Skip to content

Commit

Permalink
Merge pull request moby#23425 from runcom/authz-race
Browse files Browse the repository at this point in the history
pkg: authorization: lock when lazy loading
  • Loading branch information
vdemeester authored Jun 13, 2016
2 parents f0193e2 + d1b7e83 commit 5338ae7
Show file tree
Hide file tree
Showing 4 changed files with 44 additions and 28 deletions.
1 change: 0 additions & 1 deletion integration-cli/docker_cli_authz_unix_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,6 @@ func (s *DockerAuthzSuite) TearDownTest(c *check.C) {
func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
mux := http.NewServeMux()
s.server = httptest.NewServer(mux)
c.Assert(s.server, check.NotNil, check.Commentf("Failed to start an HTTP Server"))

mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
b, err := json.Marshal(plugins.Manifest{Implements: []string{authorization.AuthZApiImplements}})
Expand Down
49 changes: 31 additions & 18 deletions pkg/authorization/authz_unix_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
package authorization

import (
"bytes"
"encoding/json"
"io/ioutil"
"net"
Expand All @@ -14,17 +15,17 @@ import (
"os"
"path"
"reflect"
"testing"

"bytes"
"strings"
"testing"

"github.com/docker/docker/pkg/plugins"
"github.com/docker/go-connections/tlsconfig"
"github.com/gorilla/mux"
)

const pluginAddress = "authzplugin.sock"
const (
pluginAddress = "authz-test-plugin.sock"
)

func TestAuthZRequestPluginError(t *testing.T) {
server := authZPluginTestServer{t: t}
Expand All @@ -36,7 +37,7 @@ func TestAuthZRequestPluginError(t *testing.T) {
request := Request{
User: "user",
RequestBody: []byte("sample body"),
RequestURI: "www.authz.com",
RequestURI: "www.authz.com/auth",
RequestMethod: "GET",
RequestHeaders: map[string]string{"header": "value"},
}
Expand All @@ -50,10 +51,10 @@ func TestAuthZRequestPluginError(t *testing.T) {
}

if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
t.Fatalf("Response must be equal")
t.Fatal("Response must be equal")
}
if !reflect.DeepEqual(request, server.recordedRequest) {
t.Fatalf("Requests must be equal")
t.Fatal("Requests must be equal")
}
}

Expand All @@ -67,7 +68,7 @@ func TestAuthZRequestPlugin(t *testing.T) {
request := Request{
User: "user",
RequestBody: []byte("sample body"),
RequestURI: "www.authz.com",
RequestURI: "www.authz.com/auth",
RequestMethod: "GET",
RequestHeaders: map[string]string{"header": "value"},
}
Expand All @@ -82,10 +83,10 @@ func TestAuthZRequestPlugin(t *testing.T) {
}

if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
t.Fatalf("Response must be equal")
t.Fatal("Response must be equal")
}
if !reflect.DeepEqual(request, server.recordedRequest) {
t.Fatalf("Requests must be equal")
t.Fatal("Requests must be equal")
}
}

Expand All @@ -98,6 +99,7 @@ func TestAuthZResponsePlugin(t *testing.T) {

request := Request{
User: "user",
RequestURI: "someting.com/auth",
RequestBody: []byte("sample body"),
}
server.replayResponse = Response{
Expand All @@ -111,10 +113,10 @@ func TestAuthZResponsePlugin(t *testing.T) {
}

if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
t.Fatalf("Response must be equal")
t.Fatal("Response must be equal")
}
if !reflect.DeepEqual(request, server.recordedRequest) {
t.Fatalf("Requests must be equal")
t.Fatal("Requests must be equal")
}
}

Expand Down Expand Up @@ -158,7 +160,7 @@ func TestDrainBody(t *testing.T) {
t.Fatalf("Body must be copied, actual length: '%d'", len(body))
}
if closer == nil {
t.Fatalf("Closer must not be nil")
t.Fatal("Closer must not be nil")
}
modified, err := ioutil.ReadAll(closer)
if err != nil {
Expand Down Expand Up @@ -229,8 +231,10 @@ type authZPluginTestServer struct {
// start starts the test server that implements the plugin
func (t *authZPluginTestServer) start() {
r := mux.NewRouter()
os.Remove(pluginAddress)
l, _ := net.ListenUnix("unix", &net.UnixAddr{Name: pluginAddress, Net: "unix"})
l, err := net.Listen("unix", pluginAddress)
if err != nil {
t.t.Fatal(err)
}
t.listener = l
r.HandleFunc("/Plugin.Activate", t.activate)
r.HandleFunc("/"+AuthZApiRequest, t.auth)
Expand All @@ -257,14 +261,23 @@ func (t *authZPluginTestServer) stop() {
// auth is a used to record/replay the authentication api messages
func (t *authZPluginTestServer) auth(w http.ResponseWriter, r *http.Request) {
t.recordedRequest = Request{}
body, _ := ioutil.ReadAll(r.Body)
body, err := ioutil.ReadAll(r.Body)
if err != nil {
t.t.Fatal(err)
}
r.Body.Close()
json.Unmarshal(body, &t.recordedRequest)
b, _ := json.Marshal(t.replayResponse)
b, err := json.Marshal(t.replayResponse)
if err != nil {
t.t.Fatal(err)
}
w.Write(b)
}

func (t *authZPluginTestServer) activate(w http.ResponseWriter, r *http.Request) {
b, _ := json.Marshal(plugins.Manifest{Implements: []string{AuthZApiImplements}})
b, err := json.Marshal(plugins.Manifest{Implements: []string{AuthZApiImplements}})
if err != nil {
t.t.Fatal(err)
}
w.Write(b)
}
20 changes: 12 additions & 8 deletions pkg/authorization/plugin.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
package authorization

import "github.com/docker/docker/pkg/plugins"
import (
"sync"

"github.com/docker/docker/pkg/plugins"
)

// Plugin allows third party plugins to authorize requests and responses
// in the context of docker API
Expand Down Expand Up @@ -33,6 +37,7 @@ func NewPlugins(names []string) []Plugin {
type authorizationPlugin struct {
plugin *plugins.Plugin
name string
once sync.Once
}

func newAuthorizationPlugin(name string) Plugin {
Expand Down Expand Up @@ -72,12 +77,11 @@ func (a *authorizationPlugin) AuthZResponse(authReq *Request) (*Response, error)
// initPlugin initializes the authorization plugin if needed
func (a *authorizationPlugin) initPlugin() error {
// Lazy loading of plugins
if a.plugin == nil {
var err error
a.plugin, err = plugins.Get(a.name, AuthZApiImplements)
if err != nil {
return err
var err error
a.once.Do(func() {
if a.plugin == nil {
a.plugin, err = plugins.Get(a.name, AuthZApiImplements)
}
}
return nil
})
return err
}
2 changes: 1 addition & 1 deletion pkg/plugins/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ func (c *Client) callWithRetry(serviceMethod string, data io.Reader, retry bool)
return nil, err
}
retries++
logrus.Warnf("Unable to connect to plugin: %s:%s, retrying in %v", req.URL.Host, req.URL.Path, timeOff)
logrus.Warnf("Unable to connect to plugin: %s%s: %v, retrying in %v", req.URL.Host, req.URL.Path, err, timeOff)
time.Sleep(timeOff)
continue
}
Expand Down

0 comments on commit 5338ae7

Please sign in to comment.