kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Fix authorization issue - when request is denied return forbbiden exist code (403).

Browse source 
- Return 403 (forbidden) when request is denied in authorization flows
(including integration test)
- Fix #22428
- Close #22431

Signed-off-by: Liron Levin <liron@twistlock.com>
This commit is contained in:
Liron Levin 2016-05-02 11:54:09 +03:00
parent b0a5762348
commit 526abc00b1
4 changed files with 48 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
daemon/network.go
View file

@ -3,7 +3,6 @@ package daemon
import ( import (
"fmt" "fmt"
"net" "net"
"net/http"
"strings" "strings"
netsettings "github.com/docker/docker/daemon/network" netsettings "github.com/docker/docker/daemon/network"
@ -97,7 +96,7 @@ func (daemon *Daemon) getAllNetworks() []libnetwork.Network {
func (daemon *Daemon) CreateNetwork(create types.NetworkCreateRequest) (*types.NetworkCreateResponse, error) { func (daemon *Daemon) CreateNetwork(create types.NetworkCreateRequest) (*types.NetworkCreateResponse, error) {
if runconfig.IsPreDefinedNetwork(create.Name) { if runconfig.IsPreDefinedNetwork(create.Name) {
err := fmt.Errorf("%s is a pre-defined network and cannot be created", create.Name) err := fmt.Errorf("%s is a pre-defined network and cannot be created", create.Name)
return nil, errors.NewErrorWithStatusCode(err, http.StatusForbidden) return nil, errors.NewRequestForbiddenError(err)
} }
var warning string var warning string
@ -221,7 +220,7 @@ func (daemon *Daemon) DeleteNetwork(networkID string) error {
if runconfig.IsPreDefinedNetwork(nw.Name()) { if runconfig.IsPreDefinedNetwork(nw.Name()) {
err := fmt.Errorf("%s is a pre-defined network and cannot be removed", nw.Name()) err := fmt.Errorf("%s is a pre-defined network and cannot be removed", nw.Name())
return errors.NewErrorWithStatusCode(err, http.StatusForbidden) return errors.NewRequestForbiddenError(err)
} }
if err := nw.Delete(); err != nil { if err := nw.Delete(); err != nil {

6
errors/errors.go
View file

@ -28,6 +28,12 @@ func NewBadRequestError(err error) error {
return NewErrorWithStatusCode(err, http.StatusBadRequest) return NewErrorWithStatusCode(err, http.StatusBadRequest)
} }
// NewRequestForbiddenError creates a new API error
// that has the 403 HTTP status code associated to it.
func NewRequestForbiddenError(err error) error {
return NewErrorWithStatusCode(err, http.StatusForbidden)
}
// NewRequestNotFoundError creates a new API error // NewRequestNotFoundError creates a new API error
// that has the 404 HTTP status code associated to it. // that has the 404 HTTP status code associated to it.
func NewRequestNotFoundError(err error) error { func NewRequestNotFoundError(err error) error {

24
integration-cli/docker_cli_authz_unix_test.go
View file

@ -21,6 +21,9 @@ import (
"github.com/docker/docker/pkg/integration/checker" "github.com/docker/docker/pkg/integration/checker"
"github.com/docker/docker/pkg/plugins" "github.com/docker/docker/pkg/plugins"
"github.com/go-check/check" "github.com/go-check/check"
"net"
"net/http/httputil"
"net/url"
) )
const ( const (
@ -272,6 +275,27 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s\n", testAuthZPlugin, unauthorizedMessage)) c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s\n", testAuthZPlugin, unauthorizedMessage))
} }
// TestAuthZPluginApiDenyResponse validates that when authorization plugin deny the request, the status code is forbidden
func (s *DockerAuthzSuite) TestAuthZPluginApiDenyResponse(c *check.C) {
err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
c.Assert(err, check.IsNil)
s.ctrl.reqRes.Allow = false
s.ctrl.resRes.Msg = unauthorizedMessage
daemonURL, err := url.Parse(s.d.sock())
conn, err := net.DialTimeout(daemonURL.Scheme, daemonURL.Path, time.Second*10)
c.Assert(err, check.IsNil)
client := httputil.NewClientConn(conn, nil)
req, err := http.NewRequest("GET", "/version", nil)
c.Assert(err, check.IsNil)
resp, err := client.Do(req)
c.Assert(err, check.IsNil)
c.Assert(resp.StatusCode, checker.Equals, http.StatusForbidden)
c.Assert(err, checker.IsNil)
}
func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) { func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
err := s.d.Start("--authorization-plugin=" + testAuthZPlugin) err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)

18
pkg/authorization/authz.go
View file

@ -85,7 +85,7 @@ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
} }
if !authRes.Allow { if !authRes.Allow {
return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg) return newAuthorizationError(plugin.Name(), authRes.Msg)
} }
} }
@ -110,7 +110,7 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
} }
if !authRes.Allow { if !authRes.Allow {
return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg) return newAuthorizationError(plugin.Name(), authRes.Msg)
} }
} }
@ -163,3 +163,17 @@ func headers(header http.Header) map[string]string {
} }
return v return v
} }
// authorizationError represents an authorization deny error
type authorizationError struct {
error
}
// HTTPErrorStatusCode returns the authorization error status code (forbidden)
func (e authorizationError) HTTPErrorStatusCode() int {
return http.StatusForbidden
}
func newAuthorizationError(plugin, msg string) authorizationError {
return authorizationError{error: fmt.Errorf("authorization denied by plugin %s: %s", plugin, msg)}
}