docker_leash package¶
Subpackages¶
Submodules¶
docker_leash.action_mdocker_leasher module¶
Action¶
-
class
Action
(method, query)[source]¶ Bases:
object
Variables: - method – HTTP method used
- query – unparsed query
- name – parsed name (i.e.: containersList, imagesBuild, …)
- version – API version call, if present
- querystring – parsed querystring
- namespace_name – (i.e.: containers, images, …)
-
_Action__namespace
= None¶
-
_namespace_map
= {'images': <class 'docker_leash.action_mapper.Image'>}¶
-
_r_parse
= <_sre.SRE_Pattern object>¶
-
method
= None¶
-
name
= None¶
-
namespace
¶ Initialize and return a Namespace object when required
Return type: Namespace instance
-
namespace_name
= None¶
-
classmethod
namespace_register
(arg)[source]¶ A decorator to register Namespace for a given namespace name
If no namespace name is provided, it will be derivated from the class name.
Parameters:
-
query
= None¶
-
querystring
= None¶
-
version
= None¶
-
class
Image
(action)[source]¶ Bases:
docker_leash.action_mapper.Namespace
Proof of concept for Namespace subclasses
docker_leash.checks_list module¶
Checks¶
-
class
Checks
[source]¶ Bases:
object
The
Checks
class is responsible for storing and deduplicating the checks to be launched.Variables: docker_leash.checks_list.Checks.checks (list) – The check list. -
static
_structure_convert
(data)[source]¶ An internal helper that will convert structure from the configuration to a better internal format.
Parameters: data (dict) – The check to append. It is a dictionary with a single key / value. Returns: The reformatted test and arguments. Return type: dict
-
add
(data)[source]¶ Add a check to the list.
If the same check is already in the list, it will silently be discarded.
Parameters: data (dict) – The check to append.
-
checks
= None¶ list: Internal storage of the checks to be applied.
-
static
docker_leash.config module¶
Config¶
-
class
Config
(groups=None, policies=None)[source]¶ Bases:
object
The
Config
class is responsible for storing application groups and policies read from the datastore.It has some handy functions to extract values from the configuration. It can respond to questions such as:
- “Which are the groups for a user?”
- “Which policies user belong to?”
- “Which tests are enabled for a user?”
Variables: Parameters: -
static
_default_rule
(rule)[source]¶ Construct a default rule
Parameters: rule (dict) – The current parsed rule Returns: A Checks
containing only the default ruleReturn type: Checks
-
_get_policy_by_member
(username, policies)[source]¶ Extract the policies for a user name.
- Return the concerned policies:
- If the user match in a group
- If the user is None, and “members” contains “Anonymous”
- Else return None
Parameters: Returns: The policies for username
Return type:
-
static
_match_host
(hostname, host_rules)[source]¶ Validate if a hostname match hosts regex list
Parameters: Returns: True if hostname match host rules
Return type: Raises: ConfigurationException – if the host rules are invalid.
-
static
_match_rules
(action, actions)[source]¶ Extract the checks for an action.
First match for exact comparison, then for the “any” keyword, and finally for “parents” action name.
Parameters: - action (docker_leash.action_mapper.Action) – The current action
- actions (dict) – The actions from the policies
Returns: The filtered actions list
Return type: ~docker_leash.checks_list.Checks
-
get_rules
(payload)[source]¶ Return the rules for a payload.
Parameters: payload (str) – The current payload. Returns: The rules concerned by the payload. Return type: list
-
groups
= None¶ The loaded groups
-
policies
= None¶ The loaded policies
docker_leash.exceptions module¶
Exceptions used in Docker Leash Server
-
exception
ConfigurationException
(value=None)[source]¶ Bases:
docker_leash.exceptions.DockerLeashException
Exception for configuration errors.
Used when configuration files are invalid.
-
exception
DockerLeashException
(value=None)[source]¶ Bases:
exceptions.BaseException
Base for all Leash Server Errors.
-
exception
InvalidRequestException
(value=None)[source]¶ Bases:
docker_leash.exceptions.DockerLeashException
Exception for invalid payload.
Used when payload is invalid or incomplete.
-
exception
NoSuchCheckModuleException
(value=None)[source]¶ Bases:
docker_leash.exceptions.DockerLeashException
Exception for non existent check module.
Used when a check is configured by not existent or loadable.
Bases:
docker_leash.exceptions.DockerLeashException
Exception for unauthorized action.
All
docker_leash.checks
modules must return this exception in order to deny the action to the user.
docker_leash.leash_server module¶
Leash server plugin for docker.
This module is responsible for dispatching HTTP requests.
-
activate
()[source]¶ Return implemented event system.
It is used internally by the Docker daemon to indicate which event system is concerned by the plugin. In the case of this plugin, it return authz.
See the official docker documentation.
Request:
GET /Plugin.Activate HTTP/1.1 Host: example.com Accept: application/json
Response:
HTTP/1.1 200 OK Vary: Accept Content-Type: application/json { "Implements": ["authz"] }
Resheader Content-Type: application/json Status 200: valid response Return type: flask.Response
-
authz_request
()[source]¶ Process a request for authorization.
This is one of the main feature of this plugin. Depending on the configuration, the system, will allow or deny a request.
For a specific user, if no configuration match the RequestMethod and the RequestUri, then the default action is to deny the request.
