mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
d83fd5f384
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40028 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **Bug Fixes** * Fixed telemetry misclassification where client-side errors were incorrectly reported as server errors. Client-side errors and request cancellations are now properly categorized for improved error tracking and observability. * **Tests** * Added test coverage for client error detection and context cancellation handling. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
88 lines
2.4 KiB
Go
88 lines
2.4 KiB
Go
package authz
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
platform_http "github.com/fleetdm/fleet/v4/server/platform/http"
|
|
)
|
|
|
|
const (
|
|
// ForbiddenErrorMessage is the error message that should be returned to
|
|
// clients when an action is forbidden. It is intentionally vague to prevent
|
|
// disclosing information that a client should not have access to.
|
|
ForbiddenErrorMessage = "forbidden"
|
|
)
|
|
|
|
// Forbidden is the error type for authorization errors
|
|
type Forbidden struct {
|
|
internal string
|
|
subject *fleet.User
|
|
object interface{}
|
|
action interface{}
|
|
|
|
fleet.ErrorWithUUID
|
|
}
|
|
|
|
// ForbiddenWithInternal creates a new error that will return a simple
|
|
// "forbidden" to the client, logging internally the more detailed message
|
|
// provided.
|
|
func ForbiddenWithInternal(internal string, subject *fleet.User, object, action interface{}) *Forbidden {
|
|
return &Forbidden{
|
|
internal: internal,
|
|
subject: subject,
|
|
object: object,
|
|
action: action,
|
|
}
|
|
}
|
|
|
|
// Error implements the error interface.
|
|
func (e *Forbidden) Error() string {
|
|
return ForbiddenErrorMessage
|
|
}
|
|
|
|
// StatusCode implements the go-kit http StatusCoder interface.
|
|
func (e *Forbidden) StatusCode() int {
|
|
return http.StatusForbidden
|
|
}
|
|
|
|
func (e *Forbidden) IsClientError() bool {
|
|
return true
|
|
}
|
|
|
|
// Forbidden implements platform_authz.Forbidden interface.
|
|
func (e *Forbidden) Forbidden() {}
|
|
|
|
// Internal allows the internal error message to be logged.
|
|
func (e *Forbidden) Internal() string {
|
|
return e.internal
|
|
}
|
|
|
|
// LogFields allows this error to be logged with subject, object, and action.
|
|
func (e *Forbidden) LogFields() []interface{} {
|
|
// Only logging User's email, and not other details such as Password and Salt.
|
|
email := "nil"
|
|
if e.subject != nil {
|
|
email = e.subject.Email
|
|
}
|
|
return []interface{}{
|
|
"subject", email,
|
|
"object", e.object,
|
|
"action", e.action,
|
|
}
|
|
}
|
|
|
|
// CheckMissing is the error to return when no authorization check was performed
|
|
// by the service.
|
|
//
|
|
// Deprecated: Use platform_http.CheckMissing instead. This alias is kept for
|
|
// backward compatibility.
|
|
type CheckMissing = platform_http.CheckMissing
|
|
|
|
// CheckMissingWithResponse creates a new error indicating the authorization
|
|
// check was missed, and including the response for further analysis by the error
|
|
// encoder.
|
|
//
|
|
// Deprecated: Use platform_http.CheckMissingWithResponse instead. This alias is
|
|
// kept for backward compatibility.
|
|
var CheckMissingWithResponse = platform_http.CheckMissingWithResponse
|