| package authorization // import "github.com/docker/docker/pkg/authorization" |
| |
import (
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
)
| |
// Names of the plugin API calls made by the daemon, and the plugin interface
// name used to discover AuthZ plugins. All three are untyped string constants.
const (
	// AuthZApiRequest is the URL of the plugin call for daemon request authorization.
	AuthZApiRequest = "AuthZPlugin.AuthZReq"

	// AuthZApiResponse is the URL of the plugin call for daemon response authorization.
	AuthZApiResponse = "AuthZPlugin.AuthZRes"

	// AuthZApiImplements is the name of the interface all AuthZ plugins implement.
	AuthZApiImplements = "authz"
)
| |
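// PeerCertificate is a wrapper around x509.Certificate which provides a sane
// encoding/decoding to/from PEM format and JSON.
//
// It is a defined type rather than an alias, so it does not inherit the
// methods of x509.Certificate; convert with (*x509.Certificate)(pc) to use
// them. The JSON form is a byte string (base64 under encoding/json) holding a
// PEM "CERTIFICATE" block that wraps the DER bytes stored in Raw.
type PeerCertificate x509.Certificate

// MarshalJSON returns the JSON encoded pem bytes of a PeerCertificate.
//
// Only pc.Raw is serialised: it is wrapped in a PEM block of type
// "CERTIFICATE" and the PEM text is marshalled as a JSON byte string. A
// zero-value receiver yields a PEM block with an empty body rather than an
// error.
func (pc *PeerCertificate) MarshalJSON() ([]byte, error) {
	b := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: pc.Raw})
	return json.Marshal(b)
}

// UnmarshalJSON populates a new PeerCertificate struct from JSON data.
//
// The JSON value must be a byte string (as produced by MarshalJSON) holding a
// PEM block whose payload is a DER-encoded X.509 certificate. Only the first
// PEM block is used and its type is not checked; any data after it is
// ignored. The receiver is left unchanged when an error is returned.
//
// It returns an error if the JSON is not a byte string, if the bytes contain
// no PEM block, or if the PEM payload does not parse as a certificate.
func (pc *PeerCertificate) UnmarshalJSON(b []byte) error {
	var buf []byte
	if err := json.Unmarshal(b, &buf); err != nil {
		return err
	}
	// pem.Decode returns a nil block when the input holds no PEM data (a JSON
	// null or an arbitrary byte string both end up here); dereferencing it
	// unconditionally would panic on malformed input, so fail explicitly.
	block, _ := pem.Decode(buf)
	if block == nil {
		return errors.New("authorization: peer certificate is not PEM encoded")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	*pc = PeerCertificate(*c)
	return nil
}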
| |
// Request holds data required for authZ plugins.
//
// It carries the HTTP request received by the daemon together with, where
// populated, the daemon's response (the Response* fields). Every field is
// tagged omitempty, so a value that is empty on the daemon side is absent from
// the JSON rather than encoded as its zero value; plugins must treat a missing
// field as unset. []byte fields are rendered as base64 strings by encoding/json.
type Request struct {
	// User holds the user extracted by AuthN mechanism
	User string `json:"User,omitempty"`

	// UserAuthNMethod holds the mechanism used to extract user details (e.g., krb)
	UserAuthNMethod string `json:"UserAuthNMethod,omitempty"`

	// RequestMethod holds the HTTP method (GET/POST/PUT)
	RequestMethod string `json:"RequestMethod,omitempty"`

	// RequestURI holds the full HTTP uri (e.g., /v1.21/version). Note that the
	// JSON key is "RequestUri", not "RequestURI".
	RequestURI string `json:"RequestUri,omitempty"`

	// RequestBody stores the raw request body sent to the docker daemon
	RequestBody []byte `json:"RequestBody,omitempty"`

	// RequestHeaders stores the raw request headers sent to the docker daemon
	RequestHeaders map[string]string `json:"RequestHeaders,omitempty"`

	// RequestPeerCertificates stores the request's TLS peer certificates in PEM
	// format; each entry is encoded through PeerCertificate.MarshalJSON as a JSON
	// byte string holding a PEM block.
	RequestPeerCertificates []*PeerCertificate `json:"RequestPeerCertificates,omitempty"`

	// ResponseStatusCode stores the status code returned from docker daemon.
	// Because of omitempty, a status code of 0 is omitted from the JSON.
	ResponseStatusCode int `json:"ResponseStatusCode,omitempty"`

	// ResponseBody stores the raw response body sent from docker daemon
	ResponseBody []byte `json:"ResponseBody,omitempty"`

	// ResponseHeaders stores the response headers returned from docker daemon
	ResponseHeaders map[string]string `json:"ResponseHeaders,omitempty"`
}
| |
// Response represents authZ plugin response.
//
// Allow carries no omitempty tag, so it is always present in the encoded JSON;
// when decoding, a missing Allow field yields false, i.e. not allowed.
type Response struct {
	// Allow indicating whether the user is allowed or not
	Allow bool `json:"Allow"`

	// Msg stores the authorization message
	Msg string `json:"Msg,omitempty"`

	// Err stores a message in case there's an error
	Err string `json:"Err,omitempty"`
}