Fix authorization issue - when request is denied return forbbiden exist code (403).
- Return 403 (forbidden) when request is denied in authorization flows (including integration test) - Fix #22428 - Close #22431 Signed-off-by: Liron Levin <liron@twistlock.com>
This commit is contained in:
Liron Levin
parent
b0a5762348
commit
526abc00b1
4 changed files with 48 additions and 5 deletions
|
|
@ -3,7 +3,6 @@ package daemon
|
|||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
netsettings "github.com/docker/docker/daemon/network"
|
||||
|
|
@ -97,7 +96,7 @@ func (daemon *Daemon) getAllNetworks() []libnetwork.Network {
|
|||
func (daemon *Daemon) CreateNetwork(create types.NetworkCreateRequest) (*types.NetworkCreateResponse, error) {
|
||||
if runconfig.IsPreDefinedNetwork(create.Name) {
|
||||
err := fmt.Errorf("%s is a pre-defined network and cannot be created", create.Name)
|
||||
return nil, errors.NewErrorWithStatusCode(err, http.StatusForbidden)
|
||||
return nil, errors.NewRequestForbiddenError(err)
|
||||
}
|
||||
|
||||
var warning string
|
||||
|
|
@ -221,7 +220,7 @@ func (daemon *Daemon) DeleteNetwork(networkID string) error {
|
|||
|
||||
if runconfig.IsPreDefinedNetwork(nw.Name()) {
|
||||
err := fmt.Errorf("%s is a pre-defined network and cannot be removed", nw.Name())
|
||||
return errors.NewErrorWithStatusCode(err, http.StatusForbidden)
|
||||
return errors.NewRequestForbiddenError(err)
|
||||
}
|
||||
|
||||
if err := nw.Delete(); err != nil {
|
||||
|
|
|
|||
|
|
@ -28,6 +28,12 @@ func NewBadRequestError(err error) error {
|
|||
return NewErrorWithStatusCode(err, http.StatusBadRequest)
|
||||
}
|
||||
|
||||
// NewRequestForbiddenError creates a new API error
|
||||
// that has the 403 HTTP status code associated to it.
|
||||
func NewRequestForbiddenError(err error) error {
|
||||
return NewErrorWithStatusCode(err, http.StatusForbidden)
|
||||
}
|
||||
|
||||
// NewRequestNotFoundError creates a new API error
|
||||
// that has the 404 HTTP status code associated to it.
|
||||
func NewRequestNotFoundError(err error) error {
|
||||
|
|
|
|||
|
|
@ -21,6 +21,9 @@ import (
|
|||
"github.com/docker/docker/pkg/integration/checker"
|
||||
"github.com/docker/docker/pkg/plugins"
|
||||
"github.com/go-check/check"
|
||||
"net"
|
||||
"net/http/httputil"
|
||||
"net/url"
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
@ -272,6 +275,27 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
|
|||
c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s\n", testAuthZPlugin, unauthorizedMessage))
|
||||
}
|
||||
|
||||
// TestAuthZPluginApiDenyResponse validates that when authorization plugin deny the request, the status code is forbidden
|
||||
func (s *DockerAuthzSuite) TestAuthZPluginApiDenyResponse(c *check.C) {
|
||||
err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
|
||||
c.Assert(err, check.IsNil)
|
||||
s.ctrl.reqRes.Allow = false
|
||||
s.ctrl.resRes.Msg = unauthorizedMessage
|
||||
|
||||
daemonURL, err := url.Parse(s.d.sock())
|
||||
|
||||
conn, err := net.DialTimeout(daemonURL.Scheme, daemonURL.Path, time.Second*10)
|
||||
c.Assert(err, check.IsNil)
|
||||
client := httputil.NewClientConn(conn, nil)
|
||||
req, err := http.NewRequest("GET", "/version", nil)
|
||||
c.Assert(err, check.IsNil)
|
||||
resp, err := client.Do(req)
|
||||
|
||||
c.Assert(err, check.IsNil)
|
||||
c.Assert(resp.StatusCode, checker.Equals, http.StatusForbidden)
|
||||
c.Assert(err, checker.IsNil)
|
||||
}
|
||||
|
||||
func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
|
||||
err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
|
||||
c.Assert(err, check.IsNil)
|
||||
|
|
|
|||
|
|
@ -85,7 +85,7 @@ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
|
|||
}
|
||||
|
||||
if !authRes.Allow {
|
||||
return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg)
|
||||
return newAuthorizationError(plugin.Name(), authRes.Msg)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -110,7 +110,7 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
|
|||
}
|
||||
|
||||
if !authRes.Allow {
|
||||
return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg)
|
||||
return newAuthorizationError(plugin.Name(), authRes.Msg)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -163,3 +163,17 @@ func headers(header http.Header) map[string]string {
|
|||
}
|
||||
return v
|
||||
}
|
||||
|
||||
// authorizationError represents an authorization deny error
|
||||
type authorizationError struct {
|
||||
error
|
||||
}
|
||||
|
||||
// HTTPErrorStatusCode returns the authorization error status code (forbidden)
|
||||
func (e authorizationError) HTTPErrorStatusCode() int {
|
||||
return http.StatusForbidden
|
||||
}
|
||||
|
||||
func newAuthorizationError(plugin, msg string) authorizationError {
|
||||
return authorizationError{error: fmt.Errorf("authorization denied by plugin %s: %s", plugin, msg)}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue