Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted.

Each plug-in operates as a separate service, and registers with Docker through general (plug-ins API) [https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No Docker daemon recompilation is required in order to add / remove an authentication plug-in. Each plug-in is notified twice for each operation: 1) before the operation is performed and, 2) before the response is returned to the client. The plug-ins can modify the response that is returned to the client. The authorization depends on the authorization effort that takes place in parallel [https://github.com/docker/docker/issues/13697]. This is the official issue of the authorization effort: https://github.com/docker/docker/issues/14674 (Here)[https://github.com/rhatdan/docker-rbac] you can find an open document that discusses a default RBAC plug-in for Docker. Signed-off-by: Liron Levin <liron@twistlock.com> Added container create flow test and extended the verification for ps
2015-11-12 13:06:47 +02:00 · 2015-11-12 13:06:47 +02:00 · ccdb366aa5
commit ccdb366aa5
parent cd655d8b48
6 changed files with 741 additions and 0 deletions
--- a/authorization/authz_test.go
+++ b/authorization/authz_test.go
@ -0,0 +1,220 @@
+package authorization
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/pkg/tlsconfig"
+	"github.com/gorilla/mux"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path"
+	"reflect"
+	"testing"
+)
+
+const pluginAddress = "authzplugin.sock"
+
+func TestAuthZRequestPlugin(t *testing.T) {
+
+	server := authZPluginTestServer{t: t}
+	go server.start()
+	defer server.stop()
+
+	authZPlugin := createTestPlugin(t)
+
+	request := Request{
+		User:           "user",
+		RequestBody:    []byte("sample body"),
+		RequestURI:     "www.authz.com",
+		RequestMethod:  "GET",
+		RequestHeaders: map[string]string{"header": "value"},
+	}
+	server.replayResponse = Response{
+		Allow: true,
+		Msg:   "Sample message",
+	}
+
+	actualResponse, err := authZPlugin.AuthZRequest(&request)
+
+	if err != nil {
+		t.Fatalf("Failed to authorize request %v", err)
+	}
+
+	if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
+		t.Fatalf("Response must be equal")
+	}
+	if !reflect.DeepEqual(request, server.recordedRequest) {
+		t.Fatalf("Requests must be equal")
+	}
+}
+
+func TestAuthZResponsePlugin(t *testing.T) {
+
+	server := authZPluginTestServer{t: t}
+	go server.start()
+	defer server.stop()
+
+	authZPlugin := createTestPlugin(t)
+
+	request := Request{
+		User:        "user",
+		RequestBody: []byte("sample body"),
+	}
+	server.replayResponse = Response{
+		Allow: true,
+		Msg:   "Sample message",
+	}
+
+	actualResponse, err := authZPlugin.AuthZResponse(&request)
+
+	if err != nil {
+		t.Fatalf("Failed to authorize request %v", err)
+	}
+
+	if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
+		t.Fatalf("Response must be equal")
+	}
+	if !reflect.DeepEqual(request, server.recordedRequest) {
+		t.Fatalf("Requests must be equal")
+	}
+}
+
+func TestResponseModifier(t *testing.T) {
+
+	r := httptest.NewRecorder()
+	m := NewResponseModifier(r)
+	m.Header().Set("h1", "v1")
+	m.Write([]byte("body"))
+	m.WriteHeader(500)
+
+	m.Flush()
+	if r.Header().Get("h1") != "v1" {
+		t.Fatalf("Header value must exists %s", r.Header().Get("h1"))
+	}
+	if !reflect.DeepEqual(r.Body.Bytes(), []byte("body")) {
+		t.Fatalf("Body value must exists %s", r.Body.Bytes())
+	}
+	if r.Code != 500 {
+		t.Fatalf("Status code must be correct %d", r.Code)
+	}
+}
+
+func TestResponseModifierOverride(t *testing.T) {
+
+	r := httptest.NewRecorder()
+	m := NewResponseModifier(r)
+	m.Header().Set("h1", "v1")
+	m.Write([]byte("body"))
+	m.WriteHeader(500)
+
+	overrideHeader := make(http.Header)
+	overrideHeader.Add("h1", "v2")
+	overrideHeaderBytes, err := json.Marshal(overrideHeader)
+	if err != nil {
+		t.Fatalf("override header failed %v", err)
+	}
+
+	m.OverrideHeader(overrideHeaderBytes)
+	m.OverrideBody([]byte("override body"))
+	m.OverrideStatusCode(404)
+	m.Flush()
+	if r.Header().Get("h1") != "v2" {
+		t.Fatalf("Header value must exists %s", r.Header().Get("h1"))
+	}
+	if !reflect.DeepEqual(r.Body.Bytes(), []byte("override body")) {
+		t.Fatalf("Body value must exists %s", r.Body.Bytes())
+	}
+	if r.Code != 404 {
+		t.Fatalf("Status code must be correct %d", r.Code)
+	}
+}
+
+// createTestPlugin creates a new sample authorization plugin
+func createTestPlugin(t *testing.T) *authorizationPlugin {
+	plugin := &plugins.Plugin{Name: "authz"}
+	var err error
+	pwd, err := os.Getwd()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	plugin.Client, err = plugins.NewClient("unix:///"+path.Join(pwd, pluginAddress), tlsconfig.Options{InsecureSkipVerify: true})
+
+	if err != nil {
+		t.Fatalf("Failed to create client %v", err)
+	}
+
+	return &authorizationPlugin{name: "plugin", plugin: plugin}
+}
+
+// AuthZPluginTestServer is a simple server that implements the authZ plugin interface
+type authZPluginTestServer struct {
+	listener net.Listener
+	t        *testing.T
+	// request stores the request sent from the daemon to the plugin
+	recordedRequest Request
+	// response stores the response sent from the plugin to the daemon
+	replayResponse Response
+}
+
+// start starts the test server that implements the plugin
+func (t *authZPluginTestServer) start() {
+	r := mux.NewRouter()
+	os.Remove(pluginAddress)
+	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: pluginAddress, Net: "unix"})
+	if err != nil {
+		t.t.Fatalf("Failed to listen %v", err)
+	}
+	t.listener = l
+
+	r.HandleFunc("/Plugin.Activate", t.activate)
+	r.HandleFunc("/"+AuthZApiRequest, t.auth)
+	r.HandleFunc("/"+AuthZApiResponse, t.auth)
+	t.listener, err = net.Listen("tcp", pluginAddress)
+	server := http.Server{Handler: r, Addr: pluginAddress}
+	server.Serve(l)
+}
+
+// stop stops the test server that implements the plugin
+func (t *authZPluginTestServer) stop() {
+
+	os.Remove(pluginAddress)
+
+	if t.listener != nil {
+		t.listener.Close()
+	}
+}
+
+// auth is a used to record/replay the authentication api messages
+func (t *authZPluginTestServer) auth(w http.ResponseWriter, r *http.Request) {
+
+	t.recordedRequest = Request{}
+
+	defer r.Body.Close()
+	body, err := ioutil.ReadAll(r.Body)
+	json.Unmarshal(body, &t.recordedRequest)
+	b, err := json.Marshal(t.replayResponse)
+	if err != nil {
+		log.Fatal(err)
+	}
+	w.Write(b)
+
+}
+
+func (t *authZPluginTestServer) activate(w http.ResponseWriter, r *http.Request) {
+
+	b, err := json.Marshal(plugins.Manifest{Implements: []string{AuthZApiImplements}})
+	if err != nil {
+		log.Fatal(err)
+	}
+	w.Write(b)
+}