Commit graph

62 commits

Author SHA1 Message Date
Kir Kolyshkin
9b0097a699 Format code with gofmt -s from go-1.11beta1
This should eliminate a bunch of new (go-1.11 related) validation
errors telling that the code is not formatted with `gofmt -s`.

No functional change, just whitespace (i.e.
`git show --ignore-space-change` shows nothing).

Patch generated with:

> git ls-files | grep -v ^vendor/ | grep .go$ | xargs gofmt -s -w

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-09-06 15:24:16 -07:00
Vincent Demeester
3845728524
Update tests to use gotest.tools 👼
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-13 09:04:30 +02:00
Kir Kolyshkin
7d62e40f7e Switch from x/net/context -> context
Since Go 1.7, context is a standard package. Since Go 1.9, everything
that is provided by "x/net/context" is a couple of type aliases to
types in "context".

Many vendored packages still use x/net/context, so vendor entry remains
for now.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-04-23 13:52:44 -07:00
Anusha Ragunathan
ff6a103067
Merge pull request #36778 from odg0318/master
Using authorization plugin, I changed Content-Type check routine.
2018-04-12 17:39:38 -07:00
Brian Goff
74f8e47352 Limit authz response buffer
When the authz response buffer limit is hit, perform a flush.
This prevents excessive buffer sizes, especially on large responses
(e.g. `/containers/<id>/archive` or `/containers/<id>/export`).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-04-11 15:36:36 -04:00
odg0318
6ac73d34e4 If Content-Type is application/json;charset=UTF-8, RequestBody is empty.
Signed-off-by: odg0318 <odg0318@gmail.com>
2018-04-05 04:03:45 -04:00
Daniel Nephin
6be0f70983 Automated migration using
gty-migrate-from-testify --ignore-build-tags

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-16 11:03:43 -04:00
Daniel Nephin
4f0d95fa6e Add canonical import comment
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:51:57 -05:00
Kenfe-Mickael Laventure
ddae20c032
Update libcontainerd to use containerd 1.0
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2017-10-20 07:11:37 -07:00
Daniel Nephin
f7f101d57e Add gosimple linter
Update gometalinter

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-09-12 12:09:59 -04:00
Brian Goff
ebcb7d6b40 Remove string checking in API error handling
Use strongly typed errors to set HTTP status codes.
Error interfaces are defined in the api/errors package and errors
returned from controllers are checked against these interfaces.

Errors can be wraeped in a pkg/errors.Causer, as long as somewhere in the
line of causes one of the interfaces is implemented. The special error
interfaces take precedence over Causer, meaning if both Causer and one
of the new error interfaces are implemented, the Causer is not
traversed.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-08-15 16:01:11 -04:00
Derek McGowan
1009e6a40b
Update logrus to v1.0.1
Fixes case sensitivity issue

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2017-07-31 13:16:46 -07:00
Josh Soref
39bcaee47b
Spelling fixes
* additional
* ambiguous
* anonymous
* anything
* application
* because
* before
* building
* capabilities
* circumstances
* commit
* committer
* compresses
* concatenated
* config
* container
* container's
* current
* definition
* delimiter
* disassociates
* discovery
* distributed
* doesnotexist
* downloads
* duplicates
* either
* enhancing
* enumerate
* escapable
* exactly
* expect
* expectations
* expected
* explicitly
* false
* filesystem
* following
* forbidden
* git with
* healthcheck
* ignore
* independent
* inheritance
* investigating
* irrelevant
* it
* logging
* looking
* membership
* mimic
* minimum
* modify
* mountpoint
* multiline
* notifier
* outputting
* outside
* overridden
* override
* parsable
* plugins
* precedence
* propagation
* provided
* provides
* registries
* repositories
* returning
* settings
* should
* signals
* someone
* something
* specifically
* successfully
* synchronize
* they've
* thinking
* uninitialized
* unintentionally
* unmarshaling
* unnamed
* unreferenced
* verify

Signed-off-by: Josh Soref <jsoref@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-07-03 13:13:09 -07:00
Raja Sami
f1eb0c0ebb Increase test Coverage of pkg/authorization
Signed-off-by: Raja Sami <raja.sami@tenpearls.com>
2017-06-23 12:35:46 +05:00
David Sheets
24264697c5 authz: remove and hide unused and local-only methods respectively
Signed-off-by: David Sheets <dsheets@docker.com>
2017-06-13 13:51:11 +01:00
David Sheets
7da3986297 authz: eliminate race during plugin removal from middleware
Also, this removes the use of a questionable golang range feature which
corrects for mutation of a slice during iteration over that slice. This
makes the filter operation easier to read and reason about.

