feat(authz): introduce conditional access control via CEL (#4040)

2026-06-17 21:17:58 +08:00 · 2026-05-09 20:43:00 +01:00
parent ddb6279a25
commit 8a6674f198
15 changed files with 1636 additions and 85 deletions
@@ -110,6 +110,14 @@ func AuthzOnlyAdminsMiddleware(conf *config.Config) mux.MiddlewareFunc {
 }

 func AuthzFail(w http.ResponseWriter, r *http.Request, identity, realm string, delay int) {
+	AuthzFailWithReason(w, r, identity, realm, delay, "")
+}
+
+// AuthzFailWithReason behaves like AuthzFail but, when reason is non-empty,
+// embeds it in the response body's error detail under the "reason" key. This
+// lets policy conditions surface the operator-authored Message to the client
+// alongside the standard DENIED error code.
+func AuthzFailWithReason(w http.ResponseWriter, r *http.Request, identity, realm string, delay int, reason string) {
 	time.Sleep(time.Duration(delay) * time.Second)

 	// don't send auth headers if request is coming from UI
@@ -127,9 +135,16 @@ func AuthzFail(w http.ResponseWriter, r *http.Request, identity, realm string, d

 	if identity == "" {
 		WriteJSON(w, http.StatusUnauthorized, apiErr.NewErrorList(apiErr.NewError(apiErr.UNAUTHORIZED)))
-	} else {
-		WriteJSON(w, http.StatusForbidden, apiErr.NewErrorList(apiErr.NewError(apiErr.DENIED)))
+
+		return
 	}
+
+	denied := apiErr.NewError(apiErr.DENIED)
+	if reason != "" {
+		denied.AddDetail(map[string]string{"reason": reason})
+	}
+
+	WriteJSON(w, http.StatusForbidden, apiErr.NewErrorList(denied))
 }

 func WriteJSON(response http.ResponseWriter, status int, data any) {