See also
Function
authz_response()
for response authentication.See also
Request:
GET /AuthZPlugin.AuthZReq HTTP/1.1 Host: example.com Accept: application/json { "User": "mal", "AuthenticationMethod": "TLS", "RequestMethod": "POST", "RequestUri": "/v1.32/containers/json", "RequestHeaders": "<base64 encoded string>", "RequestBody": "<base64 encoded string>" }
Response:
HTTP/1.1 200 OK Vary: Accept Content-Type: application/json { "Allow": "true", "Msg": "Authorization granted", "Err": "Authorization granted" }
Reqheader Accept: application/json <json string User: The user identification <json string AuthenticationMethod: The authentication method used <json enum RequestMethod: The HTTP method (GET/DELETE/POST) <json string RequestUri: The HTTP request URI including API version (e.g., /v1.32/containers/json) <json map[string]string RequestHeaders: Request headers as key value pairs (without the authorization header) <json []byte RequestBody: Raw request body >json bool Allow: Boolean value indicating whether the request is allowed or denied >json string Msg: Authorization message (will be returned to the client in case the access is denied) >json string Err: Error message. Will be returned to the client in case the plugin encounter an error. The string value supplied may appear in logs, so should not include confidential information. Resheader Content-Type: application/json Status 200: valid response Status 400: malformed request Status 422: invalid parameters Return type: flask.Response
-
authz_response
()[source]¶ Process a response for authorization.
This is one of the main feature of this plugin. Depending on the configuration, the system, will allow or deny a request.
Warning
In the current version, we don’t check any parameter, and always accept the request.
In contrast to
authz_response()
, this endpoint is called after the action has been processed by the docker daemon. The request payload contains additional fields representing the response from the daemon.See also
Function
authz_request()
for request authentication.See also
Check the official docker documentation.
Request:
GET /AuthZPlugin.AuthZReq HTTP/1.1 Host: example.com Accept: application/json { "User": "mal", "AuthenticationMethod": "TLS", "RequestMethod": "POST", "RequestUri": "/v1.32/containers/json", "RequestHeaders": "<base64 encoded string>", "RequestBody": "<base64 encoded string>", "ResponseStatusCode": "200", "ResponseHeaders": "<base64 encoded string>", "ResponseBody": "<base64 encoded string>" }
Response:
HTTP/1.1 200 OK Vary: Accept Content-Type: application/json { "Allow": "true", "Msg": "Authorization granted", "Err": "Authorization granted" }
Reqheader Accept: application/json <json string User: The user identification <json string AuthenticationMethod: The authentication method used <json enum RequestMethod: The HTTP method (GET/DELETE/POST) <json string RequestUri: The HTTP request URI including API version (e.g., /v1.32/containers/json) <json map[string]string RequestHeaders: Request headers as key value pairs (without the authorization header) <json []byte RequestBody: Raw request body <json int ResponseStatusCode: Status code from the docker daemon <json map[string]string ResponseHeaders: Response headers as key value pairs <json []byte ResponseBody: Raw docker daemon response body >json bool Allow: Boolean value indicating whether the request is allowed or denied >json string Msg: Authorization message (will be returned to the client in case the access is denied) >json string Err: Error message. Will be returned to the client in case the plugin encounter an error. The string value supplied may appear in logs, so should not include confidential information. Resheader Content-Type: application/json Status 200: valid response Status 400: malformed request Status 422: invalid parameters Return type: flask.Response
docker_leash.payload module¶
Payload¶
-
class
Payload
(payload=None)[source]¶ Bases:
object
The
Payload
class is responsible for decoding and storing the current analyzed request.Variables: Parameters: -
static
_decode_base64
(payload)[source]¶ Decode some parts of the payload from base64 to dict.
Parameters: payload (dict) – The payload to fully base64 decode. Returns: The fully decoded payload. Return type: dict
-
static
_get_headers
(payload)[source]¶ Extract the Headers from the payload.
Parameters: payload (dict) – The payload to extract URI. Returns: The Headers. Return type: dict
-
static
_get_method
(payload)[source]¶ Extract the Method from the payload.
Parameters: payload (dict) – The payload to extract method. Returns: The method name. Return type: str or None Raises: InvalidRequestException – if the payload is missing RequestMethod.
-
static
_get_uri
(payload)[source]¶ Extract the URI from the payload.
Parameters: payload (dict) – The payload to extract URI. Returns: The URI. Return type: str or None
-
static
_get_username
(payload)[source]¶ Extract the User from the payload.
If the user is not connected (i.e.: anonymous), the value is an empty string.
Parameters: payload (dict) – The payload to extract username. Returns: The username. Return type: str or None
-
data
= None¶ The full request payload
-
headers
= None¶ The request Headers
-
host
= ''¶ The request Headers
-
method
= None¶ The request HTTP method
-
uri
= None¶ The request URI
-
user
= None¶ The connected user
-
static
docker_leash.processor module¶
Processor¶
-
class
Processor
[source]¶ Bases:
object
The
Processor
class is responsible for launching all thedocker_leash.checks
defined in the configuration for the triplet User, RequestMethod and RequestUri.-
static
_process
(payload, check)[source]¶ Instanciate the requested action and launch
docker_leash.checks.base.BaseCheck.run()
Parameters: Raises: - UnauthorizedException – if the check denied the request.
- NoSuchCheckModuleException – if the check doesn’t exists.
-
config
= None¶ The currently loaded rules.
-
load_config
()[source]¶ Load rules from defined files in the global configuration.
Look for path in that order: path in config file, /etc/docker-leash/, /config/ and docker-leash module directory.
-
run
(body=None)[source]¶ Check if the request is accepted or denied.
The request will be passed to all configured
docker_leash.checks
for the tripletdocker_leash.payload.Payload.user
+docker_leash.payload.Payload.method
+docker_leash.payload.Payload.uri
. If onedocker_leash.checks
sub-modules deny the action, then the whole request is declared as denied.Parameters: Raises: - UnauthorizedException – if the check denied the request.
- NoSuchCheckModuleException – if the check doesn’t exists.
-
static
Module contents¶
A remote AuthZ plugin to enforce granular rules for a Docker multiuser environment