chore(registry): more granular "access denied" messages

Author: kosmoz

internal/registry/authz/authorizer.go

@@ -36,18 +36,27 @@ func NewAuthorizer() Authorizer {
 func (a *authorizer) Authorize(ctx context.Context, nameStr string, action Action) error {
 	auth := auth.ArtifactsAuthentication.Require(ctx)
 
-	if action == ActionWrite &&
-		(auth.CurrentCustomerOrgID() != nil ||
-			auth.CurrentUserRole() == nil ||
-			*auth.CurrentUserRole() == types.UserRoleReadOnly) {
-		return ErrAccessDenied
+	if action == ActionWrite {
+		if auth.CurrentCustomerOrgID() != nil {
+			return NewErrAccessDenied("customer user can not perform write action")
+		}
+
+		if auth.CurrentUserRole() == nil {
+			return NewErrAccessDenied("user with no role can not perform write action")
+		}
+
+		if *auth.CurrentUserRole() == types.UserRoleReadOnly {
+			return NewErrAccessDenied("read-only user can not perform write action")
+		}
 	}
 
 	org := auth.CurrentOrg()
 	if name, err := name.Parse(nameStr); err != nil {
 		return err
-	} else if org.Slug == nil || *org.Slug != name.OrgName {
-		return ErrAccessDenied
+	} else if org.Slug == nil {
+		return NewErrAccessDenied("organization has no slug")
+	} else if *org.Slug != name.OrgName {
+		return NewErrAccessDenied("organization slug does not match reference")
 	}
 
 	return nil
@@ -57,18 +66,27 @@ func (a *authorizer) Authorize(ctx context.Context, nameStr string, action Actio
 func (a *authorizer) AuthorizeReference(ctx context.Context, nameStr string, reference string, action Action) error {
 	auth := auth.ArtifactsAuthentication.Require(ctx)
 
-	if action == ActionWrite &&
-		(auth.CurrentCustomerOrgID() != nil ||
-			auth.CurrentUserRole() == nil ||
-			*auth.CurrentUserRole() == types.UserRoleReadOnly) {
-		return ErrAccessDenied
+	if action == ActionWrite {
+		if auth.CurrentCustomerOrgID() != nil {
+			return NewErrAccessDenied("customer user can not perform write action")
+		}
+
+		if auth.CurrentUserRole() == nil {
+			return NewErrAccessDenied("user with no role can not perform write action")
+		}
+
+		if *auth.CurrentUserRole() == types.UserRoleReadOnly {
+			return NewErrAccessDenied("read-only user can not perform write action")
+		}
 	}
 
 	org := auth.CurrentOrg()
 	if name, err := name.Parse(nameStr); err != nil {
 		return err
-	} else if org.Slug == nil || *org.Slug != name.OrgName {
-		return ErrAccessDenied
+	} else if org.Slug == nil {
+		return NewErrAccessDenied("organization has no slug")
+	} else if *org.Slug != name.OrgName {
+		return NewErrAccessDenied("organization slug does not match reference")
 	} else if action != ActionWrite && auth.CurrentCustomerOrgID() != nil {
 		if org.HasFeature(types.FeatureLicensing) {
 			err := db.CheckLicenseForArtifact(ctx,
@@ -79,7 +97,7 @@ func (a *authorizer) AuthorizeReference(ctx context.Context, nameStr string, ref
 				*auth.CurrentOrgID(),
 			)
 			if errors.Is(err, apierrors.ErrForbidden) {
-				return ErrAccessDenied
+				return NewErrAccessDenied("license required")
 			} else if err != nil {
 				return err
 			}
@@ -93,17 +111,24 @@ func (a *authorizer) AuthorizeReference(ctx context.Context, nameStr string, ref
 func (a *authorizer) AuthorizeBlob(ctx context.Context, digest digest.Digest, action Action) error {
 	auth := auth.ArtifactsAuthentication.Require(ctx)
 
-	if action == ActionWrite &&
-		(auth.CurrentCustomerOrgID() != nil ||
-			auth.CurrentUserRole() == nil ||
-			*auth.CurrentUserRole() == types.UserRoleReadOnly) {
-		return ErrAccessDenied
+	if action == ActionWrite {
+		if auth.CurrentCustomerOrgID() != nil {
+			return NewErrAccessDenied("customer user can not perform write action")
+		}
+
+		if auth.CurrentUserRole() == nil {
+			return NewErrAccessDenied("user with no role can not perform write action")
+		}
+
+		if *auth.CurrentUserRole() == types.UserRoleReadOnly {
+			return NewErrAccessDenied("read-only user can not perform write action")
+		}
 	}
 
