Make it so no protocol break

mirrord/intproxy/src/proxies/incoming/subscriptions.rs

@@ -258,9 +258,12 @@ impl SubscriptionsManager {
             }
 
             Err(
-                ref response_error @ ResponseError::Forbidden {
+                ref response_error @ (ResponseError::Forbidden {
                     ref blocked_action, ..
-                },
+                }
+                | ResponseError::ForbiddenWithReason {
+                    ref blocked_action, ..
+                }),
             ) => {
                 tracing::warn!(%response_error, "Port subscribe blocked by policy");
 

mirrord/layer/src/error.rs

@@ -281,7 +281,8 @@ impl From<HookError> for i64 {
                 ResponseError::PortAlreadyStolen(_port) => libc::EINVAL,
                 ResponseError::NotImplemented => libc::EINVAL,
                 ResponseError::StripPrefix(_) => libc::EINVAL,
-                err @ ResponseError::Forbidden { .. } => {
+                err @ (ResponseError::Forbidden { .. }
+                | ResponseError::ForbiddenWithReason { .. }) => {
                     graceful_exit!(
                         "Stopping mirrord run. Please adjust your mirrord configuration.\n{err}"
                     );

mirrord/operator/src/crd/policy.rs

@@ -178,7 +178,7 @@ pub struct IncomingNetworkPolicy {
 #[serde(rename_all = "camelCase")]
 pub struct HttpFilterPolicy {
     /// Require the user's header filter to match this regex if such filter is provided.
-    /// 
+    ///
     /// This works in tandem with the `steal-without-filter` block
     /// to require that the user to specifies a header filter for the network steal feature.
     pub header_filter: Option<String>,

mirrord/protocol/src/error.rs

@@ -59,18 +59,24 @@ pub enum ResponseError {
     #[error("Operation is not yet supported by mirrord.")]
     NotImplemented,
 
-    #[error("{blocked_action} is forbidden by {} for this target ({}).", policy_name_string(.policy_name.as_deref()), policy_reason(.reason.as_deref()))]
+    #[error("{blocked_action} is forbidden by {} for this target (your organization does not allow you to use this mirrord feature with the chosen target).", policy_name_string(.policy_name.as_deref()))]
     Forbidden {
         blocked_action: BlockedAction,
         policy_name: Option<String>,
-        reason: Option<String>,
     },
 
     #[error("Failed stripping path with `{0}`!")]
     StripPrefix(String),
 
     #[error("File has to be opened locally!")]
     OpenLocal,
+
+    #[error("{blocked_action} is forbidden by {} for this target ({reason}).", policy_name_string(.policy_name.as_deref()))]
+    ForbiddenWithReason {
+        blocked_action: BlockedAction,
+        policy_name: Option<String>,
+        reason: String,
+    },
 }
 
 impl From<StripPrefixError> for ResponseError {
@@ -88,12 +94,6 @@ fn policy_name_string(policy_name: Option<&str>) -> String {
     }
 }
 
-fn policy_reason(reason: Option<&str>) -> String {
-    reason
-        .unwrap_or("your organization does not allow you to use this mirrord feature with the chosen target")
-        .into()
-}
-
 /// Minimal mirrord-protocol version that allows [`BlockedAction::Mirror`].
 pub static MIRROR_BLOCK_VERSION: LazyLock<VersionReq> =
     LazyLock::new(|| ">=1.12.0".parse().expect("Bad Identifier"));
@@ -104,7 +104,7 @@ pub static MIRROR_POLICY_REASON_VERSION: LazyLock<VersionReq> =
     LazyLock::new(|| ">=1.17.0".parse().expect("Bad Identifier"));
 
 /// All the actions that can be blocked by the operator, to identify the blocked feature in a
-/// [`ResponseError::Forbidden`] message.
+/// [`ResponseError::Forbidden`] or [`ResponseError::ForbiddenWithReason`] message.
 #[derive(Encode, Decode, Debug, PartialEq, Clone, Eq, Error)]
 pub enum BlockedAction {
     Steal(StealType),