From 3c9680fa0b4a2d9cf5231db72f2fbc9bb74b8f9e Mon Sep 17 00:00:00 2001
From: Dmitry Dodzin
Date: Tue, 4 Feb 2025 13:55:46 +0200
Subject: [PATCH] Make it so no protocol break

---
 .../src/proxies/incoming/subscriptions.rs | 7 +++++--
 mirrord/layer/src/error.rs | 3 ++-
 mirrord/operator/src/crd/policy.rs | 2 +-
 mirrord/protocol/src/error.rs | 18 +++++++++---------
 4 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/mirrord/intproxy/src/proxies/incoming/subscriptions.rs b/mirrord/intproxy/src/proxies/incoming/subscriptions.rs
index 7731707d8c8..24a59eaead7 100644
--- a/mirrord/intproxy/src/proxies/incoming/subscriptions.rs
+++ b/mirrord/intproxy/src/proxies/incoming/subscriptions.rs
@@ -258,9 +258,12 @@ impl SubscriptionsManager {
 }

 Err(
- ref response_error @ ResponseError::Forbidden {
+ ref response_error @ (ResponseError::Forbidden {
 ref blocked_action, ..
- },
+ }
+ | ResponseError::ForbiddenWithReason {
+ ref blocked_action, ..
+ }),
 ) => {
 tracing::warn!(%response_error, "Port subscribe blocked by policy");

diff --git a/mirrord/layer/src/error.rs b/mirrord/layer/src/error.rs
index 771f198944c..4f4b44b7812 100644
--- a/mirrord/layer/src/error.rs
+++ b/mirrord/layer/src/error.rs
@@ -281,7 +281,8 @@ impl From for i64 {
 ResponseError::PortAlreadyStolen(_port) => libc::EINVAL,
 ResponseError::NotImplemented => libc::EINVAL,
 ResponseError::StripPrefix(_) => libc::EINVAL,
- err @ ResponseError::Forbidden { .. } => {
+ err @ (ResponseError::Forbidden { .. }
+ | ResponseError::ForbiddenWithReason { .. }) => {
 graceful_exit!(
 "Stopping mirrord run. Please adjust your mirrord configuration.\n{err}"
 );
diff --git a/mirrord/operator/src/crd/policy.rs b/mirrord/operator/src/crd/policy.rs
index 2bd2ac18996..598439653c3 100644
--- a/mirrord/operator/src/crd/policy.rs
+++ b/mirrord/operator/src/crd/policy.rs
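Review bot: The `Forbidden | ForbiddenWithReason` or-pattern in the `Err(...)` arm of mirrord/intproxy/src/proxies/incoming/subscriptions.rs is written out a second time in the mirrord/layer/src/error.rs hunk, so every site that treats a policy denial specially now has to list both variants by hand. Any `match` on `ResponseError::Forbidden` that this patch does not touch (none is visible here, so it is worth a search) would send `ForbiddenWithReason` to its generic arm and stop reporting the denial as a policy block. An accessor on `ResponseError`, for example `pub fn blocked_action(&self) -> Option<&BlockedAction>`, would give both call sites one place to ask and keep a later variant from being missed. The enclosing `match` starts and ends outside the hunk.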
@@ -178,7 +178,7 @@ pub struct IncomingNetworkPolicy {
 #[serde(rename_all = "camelCase")]
 pub struct HttpFilterPolicy {
 /// Require the user's header filter to match this regex if such filter is provided.
- ///
+ ///
 /// This works in tandem with the `steal-without-filter` block
 /// to require that the user to specifies a header filter for the network steal feature.
 pub header_filter: Option,
diff --git a/mirrord/protocol/src/error.rs b/mirrord/protocol/src/error.rs
index 5da1b48c828..95cc85dcd45 100644
--- a/mirrord/protocol/src/error.rs
+++ b/mirrord/protocol/src/error.rs
@@ -59,11 +59,10 @@ pub enum ResponseError {
 #[error("Operation is not yet supported by mirrord.")]
 NotImplemented,

- #[error("{blocked_action} is forbidden by {} for this target ({}).", policy_name_string(.policy_name.as_deref()), policy_reason(.reason.as_deref()))]
+ #[error("{blocked_action} is forbidden by {} for this target (your organization does not allow you to use this mirrord feature with the chosen target).", policy_name_string(.policy_name.as_deref()))]
 Forbidden {
 blocked_action: BlockedAction,
 policy_name: Option,
- reason: Option,
 },

 #[error("Failed stripping path with `{0}`!")]
@@ -71,6 +70,13 @@ pub enum ResponseError {

 #[error("File has to be opened locally!")]
 OpenLocal,
+
+ #[error("{blocked_action} is forbidden by {} for this target ({reason}).", policy_name_string(.policy_name.as_deref()))]
+ ForbiddenWithReason {
+ blocked_action: BlockedAction,
+ policy_name: Option,
+ reason: String,
+ },
 }

 impl From for ResponseError {
@@ -88,12 +94,6 @@ fn policy_name_string(policy_name: Option<&str>) -> String {
 }
 }

-fn policy_reason(reason: Option<&str>) -> String {
- reason
- .unwrap_or("your organization does not allow you to use this mirrord feature with the chosen target")
- .into()
-}
-
 /// Minimal mirrord-protocol version that allows [`BlockedAction::Mirror`].
 pub static MIRROR_BLOCK_VERSION: LazyLock =
 LazyLock::new(|| ">=1.12.0".parse().expect("Bad Identifier"));
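Review bot: `Forbidden` in mirrord/protocol/src/error.rs returns to its two-field shape, and `ForbiddenWithReason` is appended in the `@@ -71,6 +70,13 @@` hunk, but neither carries a comment recording the compatibility rule that motivates the split. I would add `/// Layout is fixed for peers older than MIRROR_POLICY_REASON_VERSION; do not add, remove or reorder fields.` above `Forbidden`, and a doc comment on `ForbiddenWithReason` saying it may only be sent to peers that satisfy that version requirement and that new variants are appended at the end of the enum. This assumes the enum is encoded positionally; its derive line is outside the hunk, though `BlockedAction` in the same file derives `Encode` and `Decode`. The code that constructs the response is not in this patch, so it is worth confirming that it builds `ForbiddenWithReason` only behind that version check.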
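Review bot: `reason` in `ForbiddenWithReason` is free text that arrives over the protocol, and the `#[error(...)]` attribute interpolates it verbatim as `({reason})`; the layer hunk then hands the rendered error to `graceful_exit!` and the intproxy hunk logs it through `tracing::warn!`. Nothing visible in the patch bounds its length or removes control characters, so a multi-line or escape-laden value would reach the user's terminal and the logs unchanged. Passing it through a helper in the style of `policy_name_string`, e.g. ending the attribute with `({}).", policy_name_string(.policy_name.as_deref()), printable_reason(.reason))]`, where the helper drops control characters and truncates to a fixed cap, would keep the message a single readable line. If the operator already validates the text when the policy is created, a doc comment on the field stating that is sufficient.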
@@ -104,7 +104,7 @@ pub static MIRROR_POLICY_REASON_VERSION: LazyLock =
 LazyLock::new(|| ">=1.17.0".parse().expect("Bad Identifier"));

 /// All the actions that can be blocked by the operator, to identify the blocked feature in a
-/// [`ResponseError::Forbidden`] message.
+/// [`ResponseError::Forbidden`] or [`ResponseError::ForbiddenWithReason`] message.
 #[derive(Encode, Decode, Debug, PartialEq, Clone, Eq, Error)]
 pub enum BlockedAction {
 Steal(StealType),