ING-1187: Return appropriate status for bad credentials

Author: Westwooo

gateway/dataimpl/server_v1/errorhandler.go

@@ -529,6 +529,29 @@ func (e ErrorHandler) NewSearchSourceNotFoundStatus(baseErr error, indexName str
 	return st
 }
 
+func (e ErrorHandler) NewSearchIndexAuthenticationFailureStatus(baseErr error, bucketName, scopeName *string) *status.Status {
+	var path string
+	var resource string
+	if bucketName != nil {
+		path = *bucketName
+		resource = "bucket"
+		if scopeName != nil {
+			path = path + "/" + *scopeName
+			resource = "scope"
+		}
+	}
+
+	msg := fmt.Sprintf("Insufficient permissions to perform search index operation against %s.", path)
+	st := status.New(codes.PermissionDenied, msg)
+	st = e.tryAttachStatusDetails(st, &epb.ResourceInfo{
+		ResourceType: resource,
+		ResourceName: path,
+		Description:  "",
+	})
+	st = e.tryAttachExtraContext(st, baseErr)
+	return st
+}
+
 func (e ErrorHandler) NewDocMissingStatus(baseErr error, bucketName, scopeName, collectionName, docId string) *status.Status {
 	st := status.New(codes.NotFound,
 		fmt.Sprintf("Document '%s' not found in '%s/%s/%s'.",

gateway/dataimpl/server_v1/searchadminserver.go

@@ -111,6 +111,8 @@ func (s *SearchIndexAdminServer) CreateIndex(ctx context.Context, in *admin_sear
 			return nil, s.errorHandler.NewIncorrectSearchSourceTypeStatus(err, in.Name, in.SourceType).Err()
 		} else if errors.Is(err, cbsearchx.ErrSourceNotFound) {
 			return nil, s.errorHandler.NewSearchSourceNotFoundStatus(err, in.Name, in.SourceName).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -217,6 +219,8 @@ func (s *SearchIndexAdminServer) UpdateIndex(ctx context.Context, in *admin_sear
 			return nil, s.errorHandler.NewIncorrectSearchSourceTypeStatus(err, in.Index.Name, in.Index.SourceType).Err()
 		} else if errors.Is(err, cbsearchx.ErrSourceNotFound) {
 			return nil, s.errorHandler.NewSearchSourceNotFoundStatus(err, in.Index.Name, in.Index.SourceName).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -264,6 +268,8 @@ func (s *SearchIndexAdminServer) DeleteIndex(ctx context.Context, in *admin_sear
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -311,6 +317,8 @@ func (s *SearchIndexAdminServer) GetIndex(ctx context.Context, in *admin_search_
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -346,6 +354,8 @@ func (s *SearchIndexAdminServer) ListIndexes(ctx context.Context, in *admin_sear
 			return nil, s.errorHandler.NewSearchServiceNotAvailableStatus(err, "").Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, "").Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -393,6 +403,8 @@ func (s *SearchIndexAdminServer) AnalyzeDocument(ctx context.Context, in *admin_
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
 		} else if errors.Is(err, cbsearchx.ErrNoIndexPartitionsFound) {
 			return nil, s.errorHandler.NewSearchIndexNotReadyStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -432,6 +444,8 @@ func (s *SearchIndexAdminServer) GetIndexedDocumentsCount(ctx context.Context, i
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -470,6 +484,8 @@ func (s *SearchIndexAdminServer) PauseIndexIngest(ctx context.Context, in *admin
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -506,6 +522,8 @@ func (s *SearchIndexAdminServer) ResumeIndexIngest(ctx context.Context, in *admi
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -542,6 +560,8 @@ func (s *SearchIndexAdminServer) AllowIndexQuerying(ctx context.Context, in *adm
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -578,6 +598,8 @@ func (s *SearchIndexAdminServer) DisallowIndexQuerying(ctx context.Context, in *
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -614,6 +636,8 @@ func (s *SearchIndexAdminServer) FreezeIndexPlan(ctx context.Context, in *admin_
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}
@@ -650,6 +674,8 @@ func (s *SearchIndexAdminServer) UnfreezeIndexPlan(ctx context.Context, in *admi
 			return nil, s.errorHandler.NewSearchIndexNameEmptyStatus(err).Err()
 		} else if errors.Is(err, cbsearchx.ErrOnlyBucketOrScopeSet) {
 			return nil, s.errorHandler.NewOnlyBucketOrScopeSetStatus(err, in.Name).Err()
+		} else if errors.Is(err, cbsearchx.ErrAuthenticationFailure) {
+			return nil, s.errorHandler.NewSearchIndexAuthenticationFailureStatus(err, in.BucketName, in.ScopeName).Err()
 		}
 		return nil, s.errorHandler.NewGenericStatus(err).Err()
 	}

