Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/server/authz/errors.go
Victor Lyuboslavsky c88cc953fb
Refactor endpoint_utils for modularization (#36484) 
Resolves #37192

Separating generic endpoint_utils middleware logic from domain-specific
business logic. New bounded contexts would share the generic logic and
implement their own domain-specific logic. The two approaches used in
this PR are:
- Use common `platform` types
- Use interfaces

In the next PR we will move `endpointer_utils`, `authzcheck` and
`ratelimit` into `platform` directory.

# Checklist for submitter

- [x] Added changes file

## Testing

- [x] Added/updated tests
- [x] QA'd all new/changed functionality manually



<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Refactor**
* Restructured internal error handling and context management to support
bounded context architecture.
* Improved error context collection and telemetry observability through
a provider-based mechanism.
* Decoupled licensing and authentication concerns into interfaces for
better modularity.

* **Chores**
* Updated internal package dependencies to align with new architectural
boundaries.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-12-31 09:12:00 -06:00

81 lines
2.3 KiB
Go
Raw Blame History

package authz
import (
"net/http"
"github.com/fleetdm/fleet/v4/server/fleet"
platform_http "github.com/fleetdm/fleet/v4/server/platform/http"
)
const (
// ForbiddenErrorMessage is the error message that should be returned to
// clients when an action is forbidden. It is intentionally vague to prevent
// disclosing information that a client should not have access to.
ForbiddenErrorMessage = "forbidden"
)
// Forbidden is the error type for authorization errors
type Forbidden struct {
internal string
subject *fleet.User
object interface{}
action interface{}
fleet.ErrorWithUUID
}
// ForbiddenWithInternal creates a new error that will return a simple
// "forbidden" to the client, logging internally the more detailed message
// provided.
func ForbiddenWithInternal(internal string, subject *fleet.User, object, action interface{}) *Forbidden {
return &Forbidden{
internal: internal,
subject: subject,
object: object,
action: action,
}
}
// Error implements the error interface.
func (e *Forbidden) Error() string {
return ForbiddenErrorMessage
}
// StatusCode implements the go-kit http StatusCoder interface.
func (e *Forbidden) StatusCode() int {
return http.StatusForbidden
}
// Internal allows the internal error message to be logged.
func (e *Forbidden) Internal() string {
return e.internal
}
// LogFields allows this error to be logged with subject, object, and action.
func (e *Forbidden) LogFields() []interface{} {
// Only logging User's email, and not other details such as Password and Salt.
email := "nil"
if e.subject != nil {
email = e.subject.Email
}
return []interface{}{
"subject", email,
"object", e.object,
"action", e.action,
}
}
// CheckMissing is the error to return when no authorization check was performed
// by the service.
//
// Deprecated: Use platform_http.CheckMissing instead. This alias is kept for
// backward compatibility.
type CheckMissing = platform_http.CheckMissing
// CheckMissingWithResponse creates a new error indicating the authorization
// check was missed, and including the response for further analysis by the error
// encoder.
//
// Deprecated: Use platform_http.CheckMissingWithResponse instead. This alias is
// kept for backward compatibility.
var CheckMissingWithResponse = platform_http.CheckMissingWithResponse
Reference in a new issue View git blame Copy permalink