mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
cdcea6f492
This assists to address a regression where distribution errors were not properly
handled, resulting in a generic 500 (internal server error) to be returned for
`/distribution/name/json` if you weren't authenticated, whereas it should return
a 40x (401).
This patch attempts to extract the HTTP status-code that was returned by the
distribution code, and falls back to returning a 500 status if unable to match.
Before this change:
curl -v --unix-socket /var/run/docker.sock http://localhost/distribution/name/json
* Trying /var/run/docker.sock...
* Connected to localhost (/var/run/docker.sock) port 80 (#0)
> GET /distribution/name/json HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Api-Version: 1.37
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Tue, 03 Jul 2018 15:52:53 GMT
< Content-Length: 115
<
{"message":"errors:\ndenied: requested access to the resource is denied\nunauthorized: authentication required\n"}
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
daemon logs:
DEBU[2018-07-03T15:52:51.424950601Z] Calling GET /distribution/name/json
DEBU[2018-07-03T15:52:53.179895572Z] FIXME: Got an API for which error does not match any expected type!!!: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
error_type=errcode.Errors module=api
ERRO[2018-07-03T15:52:53.179942783Z] Handler for GET /distribution/name/json returned error: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
With this patch applied:
curl -v --unix-socket /var/run/docker.sock http://localhost/distribution/name/json
* Trying /var/run/docker.sock...
* Connected to localhost (/var/run/docker.sock) port 80 (#0)
> GET /distribution/name/json HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Api-Version: 1.38
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Fri, 03 Aug 2018 14:58:09 GMT
< Content-Length: 115
<
{"message":"errors:\ndenied: requested access to the resource is denied\nunauthorized: authentication required\n"}
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
daemon logs:
DEBU[2018-08-03T14:58:08.018726228Z] Calling GET /distribution/name/json
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
156 lines
4.7 KiB
Go
156 lines
4.7 KiB
Go
package httputils // import "github.com/docker/docker/api/server/httputils"
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/docker/distribution/registry/api/errcode"
|
|
"github.com/docker/docker/api/types"
|
|
"github.com/docker/docker/api/types/versions"
|
|
"github.com/docker/docker/errdefs"
|
|
"github.com/gorilla/mux"
|
|
"github.com/sirupsen/logrus"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
type causer interface {
|
|
Cause() error
|
|
}
|
|
|
|
// GetHTTPErrorStatusCode retrieves status code from error message.
|
|
func GetHTTPErrorStatusCode(err error) int {
|
|
if err == nil {
|
|
logrus.WithFields(logrus.Fields{"error": err}).Error("unexpected HTTP error handling")
|
|
return http.StatusInternalServerError
|
|
}
|
|
|
|
var statusCode int
|
|
|
|
// Stop right there
|
|
// Are you sure you should be adding a new error class here? Do one of the existing ones work?
|
|
|
|
// Note that the below functions are already checking the error causal chain for matches.
|
|
switch {
|
|
case errdefs.IsNotFound(err):
|
|
statusCode = http.StatusNotFound
|
|
case errdefs.IsInvalidParameter(err):
|
|
statusCode = http.StatusBadRequest
|
|
case errdefs.IsConflict(err) || errdefs.IsAlreadyExists(err):
|
|
statusCode = http.StatusConflict
|
|
case errdefs.IsUnauthorized(err):
|
|
statusCode = http.StatusUnauthorized
|
|
case errdefs.IsUnavailable(err):
|
|
statusCode = http.StatusServiceUnavailable
|
|
case errdefs.IsForbidden(err):
|
|
statusCode = http.StatusForbidden
|
|
case errdefs.IsNotModified(err):
|
|
statusCode = http.StatusNotModified
|
|
case errdefs.IsNotImplemented(err):
|
|
statusCode = http.StatusNotImplemented
|
|
case errdefs.IsSystem(err) || errdefs.IsUnknown(err) || errdefs.IsDataLoss(err) || errdefs.IsDeadline(err) || errdefs.IsCancelled(err):
|
|
statusCode = http.StatusInternalServerError
|
|
default:
|
|
statusCode = statusCodeFromGRPCError(err)
|
|
if statusCode != http.StatusInternalServerError {
|
|
return statusCode
|
|
}
|
|
statusCode = statusCodeFromDistributionError(err)
|
|
if statusCode != http.StatusInternalServerError {
|
|
return statusCode
|
|
}
|
|
if e, ok := err.(causer); ok {
|
|
return GetHTTPErrorStatusCode(e.Cause())
|
|
}
|
|
|
|
logrus.WithFields(logrus.Fields{
|
|
"module": "api",
|
|
"error_type": fmt.Sprintf("%T", err),
|
|
}).Debugf("FIXME: Got an API for which error does not match any expected type!!!: %+v", err)
|
|
}
|
|
|
|
if statusCode == 0 {
|
|
statusCode = http.StatusInternalServerError
|
|
}
|
|
|
|
return statusCode
|
|
}
|
|
|
|
func apiVersionSupportsJSONErrors(version string) bool {
|
|
const firstAPIVersionWithJSONErrors = "1.23"
|
|
return version == "" || versions.GreaterThan(version, firstAPIVersionWithJSONErrors)
|
|
}
|
|
|
|
// MakeErrorHandler makes an HTTP handler that decodes a Docker error and
|
|
// returns it in the response.
