-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathplugin.go
87 lines (71 loc) · 2 KB
/
plugin.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"regexp"
"github.com/docker/go-plugins-helpers/authorization"
)
// Rule defines an allowed action by defining method and path pattern of a
// Docker Remote API.
// see https://docs.docker.com/engine/reference/api/docker_remote_api/
type Rule struct {
Method string `json:"method"`
Pattern string `json:"pattern"`
}
// matches checks if given method equals to Rule's method and if the given URI
// matches the Rule's pattern
func (r *Rule) matches(method string, uri string) bool {
matched := false
if methodMatched, _ := regexp.MatchString(r.Method, method); methodMatched {
// TODO take care of errors!
matched, _ = regexp.MatchString(r.Pattern, uri)
}
return matched
}
// sesame implements the Plugin inteface of Docker authorization API and manages
// authorization usign RuleSets
type sesame struct {
rules map[string][]Rule
}
// newPlugin creates a new Sesame plugin.
// It first loads the rules and then registers the unix socket.
func newPlugin(rulesPath string) (*sesame, error) {
var plugin sesame
// Read the rules and decode them
content, err := ioutil.ReadFile(rulesPath)
if err != nil {
return nil, err
}
err = json.Unmarshal(content, &plugin.rules)
if err != nil {
return nil, err
}
// We're gut to go!
return &plugin, nil
}
func (p *sesame) AuthZReq(req authorization.Request) authorization.Response {
user := req.User
method := req.RequestMethod
uri := req.RequestURI
if rules, ok := p.rules[user]; ok {
for _, rule := range rules {
if rule.matches(method, uri) {
return authorization.Response{Allow: true}
}
}
} else {
return authorization.Response{
Allow: false,
Msg: fmt.Sprintf("User '%s' not found!", user),
}
}
return authorization.Response{
Allow: false,
Msg: fmt.Sprintf("User '%s' forbidden to %s on %s!", user, method, uri),
}
}
func (p *sesame) AuthZRes(req authorization.Request) authorization.Response {
// Our decision is final!
return authorization.Response{Allow: true}
}