add missing response body to blocked requests
micbar committed May 10, 2023
1 parent 1f8164c commit fe44154
Showing 2 changed files with 52 additions and 1 deletion.
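--- a/changelog/unreleased/policies-response-body.md
+++ b/changelog/unreleased/policies-response-body.md
@@ -0,0 +1,5 @@
+Bugfix: Add missing response to blocked requests
+
+We added the missing response body to requests which were blocked by the policy engine.
+
+https://github.com/owncloud/ocis/pull/6277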
48 changes: 47 additions & 1 deletion services/proxy/pkg/middleware/policies.go
Expand Up @@ -2,8 +2,12 @@ package middleware

import (
"net/http"
"path"
"time"

revactx "github.com/cs3org/reva/v2/pkg/ctx"
"github.com/go-chi/chi/v5/middleware"
"github.com/go-chi/render"
"github.com/owncloud/ocis/v2/ocis-pkg/log"
"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
pMessage "github.com/owncloud/ocis/v2/protogen/gen/ocis/messages/policies/v0"
Expand All @@ -12,6 +16,21 @@ import (
tusd "github.com/tus/tusd/pkg/handler"
)

// RequestDenied struct for OdataErrorMain
type RequestDenied struct {
Error RequestDeniedError `json:"error"`
}

// RequestDeniedError struct for RequestDenied
type RequestDeniedError struct {
Code string `json:"code"`
Message string `json:"message"`
// The structure of this object is service-specific
Innererror map[string]interface{} `json:"innererror,omitempty"`
}

const DeniedMessage = "Operation denied due to security policies"

// Policies verifies if a request is granted or not.
func Policies(logger log.Logger, qs string) func(next http.Handler) http.Handler {
pClient := pService.NewPoliciesProviderService("com.owncloud.api.policies", grpc.DefaultClient())
Expand Down Expand Up @@ -59,11 +78,38 @@ func Policies(logger log.Logger, qs string) func(next http.Handler) http.Handler
}

if !rsp.Result {
w.WriteHeader(http.StatusForbidden)
RenderError(w, r, req, http.StatusForbidden, DeniedMessage)
return
}

next.ServeHTTP(w, r)
})
}
}

// RenderError writes a Policies ErrorObject to the response writer
func RenderError(w http.ResponseWriter, r *http.Request, evaluateReq *pService.EvaluateRequest, status int, msg string) {
filename := evaluateReq.Environment.GetResource().GetName()
if filename == "" {
filename = path.Base(evaluateReq.Environment.GetRequest().GetPath())
}

innererror := map[string]interface{}{
"date": time.Now().UTC().Format(time.RFC3339),
}

innererror["request-id"] = middleware.GetReqID(r.Context())
innererror["method"] = evaluateReq.Environment.GetRequest().GetMethod()
innererror["filename"] = filename
innererror["path"] = evaluateReq.Environment.GetRequest().GetPath()

resp := &RequestDenied{
Error: RequestDeniedError{
Code: "deniedByPolicy",
Message: msg,
Innererror: innererror,
},
}
render.Status(r, status)
render.JSON(w, r, resp)
}
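Review bot: RenderError accesses `evaluateReq.Environment` as a plain field, so the exported helper panics on a nil evaluateReq even though every other access in the function goes through the nil-tolerant generated getters; assuming the message is generated by protoc-gen-go, `env := evaluateReq.GetEnvironment()` followed by `env.GetResource().GetName()` and `env.GetRequest().GetPath()` keeps the whole function nil-safe and also removes the repeated `evaluateReq.Environment.GetRequest()` chains. `DeniedMessage` is exported without a doc comment and the `RequestDenied` comment refers to an `OdataErrorMain` that does not appear in this file; suggest `// DeniedMessage is the message placed in the body of responses rejected by the policy engine.` and `// RequestDenied is the OData-style JSON error envelope written for requests the policy engine rejects.`. The response body echoes the request path and filename back to the caller; that is acceptable for a denial of the caller's own request, but worth a one-line comment on the `innererror` map stating that only request-derived fields belong there so policy internals are not added later. The enclosing Policies handler starts outside this hunk.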
