Don't dump authz request when body is too large
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This commit is contained in:
Brian Goff
parent
cb3454b895
commit
0ec7cb1db9
1 changed files with 23 additions and 20 deletions
|
|
@ -1,16 +1,19 @@
|
||||||
package authorization
|
package authorization
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bufio"
|
||||||
"bytes"
|
"bytes"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
|
"github.com/docker/docker/pkg/ioutils"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const maxBodySize = 1048576 // 1MB
|
||||||
|
|
||||||
// NewCtx creates new authZ context, it is used to store authorization information related to a specific docker
|
// NewCtx creates new authZ context, it is used to store authorization information related to a specific docker
|
||||||
// REST http session
|
// REST http session
|
||||||
// A context provides two method:
|
// A context provides two method:
|
||||||
|
|
@ -52,18 +55,12 @@ type Ctx struct {
|
||||||
func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
|
func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
|
||||||
var body []byte
|
var body []byte
|
||||||
if sendBody(ctx.requestURI, r.Header) {
|
if sendBody(ctx.requestURI, r.Header) {
|
||||||
var (
|
if r.ContentLength < maxBodySize {
|
||||||
err error
|
var err error
|
||||||
drainedBody io.ReadCloser
|
body, r.Body, err = drainBody(r.Body)
|
||||||
)
|
|
||||||
drainedBody, r.Body, err = drainBody(r.Body)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
defer drainedBody.Close()
|
|
||||||
body, err = ioutil.ReadAll(drainedBody)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -126,15 +123,21 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
|
||||||
|
|
||||||
// drainBody dump the body, it reads the body data into memory and
|
// drainBody dump the body, it reads the body data into memory and
|
||||||
// see go sources /go/src/net/http/httputil/dump.go
|
// see go sources /go/src/net/http/httputil/dump.go
|
||||||
func drainBody(b io.ReadCloser) (io.ReadCloser, io.ReadCloser, error) {
|
func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
|
||||||
var buf bytes.Buffer
|
bufReader := bufio.NewReaderSize(body, maxBodySize)
|
||||||
if _, err := buf.ReadFrom(b); err != nil {
|
newBody := ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
|
||||||
|
|
||||||
|
data, err := bufReader.Peek(maxBodySize)
|
||||||
|
if err != io.EOF {
|
||||||
|
// This means the request is larger than our max
|
||||||
|
if err == bufio.ErrBufferFull {
|
||||||
|
return nil, newBody, nil
|
||||||
|
}
|
||||||
|
// This means we had an error reading
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
if err := b.Close(); err != nil {
|
|
||||||
return nil, nil, err
|
return data, newBody, nil
|
||||||
}
|
|
||||||
return ioutil.NopCloser(&buf), ioutil.NopCloser(bytes.NewReader(buf.Bytes())), nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// sendBody returns true when request/response body should be sent to AuthZPlugin
|
// sendBody returns true when request/response body should be sent to AuthZPlugin
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue