Fix authorization issue - when request is denied return forbbiden exist code (403).

- Return 403 (forbidden) when request is denied in authorization flows
(including integration test)
- Fix moby#22428
- Close moby#22431

Signed-off-by: Liron Levin <[email protected]>

Author: Liron Levin

daemon/network.go

@@ -3,7 +3,6 @@ package daemon
 import (
 	"fmt"
 	"net"
-	"net/http"
 	"strings"
 
 	netsettings "github.com/docker/docker/daemon/network"
@@ -97,7 +96,7 @@ func (daemon *Daemon) getAllNetworks() []libnetwork.Network {
 func (daemon *Daemon) CreateNetwork(create types.NetworkCreateRequest) (*types.NetworkCreateResponse, error) {
 	if runconfig.IsPreDefinedNetwork(create.Name) {
 		err := fmt.Errorf("%s is a pre-defined network and cannot be created", create.Name)
-		return nil, errors.NewErrorWithStatusCode(err, http.StatusForbidden)
+		return nil, errors.NewRequestForbiddenError(err)
 	}
 
 	var warning string
@@ -221,7 +220,7 @@ func (daemon *Daemon) DeleteNetwork(networkID string) error {
 
 	if runconfig.IsPreDefinedNetwork(nw.Name()) {
 		err := fmt.Errorf("%s is a pre-defined network and cannot be removed", nw.Name())
-		return errors.NewErrorWithStatusCode(err, http.StatusForbidden)
+		return errors.NewRequestForbiddenError(err)
 	}
 
 	if err := nw.Delete(); err != nil {

errors/errors.go

@@ -28,6 +28,12 @@ func NewBadRequestError(err error) error {
 	return NewErrorWithStatusCode(err, http.StatusBadRequest)
 }
 
+// NewRequestForbiddenError creates a new API error
+// that has the 403 HTTP status code associated to it.
+func NewRequestForbiddenError(err error) error {
+	return NewErrorWithStatusCode(err, http.StatusForbidden)
+}
+
 // NewRequestNotFoundError creates a new API error
 // that has the 404 HTTP status code associated to it.
 func NewRequestNotFoundError(err error) error {

integration-cli/docker_cli_authz_unix_test.go

@@ -21,6 +21,9 @@ import (
 	"github.com/docker/docker/pkg/integration/checker"
 	"github.com/docker/docker/pkg/plugins"
 	"github.com/go-check/check"
+	"net"
+	"net/http/httputil"
+	"net/url"
 )
 
 const (
@@ -272,6 +275,27 @@ func (s *DockerAuthzSuite) TestAuthZPluginDenyRequest(c *check.C) {
 	c.Assert(res, check.Equals, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s\n", testAuthZPlugin, unauthorizedMessage))
 }
 
+// TestAuthZPluginApiDenyResponse validates that when authorization plugin deny the request, the status code is forbidden
+func (s *DockerAuthzSuite) TestAuthZPluginApiDenyResponse(c *check.C) {
+	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
+	c.Assert(err, check.IsNil)
+	s.ctrl.reqRes.Allow = false
+	s.ctrl.resRes.Msg = unauthorizedMessage
+
+	daemonURL, err := url.Parse(s.d.sock())
+
+	conn, err := net.DialTimeout(daemonURL.Scheme, daemonURL.Path, time.Second*10)
+	c.Assert(err, check.IsNil)
+	client := httputil.NewClientConn(conn, nil)
+	req, err := http.NewRequest("GET", "/version", nil)
+	c.Assert(err, check.IsNil)
+	resp, err := client.Do(req)
+
+	c.Assert(err, check.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusForbidden)
+	c.Assert(err, checker.IsNil)
+}
+
 func (s *DockerAuthzSuite) TestAuthZPluginDenyResponse(c *check.C) {
 	err := s.d.Start("--authorization-plugin=" + testAuthZPlugin)
 	c.Assert(err, check.IsNil)

pkg/authorization/authz.go

@@ -85,7 +85,7 @@ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 		}
 
 		if !authRes.Allow {
-			return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg)
+			return newAuthorizationError(plugin.Name(), authRes.Msg)
 		}
 	}
 
@@ -110,7 +110,7 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
 		}
 
 		if !authRes.Allow {
-			return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg)
+			return newAuthorizationError(plugin.Name(), authRes.Msg)
 		}
 	}
 
@@ -163,3 +163,17 @@ func headers(header http.Header) map[string]string {
 	}
 	return v
 }
+
+// authorizationError represents an authorization deny error
+type authorizationError struct {
+	error
+}
+
+// HTTPErrorStatusCode returns the authorization error status code (forbidden)
+func (e authorizationError) HTTPErrorStatusCode() int {
+	return http.StatusForbidden
+}
+
+func newAuthorizationError(plugin, msg string) authorizationError {
+	return authorizationError{error: fmt.Errorf("authorization denied by plugin %s: %s", plugin, msg)}
+}