 	if auth.CurrentCustomerOrgID() != nil && auth.CurrentOrg().HasFeature(types.FeatureLicensing) {
 		err := db.CheckLicenseForArtifactBlob(ctx, digest.String(), *auth.CurrentCustomerOrgID(), *auth.CurrentOrgID())
 		if errors.Is(err, apierrors.ErrForbidden) {
-			return ErrAccessDenied
+			return NewErrAccessDenied("license required")
 		} else if err != nil {
 			return err
 		}

internal/registry/authz/error.go

@@ -1,5 +1,12 @@
 package authz
 
-import "errors"
+import (
+	"errors"
+	"fmt"
+)
 
 var ErrAccessDenied = errors.New("access denied")
+
+func NewErrAccessDenied(message string) error {
+	return fmt.Errorf("%w: %s", ErrAccessDenied, message)
+}

internal/registry/blob.go

@@ -88,7 +88,7 @@ func (b *blobs) handle(resp http.ResponseWriter, req *http.Request) *regError {
 			return regErrDigestInvalid
 		} else if err := b.authz.AuthorizeBlob(req.Context(), h, authz.ActionStat); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}
@@ -99,7 +99,7 @@ func (b *blobs) handle(resp http.ResponseWriter, req *http.Request) *regError {
 		if h, err := digest.Parse(target); err == nil {
 			if err := b.authz.AuthorizeBlob(req.Context(), h, authz.ActionRead); err != nil {
 				if errors.Is(err, authz.ErrAccessDenied) {
-					return regErrDenied
+					return regErrDenied(err.Error())
 				} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 					return regErrNameInvalid
 				}
@@ -112,7 +112,7 @@ func (b *blobs) handle(resp http.ResponseWriter, req *http.Request) *regError {
 	case http.MethodPost:
 		if err := b.authz.Authorize(req.Context(), repo, authz.ActionWrite); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}
@@ -122,7 +122,7 @@ func (b *blobs) handle(resp http.ResponseWriter, req *http.Request) *regError {
 	case http.MethodPatch:
 		if err := b.authz.Authorize(req.Context(), repo, authz.ActionWrite); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}
@@ -134,7 +134,7 @@ func (b *blobs) handle(resp http.ResponseWriter, req *http.Request) *regError {
 			return regErrDigestInvalid
 		} else if err := b.authz.AuthorizeBlob(req.Context(), h, authz.ActionWrite); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}

internal/registry/error.go

@@ -113,10 +113,12 @@ var regErrMethodUnknown = &regError{
 	Message: "We don't understand your method + url",
 }
 
-var regErrDenied = &regError{
-	Status:  http.StatusForbidden,
-	Code:    "DENIED",
-	Message: "Access to the resource has been denied",
+func regErrDenied(message string) *regError {
+	return &regError{
+		Status:  http.StatusForbidden,
+		Code:    "DENIED",
+		Message: message,
+	}
 }
 
 var regErrDeniedQuotaExceeded = &regError{

internal/registry/manifest.go

@@ -109,7 +109,7 @@ func (handler *manifests) handle(resp http.ResponseWriter, req *http.Request) *r
 	case http.MethodGet:
 		if err := handler.authz.AuthorizeReference(req.Context(), repo, target, authz.ActionRead); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}
@@ -119,7 +119,7 @@ func (handler *manifests) handle(resp http.ResponseWriter, req *http.Request) *r
 	case http.MethodHead:
 		if err := handler.authz.AuthorizeReference(req.Context(), repo, target, authz.ActionStat); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}
@@ -129,7 +129,7 @@ func (handler *manifests) handle(resp http.ResponseWriter, req *http.Request) *r
 	case http.MethodPut:
 		if err := handler.authz.AuthorizeReference(req.Context(), repo, target, authz.ActionWrite); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}
@@ -139,7 +139,7 @@ func (handler *manifests) handle(resp http.ResponseWriter, req *http.Request) *r
 	case http.MethodDelete:
 		if err := handler.authz.AuthorizeReference(req.Context(), repo, target, authz.ActionWrite); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}
@@ -159,7 +159,7 @@ func (m *manifests) handleTags(resp http.ResponseWriter, req *http.Request) *reg
 	if req.Method == http.MethodGet {
 		if err := m.authz.Authorize(req.Context(), repo, authz.ActionRead); err != nil {
 			if errors.Is(err, authz.ErrAccessDenied) {
-				return regErrDenied
+				return regErrDenied(err.Error())
 			} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 				return regErrNameInvalid
 			}
@@ -252,7 +252,7 @@ func (m *manifests) handleReferrers(resp http.ResponseWriter, req *http.Request)
 
 	if err := m.authz.AuthorizeReference(req.Context(), repo, target, authz.ActionRead); err != nil {
 		if errors.Is(err, authz.ErrAccessDenied) {
-			return regErrDenied
+			return regErrDenied(err.Error())
 		} else if errors.Is(err, registryerror.ErrInvalidArtifactName) {
 			return regErrNameInvalid
 		}