- Order the flow of the handlers more cleanly: read the request, do the actions,
write the response.
- Add "always allowed" endpoints to handle `/_ping` and `/info` usage
from the test framework/daemon start/restart management
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
| ... | ... |
@@ -30,6 +30,10 @@ const ( |
| 30 | 30 |
containerListAPI = "/containers/json" |
| 31 | 31 |
) |
| 32 | 32 |
|
| 33 |
+var ( |
|
| 34 |
+ alwaysAllowed = []string{"/_ping", "/info"}
|
|
| 35 |
+) |
|
| 36 |
+ |
|
| 33 | 37 |
func init() {
|
| 34 | 38 |
check.Suite(&DockerAuthzSuite{
|
| 35 | 39 |
ds: &DockerSuite{},
|
| ... | ... |
@@ -74,12 +78,6 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
|
| 74 | 74 |
}) |
| 75 | 75 |
|
| 76 | 76 |
mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
|
| 77 |
- if s.ctrl.reqRes.Err != "" {
|
|
| 78 |
- w.WriteHeader(http.StatusInternalServerError) |
|
| 79 |
- } |
|
| 80 |
- b, err := json.Marshal(s.ctrl.reqRes) |
|
| 81 |
- c.Assert(err, check.IsNil) |
|
| 82 |
- w.Write(b) |
|
| 83 | 77 |
defer r.Body.Close() |
| 84 | 78 |
body, err := ioutil.ReadAll(r.Body) |
| 85 | 79 |
c.Assert(err, check.IsNil) |
| ... | ... |
@@ -96,16 +94,20 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
|
| 96 | 96 |
} |
| 97 | 97 |
|
| 98 | 98 |
s.ctrl.requestsURIs = append(s.ctrl.requestsURIs, authReq.RequestURI) |
| 99 |
- }) |
|
| 100 | 99 |
|
| 101 |
- mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
|
|
| 102 |
- if s.ctrl.resRes.Err != "" {
|
|
| 100 |
+ reqRes := s.ctrl.reqRes |
|
| 101 |
+ if isAllowed(authReq.RequestURI) {
|
|
| 102 |
+ reqRes = authorization.Response{Allow: true}
|
|
| 103 |
+ } |
|
| 104 |
+ if reqRes.Err != "" {
|
|
| 103 | 105 |
w.WriteHeader(http.StatusInternalServerError) |
| 104 | 106 |
} |
| 105 |
- b, err := json.Marshal(s.ctrl.resRes) |
|
| 107 |
+ b, err := json.Marshal(reqRes) |
|
| 106 | 108 |
c.Assert(err, check.IsNil) |
| 107 | 109 |
w.Write(b) |
| 110 |
+ }) |
|
| 108 | 111 |
|
| 112 |
+ mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
|
|
| 109 | 113 |
defer r.Body.Close() |
| 110 | 114 |
body, err := ioutil.ReadAll(r.Body) |
| 111 | 115 |
c.Assert(err, check.IsNil) |
| ... | ... |
@@ -120,6 +122,16 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
|
| 120 | 120 |
if strings.HasSuffix(authReq.RequestURI, containerListAPI) {
|
| 121 | 121 |
s.ctrl.psResponseCnt++ |
| 122 | 122 |
} |
| 123 |
+ resRes := s.ctrl.resRes |
|
| 124 |
+ if isAllowed(authReq.RequestURI) {
|
|
| 125 |
+ resRes = authorization.Response{Allow: true}
|
|
| 126 |
+ } |
|
| 127 |
+ if resRes.Err != "" {
|
|
| 128 |
+ w.WriteHeader(http.StatusInternalServerError) |
|
| 129 |
+ } |
|
| 130 |
+ b, err := json.Marshal(resRes) |
|
| 131 |
+ c.Assert(err, check.IsNil) |
|
| 132 |
+ w.Write(b) |
|
| 123 | 133 |
}) |
| 124 | 134 |
|
| 125 | 135 |
err := os.MkdirAll("/etc/docker/plugins", 0755)
|
| ... | ... |
@@ -130,6 +142,16 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
|
| 130 | 130 |
c.Assert(err, checker.IsNil) |
| 131 | 131 |
} |
| 132 | 132 |
|
| 133 |
+// check for always allowed endpoints to not inhibit test framework functions |
|
| 134 |
+func isAllowed(reqURI string) bool {
|
|
| 135 |
+ for _, endpoint := range alwaysAllowed {
|
|
| 136 |
+ if strings.HasSuffix(reqURI, endpoint) {
|
|
| 137 |
+ return true |
|
| 138 |
+ } |
|
| 139 |
+ } |
|
| 140 |
+ return false |
|
| 141 |
+} |
|
| 142 |
+ |
|
| 133 | 143 |
// assertAuthHeaders validates authentication headers are removed |
| 134 | 144 |
func assertAuthHeaders(c *check.C, headers map[string]string) error {
|
| 135 | 145 |
for k := range headers {
|