)
|
|
err = ioutil.WriteFile(fileName, []byte(s.server.URL), 0644)
|
|
c.Assert(err, checker.IsNil)
|
|
}
|
|
|
|
// assertAuthHeaders validates authentication headers are removed
|
|
func assertAuthHeaders(c *check.C, headers map[string]string) error {
|
|
for k := range headers {
|
|
if strings.Contains(strings.ToLower(k), "auth") || strings.Contains(strings.ToLower(k), "x-registry") {
|
|
c.Errorf("Found authentication headers in request '%v'", headers)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// assertBody asserts that body is removed for non text/json requests
|
|
func assertBody(c *check.C, requestURI string, headers map[string]string, body []byte) {
|
|
|
|
if strings.Contains(strings.ToLower(requestURI), "auth") && len(body) > 0 {
|
|
//return fmt.Errorf("Body included for authentication endpoint %s", string(body))
|
|
c.Errorf("Body included for authentication endpoint %s", string(body))
|
|
}
|
|
|
|
for k, v := range headers {
|
|
if strings.EqualFold(k, "Content-Type") && strings.HasPrefix(v, "text/") || v == "application/json" {
|
|
return
|
|
}
|
|
}
|
|
if len(body) > 0 {
|
|
c.Errorf("Body included while it should not (Headers: '%v')", headers)
|
|
}
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) TearDownSuite(c *check.C) {
|
|
if s.server == nil {
|
|
return
|
|
}
|
|
|
|
s.server.Close()
|
|
|
|
err := os.RemoveAll("/etc/docker/plugins")
|
|
c.Assert(err, checker.IsNil)
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) TestAuthZPluginAllowRequest(c *check.C) {
|
|
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
|
c.Assert(err, check.IsNil)
|
|
s.ctrl.reqRes.Allow = true
|
|
s.ctrl.resRes.Allow = true
|
|
|
|
// Ensure command successful
|
|
out, err := s.d.Cmd("run", "-d", "--name", "container1", "busybox:latest", "top")
|
|
c.Assert(err, check.IsNil)
|
|
|
|
// Extract the id of the created container
|
|
res := strings.Split(strings.TrimSpace(out), "\n")
|
|
id := res[len(res)-1]
|
|
assertURIRecorded(c, s.ctrl.requestsURIs, "/containers/create")
|
|
assertURIRecorded(c, s.ctrl.requestsURIs, fmt.Sprintf("/containers/%s/start", id))
|
|
|
|
out, err = s.d.Cmd("ps")
|
|
c.Assert(err, check.IsNil)
|
|
c.Assert(assertContainerList(out, []string{id}), check.Equals, true)
|
|
c.Assert(s.ctrl.psRequestCnt, check.Equals, 1)
|
|
c.Assert(s.ctrl.psResponseCnt, check.Equals, 1)
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
|
|
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
|
c.Assert(err, check.IsNil)
|
|
s.ctrl.reqRes.Allow = false
|
|
s.ctrl.reqRes.Msg = unauthorizedMessage
|
|
|
|
// Ensure command is blocked
|
|
res, err := s.d.Cmd("ps")
|
|
c.Assert(err, check.NotNil)
|
|
c.Assert(s.ctrl.psRequestCnt, check.Equals, 1)
|
|
c.Assert(s.ctrl.psResponseCnt, check.Equals, 0)
|
|
|
|
// Ensure unauthorized message appears in response
|
|
c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s\n", testAuthZPlugin, unauthorizedMessage))
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
|
|
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
|
c.Assert(err, check.IsNil)
|
|
s.ctrl.reqRes.Allow = true
|
|
s.ctrl.resRes.Allow = false
|
|
s.ctrl.resRes.Msg = unauthorizedMessage
|
|
|
|
// Ensure command is blocked
|
|
res, err := s.d.Cmd("ps")
|
|
c.Assert(err, check.NotNil)
|
|
c.Assert(s.ctrl.psRequestCnt, check.Equals, 1)
|
|
c.Assert(s.ctrl.psResponseCnt, check.Equals, 1)
|
|
|
|
// Ensure unauthorized message appears in response
|
|
c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s\n", testAuthZPlugin, unauthorizedMessage))
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {
|
|
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
|
c.Assert(err, check.IsNil)
|
|
s.ctrl.reqRes.Allow = true
|
|
s.ctrl.resRes.Err = errorMessage
|
|
|
|
// Ensure command is blocked
|
|
res, err := s.d.Cmd("ps")
|
|
c.Assert(err, check.NotNil)
|
|
|
|
c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: plugin %s failed with error: %s: %s\n", testAuthZPlugin, authorization.AuthZApiResponse, errorMessage))
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {
|
|
err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
|
|
c.Assert(err, check.IsNil)
|
|
s.ctrl.reqRes.Err = errorMessage
|
|
|
|
// Ensure command is blocked
|
|
res, err := s.d.Cmd("ps")
|
|
c.Assert(err, check.NotNil)
|
|
|
|
c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: plugin %s failed with error: %s: %s\n", testAuthZPlugin, authorization.AuthZApiRequest, errorMessage))
|
|
}
|
|
|
|
func (s *DockerAuthzSuite) TestAuthZPluginEnsureNoDuplicatePluginRegistration(c *check.C) {
|
|
c.Assert(s.d.Start("--authz-plugin="+testAuthZPlugin, "--authz-plugin="+testAuthZPlugin), check.IsNil)
|
|
|
|
s.ctrl.reqRes.Allow = true
|
|
s.ctrl.resRes.Allow = true
|
|
|
|
out, err := s.d.Cmd("ps")
|
|
c.Assert(err, check.IsNil, check.Commentf(out))
|
|
|
|
// assert plugin is only called once..
|
|
c.Assert(s.ctrl.psRequestCnt, check.Equals, 1)
|
|
c.Assert(s.ctrl.psResponseCnt, check.Equals, 1)
|
|
}
|
|
|
|
// assertURIRecorded verifies that the given URI was sent and recorded in the authz plugin
|
|
func assertURIRecorded(c *check.C, uris []string, uri string) {
|
|
var found bool
|
|
for _, u := range uris {
|
|
if strings.Contains(u, uri) {
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
if !found {
|
|
c.Fatalf("Expected to find URI '%s', recorded uris '%s'", uri, strings.Join(uris, ","))
|
|
}
|
|
}
|