Signed-off-by: David Sheets <dsheets@docker.com>
2017-06-13 13:51:07 +01:00
Anusha Ragunathan
38de272bd4 When authz plugin is disabled, remove from authz middleware chain.
When the daemon is configured to run with an authorization-plugin and if
the plugin is disabled, the daemon continues to send API requests to the
plugin and expect it to respond. But the plugin has been disabled. As a
result, all API requests are blocked. Fix this behavior by removing the
disabled plugin from the authz middleware chain.

Tested using riyaz/authz-no-volume-plugin and observed that after
disabling the plugin, API request/response is functional.

Fixes #31836

Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
2017-03-22 12:07:39 -07:00
Diego Romero
48b8f54876 Fixed a typo within pkg/authorization/api.go
Signed-off-by: Diego Romero <idiegoromero@gmail.com>
2017-01-17 21:51:16 -05:00
Aaron Lehmann
428600108c plugingetter: Avoid all caps for constant declarations
Go style calls for mixed caps instead of all caps:
https://golang.org/doc/effective_go.html#mixed-caps

Change LOOKUP, ACQUIRE, and RELEASE to Lookup, Acquire, and Release.

This vendors a fork of libnetwork for now, to deal with a cyclic
dependency issue. The change will be upstream to libnetwork once this is
merged.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2017-01-04 10:19:04 -08:00
Ben Firshman
f0d55cd081
Rename Remote API to Engine API
Implementation of https://github.com/docker/docker/issues/28319

Signed-off-by: Ben Firshman <ben@firshman.co.uk>
2016-11-22 12:49:38 +00:00
Riyaz Faizullabhoy
a64fc8eea3 Revert "Update authz plugin list on failure."
This reverts commit fae904af02.

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-11-03 15:49:21 -07:00
Antonio Murdaca
1452c1cc71
pkg/authorization: send request's TLS peer certificates to plugins
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-31 17:37:19 +01:00
Anusha Ragunathan
fae904af02 Update authz plugin list on failure.
When daemon fails to load an authz plugin, it should be removed from
the plugin list. Else the plugin is retried on every request and
response, resulting in undesired behavior (eg. daemon panic)

Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-10-28 11:16:06 -07:00
YuPengZTE
fa378413f8 Fix the typo of URLs
Signed-off-by: YuPengZTE <yu.peng36@zte.com.cn>
2016-10-19 17:46:27 +08:00
Sebastiaan van Stijn
194f04bbbe Merge pull request #27267 from ezrasilvera/plugin_fix
Call the AuthZRes function also when the daemon  returns error
2016-10-18 21:53:43 -07:00
Tibor Vass
8658748ef7 Merge pull request #27293 from anusha-ragunathan/use-pluginv2-authz
Make authz use pluginv2
2016-10-13 00:28:43 +02:00
Alexander Morozov
a616cf3b88 pkg/authorization: make it goroutine-safe
It was racy on config reload

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-10-11 16:31:45 -07:00
Anusha Ragunathan
c5393ee147 Make authorization plugins use pluginv2.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-10-11 13:09:28 -07:00
Ezra Silvera
5a8ff40254 Call the AuthZRes function also when the daemon returns error
Signed-off-by: Ezra Silvera <ezra@il.ibm.com>
2016-10-11 09:53:30 +03:00
Yong Tang
9cb8fb6ea0 Fix AuthZ plugins headers change issue
This fix tries to address the issue raised in 25927 where
the HTTP headers have been chaged when AUthZ plugin is in
place.

This issue is that in `FlushAll` (`pkg/authorization/response.go`),
the headers have been written (with `WriteHeader`) before all the
headers have bee copied.

This fix fixes the issue by placing `WriteHeader` after.

