pkg: authorization: add Err to tweak response status code

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

docs/extend/authorization.md

@@ -147,12 +147,12 @@ should implement the following two methods:
 
 ```json
 {
-    "User":              "The user identification"
+    "User":              "The user identification",
-    "UserAuthNMethod":   "The authentication method used"
+    "UserAuthNMethod":   "The authentication method used",
-    "RequestMethod":     "The HTTP method"
+    "RequestMethod":     "The HTTP method",
-    "RequestUri":        "The HTTP request URI"
+    "RequestUri":        "The HTTP request URI",
-    "RequestBody":       "Byte array containing the raw HTTP request body"
+    "RequestBody":       "Byte array containing the raw HTTP request body",
-    "RequestHeader":     "Byte array containing the raw HTTP request header as a map[string][]string "
+    "RequestHeader":     "Byte array containing the raw HTTP request header as a map[string][]string ",
     "RequestStatusCode": "Request status code"
 }
 ```
@@ -161,26 +161,26 @@ should implement the following two methods:
 
 ```json
 {
-    "Allow" : "Determined whether the user is allowed or not"
+    "Allow": "Determined whether the user is allowed or not",
-    "Msg":    "The authorization message"
+    "Msg":   "The authorization message",
+    "Err":   "The error message if things go wrong"
 }
 ```
-
 #### /AuthzPlugin.AuthZRes
 
 **Request**:
 
 ```json
 {
-    "User":              "The user identification"
+    "User":              "The user identification",
-    "UserAuthNMethod":   "The authentication method used"
+    "UserAuthNMethod":   "The authentication method used",
-    "RequestMethod":     "The HTTP method"
+    "RequestMethod":     "The HTTP method",
-    "RequestUri":        "The HTTP request URI"
+    "RequestUri":        "The HTTP request URI",
-    "RequestBody":       "Byte array containing the raw HTTP request body"
+    "RequestBody":       "Byte array containing the raw HTTP request body",
-    "RequestHeader":     "Byte array containing the raw HTTP request header as a map[string][]string"
+    "RequestHeader":     "Byte array containing the raw HTTP request header as a map[string][]string",
-    "RequestStatusCode": "Request status code"
+    "RequestStatusCode": "Request status code",
-    "ResponseBody":      "Byte array containing the raw HTTP response body"
+    "ResponseBody":      "Byte array containing the raw HTTP response body",
-    "ResponseHeader":    "Byte array containing the raw HTTP response header as a map[string][]string"
+    "ResponseHeader":    "Byte array containing the raw HTTP response header as a map[string][]string",
     "ResponseStatusCode":"Response status code"
 }
 ```
@@ -189,10 +189,11 @@ should implement the following two methods:
 
 ```json
 {
-   "Allow" :               "Determined whether the user is allowed or not"
+   "Allow":              "Determined whether the user is allowed or not",
-   "Msg":                  "The authorization message"
+   "Msg":                "The authorization message",
-   "ModifiedBody":         "Byte array containing a modified body of the raw HTTP body (or nil if no changes required)"
+   "Err":                "The error message if things go wrong",
-   "ModifiedHeader":       "Byte array containing a modified header of the HTTP response (or nil if no changes required)"
+   "ModifiedBody":       "Byte array containing a modified body of the raw HTTP body (or nil if no changes required)",
+   "ModifiedHeader":     "Byte array containing a modified header of the HTTP response (or nil if no changes required)",
    "ModifiedStatusCode": "int containing the modified version of the status code (or 0 if not change is required)"
 }
 ```
@@ -222,7 +223,8 @@ Request body           | []byte            | Raw request body
 Name    | Type   | Description
 --------|--------|----------------------------------------------------------------------------------
 Allow   | bool   | Boolean value indicating whether the request is allowed or denied
-Message | string | Authorization message (will be returned to the client in case the access is denied)
+Msg     | string | Authorization message (will be returned to the client in case the access is denied)
+Err     | string | Error message (will be returned to the client in case the plugin encounter an error)
 
 ### Response authorization
 
@@ -249,4 +251,5 @@ Response body           | []byte            | Raw docker daemon response body
 Name    | Type   | Description
 --------|--------|----------------------------------------------------------------------------------
 Allow   | bool   | Boolean value indicating whether the response is allowed or denied
-Message | string | Authorization message (will be returned to the client in case the access is denied)
+Msg     | string | Authorization message (will be returned to the client in case the access is denied)
+Err     | string | Error message (will be returned to the client in case the plugin encounter an error)

integration-cli/docker_cli_authz_unix_test.go

@@ -17,9 +17,12 @@ import (
 	"github.com/go-check/check"
 )
 
