Merge pull request #2 from qnib/user

allow for --user to be overwritten, not yet w/ unix-socket credentials

Author: ChristianKniep

main.go

@@ -59,6 +59,11 @@ var (
 		Usage: "File holding line-separated regex-patterns to be allowed (comments allowed, use #)",
 		EnvVar: "DOXY_PATTERN_FILE",
 	}
+	pinUserFlag = cli.StringFlag{
+		Name:  "pin-user",
+		Usage: "Overwrite `--user` with given value",
+		EnvVar: "DOXY_PIN_USER",
+	}
 	deviceFileFlag = cli.StringFlag{
 		Name:  "device-file",
 		Value: proxy.DEVICE_FILE,
@@ -74,10 +79,12 @@ func EvalOptions(cfg *config.Config) (po []proxy.ProxyOption) {
 	po = append(po, proxy.WithDockerSocket(dockerSock))
 	debug, _ := cfg.Bool("debug")
 	po = append(po, proxy.WithDebugValue(debug))
-	devMaps, _ := cfg.String("device-mappings")
 	gpu, _ := cfg.Bool("gpu")
 	po = append(po, proxy.WithGpuValue(gpu))
+	devMaps, _ := cfg.String("device-mappings")
 	po = append(po, proxy.WithDevMappings(strings.Split(devMaps,",")))
+	pinUser, _ := cfg.String("pin-user")
+	po = append(po, proxy.WithPinUserValue(pinUser))
 	return
 }
 
@@ -148,6 +155,7 @@ func main() {
 		patternFileFlag,
 		proxyPatternKey,
 		bindAddFlag,
+		pinUserFlag,
 	}
 	app.Action = RunApp
 	app.Run(os.Args)

proxy/main.go

@@ -48,10 +48,10 @@ var (
 )
 
 type Proxy struct {
-	dockerSocket, newSocket string
-	debug, gpu 				bool
-	patterns 				[]string
-	bindMounts,devMappings	[]string
+	dockerSocket, newSocket, pinUser 	string
+	debug, gpu 							bool
+	patterns 							[]string
+	bindMounts,devMappings				[]string
 }
 
 func NewProxy(opts ...ProxyOption) Proxy {
@@ -64,6 +64,7 @@ func NewProxy(opts ...ProxyOption) Proxy {
 		newSocket: options.ProxySocket,
 		debug: options.Debug,
 		gpu: options.Gpu,
+		pinUser: options.PinUser,
 		patterns: options.Patterns,
 		bindMounts: options.BindMounts,
 		devMappings: options.DevMappings,
@@ -81,7 +82,7 @@ func (p *Proxy) GetOptions() map[string]interface{} {
 }
 
 func (p *Proxy) Run() {
-	upstream := NewUpstream(p.dockerSocket, p.patterns, p.bindMounts, p.devMappings, p.gpu)
+	upstream := NewUpstream(p.dockerSocket, p.patterns, p.bindMounts, p.devMappings, p.gpu, p.pinUser)
 	sigc := make(chan os.Signal, 1)
 	signal.Notify(sigc, os.Interrupt, os.Kill, syscall.SIGTERM)
 	l, err := ListenToNewSock(p.newSocket, sigc)
@@ -94,6 +95,7 @@ func (p *Proxy) Run() {
 	}
 	n.UseHandler(upstream)
 	log.Printf("Serving proxy on '%s'", p.newSocket)
+
 	if err = http.Serve(l, n); err != nil {
 		panic(err)
 	}

proxy/options.go

@@ -3,6 +3,7 @@ package proxy
 type ProxyOptions struct {
 	DockerSocket 	string
 	ProxySocket 	string
+	PinUser			string
 	Debug,Gpu 			bool
 	Patterns 		[]string
 	BindMounts		[]string
@@ -12,6 +13,7 @@ type ProxyOptions struct {
 var defaultProxyOptions = ProxyOptions{
 	DockerSocket: DOCKER_SOCKET,
 	ProxySocket: PROXY_SOCKET,
+	PinUser: "",
 	Debug: false,
 	Gpu: false,
 	Patterns: []string{},
@@ -21,6 +23,11 @@ var defaultProxyOptions = ProxyOptions{
 
 type ProxyOption func(*ProxyOptions)
 
+func WithPinUserValue(pu string) ProxyOption {
+	return func(o *ProxyOptions) {
+		o.PinUser = pu
+	}
+}
 func WithDockerSocket(s string) ProxyOption {
 	return func(o *ProxyOptions) {
 		o.DockerSocket = s

proxy/proxy.go

@@ -21,13 +21,14 @@ import (
 
 // UpStream creates upstream handler struct
 type UpStream struct {
-	Name  string
-	proxy http.Handler
+	Name  		string
+	proxy 		http.Handler
 	// TODO: Kick out separat config options and use more generic one
-	allowed []*regexp.Regexp
-	bindMounts []string
-	devMappings 	[]string
+	allowed 	[]*regexp.Regexp
+	bindMounts 	[]string
+	devMappings []string
 	gpu 		bool
+	pinUser 	string
 }
 
 // UnixSocket just provides the path, so that I can test it
@@ -64,21 +65,23 @@ func newReverseProxy(dial func(network, addr string) (net.Conn, error)) *httputi
 }
 
 // NewUpstream returns a new socket (magic)
-func NewUpstream(socket string, regs []string, binds []string, devs []string, gpu bool) *UpStream {
+func NewUpstream(socket string, regs []string, binds []string, devs []string, gpu bool, pinUser string) *UpStream {
 	us := NewUnixSocket(socket)
 	a := []*regexp.Regexp{}
 	for _, r := range regs {
 		p, _ := regexp.Compile(r)
 		a = append(a, p)
 	}
-	return &UpStream{
+	upstream := &UpStream{
 		Name:  socket,
 		proxy: newReverseProxy(us.connectSocket),
 		allowed: a,
 		bindMounts: binds,
 		devMappings: devs,
 		gpu: gpu,
+		pinUser: pinUser,
 	}
+	return upstream
 }
 
 
@@ -97,11 +100,24 @@ func (u *UpStream) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		http.Error(w, fmt.Sprintf("Only GET requests are allowed, req.Method: %s", req.Method), 400)
 		return
 	}*/
+	/*
+	// Hijack the connection to inspect who called it
+	hj, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "webserver doesn't support hijacking", http.StatusInternalServerError)
+		return
+	}
+	conn, _, err := hj.Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}*/
 	// Read the body
 	body, err := ioutil.ReadAll(req.Body)
 	if err != nil {
 		fmt.Println(err.Error())
 	}
+	//syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
 	//fmt.Printf("%v\n", hostConfig.Mounts)
 	// And now set a new body, which will simulate the same data we read:
 	req.Body = ioutil.NopCloser(bytes.NewBuffer(body))
@@ -125,6 +141,15 @@ func (u *UpStream) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 			config.Env = append(config.Env, "PATH=/usr/local/nvidia/bin:/usr/local/cuda/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")
 			config.Env = append(config.Env, "LD_LIBRARY_PATH=/usr/local/nvidia/")
 		}
+		if u.pinUser != "" {
+			// TODO: Should depend on calling user from syscall.GetsockoptUcred()
+			if config.User != "" {
+				fmt.Printf("Overwrite User with '%s', was '%s'\n", u.pinUser, config.User)
+			} else {
+				fmt.Printf("Overwrite User with '%s'\n", u.pinUser)
+			}
+			config.User = u.pinUser
+		}
 		for _, bMount := range u.bindMounts {
 			if bMount == "" {
 				continue