9 年之前 · 2f6e3b0ba0
--- a/daemon/network.go
+++ b/daemon/network.go
@@ -3,7 +3,6 @@ package daemon
 
				 import (
			
 
				 	"fmt"
			
 
				 	"net"
			
 
				-	"net/http"
			
 
				 	"strings"
			
 
				 
			
 
				 	netsettings "github.com/docker/docker/daemon/network"
			
@@ -97,7 +96,7 @@ func (daemon *Daemon) getAllNetworks() []libnetwork.Network {
 
				 func (daemon *Daemon) CreateNetwork(create types.NetworkCreateRequest) (*types.NetworkCreateResponse, error) {
			
 
				 	if runconfig.IsPreDefinedNetwork(create.Name) {
			
 
				 		err := fmt.Errorf("%s is a pre-defined network and cannot be created", create.Name)
			
 
				-		return nil, errors.NewErrorWithStatusCode(err, http.StatusForbidden)
			
 
				+		return nil, errors.NewRequestForbiddenError(err)
			
 
				 	}
			
 
				 
			
 
				 	var warning string
			
@@ -221,7 +220,7 @@ func (daemon *Daemon) DeleteNetwork(networkID string) error {
 
				 
			
 
				 	if runconfig.IsPreDefinedNetwork(nw.Name()) {
			
 
				 		err := fmt.Errorf("%s is a pre-defined network and cannot be removed", nw.Name())
			
 
				-		return errors.NewErrorWithStatusCode(err, http.StatusForbidden)
			
 
				+		return errors.NewRequestForbiddenError(err)
			
 
				 	}
			
 
				 
			
 
				 	if err := nw.Delete(); err != nil {
			
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -28,6 +28,12 @@ func NewBadRequestError(err error) error {
 
				 	return NewErrorWithStatusCode(err, http.StatusBadRequest)
			
 
				 }
			
 
				 
			
 
				+// NewRequestForbiddenError creates a new API error
			
 
				+// that has the 403 HTTP status code associated to it.
			
 
				+func NewRequestForbiddenError(err error) error {
			
 
				+	return NewErrorWithStatusCode(err, http.StatusForbidden)
			
 
				+}
			
 
				+
			
 
				 // NewRequestNotFoundError creates a new API error
			
 
				 // that has the 404 HTTP status code associated to it.
			
 
				 func NewRequestNotFoundError(err error) error {
			
--- a/integration-cli/docker_cli_authz_unix_test.go
+++ b/integration-cli/docker_cli_authz_unix_test.go
@@ -21,6 +21,9 @@ import (
 
				 	"github.com/docker/docker/pkg/integration/checker"
			
 
				 	"github.com/docker/docker/pkg/plugins"
			
 
				 	"github.com/go-check/check"
			
 
				+	"net"
			
 
				+	"net/http/httputil"
			
 
				+	"net/url"
			
 
				 )
			
 
				 
			
 
				 const (
			
@@ -272,6 +275,27 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
 
				 	c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s\n", testAuthZPlugin, unauthorizedMessage))
			
 
				 }
			
 
				 
			
 
				+// TestAuthZPluginApiDenyResponse validates that when authorization plugin deny the request, the status code is forbidden
			
 
				+func (s *DockerAuthzSuite) TestAuthZPluginApiDenyResponse(c *check.C) {
			
 
				+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
			
 
				+	c.Assert(err, check.IsNil)
			
 
				+	s.ctrl.reqRes.Allow = false
			
 
				+	s.ctrl.resRes.Msg = unauthorizedMessage
			
 
				+
			
 
				+	daemonURL, err := url.Parse(s.d.sock())
			
 
				+
			
 
				+	conn, err := net.DialTimeout(daemonURL.Scheme, daemonURL.Path, time.Second*10)
			
 
				+	c.Assert(err, check.IsNil)
			
 
				+	client := httputil.NewClientConn(conn, nil)
			
 
				+	req, err := http.NewRequest("GET", "/version", nil)
			
 
				+	c.Assert(err, check.IsNil)
			
 
				+	resp, err := client.Do(req)
			
 
				+
			
 
				+	c.Assert(err, check.IsNil)
			
 
				+	c.Assert(resp.StatusCode, checker.Equals, http.StatusForbidden)
			
 
				+	c.Assert(err, checker.IsNil)
			
 
				+}
			
 
				+
			
 
				 func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
			
 
				 	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
			
 
				 	c.Assert(err, check.IsNil)
			
--- a/pkg/authorization/authz.go
+++ b/pkg/authorization/authz.go
@@ -85,7 +85,7 @@ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 
				 		}
			
 
				 
			
 
				 		if !authRes.Allow {
			
 
				-			return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg)
			
 
				+			return newAuthorizationError(plugin.Name(), authRes.Msg)
			
 
				 		}
			
 
				 	}
			
 
				 
			
@@ -110,7 +110,7 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
 
				 		}
			
 
				 
			
 
				 		if !authRes.Allow {
			
 
				-			return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg)
			
 
				+			return newAuthorizationError(plugin.Name(), authRes.Msg)
			
 
				 		}
			
 
				 	}
			
 
				 
			
@@ -163,3 +163,17 @@ func headers(header http.Header) map[string]string {
 
				 	}
			
 
				 	return v
			
 
				 }
			
 
				+
			
 
				+// authorizationError represents an authorization deny error
			
 
				+type authorizationError struct {
			
 
				+	error
			
 
				+}
			
 
				+
			
 
				+// HTTPErrorStatusCode returns the authorization error status code (forbidden)
			
 
				+func (e authorizationError) HTTPErrorStatusCode() int {
			
 
				+	return http.StatusForbidden
			
 
				+}
			
 
				+
			
 
				+func newAuthorizationError(plugin, msg string) authorizationError {
			
 
				+	return authorizationError{error: fmt.Errorf("authorization denied by plugin %s: %s", plugin, msg)}
			
 
				+}