Commit graph

27 commits

Author SHA1 Message Date
Akihiro Suda
7fb7a477d7 [nit] integration-cli: obey Go's naming convention
No substantial code change.

 - Api         --> API
 - Cli         --> CLI
 - Http, Https --> HTTP, HTTPS
 - Id          --> ID
 - Uid,Gid,Pid --> UID,PID,PID
 - Ipam        --> IPAM
 - Tls         --> TLS (TestDaemonNoTlsCliTlsVerifyWithEnv --> TestDaemonTLSVerifyIssue13964)

Didn't touch in this commit:
 - Git: because it is officially "Git": https://git-scm.com/
 - Tar: because it is officially "Tar": https://www.gnu.org/software/tar/
 - Cpu, Nat, Mac, Ipc, Shm: for keeping a consistency with existing production code (not changable, for compatibility)

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-09-30 01:21:05 +00:00
Yong Tang
9cb8fb6ea0 Fix AuthZ plugins headers change issue
This fix tries to address the issue raised in 25927 where
the HTTP headers have been chaged when AUthZ plugin is in
place.

This issue is that in `FlushAll` (`pkg/authorization/response.go`),
the headers have been written (with `WriteHeader`) before all the
headers have bee copied.

This fix fixes the issue by placing `WriteHeader` after.

A test has been added to cover the changes.`

This fix fixes 25927

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-08-23 21:08:23 -07:00
Antonio Murdaca
d1b7e8373b authz: cleanups
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-06-12 17:23:19 +02:00
allencloud
c1be45fa38 fix typos
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-06-02 17:17:22 +08:00
Vincent Demeester
f87053b9c3
Use dockerd instead of docker daemon in integration-cli
Updating `integration-cli/daemon.go` to use `dockerd` instead of `docker
daemon` to start up the daemon.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-05-26 13:14:35 +02:00
Antonio Murdaca
9613acbe5c integration-cli: test load/import with authz plugins
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-05-04 18:45:22 +02:00
Liron Levin
526abc00b1 Fix authorization issue - when request is denied return forbbiden exist code (403).
- Return 403 (forbidden) when request is denied in authorization flows
(including integration test)
- Fix #22428
- Close #22431

Signed-off-by: Liron Levin <liron@twistlock.com>
2016-05-02 19:14:48 +03:00
Liron Levin
3c157713b3 Extend Docker authorization with TLS user information
Currently Docker authorization framework does not use any user
information, which already available in the Docker context for TLS
connection.
The purpose of this CR is to complete the existing authz work by adding
the basic client certificate details (SUBJECT_NAME) and authentication
method (TLS) to the authz request.

We think this should be the default behavior when no extended
authorization module is specified (currently WIP under #20883).

Signed-off-by: Liron Levin <liron@twistlock.com>
2016-03-27 15:53:55 +03:00
Phil Estes
4781d5c4fb Unskip authz events test after fixes
Now that the various fixes are all committed, let's see if this gets
less flaky now.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2016-02-20 20:19:54 -06:00
Antonio Murdaca
076b3558fc Merge pull request #20509 from estesp/cleanup-authz-test
Clean up authz integration-cli test
2016-02-20 12:10:29 +01:00
Phil Estes
fe015c5ce0 Allow post-start load of busybox to remove restarts
The restarts in the authz plugin test suite seems to be causing
flakiness in CI, and can be avoided by separating the daemon start and
busybox image load.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2016-02-19 18:44:36 -06:00
Arnaud Porterie
b9195cd6d4 Merge pull request #20464 from cpuguy83/fix_events_flakiness
Fix events test flakiness.
2016-02-19 15:39:27 -08:00
Arnaud Porterie
6e0f873f05 Temporarily skip TestAuthZPluginAllowEventStream
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2016-02-19 10:32:05 -08:00
Phil Estes
074561b0ec Clean up authz integration-cli test
- Order the flow of the handlers more cleanly--read req, do actions,
  write response.
- Add "always allowed" endpoints to handle `/_ping` and `/info` usage
  from the test framework/daemon start/restart management

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2016-02-19 10:12:39 -08:00
Brian Goff
abbf2aa6dd Fix events test flakiness.
Since channel is getting a send instead of a close now, this can cause
random issues ranging through the list of channels if the channel is
unbuffered since the send may be blocked.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2016-02-18 16:10:29 -05:00
Brian Goff
4cf9b725f2 Fix flakey TestAuthZPluginAllowEventStream
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2016-02-18 10:19:19 -05:00
Victor Vieux
99a396902f fix common misspell
Signed-off-by: Victor Vieux <vieux@docker.com>
2016-02-11 15:49:36 -08:00
Stefan Scherer
36a974a1a6 Fix TestAuthZPluginAllowEventStream for multiarch
Signed-off-by: Stefan Scherer <scherer_stefan@icloud.com>
2016-02-10 07:28:50 +01:00
Liron Levin
5ffc810df2 Fix 19575: Docker events doesn't work with authorization plugin
To support the requirement of blocking the request after the daemon
responded the authorization plugin use a `response recorder` that replay
the response after the flow ends.

