merge with develop

docker_enforcer.py

@@ -208,8 +208,13 @@ def authz_response():
 @app.route("/AuthZPlugin.AuthZReq", methods=['POST'])
 def authz_request():
     app.logger.debug("New AuthZ Request: {}".format(request.data))
-    json_data = json.loads(request.data.decode(request.charset))
-    url = parse.urlparse(json_data["RequestUri"])
+    try:
+        json_data = json.loads(request.data.decode(request.charset))
+        url = parse.urlparse(json_data["RequestUri"])
+    except Exception as e:
+        app.logger.error("Error while trying to parse incoming message, resolving to default action. Error was: {}"
+                         .format(e))
+        return get_default_response()
     json_data["ParsedUri"] = url
     if config.log_authz_requests:
         log_authz_req(json_data)
@@ -229,6 +234,11 @@ def authz_request():
     return to_formatted_json(json.dumps({"Allow": True}))
 
 
+def get_default_response():
+    resp = {"Allow": True} if config.default_allow else {"Allow": False, "Msg": "Denied as default action"}
+    return to_formatted_json(json.dumps(resp))
+
+
 def log_authz_req(json_data):
     user_info = json_data["User"] if 'UserAuthNMethod' in json_data else '[unknown]'
     app.logger.info("[AUTHZ_REQ] New auth request: user: {}, method: {}, uri: {}"

dockerenforcer/config.py

@@ -4,7 +4,7 @@
 import copy
 from typing import Dict
 
-version = "0.8.4"
+version = "0.8.5"
 
 
 class Mode(Enum):
@@ -32,6 +32,7 @@ def __init__(self) -> None:
         self.immediate_periodical_start: bool = bool(os.getenv('IMMEDIATE_PERIODICAL_START', 'False') == 'True')
         self.stop_on_first_violation: bool = bool(os.getenv('STOP_ON_FIRST_VIOLATION', 'True') == 'True')
         self.log_authz_requests: bool = bool(os.getenv('LOG_AUTHZ_REQUESTS', 'False') == 'True')
+        self.default_allow: bool = bool(os.getenv('DEFAULT_ACTION_ALLOW', 'True') == 'True')
         self.version: str = version
         self.white_list_separator: str = "|"
 

dockerenforcer/docker_helper.py

@@ -34,7 +34,7 @@ def __init__(self, cid: str, params: Dict[str, Any], metrics: Dict[str, Any], po
         self.owner: str = owner
 
     def __str__(self, *args, **kwargs) -> str:
-        return self.params['Name'] if self.params['Name'] else self.cid
+        return self.params.get('Name', self.cid)
 
 
 class DockerHelper:

readme.md

@@ -10,6 +10,7 @@ stop containers running on a single host, but not obeying rules configured by th
 * [How - Configuring and Running](#how-configuring-and-running)
   * [Preparing the rules file](#preparing-the-rules-file)
   * [Configuration options](#configuration-options)
+  * [Running custom code for whitelist evaluation](running-custom-code-for-whitelist-evaluation)
   * [Running additional actions when a rule violation is detected](#running-additional-actions-when-a-rule-violation-is-detected)
   * [Filtering docker API requests](#filtering-docker-api-requests)
   * [Run modes](#run-modes)
@@ -139,6 +140,8 @@ checking all the rules and have all the violations, not only the first one, logg
 - "LOG_AUTHZ_REQUESTS=False" - log all incoming docker API requests received in Authz mode. This logs
 username (if available - only when TLS auth is used), HTTP method and URI for each received authorization
 request. Of course, works only in Authz plugin mode.
+- "DEFAULT_ACTION_ALLOW=True" - if any request is malformed and can't be parsed and evaluated, docker
+enforcer allows this request if set to `True` and denies when `False`
 - "WHITE_LIST=docker-enforcer,docker_enforcer" - pipe ('|') separated list of container name based white
 list definitions, which allow to define a whitelist based on a container name. Each definition can be
 (like in a sample value: "docker.\*,docker-enforcer|steal socket,docker.\*|steal socket"):

test/test_api.py

@@ -143,6 +143,26 @@ def test_killed_check_api_log(self):
         self.assertEqual(det["violated_rule"], "must have memory limit")
         self.assertEqual(det["owner"], "client")
 
+    def test_handles_empty_when_default_action_accept(self):
+        config.default_allow = True
+        res = self.app.post('/AuthZPlugin.AuthZReq', data=ApiTestHelper.authz_req_empty)
+        self._check_response(res, True)
+
+    def test_handles_empty_when_default_action_deny(self):
+        config.default_allow = False
+        res = self.app.post('/AuthZPlugin.AuthZReq', data=ApiTestHelper.authz_req_empty)
+        self._check_response(res, False, "Denied as default action")
+
+    def test_handles_malformed_when_default_action_accept(self):
+        config.default_allow = True
+        res = self.app.post('/AuthZPlugin.AuthZReq', data=ApiTestHelper.authz_req_malformed)
+        self._check_response(res, True)
+
+    def test_handles_malformed_when_default_action_deny(self):
+        config.default_allow = False
+        res = self.app.post('/AuthZPlugin.AuthZReq', data=ApiTestHelper.authz_req_malformed)
+        self._check_response(res, False, "Denied as default action")
+
 
