forked from TrueCloudLab/distribution
2c3d738a05
The auth package has been updated to use "golang.org/x/net/context" for passing information between the application and the auth backend. AccessControllers should now set a "auth.user" context value to a AuthUser struct containing a single "Name" field for now with possible, optional, values in the future. The "silly" auth backend always sets the name to "silly", while the "token" auth backend will set the name to match the "subject" claim of the JWT. Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
95 lines
2.6 KiB
Go
95 lines
2.6 KiB
Go
// Package silly provides a simple authentication scheme that checks for the
|
|
// existence of an Authorization header and issues access if is present and
|
|
// non-empty.
|
|
//
|
|
// This package is present as an example implementation of a minimal
|
|
// auth.AccessController and for testing. This is not suitable for any kind of
|
|
// production security.
|
|
package silly
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/docker/distribution/auth"
|
|
"golang.org/x/net/context"
|
|
)
|
|
|
|
// accessController provides a simple implementation of auth.AccessController
|
|
// that simply checks for a non-empty Authorization header. It is useful for
|
|
// demonstration and testing.
|
|
type accessController struct {
|
|
realm string
|
|
service string
|
|
}
|
|
|
|
var _ auth.AccessController = &accessController{}
|
|
|
|
func newAccessController(options map[string]interface{}) (auth.AccessController, error) {
|
|
realm, present := options["realm"]
|
|
if _, ok := realm.(string); !present || !ok {
|
|
return nil, fmt.Errorf(`"realm" must be set for silly access controller`)
|
|
}
|
|
|
|
service, present := options["service"]
|
|
if _, ok := service.(string); !present || !ok {
|
|
return nil, fmt.Errorf(`"service" must be set for silly access controller`)
|
|
}
|
|
|
|
return &accessController{realm: realm.(string), service: service.(string)}, nil
|
|
}
|
|
|
|
// Authorized simply checks for the existence of the authorization header,
|
|
// responding with a bearer challenge if it doesn't exist.
|
|
func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {
|
|
req, err := auth.RequestFromContext(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if req.Header.Get("Authorization") == "" {
|
|
challenge := challenge{
|
|
realm: ac.realm,
|
|
service: ac.service,
|
|
}
|
|
|
|
if len(accessRecords) > 0 {
|
|
var scopes []string
|
|
for _, access := range accessRecords {
|
|
scopes = append(scopes, fmt.Sprintf("%s:%s:%s", access.Type, access.Resource.Name, access.Action))
|
|
}
|
|
challenge.scope = strings.Join(scopes, " ")
|
|
}
|
|
|
|
return nil, &challenge
|
|
}
|
|
|
|
return context.WithValue(ctx, "auth.user", auth.UserInfo{Name: "silly"}), nil
|
|
}
|
|
|
|
type challenge struct {
|
|
realm string
|
|
service string
|
|
scope string
|
|
}
|
|
|
|
func (ch *challenge) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
header := fmt.Sprintf("Bearer realm=%q,service=%q", ch.realm, ch.service)
|
|
|
|
if ch.scope != "" {
|
|
header = fmt.Sprintf("%s,scope=%q", header, ch.scope)
|
|
}
|
|
|
|
w.Header().Set("Authorization", header)
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
}
|
|
|
|
func (ch *challenge) Error() string {
|
|
return fmt.Sprintf("silly authentication challenge: %#v", ch)
|
|
}
|
|
|
|
// init registers the silly auth backend.
|
|
func init() {
|
|
auth.Register("silly", auth.InitFunc(newAccessController))
|
|
}
|