fix(policies): handle 401/403 from policy provider as unauthorized error #2962

Merged
migmartri merged 3 commits into chainloop-dev:main from migmartri:fix/policy-provider-401-handling
Mar 30, 2026
@migmartri
Member

Summary

  • Added ErrUnauthorized sentinel error in the policies package for HTTP 401/403 responses from policy providers
  • Mapped this error to biz.ErrUnauthorized in GetPolicy, GetPolicyGroup, and ValidatePolicyAttachment so it surfaces as a gRPC PERMISSION_DENIED with a descriptive message instead of being masked as an internal error
  • Added table-driven tests covering HTTP status code handling for Resolve, ResolveGroup, and ValidateAttachment

Previously, HTTP 401/403 responses from policy providers were returned
as generic errors, falling through to LogAndMaskErr which masked them
from the client. Now they surface as proper unauthorized errors with
descriptive messages.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri requested a review from jiparis March 30, 2026 19:15
@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files

Read the response body from the policy provider and include it in the
error so the caller sees the actual reason for the rejection instead
of a bare sentinel.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Upstream policy providers return structured JSON with a reason field.
Parse the response body and extract the reason for a clearer error
message instead of dumping the raw JSON blob.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri merged commit 1041f32 into chainloop-dev:main Mar 30, 2026
15 checks passed
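
The handling described in this PR, sketched as an added Go example that is not the Chainloop code. Only `ErrUnauthorized` and the `reason` field come from the PR text; `checkProviderResponse`, `rejectionReason`, `fakeResponse`, the 4 KiB body cap and the fallback string are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ErrUnauthorized mirrors the sentinel named in the PR summary.
var ErrUnauthorized = errors.New("unauthorized")

const maxBody = 4 << 10 // assumed cap on how much of an upstream error body is read

// checkProviderResponse (hypothetical helper) maps a provider response to an error.
func checkProviderResponse(resp *http.Response) error {
	switch resp.StatusCode {
	case http.StatusOK:
		return nil
	case http.StatusUnauthorized, http.StatusForbidden:
		// Wrap the sentinel so callers can match it with errors.Is.
		return fmt.Errorf("%w: %s", ErrUnauthorized, rejectionReason(resp.Body))
	default:
		return fmt.Errorf("policy provider returned status %d", resp.StatusCode)
	}
}

// rejectionReason extracts the "reason" field; an empty, oversized or
// non-JSON body yields a fixed string rather than raw upstream content.
func rejectionReason(body io.Reader) string {
	raw, err := io.ReadAll(io.LimitReader(body, maxBody))
	if err != nil {
		return "no reason provided"
	}
	var payload struct{ Reason string `json:"reason"` }
	if json.Unmarshal(raw, &payload) != nil || strings.TrimSpace(payload.Reason) == "" {
		return "no reason provided"
	}
	return payload.Reason
}

// fakeResponse builds a constructed provider response for the demo.
func fakeResponse(status int, body string) *http.Response {
	return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(body))}
}

func main() {
	err := checkProviderResponse(fakeResponse(403, `{"reason":"token lacks access to policy"}`))
	fmt.Println(errors.Is(err, ErrUnauthorized), err)
}
```

Because the sentinel is wrapped with `%w`, a caller can test `errors.Is(err, ErrUnauthorized)` and translate it into a permission error instead of letting it fall through to a masked internal error.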