-const testAuthZPlugin = "authzplugin"
+const (
-const unauthorizedMessage = "User unauthorized authz plugin"
+	testAuthZPlugin     = "authzplugin"
-const containerListAPI = "/containers/json"
+	unauthorizedMessage = "User unauthorized authz plugin"
+	errorMessage        = "something went wrong..."
+	containerListAPI    = "/containers/json"
+)
 
 func init() {
 	check.Suite(&DockerAuthzSuite{
@@ -66,9 +69,12 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
 	})
 
 	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
+		if s.ctrl.reqRes.Err != "" {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
 		b, err := json.Marshal(s.ctrl.reqRes)
-		w.Write(b)
 		c.Assert(err, check.IsNil)
+		w.Write(b)
 		defer r.Body.Close()
 		body, err := ioutil.ReadAll(r.Body)
 		c.Assert(err, check.IsNil)
@@ -88,6 +94,9 @@ func (s *DockerAuthzSuite) SetUpSuite(c *check.C) {
 	})
 
 	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
+		if s.ctrl.resRes.Err != "" {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
 		b, err := json.Marshal(s.ctrl.resRes)
 		c.Assert(err, check.IsNil)
 		w.Write(b)
@@ -214,6 +223,31 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
 	c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: %s\n", unauthorizedMessage))
 }
 
+func (s *DockerAuthzSuite) TestAuthZPluginErrorResponse(c *check.C) {
+	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
+	c.Assert(err, check.IsNil)
+	s.ctrl.reqRes.Allow = true
+	s.ctrl.resRes.Err = errorMessage
+
+	// Ensure command is blocked
+	res, err := s.d.Cmd("ps")
+	c.Assert(err, check.NotNil)
+
+	c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: Plugin Error: %s, %s\n", errorMessage, authorization.AuthZApiResponse))
+}
+
+func (s *DockerAuthzSuite) TestAuthZPluginErrorRequest(c *check.C) {
+	err := s.d.Start("--authz-plugin=" + testAuthZPlugin)
+	c.Assert(err, check.IsNil)
+	s.ctrl.reqRes.Err = errorMessage
+
+	// Ensure command is blocked
+	res, err := s.d.Cmd("ps")
+	c.Assert(err, check.NotNil)
+
+	c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: Plugin Error: %s, %s\n", errorMessage, authorization.AuthZApiRequest))
+}
+
 // assertURIRecorded verifies that the given URI was sent and recorded in the authz plugin
 func assertURIRecorded(c *check.C, uris []string, uri string) {
 

pkg/authorization/api.go

@@ -43,10 +43,12 @@ type Request struct {
 
 // Response represents authZ plugin response
 type Response struct {
-
 	// Allow indicating whether the user is allowed or not
 	Allow bool `json:"Allow"`
 
 	// Msg stores the authorization message
 	Msg string `json:"Msg,omitempty"`
+
+	// Err stores a message in case there's an error
+	Err string `json:"Err,omitempty"`
 }

pkg/authorization/authz.go

@@ -84,6 +84,10 @@ func (a *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 			return err
 		}
 
+		if authRes.Err != "" {
+			return fmt.Errorf(authRes.Err)
+		}
+
 		if !authRes.Allow {
 			return fmt.Errorf(authRes.Msg)
 		}
@@ -107,6 +111,10 @@ func (a *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
 			return err
 		}
 
+		if authRes.Err != "" {
+			return fmt.Errorf(authRes.Err)
+		}
+
 		if !authRes.Allow {
 			return fmt.Errorf(authRes.Msg)
 		}

pkg/authorization/authz_test.go

@@ -19,6 +19,37 @@ import (
 
 const pluginAddress = "authzplugin.sock"
 
+func TestAuthZRequestPluginError(t *testing.T) {
+	server := authZPluginTestServer{t: t}
+	go server.start()
+	defer server.stop()
+
+	authZPlugin := createTestPlugin(t)
+
+	request := Request{
+		User:           "user",
+		RequestBody:    []byte("sample body"),
+		RequestURI:     "www.authz.com",
+		RequestMethod:  "GET",
+		RequestHeaders: map[string]string{"header": "value"},
+	}
+	server.replayResponse = Response{
+		Err: "an error",
+	}
+
+	actualResponse, err := authZPlugin.AuthZRequest(&request)
+	if err != nil {
+		t.Fatalf("Failed to authorize request %v", err)
+	}
+
+	if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
+		t.Fatalf("Response must be equal")
+	}
+	if !reflect.DeepEqual(request, server.recordedRequest) {
+		t.Fatalf("Requests must be equal")
+	}
+}
+
 func TestAuthZRequestPlugin(t *testing.T) {
 	server := authZPluginTestServer{t: t}
 	go server.start()