Treat permission denied as 403

Signed-off-by: Piotr Jastrzebski <[email protected]>

libsql-server/src/auth/authenticated.rs

@@ -67,12 +67,12 @@ impl Authenticated {
         perm: Permission,
     ) -> crate::Result<()> {
         match self {
-            Authenticated::Anonymous => Err(crate::Error::NotAuthorized(
+            Authenticated::Anonymous => Err(crate::Error::Forbidden(
                 "anonymous access not allowed".to_string(),
             )),
             Authenticated::Authorized(a) => {
                 if !a.has_right(Scope::Namespace(namespace.clone()), perm) {
-                    Err(crate::Error::NotAuthorized(format!(
+                    Err(crate::Error::Forbidden(format!(
                                 "Current session doesn't not have {perm:?} permission to namespace {namespace}")))
                 } else {
                     Ok(())
@@ -84,7 +84,7 @@ impl Authenticated {
                 {
                     Ok(())
                 } else {
-                    Err(crate::Error::NotAuthorized(format!(
+                    Err(crate::Error::Forbidden(format!(
                                 "Current session doesn't not have {perm:?} permission to namespace {namespace}")))
                 }
             }
@@ -95,7 +95,7 @@ impl Authenticated {
         match self {
             Authenticated::Authorized(a) if a.ddl_permitted(namespace) => Ok(()),
             Authenticated::FullAccess => Ok(()),
-            _ => Err(crate::Error::NotAuthorized(format!(
+            _ => Err(crate::Error::Forbidden(format!(
                 "DDL statements not permitted on namespace {namespace}"
             ))),
         }

libsql-server/src/connection/program.rs

@@ -371,7 +371,7 @@ pub async fn check_program_auth(
             StmtKind::Attach(ref ns) => {
                 ctx.auth.has_right(ns, Permission::AttachRead)?;
                 if !ctx.meta_store.handle(ns.clone()).await.get().allow_attach {
-                    return Err(Error::NotAuthorized(format!(
+                    return Err(Error::Forbidden(format!(
                         "Namespace `{ns}` doesn't allow attach"
                     )));
                 }

libsql-server/src/error.rs

@@ -37,6 +37,8 @@ pub enum Error {
     InvalidBatchStep(usize),
     #[error("Not authorized to execute query: {0}")]
     NotAuthorized(String),
+    #[error("Authorization forbidden: {0}")]
+    Forbidden(String),
     #[error("The replicator exited, instance cannot make any progress.")]
     ReplicatorExited,
     #[error("Timed out while opening database connection")]
@@ -176,6 +178,7 @@ impl IntoResponse for &Error {
             Internal(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
             InvalidBatchStep(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
             NotAuthorized(_) => self.format_err(StatusCode::UNAUTHORIZED),
+            Forbidden(_) => self.format_err(StatusCode::FORBIDDEN),
             ReplicatorExited => self.format_err(StatusCode::SERVICE_UNAVAILABLE),
             DbCreateTimeout => self.format_err(StatusCode::TOO_MANY_REQUESTS),
             BuilderError(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),

libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap

@@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have Write permission to namespace schema\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have Write permission to namespace schema\"}",
     ),
 )

libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap

@@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: DDL statements not permitted on namespace ns1\"}",
+        "{\"error\":\"Authorization forbidden: DDL statements not permitted on namespace ns1\"}",
     ),
 )

libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap

@@ -4,6 +4,6 @@ expression: "txn.execute(\"ATTACH DATABASE bar as bar\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace bar\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace bar\"}",
     ),
 )

libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap

@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}",
+        "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}",
     ),
 )

libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap

@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace foo\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace foo\"}",
     ),
 )

libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap

@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}",
+        "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}",
     ),
 )