This commit adds support for commands that hijack the connection and
flushes data via the http.Flusher interface. This resolves the error
with the event endpoint.

Signed-off-by: Liron Levin <liron@twistlock.com>
2016-02-05 22:30:01 +02:00
Tibor Vass
5c630ea7c3 Rename authz to authorization for greater clarity
Signed-off-by: Tibor Vass <tibor@docker.com>
2016-01-13 14:15:37 -05:00
Antonio Murdaca
bb8e1dc8fa integration-cli: fix --net=none build
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2015-12-24 16:36:37 +01:00
Antonio Murdaca
c28fc06e00 pkg: authorization: do not register the same plugin
This patches avoids registering (and calling) the same plugin more than
once. Using an helper map which indexes by name guarantees this and keeps
the order.
The behavior of overriding the same name in a flag is consistent with,
for instance, the `docker run -v /test -v /test` flag which register
the volume just once.
Adds integration tests.

Without this patch:
```
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.080901676+01:00" level=debug msg="Calling
GET
/v1.22/info"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.081213202+01:00" level=debug msg="AuthZ
request using plugin docker-novolume-plugin"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.081268132+01:00" level=debug
msg="docker-novolume-plugin implements: authz"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.081699788+01:00" level=debug msg="AuthZ
request using plugin docker-novolume-plugin"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.081762507+01:00" level=debug
msg="docker-novolume-plugin implements: authz"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.082092480+01:00" level=debug msg="GET
/v1.22/info"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.628691038+01:00" level=debug msg="AuthZ
response using plugin docker-novolume-plugin"
Dec 20 19:34:52 localhost.localdomain docker[9988]:
time="2015-12-20T19:34:52.629880930+01:00" level=debug msg="AuthZ
response using plugin docker-novolume-plugin"
```

With this patch:
```
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.376523958+01:00" level=debug msg="Calling
GET
/v1.22/info"
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.376715483+01:00" level=debug msg="AuthZ
request using plugin docker-novolume-plugin"
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.376771230+01:00" level=debug
msg="docker-novolume-plugin implements: authz"
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.377698897+01:00" level=debug msg="GET
/v1.22/info"
Dec 20 19:37:32 localhost.localdomain docker[16620]:
time="2015-12-20T19:37:32.951016441+01:00" level=debug msg="AuthZ
response using plugin docker-novolume-plugin"
```

Also removes a somehow duplicate debug statement (leaving only the
second one as it's a loop of plugin's manifest):
```
Dec 20 19:52:30 localhost.localdomain docker[25767]:
time="2015-12-20T19:52:30.544090518+01:00" level=debug
msg="docker-novolume-plugin's manifest: &{[authz]}"
Dec 20 19:52:30 localhost.localdomain docker[25767]:
time="2015-12-20T19:52:30.544170677+01:00" level=debug
msg="docker-novolume-plugin implements: authz"
```

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2015-12-23 21:08:40 +01:00
Antonio Murdaca
5a64c8027e authZ: more fixes
- fix naming and formatting
- provide more context when erroring auth
- do not capitalize errors
- fix wrong documentation
- remove ugly remoteError{}

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2015-12-18 16:29:01 +01:00
Antonio Murdaca
46e3a249a1 pkg: authorization: add Err to tweak response status code
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2015-12-17 11:08:47 +01:00
Antonio Murdaca
baba1a8493 reorder imports with goimports
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2015-12-16 16:50:25 +01:00
Liron Levin
de4ffdfe48 Change authz plugin argument name
Signed-off-by: Liron Levin <liron@twistlock.com>
2015-12-11 20:59:15 +02:00
Liron Levin
75c353f0ad Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted.
Each plug-in operates as a separate service, and registers with Docker
through general (plug-ins API)
[https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No
Docker daemon recompilation is required in order to add / remove an
authentication plug-in. Each plug-in is notified twice for each
operation: 1) before the operation is performed and, 2) before the
response is returned to the client. The plug-ins can modify the response
that is returned to the client.

The authorization depends on the authorization effort that takes place
in parallel [https://github.com/docker/docker/issues/13697].

This is the official issue of the authorization effort:
https://github.com/docker/docker/issues/14674

(Here)[https://github.com/rhatdan/docker-rbac] you can find an open
document that discusses a default RBAC plug-in for Docker.

Signed-off-by: Liron Levin <liron@twistlock.com>
Added container create flow test and extended the verification for ps
2015-12-08 17:34:15 +02:00