|
| 1 | +/* |
| 2 | + Copyright 2019 Cesanta Software Ltd. |
| 3 | +
|
| 4 | + Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | + you may not use this file except in compliance with the License. |
| 6 | + You may obtain a copy of the License at |
| 7 | +
|
| 8 | + https://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | + Unless required by applicable law or agreed to in writing, software |
| 11 | + distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | + See the License for the specific language governing permissions and |
| 14 | + limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package authn |
| 18 | + |
| 19 | +import ( |
| 20 | + "fmt" |
| 21 | + "os/exec" |
| 22 | + |
| 23 | + "github.com/cesanta/glog" |
| 24 | + rpc "github.com/hashicorp/go-plugin" |
| 25 | + |
| 26 | + "github.com/cesanta/docker_auth/auth_server/api" |
| 27 | + shared "github.com/cesanta/docker_auth/auth_server/plugin" |
| 28 | + plugin "github.com/cesanta/docker_auth/auth_server/plugin/authn" |
| 29 | +) |
| 30 | + |
| 31 | +type RPCAuthnConfig struct { |
| 32 | + Command string `yaml:"command"` |
| 33 | + Args []string `yaml:"args"` |
| 34 | +} |
| 35 | + |
| 36 | +func (c *RPCAuthnConfig) Validate() error { |
| 37 | + if c.Command == "" { |
| 38 | + return fmt.Errorf("command is not set") |
| 39 | + } |
| 40 | + |
| 41 | + if _, err := exec.LookPath(c.Command); err != nil { |
| 42 | + return fmt.Errorf("no such command: %s: %w", c.Command, err) |
| 43 | + } |
| 44 | + |
| 45 | + return nil |
| 46 | +} |
| 47 | + |
| 48 | +type RPCAuthn struct { |
| 49 | + client *rpc.Client |
| 50 | + impl plugin.Authenticator |
| 51 | +} |
| 52 | + |
| 53 | +func (c *RPCAuthn) Authenticate(username string, password api.PasswordString) (bool, api.Labels, error) { |
| 54 | + req := &plugin.AuthenticateRequest{ |
| 55 | + Username: username, |
| 56 | + Password: string(password), |
| 57 | + } |
| 58 | + resp, err := c.impl.Authenticate(req) |
| 59 | + switch { |
| 60 | + case err == nil: |
| 61 | + return true, api.Labels(resp), nil |
| 62 | + case shared.IsError(err, shared.ErrUnauthorized): |
| 63 | + return false, nil, nil |
| 64 | + case shared.IsError(err, shared.ErrUnacceptable): |
| 65 | + return false, nil, api.NoMatch |
| 66 | + default: |
| 67 | + return false, nil, err |
| 68 | + } |
| 69 | +} |
| 70 | + |
| 71 | +func (c *RPCAuthn) Stop() { |
| 72 | + if c.client != nil { |
| 73 | + c.client.Kill() |
| 74 | + } |
| 75 | +} |
| 76 | + |
| 77 | +func (c *RPCAuthn) Name() string { |
| 78 | + return "rpc" |
| 79 | +} |
| 80 | + |
| 81 | +func NewRPCAuthn(cfg *RPCAuthnConfig) (*RPCAuthn, error) { |
| 82 | + glog.Infof("RPC authenticator: %s", cfg) |
| 83 | + |
| 84 | + conn := &rpc.ClientConfig{ |
| 85 | + HandshakeConfig: plugin.Handshake, |
| 86 | + Plugins: plugin.PluginMap, |
| 87 | + Cmd: exec.Command(cfg.Command, cfg.Args...), |
| 88 | + } |
| 89 | + client := rpc.NewClient(conn) |
| 90 | + |
| 91 | + rpcClient, err := client.Client() |
| 92 | + if err != nil { |
| 93 | + client.Kill() |
| 94 | + return nil, err |
| 95 | + } |
| 96 | + |
| 97 | + raw, err := rpcClient.Dispense(plugin.PluginNetRPC) |
| 98 | + if err != nil { |
| 99 | + client.Kill() |
| 100 | + return nil, err |
| 101 | + } |
| 102 | + |
| 103 | + impl, ok := raw.(plugin.Authenticator) |
| 104 | + if !ok { |
| 105 | + client.Kill() |
| 106 | + return nil, fmt.Errorf("no authenticator plugin provided: %T", impl) |
| 107 | + } |
| 108 | + |
| 109 | + result := &RPCAuthn{ |
| 110 | + client: client, |
| 111 | + impl: impl, |
| 112 | + } |
| 113 | + |
| 114 | + return result, nil |
| 115 | +} |
0 commit comments