|
|
func MakeErrorHandler(err error) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
statusCode := GetHTTPErrorStatusCode(err)
|
|
vars := mux.Vars(r)
|
|
if apiVersionSupportsJSONErrors(vars["version"]) {
|
|
response := &types.ErrorResponse{
|
|
Message: err.Error(),
|
|
}
|
|
WriteJSON(w, statusCode, response)
|
|
} else {
|
|
http.Error(w, status.Convert(err).Message(), statusCode)
|
|
}
|
|
}
|
|
}
|
|
|
|
// statusCodeFromGRPCError returns status code according to gRPC error
|
|
func statusCodeFromGRPCError(err error) int {
|
|
switch status.Code(err) {
|
|
case codes.InvalidArgument: // code 3
|
|
return http.StatusBadRequest
|
|
case codes.NotFound: // code 5
|
|
return http.StatusNotFound
|
|
case codes.AlreadyExists: // code 6
|
|
return http.StatusConflict
|
|
case codes.PermissionDenied: // code 7
|
|
return http.StatusForbidden
|
|
case codes.FailedPrecondition: // code 9
|
|
return http.StatusBadRequest
|
|
case codes.Unauthenticated: // code 16
|
|
return http.StatusUnauthorized
|
|
case codes.OutOfRange: // code 11
|
|
return http.StatusBadRequest
|
|
case codes.Unimplemented: // code 12
|
|
return http.StatusNotImplemented
|
|
case codes.Unavailable: // code 14
|
|
return http.StatusServiceUnavailable
|
|
default:
|
|
if e, ok := err.(causer); ok {
|
|
return statusCodeFromGRPCError(e.Cause())
|
|
}
|
|
// codes.Canceled(1)
|
|
// codes.Unknown(2)
|
|
// codes.DeadlineExceeded(4)
|
|
// codes.ResourceExhausted(8)
|
|
// codes.Aborted(10)
|
|
// codes.Internal(13)
|
|
// codes.DataLoss(15)
|
|
return http.StatusInternalServerError
|
|
}
|
|
}
|
|
|
|
// statusCodeFromDistributionError returns status code according to registry errcode
|
|
// code is loosely based on errcode.ServeJSON() in docker/distribution
|
|
func statusCodeFromDistributionError(err error) int {
|
|
switch errs := err.(type) {
|
|
case errcode.Errors:
|
|
if len(errs) < 1 {
|
|
return http.StatusInternalServerError
|
|
}
|
|
if _, ok := errs[0].(errcode.ErrorCoder); ok {
|
|
return statusCodeFromDistributionError(errs[0])
|
|
}
|
|
case errcode.ErrorCoder:
|
|
return errs.ErrorCode().Descriptor().HTTPStatusCode
|
|
default:
|
|
if e, ok := err.(causer); ok {
|
|
return statusCodeFromDistributionError(e.Cause())
|
|
}
|
|
}
|
|
return http.StatusInternalServerError
|
|
}
|