enhance user-pinning

Author: ChristianKniep

main.go

@@ -33,11 +33,6 @@ var (
 		Usage: "Map devices, bind-mounts and environment into each container to allow GPU usage",
 		EnvVar: "DOXY_GPU_ENABLED",
 	}
-	constrainUser = cli.BoolFlag{
-		Name: "user-pinning",
-		Usage: "Pin user within container to the UID calling the command",
-		EnvVar: "DOXY_USER_PINNING_ENABLED",
-	}
 	debugFlag = cli.BoolFlag{
 		Name: "debug",
 		Usage: "Print proxy requests",
@@ -59,10 +54,15 @@ var (
 		Usage: "File holding line-separated regex-patterns to be allowed (comments allowed, use #)",
 		EnvVar: "DOXY_PATTERN_FILE",
 	}
+	pinUserBool = cli.BoolFlag{
+		Name: "pin-user",
+		Usage: "Pin user within container to the UID calling the command",
+		EnvVar: "DOXY_USER_PINNING_ENABLED",
+	}
 	pinUserFlag = cli.StringFlag{
-		Name:  "pin-user",
-		Usage: "Overwrite `--user` with given value",
-		EnvVar: "DOXY_PIN_USER",
+		Name:  "user",
+		Usage: "Overwrite `--user` with given value (if pin-user is set)",
+		EnvVar: "DOXY_USER",
 	}
 	deviceFileFlag = cli.StringFlag{
 		Name:  "device-file",
@@ -83,8 +83,9 @@ func EvalOptions(cfg *config.Config) (po []proxy.ProxyOption) {
 	po = append(po, proxy.WithGpuValue(gpu))
 	devMaps, _ := cfg.String("device-mappings")
 	po = append(po, proxy.WithDevMappings(strings.Split(devMaps,",")))
-	pinUser, _ := cfg.String("pin-user")
-	po = append(po, proxy.WithPinUserValue(pinUser))
+	pinUser, _ := cfg.String("user")
+	pinUserBool, _ := cfg.Bool("pin-user")
+	po = append(po, proxy.WithPinUser(pinUserBool, pinUser))
 	return
 }
 
@@ -155,6 +156,7 @@ func main() {
 		patternFileFlag,
 		proxyPatternKey,
 		bindAddFlag,
+		pinUserBool,
 		pinUserFlag,
 	}
 	app.Action = RunApp

proxy/main.go

@@ -48,8 +48,9 @@ var (
 )
 
 type Proxy struct {
+	po ProxyOptions
 	dockerSocket, newSocket, pinUser 	string
-	debug, gpu 							bool
+	debug, gpu, pinUserEnabled			bool
 	patterns 							[]string
 	bindMounts,devMappings				[]string
 }
@@ -65,6 +66,8 @@ func NewProxy(opts ...ProxyOption) Proxy {
 		debug: options.Debug,
 		gpu: options.Gpu,
 		pinUser: options.PinUser,
+		pinUserEnabled: options.PinUserEnabled,
+		po: options,
 		patterns: options.Patterns,
 		bindMounts: options.BindMounts,
 		devMappings: options.DevMappings,
@@ -77,12 +80,13 @@ func (p *Proxy) GetOptions() map[string]interface{} {
 		"proxy-socket": p.newSocket,
 		"debug": p.debug,
 		"patterns": p.patterns,
+		"pin-user": p.pinUserEnabled,
 	}
 	return opt
 }
 
 func (p *Proxy) Run() {
-	upstream := NewUpstream(p.dockerSocket, p.patterns, p.bindMounts, p.devMappings, p.gpu, p.pinUser)
+	upstream := NewUpstream(p.dockerSocket, p.patterns, p.bindMounts, p.devMappings, p.gpu, p.pinUser, p.pinUserEnabled)
 	sigc := make(chan os.Signal, 1)
 	signal.Notify(sigc, os.Interrupt, os.Kill, syscall.SIGTERM)
 	l, err := ListenToNewSock(p.newSocket, sigc)

proxy/options.go

@@ -1,19 +1,17 @@
 package proxy
 
+
 type ProxyOptions struct {
-	DockerSocket 	string
-	ProxySocket 	string
-	PinUser			string
-	Debug,Gpu 			bool
-	Patterns 		[]string
-	BindMounts		[]string
-	DevMappings		[]string
+	DockerSocket,ProxySocket,PinUser 	string
+	Debug,Gpu,PinUserEnabled 			bool
+	Patterns,BindMounts,DevMappings 	[]string
 }
 
 var defaultProxyOptions = ProxyOptions{
 	DockerSocket: DOCKER_SOCKET,
 	ProxySocket: PROXY_SOCKET,
 	PinUser: "",
+	PinUserEnabled: false,
 	Debug: false,
 	Gpu: false,
 	Patterns: []string{},
@@ -23,9 +21,10 @@ var defaultProxyOptions = ProxyOptions{
 
 type ProxyOption func(*ProxyOptions)
 
