Merge pull request distribution#51 from squizzi/enforcement-middlewar…

…e-errors

[ENGDTR-2139] Add Enforcement Policy specific errors to manifest handler

errors.go

@@ -127,3 +127,19 @@ type ErrTagConflict struct {
 func (err ErrTagConflict) Error() string {
 	return fmt.Sprintf("tag=%s cannot be overwritten because %s is an immutable repository", err.Tag, err.Name)
 }
+
+// ErrPolicyEnforced is returned when access to a requested resource is denied
+// because a configured enforcement policy is denying the request.
+type ErrPolicyEnforced struct {
+	RepoName string
+	PolicyID string
+	Global   bool
+}
+
+func (err ErrPolicyEnforced) Error() string {
+	if !err.Global {
+		return fmt.Sprintf("pull access denied against %s: enforcement policy %s blocked request", err.RepoName, err.PolicyID)
+	}
+	return fmt.Sprintf("pull access denied against %s: global enforcement policy blocked request", err.RepoName)
+
+}

registry/api/errcode/register.go

@@ -83,6 +83,17 @@ var (
 		an immutable resource`,
 		HTTPStatusCode: http.StatusConflict,
 	})
+
+	// ErrorPolicyEnforced is returned if an action made by a client has been
+	// blocked by a configured enforcement policy within the registry
+	ErrorCodePolicyEnforced = Register("errcode", ErrorDescriptor{
+		Value:   "ENFORCED",
+		Message: "enforcement policy blocked request",
+		Description: `The access controller denied access for the
+		operation on a resource due to a configured enforcement policy
+		blocking the requested access.`,
+		HTTPStatusCode: http.StatusForbidden,
+	})
 )
 
 var nextCode = 1000

registry/handlers/manifests.go

@@ -142,13 +142,17 @@ func (imh *manifestHandler) GetManifest(w http.ResponseWriter, r *http.Request)
 	}
 	manifest, err := manifests.Get(imh, imh.Digest, options...)
 	if err != nil {
-		if _, ok := err.(distribution.ErrManifestUnknownRevision); ok {
-			imh.Errors = append(imh.Errors, v2.ErrorCodeManifestUnknown.WithDetail(err))
-		} else {
-			imh.Errors = append(imh.Errors, errcode.ErrorCodeUnknown.WithDetail(err))
+		switch manifestErr := err.(type) {
+		case distribution.ErrManifestUnknownRevision:
+			imh.Errors = append(imh.Errors, v2.ErrorCodeManifestUnknown.WithDetail(manifestErr))
+		case distribution.ErrPolicyEnforced:
+			imh.Errors = append(imh.Errors, errcode.ErrorCodePolicyEnforced.WithMessage(manifestErr.Error()))
+		default:
+			imh.Errors = append(imh.Errors, errcode.ErrorCodeUnknown.WithDetail(manifestErr))
 		}
 		return
 	}
+
 	// determine the type of the returned manifest
 	manifestType := manifestSchema1
 	schema2Manifest, isSchema2 := manifest.(*schema2.DeserializedManifest)
@@ -205,10 +209,13 @@ func (imh *manifestHandler) GetManifest(w http.ResponseWriter, r *http.Request)
 
 		manifest, err = manifests.Get(imh, manifestDigest)
 		if err != nil {
-			if _, ok := err.(distribution.ErrManifestUnknownRevision); ok {
-				imh.Errors = append(imh.Errors, v2.ErrorCodeManifestUnknown.WithDetail(err))
-			} else {
-				imh.Errors = append(imh.Errors, errcode.ErrorCodeUnknown.WithDetail(err))
+			switch manifestErr := err.(type) {
+			case distribution.ErrManifestUnknownRevision:
+				imh.Errors = append(imh.Errors, v2.ErrorCodeManifestUnknown.WithDetail(manifestErr))
+			case distribution.ErrPolicyEnforced:
+				imh.Errors = append(imh.Errors, errcode.ErrorCodePolicyEnforced.WithMessage(manifestErr.Error()))
+			default:
+				imh.Errors = append(imh.Errors, errcode.ErrorCodeUnknown.WithDetail(manifestErr))
 			}
 			return
 		}