 class ApiInfoTest(unittest.TestCase):
     def setUp(self):

test/test_helpers.py

@@ -101,6 +101,10 @@ def get_verdicts(self):
 
 
 class ApiTestHelper:
+    # empty request
+    authz_req_empty = b''
+    # malformed request
+    authz_req_malformed = b'{"Request'
     # docker run -it alpine sh
     authz_req_plain_run = b'{"RequestMethod":"POST","RequestUri":"/v1.30/containers/create","RequestBody":"eyJIb3N0bmFtZSI6IiIsIkRvbWFpbm5hbWUiOiIiLCJVc2VyIjoiIiwiQXR0YWNoU3RkaW4iOnRydWUsIkF0dGFjaFN0ZG91dCI6dHJ1ZSwiQXR0YWNoU3RkZXJyIjp0cnVlLCJUdHkiOnRydWUsIk9wZW5TdGRpbiI6dHJ1ZSwiU3RkaW5PbmNlIjp0cnVlLCJFbnYiOltdLCJDbWQiOlsic2giXSwiSW1hZ2UiOiJhbHBpbmUiLCJWb2x1bWVzIjp7fSwiV29ya2luZ0RpciI6IiIsIkVudHJ5cG9pbnQiOm51bGwsIk9uQnVpbGQiOm51bGwsIkxhYmVscyI6e30sIkhvc3RDb25maWciOnsiQmluZHMiOm51bGwsIkNvbnRhaW5lcklERmlsZSI6IiIsIkxvZ0NvbmZpZyI6eyJUeXBlIjoiIiwiQ29uZmlnIjp7fX0sIk5ldHdvcmtNb2RlIjoiZGVmYXVsdCIsIlBvcnRCaW5kaW5ncyI6e30sIlJlc3RhcnRQb2xpY3kiOnsiTmFtZSI6Im5vIiwiTWF4aW11bVJldHJ5Q291bnQiOjB9LCJBdXRvUmVtb3ZlIjpmYWxzZSwiVm9sdW1lRHJpdmVyIjoiIiwiVm9sdW1lc0Zyb20iOm51bGwsIkNhcEFkZCI6bnVsbCwiQ2FwRHJvcCI6bnVsbCwiRG5zIjpbXSwiRG5zT3B0aW9ucyI6W10sIkRuc1NlYXJjaCI6W10sIkV4dHJhSG9zdHMiOm51bGwsIkdyb3VwQWRkIjpudWxsLCJJcGNNb2RlIjoiIiwiQ2dyb3VwIjoiIiwiTGlua3MiOm51bGwsIk9vbVNjb3JlQWRqIjowLCJQaWRNb2RlIjoiIiwiUHJpdmlsZWdlZCI6ZmFsc2UsIlB1Ymxpc2hBbGxQb3J0cyI6ZmFsc2UsIlJlYWRvbmx5Um9vdGZzIjpmYWxzZSwiU2VjdXJpdHlPcHQiOm51bGwsIlVUU01vZGUiOiIiLCJVc2VybnNNb2RlIjoiIiwiU2htU2l6ZSI6MCwiQ29uc29sZVNpemUiOlswLDBdLCJJc29sYXRpb24iOiIiLCJDcHVTaGFyZXMiOjAsIk1lbW9yeSI6MCwiTmFub0NwdXMiOjAsIkNncm91cFBhcmVudCI6IiIsIkJsa2lvV2VpZ2h0IjowLCJCbGtpb1dlaWdodERldmljZSI6bnVsbCwiQmxraW9EZXZpY2VSZWFkQnBzIjpudWxsLCJCbGtpb0RldmljZVdyaXRlQnBzIjpudWxsLCJCbGtpb0RldmljZVJlYWRJT3BzIjpudWxsLCJCbGtpb0RldmljZVdyaXRlSU9wcyI6bnVsbCwiQ3B1UGVyaW9kIjowLCJDcHVRdW90YSI6MCwiQ3B1UmVhbHRpbWVQZXJpb2QiOjAsIkNwdVJlYWx0aW1lUnVudGltZSI6MCwiQ3B1c2V0Q3B1cyI6IiIsIkNwdXNldE1lbXMiOiIiLCJEZXZpY2VzIjpbXSwiRGV2aWNlQ2dyb3VwUnVsZXMiOm51bGwsIkRpc2tRdW90YSI6MCwiS2VybmVsTWVtb3J5IjowLCJNZW1vcnlSZXNlcnZhdGlvbiI6MCwiTWVtb3J5U3dhcCI6MCwiTWVtb3J5U3dhcHBpbmVzcyI6LTEsIk9vbUtpbGxEaXNhYmxlIjpmYWxzZSwiUGlkc0xpbWl0IjowLCJVbGltaXRzIjpudWxsLCJDcHVDb3VudCI6MCwiQ3B1UGVyY2VudCI6MCwiSU9NYXhpbXVtSU9wcyI6MCwiSU9NYXhpbXVtQmFuZHdpZHRoIjowfSwiTmV0d29ya2luZ0NvbmZpZyI6eyJFbmRwb2ludHNDb25maWciOnt9fX0K","RequestHeaders":{"Content-Length":"1425","Content-Type":"application/json","User-Agent":"Docker-Client/17.06.0-ce (linux)"}}\n'
     # docker run -it alpine sh