-func WithPinUserValue(pu string) ProxyOption {
+func WithPinUser(pub bool, pu string) ProxyOption {
 	return func(o *ProxyOptions) {
 		o.PinUser = pu
+		o.PinUserEnabled = pub
 	}
 }
 func WithDockerSocket(s string) ProxyOption {

proxy/proxy.go

@@ -21,14 +21,15 @@ import (
 
 // UpStream creates upstream handler struct
 type UpStream struct {
-	Name  		string
-	proxy 		http.Handler
+	Name  			string
+	proxy 			http.Handler
 	// TODO: Kick out separat config options and use more generic one
-	allowed 	[]*regexp.Regexp
-	bindMounts 	[]string
-	devMappings []string
-	gpu 		bool
-	pinUser 	string
+	allowed 		[]*regexp.Regexp
+	bindMounts 		[]string
+	devMappings 	[]string
+	gpu 			bool
+	pinUser 		string
+	pinUserEnabled	bool
 }
 
 // UnixSocket just provides the path, so that I can test it
@@ -64,8 +65,27 @@ func newReverseProxy(dial func(network, addr string) (net.Conn, error)) *httputi
 	}
 }
 
+func NewUpstreamPO(po ProxyOptions) *UpStream {
+	us := NewUnixSocket(po.ProxySocket)
+	a := []*regexp.Regexp{}
+	for _, r := range po.Patterns {
+		p, _ := regexp.Compile(r)
+		a = append(a, p)
+	}
+	upstream := &UpStream{
+		Name:  po.ProxySocket,
+		proxy: newReverseProxy(us.connectSocket),
+		allowed: a,
+		bindMounts: po.BindMounts,
+		devMappings: po.DevMappings,
+		gpu: po.Gpu,
+		pinUser: po.PinUser,
+		pinUserEnabled: po.PinUserEnabled,
+	}
+	return upstream
+}
 // NewUpstream returns a new socket (magic)
-func NewUpstream(socket string, regs []string, binds []string, devs []string, gpu bool, pinUser string) *UpStream {
+func NewUpstream(socket string, regs []string, binds []string, devs []string, gpu bool, pinUser string, pinUserB bool) *UpStream {
 	us := NewUnixSocket(socket)
 	a := []*regexp.Regexp{}
 	for _, r := range regs {
@@ -80,6 +100,7 @@ func NewUpstream(socket string, regs []string, binds []string, devs []string, gp
 		devMappings: devs,
 		gpu: gpu,
 		pinUser: pinUser,
+		pinUserEnabled: pinUserB,
 	}
 	return upstream
 }
@@ -141,14 +162,20 @@ func (u *UpStream) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 			config.Env = append(config.Env, "PATH=/usr/local/nvidia/bin:/usr/local/cuda/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")
 			config.Env = append(config.Env, "LD_LIBRARY_PATH=/usr/local/nvidia/")
 		}
-		if u.pinUser != "" {
+		if u.pinUserEnabled {
+			fmt.Print("Alter User setting ")
 			// TODO: Should depend on calling user from syscall.GetsockoptUcred()
-			if config.User != "" {
-				fmt.Printf("Overwrite User with '%s', was '%s'\n", u.pinUser, config.User)
-			} else {
-				fmt.Printf("Overwrite User with '%s'\n", u.pinUser)
+			switch {
+			case config.User != "" && u.pinUser == "":
+				fmt.Printf(" - Remove setting User, was '%s'\n", config.User)
+				config.User = ""
+			case config.User != "" && u.pinUser != "":
+				fmt.Printf(" - Overwrite User with '%s', was '%s'\n", u.pinUser, config.User)
+				config.User = u.pinUser
+			default:
+				fmt.Printf(" - Set User to '%s'\n", u.pinUser)
+				config.User = u.pinUser
 			}
-			config.User = u.pinUser
 		}
 		for _, bMount := range u.bindMounts {
 			if bMount == "" {