gateway/test/search_mgmt_test.go

@@ -29,7 +29,7 @@ func (s *GatewayOpsTestSuite) RunCommonIndexErrorCases(
 	indexName string,
 	fn func(ctx context.Context, opts *commonIndexErrorTestData) (interface{}, error),
 ) {
-	_, scope := s.initialiseBucketAndScope()
+	bucket, scope := s.initialiseBucketAndScope()
 
 	s.Run("BucketNotFound", func() {
 		_, err := fn(ctx, &commonIndexErrorTestData{
@@ -57,19 +57,18 @@ func (s *GatewayOpsTestSuite) RunCommonIndexErrorCases(
 		})
 	})
 
-	// TODO - ING-1187
-	// s.Run("BadCredentials", func() {
-	// 	_, err := fn(ctx, &commonIndexErrorTestData{
-	// 		IndexName:  indexName,
-	// 		BucketName: bucket,
-	// 		ScopeName:  scope,
-	// 		Creds:      s.badRpcCreds,
-	// 	})
-	// 	assertRpcStatus(s.T(), err, codes.Unauthenticated)
-	// 	assertRpcErrorDetails(s.T(), err, func(d *epb.ResourceInfo) {
-	// 		assert.Equal(s.T(), "searchindex", d.ResourceType)
-	// 	})
-	// })
+	s.Run("BadCredentials", func() {
+		_, err := fn(ctx, &commonIndexErrorTestData{
+			IndexName:  indexName,
+			BucketName: bucket,
+			ScopeName:  scope,
+			Creds:      s.badRpcCreds,
+		})
+		assertRpcStatus(s.T(), err, codes.PermissionDenied)
+		assertRpcErrorDetails(s.T(), err, func(d *epb.ResourceInfo) {
+			assert.Equal(s.T(), "", d.ResourceType)
+		})
+	})
 }
 
 func (s *GatewayOpsTestSuite) TestGetIndex() {

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
 	github.com/aws/aws-sdk-go-v2/config v1.28.8
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.9
-	github.com/couchbase/gocbcorex v0.0.0-20251022095750-491da08faa75
+	github.com/couchbase/gocbcorex v0.0.0-20251103090415-9c1017f074ad
 	github.com/couchbase/goprotostellar v1.0.3-0.20250811181441-159acea69746
 	github.com/couchbaselabs/gocbconnstr v1.0.5
 	github.com/couchbaselabs/gocbconnstr/v2 v2.0.0-20240607131231-fb385523de28

go.sum

@@ -67,8 +67,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/couchbase/gocbcorex v0.0.0-20251022095750-491da08faa75 h1:H53znXKq5qgA0SLMgF5XuV0sHGQQ0wrmjJ1Cz7vxgEU=
-github.com/couchbase/gocbcorex v0.0.0-20251022095750-491da08faa75/go.mod h1:6dno13KSKXpYALSx1KkYNHCwIQiuZdfL1xc3dDcYl1o=
+github.com/couchbase/gocbcorex v0.0.0-20251103090415-9c1017f074ad h1:73Mp0a/Psf3CMKllTBXpXA6XMkLrwXy20EkNBqWL1uo=
+github.com/couchbase/gocbcorex v0.0.0-20251103090415-9c1017f074ad/go.mod h1:6dno13KSKXpYALSx1KkYNHCwIQiuZdfL1xc3dDcYl1o=
 github.com/couchbase/goprotostellar v1.0.3-0.20250811181441-159acea69746 h1:kibnwIhBQ50egj2wCX3cd+MtwPXKre4DTDnXuoXQCGQ=
 github.com/couchbase/goprotostellar v1.0.3-0.20250811181441-159acea69746/go.mod h1:x/he3raYF/EspPXAfuVsBdLFNEYUxgFhlicJTRduPZ4=
 github.com/couchbaselabs/gocbconnstr v1.0.5 h1:e0JokB5qbcz7rfnxEhNRTKz8q1svoRvDoZihsiwNigA=