add missing response body to blocked requests

2026-05-03 17:29:22 -05:00 · 2023-05-10 21:50:33 +02:00
parent 9945dad647
commit 43ed7392be
2 changed files with 54 additions and 1 deletions
@@ -2,8 +2,12 @@ package middleware

 import (
 	"net/http"
+	"path"
+	"time"

 	revactx "github.com/cs3org/reva/v2/pkg/ctx"
+	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/render"
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
 	pMessage "github.com/owncloud/ocis/v2/protogen/gen/ocis/messages/policies/v0"
@@ -12,6 +16,23 @@ import (
 	tusd "github.com/tus/tusd/pkg/handler"
 )

+type (
+	// RequestDenied struct for OdataErrorMain
+	RequestDenied struct {
+		Error RequestDeniedError `json:"error"`
+	}
+
+	// RequestDeniedError struct for RequestDenied
+	RequestDeniedError struct {
+		Code    string `json:"code"`
+		Message string `json:"message"`
+		// The structure of this object is service-specific
+		Innererror map[string]interface{} `json:"innererror,omitempty"`
+	}
+)
+
+const DeniedMessage = "Operation denied due to security policies"
+
 // Policies verifies if a request is granted or not.
 func Policies(logger log.Logger, qs string) func(next http.Handler) http.Handler {
 	pClient := pService.NewPoliciesProviderService("com.owncloud.api.policies", grpc.DefaultClient())
@@ -59,7 +80,7 @@ func Policies(logger log.Logger, qs string) func(next http.Handler) http.Handler
 			}

 			if !rsp.Result {
-				w.WriteHeader(http.StatusForbidden)
+				RenderError(w, r, req, http.StatusForbidden, DeniedMessage)
 				return
 			}

@@ -67,3 +88,30 @@ func Policies(logger log.Logger, qs string) func(next http.Handler) http.Handler
 		})
 	}
 }
+
+// RenderError writes a Policies ErrorObject to the response writer
+func RenderError(w http.ResponseWriter, r *http.Request, evaluateReq *pService.EvaluateRequest, status int, msg string) {
+	filename := evaluateReq.Environment.GetResource().GetName()
+	if filename == "" {
+		filename = path.Base(evaluateReq.Environment.GetRequest().GetPath())
+	}
+
+	innererror := map[string]interface{}{
+		"date": time.Now().UTC().Format(time.RFC3339),
+	}
+
+	innererror["request-id"] = middleware.GetReqID(r.Context())
+	innererror["method"] = evaluateReq.Environment.GetRequest().GetMethod()
+	innererror["filename"] = filename
+	innererror["path"] = evaluateReq.Environment.GetRequest().GetPath()
+
+	resp := &RequestDenied{
+		Error: RequestDeniedError{
+			Code:       "deniedByPolicy",
+			Message:    msg,
+			Innererror: innererror,
+		},
+	}
+	render.Status(r, status)
+	render.JSON(w, r, resp)
+}