Merge pull request #2 from qnib/user

allow for --user to be overwritten, not yet w/ unix-socket credentials

main.go

@@ -59,6 +59,11 @@ var (
  Usage: "File holding line-separated regex-patterns to be allowed (comments allowed, use #)",
  EnvVar: "DOXY_PATTERN_FILE",
  }
+ pinUserFlag = cli.StringFlag{
+ Name: "pin-user",
+ Usage: "Overwrite `--user` with given value",
+ EnvVar: "DOXY_PIN_USER",
+ }
  deviceFileFlag = cli.StringFlag{
  Name: "device-file",
  Value: proxy.DEVICE_FILE,
@@ -74,10 +79,12 @@ func EvalOptions(cfg *config.Config) (po []proxy.ProxyOption) {
  po = append(po, proxy.WithDockerSocket(dockerSock))
  debug, _ := cfg.Bool("debug")
  po = append(po, proxy.WithDebugValue(debug))
- devMaps, _ := cfg.String("device-mappings")
  gpu, _ := cfg.Bool("gpu")
  po = append(po, proxy.WithGpuValue(gpu))
+ devMaps, _ := cfg.String("device-mappings")
  po = append(po, proxy.WithDevMappings(strings.Split(devMaps,",")))
+ pinUser, _ := cfg.String("pin-user")
+ po = append(po, proxy.WithPinUserValue(pinUser))
  return
 }
 
@@ -148,6 +155,7 @@ func main() {
  patternFileFlag,
  proxyPatternKey,
  bindAddFlag,
+ pinUserFlag,
  }
  app.Action = RunApp
  app.Run(os.Args)

proxy/main.go

@@ -48,10 +48,10 @@ var (
 )
 
 type Proxy struct {
- dockerSocket, newSocket string
- debug, gpu bool
- patterns []string
- bindMounts,devMappings []string
+ dockerSocket, newSocket, pinUser string
+ debug, gpu  bool
+ patterns  []string
+ bindMounts,devMappings  []string
 }
 
 func NewProxy(opts ...ProxyOption) Proxy {
@@ -64,6 +64,7 @@ func NewProxy(opts ...ProxyOption) Proxy {
  newSocket: options.ProxySocket,
  debug: options.Debug,
  gpu: options.Gpu,
+ pinUser: options.PinUser,
  patterns: options.Patterns,
  bindMounts: options.BindMounts,
  devMappings: options.DevMappings,
@@ -81,7 +82,7 @@ func (p *Proxy) GetOptions() map[string]interface{} {
 }
 
 func (p *Proxy) Run() {
- upstream := NewUpstream(p.dockerSocket, p.patterns, p.bindMounts, p.devMappings, p.gpu)
+ upstream := NewUpstream(p.dockerSocket, p.patterns, p.bindMounts, p.devMappings, p.gpu, p.pinUser)
  sigc := make(chan os.Signal, 1)
  signal.Notify(sigc, os.Interrupt, os.Kill, syscall.SIGTERM)
  l, err := ListenToNewSock(p.newSocket, sigc)
@@ -94,6 +95,7 @@ func (p *Proxy) Run() {
  }
  n.UseHandler(upstream)
  log.Printf("Serving proxy on '%s'", p.newSocket)
+
  if err = http.Serve(l, n); err != nil {
  panic(err)
  }

proxy/options.go

@@ -3,6 +3,7 @@ package proxy
 type ProxyOptions struct {
  DockerSocket string
  ProxySocket string
+ PinUser string
  Debug,Gpu bool
  Patterns []string
  BindMounts []string
@@ -12,6 +13,7 @@ type ProxyOptions struct {
 var defaultProxyOptions = ProxyOptions{
  DockerSocket: DOCKER_SOCKET,
  ProxySocket: PROXY_SOCKET,
+ PinUser: "",
  Debug: false,
  Gpu: false,
  Patterns: []string{},
@@ -21,6 +23,11 @@ var defaultProxyOptions = ProxyOptions{
 
 type ProxyOption func(*ProxyOptions)
 
+func WithPinUserValue(pu string) ProxyOption {
+ return func(o *ProxyOptions) {
+ o.PinUser = pu
+ }
+}
 func WithDockerSocket(s string) ProxyOption {
  return func(o *ProxyOptions) {
  o.DockerSocket = s

proxy/proxy.go

@@ -21,13 +21,14 @@ import (
 
 // UpStream creates upstream handler struct
 type UpStream struct {
- Name string
- proxy http.Handler
+ Name  string
+ proxy  http.Handler
  // TODO: Kick out separat config options and use more generic one
- allowed []*regexp.Regexp
- bindMounts []string
- devMappings  []string
+ allowed  []*regexp.Regexp
+ bindMounts  []string
+ devMappings []string
  gpu bool
+ pinUser string
 }
 
 // UnixSocket just provides the path, so that I can test it
@@ -64,21 +65,23 @@ func newReverseProxy(dial func(network, addr string) (net.Conn, error)) *httputi
 }
 
 // NewUpstream returns a new socket (magic)
-func NewUpstream(socket string, regs []string, binds []string, devs []string, gpu bool) *UpStream {
+func NewUpstream(socket string, regs []string, binds []string, devs []string, gpu bool, pinUser string) *UpStream {
  us := NewUnixSocket(socket)
  a := []*regexp.Regexp{}
  for _, r := range regs {
  p, _ := regexp.Compile(r)
  a = append(a, p)
  }
- return &UpStream{
+ upstream := &UpStream{
  Name: socket,
  proxy: newReverseProxy(us.connectSocket),
  allowed: a,
  bindMounts: binds,
  devMappings: devs,
  gpu: gpu,
+ pinUser: pinUser,
  }
+ return upstream
 }
 
 
@@ -97,11 +100,24 @@ func (u *UpStream) ServeHTTP(w http.ResponseWriter, req *http.Request) {
  http.Error(w, fmt.Sprintf("Only GET requests are allowed, req.Method: %s", req.Method), 400)
  return
  }*/
+ /*
+ // Hijack the connection to inspect who called it
+ hj, ok := w.(http.Hijacker)
+ if !ok {
+ http.Error(w, "webserver doesn't support hijacking", http.StatusInternalServerError)
+ return
+ }
+ conn, _, err := hj.Hijack()
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }*/
  // Read the body
  body, err := ioutil.ReadAll(req.Body)
  if err != nil {
  fmt.Println(err.Error())
  }
+ //syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
  //fmt.Printf("%v\n", hostConfig.Mounts)
  // And now set a new body, which will simulate the same data we read:
  req.Body = ioutil.NopCloser(bytes.NewBuffer(body))
@@ -125,6 +141,15 @@ func (u *UpStream) ServeHTTP(w http.ResponseWriter, req *http.Request) {
  config.Env = append(config.Env, "PATH=/usr/local/nvidia/bin:/usr/local/cuda/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")
  config.Env = append(config.Env, "LD_LIBRARY_PATH=/usr/local/nvidia/")
  }
+ if u.pinUser != "" {
+ // TODO: Should depend on calling user from syscall.GetsockoptUcred()
+ if config.User != "" {
+ fmt.Printf("Overwrite User with '%s', was '%s'\n", u.pinUser, config.User)
+ } else {
+ fmt.Printf("Overwrite User with '%s'\n", u.pinUser)
+ }
+ config.User = u.pinUser
+ }
  for _, bMount := range u.bindMounts {
  if bMount == "" {
  continue