From 5ff8afe43e58ba928102add5a905187422592098 Mon Sep 17 00:00:00 2001 From: Piotr Jastrzebski Date: Fri, 27 Sep 2024 17:49:51 +0200 Subject: [PATCH] Treat permission denied as 403 Signed-off-by: Piotr Jastrzebski --- libsql-server/src/auth/authenticated.rs | 8 ++++---- libsql-server/src/connection/program.rs | 2 +- libsql-server/src/error.rs | 3 +++ ..._namespaces__shared_schema__check_migration_perms.snap | 2 +- .../tests__namespaces__shared_schema__disable_ddl.snap | 2 +- .../tests__standalone__attach__attach_auth-2.snap | 2 +- .../tests__standalone__attach__attach_auth-3.snap | 2 +- .../snapshots/tests__standalone__attach__attach_auth.snap | 2 +- .../tests__standalone__attach__attach_no_auth.snap | 2 +- 9 files changed, 14 insertions(+), 11 deletions(-) diff --git a/libsql-server/src/auth/authenticated.rs b/libsql-server/src/auth/authenticated.rs index d23a8f3dfa..2e0c899ade 100644 --- a/libsql-server/src/auth/authenticated.rs +++ b/libsql-server/src/auth/authenticated.rs @@ -67,12 +67,12 @@ impl Authenticated { perm: Permission, ) -> crate::Result<()> { match self { - Authenticated::Anonymous => Err(crate::Error::NotAuthorized( + Authenticated::Anonymous => Err(crate::Error::Forbidden( "anonymous access not allowed".to_string(), )), Authenticated::Authorized(a) => { if !a.has_right(Scope::Namespace(namespace.clone()), perm) { - Err(crate::Error::NotAuthorized(format!( + Err(crate::Error::Forbidden(format!( "Current session doesn't not have {perm:?} permission to namespace {namespace}"))) } else { Ok(()) @@ -84,7 +84,7 @@ impl Authenticated { { Ok(()) } else { - Err(crate::Error::NotAuthorized(format!( + Err(crate::Error::Forbidden(format!( "Current session doesn't not have {perm:?} permission to namespace {namespace}"))) } } @@ -95,7 +95,7 @@ impl Authenticated { match self { Authenticated::Authorized(a) if a.ddl_permitted(namespace) => Ok(()), Authenticated::FullAccess => Ok(()), - _ => Err(crate::Error::NotAuthorized(format!( + _ => Err(crate::Error::Forbidden(format!( "DDL statements not permitted on namespace {namespace}" ))), } diff --git a/libsql-server/src/connection/program.rs b/libsql-server/src/connection/program.rs index 7b009b8589..08dd9526f3 100644 --- a/libsql-server/src/connection/program.rs +++ b/libsql-server/src/connection/program.rs @@ -371,7 +371,7 @@ pub async fn check_program_auth( StmtKind::Attach(ref ns) => { ctx.auth.has_right(ns, Permission::AttachRead)?; if !ctx.meta_store.handle(ns.clone()).await.get().allow_attach { - return Err(Error::NotAuthorized(format!( + return Err(Error::Forbidden(format!( "Namespace `{ns}` doesn't allow attach" ))); } diff --git a/libsql-server/src/error.rs b/libsql-server/src/error.rs index 89f40b09e0..be7e9f491b 100644 --- a/libsql-server/src/error.rs +++ b/libsql-server/src/error.rs @@ -37,6 +37,8 @@ pub enum Error { InvalidBatchStep(usize), #[error("Not authorized to execute query: {0}")] NotAuthorized(String), + #[error("Authorization forbidden: {0}")] + Forbidden(String), #[error("The replicator exited, instance cannot make any progress.")] ReplicatorExited, #[error("Timed out while opening database connection")] @@ -176,6 +178,7 @@ impl IntoResponse for &Error { Internal(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR), InvalidBatchStep(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR), NotAuthorized(_) => self.format_err(StatusCode::UNAUTHORIZED), + Forbidden(_) => self.format_err(StatusCode::FORBIDDEN), ReplicatorExited => self.format_err(StatusCode::SERVICE_UNAVAILABLE), DbCreateTimeout => self.format_err(StatusCode::TOO_MANY_REQUESTS), BuilderError(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR), diff --git a/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap b/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap index 8976ca2549..5e0da980ca 100644 --- a/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap +++ b/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap @@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()" --- Hrana( Api( - "{\"error\":\"Not authorized to execute query: Current session doesn't not have Write permission to namespace schema\"}", + "{\"error\":\"Authorization forbidden: Current session doesn't not have Write permission to namespace schema\"}", ), ) diff --git a/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap b/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap index 231928e4db..2a001980a4 100644 --- a/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap +++ b/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap @@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()" --- Hrana( Api( - "{\"error\":\"Not authorized to execute query: DDL statements not permitted on namespace ns1\"}", + "{\"error\":\"Authorization forbidden: DDL statements not permitted on namespace ns1\"}", ), ) diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap index b85cfec07a..0adc6a4392 100644 --- a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap +++ b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap @@ -4,6 +4,6 @@ expression: "txn.execute(\"ATTACH DATABASE bar as bar\", ()).await.unwrap_err()" --- Hrana( Api( - "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace bar\"}", + "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace bar\"}", ), ) diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap index bc5b791048..3045a81510 100644 --- a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap +++ b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap @@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()" --- Hrana( Api( - "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}", + "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}", ), ) diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap index 4846fb5d3c..99cacae60e 100644 --- a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap +++ b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap @@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()" --- Hrana( Api( - "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace foo\"}", + "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace foo\"}", ), ) diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap index bc5b791048..3045a81510 100644 --- a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap +++ b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap @@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()" --- Hrana( Api( - "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}", + "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}", ), )