From 12f33af0967886f1b6bdb8026ce84f948681c585 Mon Sep 17 00:00:00 2001
From: Tom Kirchner <tjk@amazon.com>
Date: Wed, 8 Apr 2020 12:32:36 -0700
Subject: [PATCH] apiserver: include error messages in error responses

---
 sources/api/apiserver/src/server/mod.rs | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/sources/api/apiserver/src/server/mod.rs b/sources/api/apiserver/src/server/mod.rs
index a9a58b06f78..3c2dfef5ce6 100644
--- a/sources/api/apiserver/src/server/mod.rs
+++ b/sources/api/apiserver/src/server/mod.rs
@@ -6,7 +6,9 @@ mod error;
 pub use error::Error;
 
 use crate::datastore::{Committed, FilesystemDataStore, Key, Value};
-use actix_web::{error::ResponseError, web, App, HttpRequest, HttpResponse, HttpServer, Responder};
+use actix_web::{
+    error::ResponseError, web, App, FromRequest, HttpRequest, HttpResponse, HttpServer, Responder,
+};
 use bottlerocket_release::BottlerocketRelease;
 use error::Result;
 use futures::future;
@@ -64,6 +66,17 @@ where
 
     let http_server = HttpServer::new(move || {
         App::new()
+            // In our implementation of ResponseError on our own error type below, we include the
+            // error message in the response for debugging purposes.  If actix rejects a request
+            // early because it doesn't fit our model, though, it doesn't even get to the
+            // ResponseError implementation.  This configuration of the Json extractor allows us to
+            // add the error message into the response.
+            .app_data(web::Json::<Settings>::configure(|cfg| {
+                cfg.error_handler(|err, _req| HttpResponse::BadRequest().body(err.to_string()).into())
+            }))
+
+            // This makes the data store available to API methods merely by having a Data
+            // parameter.
             .app_data(shared_datastore.clone())
 
             // Retrieve the full API model; not all data is writable, so we only support GET.
@@ -396,7 +409,10 @@ impl ResponseError for error::Error {
             SetGroup { .. } => HttpResponse::InternalServerError(),
             ReleaseData { .. } => HttpResponse::InternalServerError(),
         }
-        .finish()
+        // Include the error message in the response, and for all error types.  The Bottlerocket
+        // API is only exposed locally, and only on the host filesystem and to authorized
+        // containers, so we're not worried about exposing error details.
+        .body(self.to_string())
     }
 }