A test has been added to cover the changes.`

This fix fixes 25927

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-08-23 21:08:23 -07:00
Liron Levin
4192fe9c06 Enable to dynamically reload authorization plugins via daemon.config
Following #22729, enable to dynamically reload/remove the daemon
authorization plugins (via standard reloading mechanism).
https://docs.docker.com/engine/reference/commandline/daemon/#daemon-
configuration-file

Daemon must store a reference to the authorization middleware to refresh
the plugin on configuration changes.

Signed-off-by: Liron Levin <liron@twistlock.com>
2016-07-30 14:59:07 +03:00
Vincent Demeester
40044cb18f Merge pull request #24963 from allencloud/fix-typos
fix typos
2016-07-25 09:39:48 +02:00
lixiaobing10051267
d6556a6ef7 Func name wrong in notes of response.go
Signed-off-by: lixiaobing10051267 <li.xiaobing1@zte.com.cn>
2016-07-23 16:03:27 +08:00
allencloud
4e959ef2f7 fix typos
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-07-23 11:32:23 +08:00
Doron Podoleanu
6bec735c91 Use const http status code instead of just numbers see #24783
Signed-off-by: Doron Podoleanu <doronp@il.ibm.com>
2016-07-19 10:40:20 +03:00
Tibor Vass
f37117045c plugins: experimental support for new plugin management
This patch introduces a new experimental engine-level plugin management
with a new API and command line. Plugins can be distributed via a Docker
registry, and their lifecycle is managed by the engine.
This makes plugins a first-class construct.

For more background, have a look at issue #20363.

Documentation is in a separate commit. If you want to understand how the
new plugin system works, you can start by reading the documentation.

Note: backwards compatibility with existing plugins is maintained,
albeit they won't benefit from the advantages of the new system.

Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-06-14 14:20:27 -07:00
Vincent Demeester
5338ae7133 Merge pull request #23425 from runcom/authz-race
pkg: authorization: lock when lazy loading
2016-06-13 23:20:37 +02:00
Antonio Murdaca
d1b7e8373b authz: cleanups
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-06-12 17:23:19 +02:00
Antonio Murdaca
ceb9c5a88b pkg: authorization: lock when lazy loading
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-06-12 17:19:43 +02:00
Yong Tang
a72b45dbec Fix logrus formatting
This fix tries to fix logrus formatting by removing `f` from
`logrus.[Error|Warn|Debug|Fatal|Panic|Info]f` when formatting string
is not present.

This fix fixes #23459.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-06-11 13:16:55 -07:00
allencloud
c1be45fa38 fix typos
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-06-02 17:17:22 +08:00
Akihiro Suda
f437e2d148 Fix racy tests in pkg/authorization
Fix #23012

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-06-01 03:25:56 +00:00
Antonio Murdaca
6a96684442 pkg: authorization: cleanup tests
- do use use log pkg
- do not t.Fatal in goroutine
- cleanups

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-05-08 14:18:38 +02:00
allencloud
3f77baf2ce fix typos
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-05-06 18:23:11 +08:00
Liron Levin
526abc00b1 Fix authorization issue - when request is denied return forbbiden exist code (403).
- Return 403 (forbidden) when request is denied in authorization flows
(including integration test)
- Fix #22428
- Close #22431

Signed-off-by: Liron Levin <liron@twistlock.com>
2016-05-02 19:14:48 +03:00
David Calavera
8d3467626e
Move middleware to interfaces.
This makes separating middlewares from the core api easier.
As an example, the authorization middleware is moved to
it's own package.

Initialize all static middlewares when the server is created, reducing
allocations every time a route is wrapper with the middlewares.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-04-11 09:19:27 -07:00
Alexander Morozov
07b568cb53 pkg: cleanup some unused code
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-03-31 11:39:59 -07:00
Jessica Frazelle
0e025b4bb1
fix variables that werent being called
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-03-17 13:19:55 -07:00
David Calavera
1a63023450 Call plugins with custom transports.
Small refactor to be able to use custom transports
to call remote plugins.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-02 12:54:53 -05:00
Brian Goff
abbb16d7ab Merge pull request #20602 from twistlock/20508_authz_plugin_corrupt_body
Fix #20508 - Authz plugin enabled with large text/JSON POST payload corrupts body
2016-02-29 10:43:02 -05:00