Merge pull request #1758 from tursodatabase/turso-509

Distinguish between missing namespace and lack of permissions to access it.
tursodatabase · Sep 27, 2024 · 6f7204e · 6f7204e
2 parents 9a6e342 + 5ff8afe
commit 6f7204e
Show file tree

Hide file tree

Showing 9 changed files with 15 additions and 12 deletions.
diff --git a/libsql-server/src/auth/authenticated.rs b/libsql-server/src/auth/authenticated.rs
@@ -67,12 +67,12 @@ impl Authenticated {
         perm: Permission,
     ) -> crate::Result<()> {
         match self {
-            Authenticated::Anonymous => Err(crate::Error::NotAuthorized(
+            Authenticated::Anonymous => Err(crate::Error::Forbidden(
                 "anonymous access not allowed".to_string(),
             )),
             Authenticated::Authorized(a) => {
                 if !a.has_right(Scope::Namespace(namespace.clone()), perm) {
-                    Err(crate::Error::NotAuthorized(format!(
+                    Err(crate::Error::Forbidden(format!(
                                 "Current session doesn't not have {perm:?} permission to namespace {namespace}")))
                 } else {
                     Ok(())
@@ -84,7 +84,7 @@ impl Authenticated {
                 {
                     Ok(())
                 } else {
-                    Err(crate::Error::NotAuthorized(format!(
+                    Err(crate::Error::Forbidden(format!(
                                 "Current session doesn't not have {perm:?} permission to namespace {namespace}")))
                 }
             }
@@ -95,7 +95,7 @@ impl Authenticated {
         match self {
             Authenticated::Authorized(a) if a.ddl_permitted(namespace) => Ok(()),
             Authenticated::FullAccess => Ok(()),
-            _ => Err(crate::Error::NotAuthorized(format!(
+            _ => Err(crate::Error::Forbidden(format!(
                 "DDL statements not permitted on namespace {namespace}"
             ))),
         }

diff --git a/libsql-server/src/connection/program.rs b/libsql-server/src/connection/program.rs
@@ -371,7 +371,7 @@ pub async fn check_program_auth(
             StmtKind::Attach(ref ns) => {
                 ctx.auth.has_right(ns, Permission::AttachRead)?;
                 if !ctx.meta_store.handle(ns.clone()).await.get().allow_attach {
-                    return Err(Error::NotAuthorized(format!(
+                    return Err(Error::Forbidden(format!(
                         "Namespace `{ns}` doesn't allow attach"
                     )));
                 }

diff --git a/libsql-server/src/error.rs b/libsql-server/src/error.rs
@@ -37,6 +37,8 @@ pub enum Error {
     InvalidBatchStep(usize),
     #[error("Not authorized to execute query: {0}")]
     NotAuthorized(String),
+    #[error("Authorization forbidden: {0}")]
+    Forbidden(String),
     #[error("The replicator exited, instance cannot make any progress.")]
     ReplicatorExited,
     #[error("Timed out while opening database connection")]
@@ -176,6 +178,7 @@ impl IntoResponse for &Error {
             Internal(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
             InvalidBatchStep(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
             NotAuthorized(_) => self.format_err(StatusCode::UNAUTHORIZED),
+            Forbidden(_) => self.format_err(StatusCode::FORBIDDEN),
             ReplicatorExited => self.format_err(StatusCode::SERVICE_UNAVAILABLE),
             DbCreateTimeout => self.format_err(StatusCode::TOO_MANY_REQUESTS),
             BuilderError(_) => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
@@ -185,7 +188,7 @@ impl IntoResponse for &Error {
             QueryError(_) => self.format_err(StatusCode::BAD_REQUEST),
             InvalidHost(_) => self.format_err(StatusCode::BAD_REQUEST),
             InvalidPath(_) => self.format_err(StatusCode::BAD_REQUEST),
-            NamespaceDoesntExist(_) => self.format_err(StatusCode::BAD_REQUEST),
+            NamespaceDoesntExist(_) => self.format_err(StatusCode::NOT_FOUND),
             PrimaryConnectionTimeout => self.format_err(StatusCode::INTERNAL_SERVER_ERROR),
             NamespaceAlreadyExist(_) => self.format_err(StatusCode::BAD_REQUEST),
             InvalidNamespace => self.format_err(StatusCode::BAD_REQUEST),

diff --git a/...r/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap b/...r/tests/namespaces/snapshots/tests__namespaces__shared_schema__check_migration_perms.snap
@@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have Write permission to namespace schema\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have Write permission to namespace schema\"}",
     ),
 )
diff --git a/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap b/libsql-server/tests/namespaces/snapshots/tests__namespaces__shared_schema__disable_ddl.snap
@@ -4,6 +4,6 @@ expression: "conn.execute(\"create table test (x)\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: DDL statements not permitted on namespace ns1\"}",
+        "{\"error\":\"Authorization forbidden: DDL statements not permitted on namespace ns1\"}",
     ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-2.snap
@@ -4,6 +4,6 @@ expression: "txn.execute(\"ATTACH DATABASE bar as bar\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace bar\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace bar\"}",
     ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth-3.snap
@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}",
+        "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}",
     ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_auth.snap
@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Current session doesn't not have AttachRead permission to namespace foo\"}",
+        "{\"error\":\"Authorization forbidden: Current session doesn't not have AttachRead permission to namespace foo\"}",
     ),
 )
diff --git a/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap b/libsql-server/tests/standalone/snapshots/tests__standalone__attach__attach_no_auth.snap
@@ -4,6 +4,6 @@ expression: "bar_conn.execute(\"ATTACH foo as foo\", ()).await.unwrap_err()"
 ---
 Hrana(
     Api(
-        "{\"error\":\"Not authorized to execute query: Namespace `foo` doesn't allow attach\"}",
+        "{\"error\":\"Authorization forbidden: Namespace `foo` doesn't allow attach\"}",
     ),
 )
-Original file line number
+Diff line change
@@ Expand Up @@
     ---
     Hrana(
         Api(
-            "{\"error\":\"Not authorized to execute query: Current session doesn't not have Write permission to namespace schema\"}",
+            "{\"error\":\"Authorization forbidden: Current session doesn't not have Write permission to namespace schema\"}",
         ),
     )