Treat permission denied as 403

haaawk · haaawk · commit 5ff8afe43e58 · 2024-09-27T19:02:37.000+02:00
Signed-off-by: Piotr Jastrzebski &lt;piotr@chiselstrike.com&gt;
diff --git a/libsql-server/src/auth/authenticated.rs b/libsql-server/src/auth/authenticated.rs
@@ -67,12 +67,12 @@ impl Authenticated {
         perm: Permission,
     ) -> crate::Result<()> {
         match self {
-            Authenticated::Anonymous => Err(crate::Error::NotAuthorized(
+            Authenticated::Anonymous => Err(crate::Error::Forbidden(
                 "anonymous access not allowed".to_string(),
             )),
             Authenticated::Authorized(a) => {
                 if !a.has_right(Scope::Namespace(namespace.clone()), perm) {
-                    Err(crate::Error::NotAuthorized(format!(
+                    Err(crate::Error::Forbidden(format!(
                                 "Current session doesn't not have {perm:?} permission to namespace {namespace}")))
                 } else {
                     Ok(())
@@ -84,7 +84,7 @@ impl Authenticated {
                 {
                     Ok(())
                 } else {
-                    Err(crate::Error::NotAuthorized(format!(
+                    Err(crate::Error::Forbidden(format!(
                                 "Current session doesn't not have {perm:?} permission to namespace {namespace}")))
                 }
             }
@@ -95,7 +95,7 @@ impl Authenticated {
         match self {
             Authenticated::Authorized(a) if a.ddl_permitted(namespace) => Ok(()),
             Authenticated::FullAccess => Ok(()),
-            _ => Err(crate::Error::NotAuthorized(format!(
+            _ => Err(crate::Error::Forbidden(format!(
                 "DDL statements not permitted on namespace {namespace}"
             ))),
         }
diff --git a/libsql-server/src/connection/program.rs b/libsql-server/src/connection/program.rs
@@ -371,7 +371,7 @@ pub async fn check_program_auth(
             StmtKind::Attach(ref ns) => {
                 ctx.auth.has_right(ns, Permission::AttachRead)?;
                 if !ctx.meta_store.handle(ns.clone()).await.get().allow_attach {
-                    return Err(Error::NotAuthorized(format!(
+                    return Err(Error::Forbidden(format!(
                         "Namespace `{ns}` doesn't allow attach"
                     )));
                 }
diff --git a/libsql-server/src/error.rs b/libsql-server/src/error.rs
@@ -37,6 +37,8 @@ pub enum Error {
     InvalidBatchStep(usize),
     #[error("Not authorized to execute query: {0}")]
     NotAuthorized(String),
+    #[error("Authorization forbidden: {0}")]
+    Forbidden(String),
     #[error("The replicator exited, instance cannot make any progress.")]
     ReplicatorExited,
     #[error("Timed out while opening database connection")]
@@ -176,6 +178,7 @@ impl IntoResponse for &Error {
             Internal(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
             InvalidBatchStep(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
             NotAuthorized(_) => self.format_err(StatusCode::UNAUTHORIZED),
+            Forbidden(_) => self.format_err(StatusCode::FORBIDDEN),
             ReplicatorExited => self.format_err(StatusCode::SERVICE_UNAVAILABLE),
             DbCreateTimeout => self.format_err(StatusCode::TOO_MANY_REQUESTS),
             BuilderError(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
diff --git a/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap b/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap
@@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have Write permission to namespace schema\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have Write permission to namespace schema\"}",
     ),
 )
diff --git a/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap b/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap
@@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: DDL statements not permitted on namespace ns1\"}",
+        "{\"error\":\"Authorization forbidden: DDL statements not permitted on namespace ns1\"}",
     ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap
@@ -4,6 +4,6 @@ expression: "txn.execute(\"ATTACH DATABASE bar as bar\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace bar\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace bar\"}",
     ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap
@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}",
+        "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}",
     ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap
@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace foo\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace foo\"}",
     ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap
@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}",
+        "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}",
     ),
 )

Original file line number	Diff line number	Diff line change
`@@ -371,7 +371,7 @@ pub async fn check_program_auth(`
`371`	`371`	`StmtKind::Attach(ref ns) => {`
`372`	`372`	`ctx.auth.has_right(ns, Permission::AttachRead)?;`
`373`	`373`	`if !ctx.meta_store.handle(ns.clone()).await.get().allow_attach {`
`374`		`- return Err(Error::NotAuthorized(format!(`
	`374`	`+ return Err(Error::Forbidden(format!(`
`375`	`375`	"Namespace `{ns}` doesn't allow attach"
`376`	`376`	`)));`
`377`	`377`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()"`
`4`	`4`	`---`
`5`	`5`	`Hrana(`
`6`	`6`	`Api(`
`7`		`- "{\"error\":\"Not authorized to execute query: Current session doesn't not have Write permission to namespace schema\"}",`
	`7`	`+ "{\"error\":\"Authorization forbidden: Current session doesn't not have Write permission to namespace schema\"}",`
`8`	`8`	`),`
`9`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,6 @@ expression: "txn.execute(\"ATTACH DATABASE bar as bar\", ()).await.unwrap_err()"`
`4`	`4`	`---`
`5`	`5`	`Hrana(`
`6`	`6`	`Api(`
`7`		`- "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace bar\"}",`
	`7`	`+ "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace bar\"}",`
`8`	`8`	`),`
`9`	`9`	`)`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"`
`4`	`4`	`---`
`5`	`5`	`Hrana(`
`6`	`6`	`Api(`
`7`		- "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}",
	`7`	+ "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}",
`8`	`8`	`),`
`9`	`9`	`)`