Revert "Update authz plugin list on failure."

riyazdf · riyazdf · commit a64fc8eea326 · 2016-11-03T15:49:21.000-07:00
This reverts commit fae904a. Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
@@ -52,8 +52,6 @@ type Ctx struct {
 }
 
 // AuthZRequest authorized the request to the docker daemon using authZ plugins
-// Side effect: If the authz plugin is invalid, then update ctx.plugins, so that
-// the caller(middleware) can update its list and stop retrying with invalid plugins.
 func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 	var body []byte
 	if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
@@ -85,14 +83,11 @@ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	for i, plugin := range ctx.plugins {
+	for _, plugin := range ctx.plugins {
 		logrus.Debugf("AuthZ request using plugin %s", plugin.Name())
 
 		authRes, err := plugin.AuthZRequest(ctx.authReq)
 		if err != nil {
-			if err == ErrInvalidPlugin {
-				ctx.plugins = append(ctx.plugins[:i], ctx.plugins[i+1:]...)
-			}
 			return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err)
 		}
 
@@ -105,8 +100,6 @@ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 }
 
 // AuthZResponse authorized and manipulates the response from docker daemon using authZ plugins
-// Side effect: If the authz plugin is invalid, then update ctx.plugins, so that
-// the caller(middleware) can update its list and stop retrying with invalid plugins.
 func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
 	ctx.authReq.ResponseStatusCode = rm.StatusCode()
 	ctx.authReq.ResponseHeaders = headers(rm.Header())
@@ -115,14 +108,11 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
 		ctx.authReq.ResponseBody = rm.RawBody()
 	}
 
-	for i, plugin := range ctx.plugins {
+	for _, plugin := range ctx.plugins {
 		logrus.Debugf("AuthZ response using plugin %s", plugin.Name())
 
 		authRes, err := plugin.AuthZResponse(ctx.authReq)
 		if err != nil {
-			if err == ErrInvalidPlugin {
-				ctx.plugins = append(ctx.plugins[:i], ctx.plugins[i+1:]...)
-			}
 			return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err)
 		}
 
diff --git a/pkg/authorization/middleware.go b/pkg/authorization/middleware.go
@@ -2,7 +2,6 @@ package authorization
 
 import (
 	"net/http"
-	"strings"
 	"sync"
 
 	"github.com/Sirupsen/logrus"
@@ -60,11 +59,6 @@ func (m *Middleware) WrapHandler(handler func(ctx context.Context, w http.Respon
 
 		if err := authCtx.AuthZRequest(w, r); err != nil {
 			logrus.Errorf("AuthZRequest for %s %s returned error: %s", r.Method, r.RequestURI, err)
-			if strings.Contains(err.Error(), ErrInvalidPlugin.Error()) {
-				m.mu.Lock()
-				m.plugins = authCtx.plugins
-				m.mu.Unlock()
-			}
 			return err
 		}
 
@@ -78,11 +72,6 @@ func (m *Middleware) WrapHandler(handler func(ctx context.Context, w http.Respon
 
 		if err := authCtx.AuthZResponse(rw, r); errD == nil && err != nil {
 			logrus.Errorf("AuthZResponse for %s %s returned error: %s", r.Method, r.RequestURI, err)
-			if strings.Contains(err.Error(), ErrInvalidPlugin.Error()) {
-				m.mu.Lock()
-				m.plugins = authCtx.plugins
-				m.mu.Unlock()
-			}
 			return err
 		}
 
diff --git a/pkg/authorization/plugin.go b/pkg/authorization/plugin.go
@@ -1,20 +1,12 @@
 package authorization
 
 import (
-	"errors"
 	"sync"
 
 	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/plugins"
 )
 
-var (
-	// ErrInvalidPlugin indicates that the plugin cannot be used. This is
-	// because the plugin was not found or does not implement necessary
-	// functionality
-	ErrInvalidPlugin = errors.New("invalid plugin")
-)
-
 // Plugin allows third party plugins to authorize requests and responses
 // in the context of docker API
 type Plugin interface {
@@ -110,7 +102,7 @@ func (a *authorizationPlugin) initPlugin() error {
 				plugin, e = plugins.Get(a.name, AuthZApiImplements)
 			}
 			if e != nil {
-				err = ErrInvalidPlugin
+				err = e
 				return
 			}
 			a.plugin = plugin.Client()

Original file line number	Diff line number	Diff line change
`@@ -52,8 +52,6 @@ type Ctx struct {`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`// AuthZRequest authorized the request to the docker daemon using authZ plugins`
`55`		`-// Side effect: If the authz plugin is invalid, then update ctx.plugins, so that`
`56`		`-// the caller(middleware) can update its list and stop retrying with invalid plugins.`
`57`	`55`	`func (ctx Ctx) AuthZRequest(w http.ResponseWriter, r http.Request) error {`
`58`	`56`	`var body []byte`
`59`	`57`	`if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {`
`@@ -85,14 +83,11 @@ func (ctx Ctx) AuthZRequest(w http.ResponseWriter, r http.Request) error {`
`85`	`83`	`}`
`86`	`84`	`}`
`87`	`85`
`88`		`- for i, plugin := range ctx.plugins {`
	`86`	`+ for _, plugin := range ctx.plugins {`
`89`	`87`	`logrus.Debugf("AuthZ request using plugin %s", plugin.Name())`
`90`	`88`
`91`	`89`	`authRes, err := plugin.AuthZRequest(ctx.authReq)`
`92`	`90`	`if err != nil {`
`93`		`- if err == ErrInvalidPlugin {`
`94`		`- ctx.plugins = append(ctx.plugins[:i], ctx.plugins[i+1:]...)`
`95`		`- }`
`96`	`91`	`return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err)`
`97`	`92`	`}`
`98`	`93`
`@@ -105,8 +100,6 @@ func (ctx Ctx) AuthZRequest(w http.ResponseWriter, r http.Request) error {`
`105`	`100`	`}`
`106`	`101`
`107`	`102`	`// AuthZResponse authorized and manipulates the response from docker daemon using authZ plugins`
`108`		`-// Side effect: If the authz plugin is invalid, then update ctx.plugins, so that`
`109`		`-// the caller(middleware) can update its list and stop retrying with invalid plugins.`
`110`	`103`	`func (ctx Ctx) AuthZResponse(rm ResponseModifier, r http.Request) error {`
`111`	`104`	`ctx.authReq.ResponseStatusCode = rm.StatusCode()`
`112`	`105`	`ctx.authReq.ResponseHeaders = headers(rm.Header())`
`@@ -115,14 +108,11 @@ func (ctx Ctx) AuthZResponse(rm ResponseModifier, r http.Request) error {`
`115`	`108`	`ctx.authReq.ResponseBody = rm.RawBody()`
`116`	`109`	`}`
`117`	`110`
`118`		`- for i, plugin := range ctx.plugins {`
	`111`	`+ for _, plugin := range ctx.plugins {`
`119`	`112`	`logrus.Debugf("AuthZ response using plugin %s", plugin.Name())`
`120`	`113`
`121`	`114`	`authRes, err := plugin.AuthZResponse(ctx.authReq)`
`122`	`115`	`if err != nil {`
`123`		`- if err == ErrInvalidPlugin {`
`124`		`- ctx.plugins = append(ctx.plugins[:i], ctx.plugins[i+1:]...)`
`125`		`- }`
`126`	`116`	`return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err)`
`127`	`117`	`}`
`128`	`118`