chainloop-dev · migmartri · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/app/controlplane/pkg/biz/workflowcontract.go b/app/controlplane/pkg/biz/workflowcontract.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024-2025 The Chainloop Authors.
+// Copyright 2024-2026 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -500,6 +500,9 @@ func (uc *WorkflowContractUseCase) ValidatePolicyAttachment(providerName string,
 	}
 
 	if err = provider.ValidateAttachment(att, token); err != nil {
+		if errors.Is(err, policies.ErrUnauthorized) {
+			return NewErrUnauthorized(fmt.Errorf("invalid attachment: %w", err))
+		}
 		return fmt.Errorf("invalid attachment: %w", err)
 	}
 
@@ -695,6 +698,9 @@ func (uc *WorkflowContractUseCase) GetPolicy(providerName, policyName, policyOrg
 		if errors.Is(err, policies.ErrNotFound) {
 			return nil, NewErrNotFound(fmt.Sprintf("policy %q", policyName))
 		}
+		if errors.Is(err, policies.ErrUnauthorized) {
+			return nil, NewErrUnauthorized(fmt.Errorf("failed to resolve policy %q: %w", policyName, err))
+		}
 
 		return nil, fmt.Errorf("failed to resolve policy: %w. Available providers: %s", err, uc.policyRegistry.GetProviderNames())
 	}
@@ -716,6 +722,9 @@ func (uc *WorkflowContractUseCase) GetPolicyGroup(providerName, groupName, group
 		if errors.Is(err, policies.ErrNotFound) {
 			return nil, NewErrNotFound(fmt.Sprintf("policy group %q", groupName))
 		}
+		if errors.Is(err, policies.ErrUnauthorized) {
+			return nil, NewErrUnauthorized(fmt.Errorf("failed to resolve policy group %q: %w", groupName, err))
+		}
 
 		return nil, fmt.Errorf("failed to resolve policy: %w. Available providers: %s", err, uc.policyRegistry.GetProviderNames())
 	}

diff --git a/app/controlplane/pkg/policies/policyprovider.go b/app/controlplane/pkg/policies/policyprovider.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2024-2025 The Chainloop Authors.
+// Copyright 2024-2026 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -78,7 +78,10 @@ type ProviderAuthOpts struct {
 	OrgName string
 }
 
-var ErrNotFound = fmt.Errorf("policy not found")
+var (
+	ErrNotFound     = fmt.Errorf("policy not found")
+	ErrUnauthorized = fmt.Errorf("unauthorized request to policy provider")
+)
 
 // Resolve calls the remote provider for retrieving a policy
 func (p *PolicyProvider) Resolve(policyName, policyOrgName string, authOpts ProviderAuthOpts) (*schemaapi.Policy, *PolicyReference, error) {
@@ -147,12 +150,15 @@ func (p *PolicyProvider) ValidateAttachment(att *schemaapi.PolicyAttachment, tok
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		if resp.StatusCode == http.StatusNotFound || resp.StatusCode == http.StatusMethodNotAllowed {
+		switch resp.StatusCode {
+		case http.StatusNotFound, http.StatusMethodNotAllowed:
 			// Ignore endpoint not found as it might not be implemented by the provider
 			return nil
+		case http.StatusUnauthorized, http.StatusForbidden:
+			return ErrUnauthorized
+		default:
+			return fmt.Errorf("expected status code 200 but got %d", resp.StatusCode)
 		}
-
-		return fmt.Errorf("expected status code 200 but got %d", resp.StatusCode)
 	}
 
 	resBytes, err := io.ReadAll(resp.Body)
@@ -233,11 +239,14 @@ func (p *PolicyProvider) queryProvider(url *url.URL, digest, orgName string, aut
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		if resp.StatusCode == http.StatusNotFound {
+		switch resp.StatusCode {
+		case http.StatusNotFound:
 			return "", "", ErrNotFound
+		case http.StatusUnauthorized, http.StatusForbidden:
+			return "", "", ErrUnauthorized
+		default:
+			return "", "", fmt.Errorf("expected status code 200 but got %d", resp.StatusCode)
 		}
-
-		return "", "", fmt.Errorf("expected status code 200 but got %d", resp.StatusCode)
 	}
 
 	resBytes, err := io.ReadAll(resp.Body)

diff --git a/app/controlplane/pkg/policies/policyprovider_http_test.go b/app/controlplane/pkg/policies/policyprovider_http_test.go
@@ -0,0 +1,185 @@
+//
+// Copyright 2026 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policies
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestResolveHTTPStatusHandling(t *testing.T) {
+	testCases := []struct {
+		name       string
+		statusCode int
+		wantErr    error
+	}{
+		{
+			name:       "401 returns ErrUnauthorized",
+			statusCode: http.StatusUnauthorized,
+			wantErr:    ErrUnauthorized,
+		},
+		{
+			name:       "403 returns ErrUnauthorized",
+			statusCode: http.StatusForbidden,
+			wantErr:    ErrUnauthorized,
+		},
+		{
+			name:       "404 returns ErrNotFound",
+			statusCode: http.StatusNotFound,
+			wantErr:    ErrNotFound,
+		},
+		{
+			name:       "500 returns generic error",
+			statusCode: http.StatusInternalServerError,
+			wantErr:    nil, // generic error, not a sentinel
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+				w.WriteHeader(tc.statusCode)
+			}))
+			defer server.Close()
+
+			provider := &PolicyProvider{
+				name: "test",
+				url:  server.URL,
+			}
+
+			_, _, err := provider.Resolve("test-policy", "", ProviderAuthOpts{Token: "test-token"})
+			require.Error(t, err)
+
+			if tc.wantErr != nil {
+				assert.ErrorIs(t, err, tc.wantErr)
+			} else {
+				assert.NotErrorIs(t, err, ErrUnauthorized)
+				assert.NotErrorIs(t, err, ErrNotFound)
+				assert.Contains(t, err.Error(), fmt.Sprintf("got %d", tc.statusCode))
+			}
+		})
+	}
+}
+
+func TestResolveGroupHTTPStatusHandling(t *testing.T) {
+	testCases := []struct {
+		name       string
+		statusCode int
+		wantErr    error
+	}{
+		{
+			name:       "401 returns ErrUnauthorized",
+			statusCode: http.StatusUnauthorized,
+			wantErr:    ErrUnauthorized,
+		},
+		{
+			name:       "403 returns ErrUnauthorized",
+			statusCode: http.StatusForbidden,
+			wantErr:    ErrUnauthorized,
+		},
+		{
+			name:       "404 returns ErrNotFound",
+			statusCode: http.StatusNotFound,
+			wantErr:    ErrNotFound,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+				w.WriteHeader(tc.statusCode)
+			}))
+			defer server.Close()
+
+			provider := &PolicyProvider{
+				name: "test",
+				url:  server.URL,
+			}
+
+			_, _, err := provider.ResolveGroup("test-group", "", ProviderAuthOpts{Token: "test-token"})
+			require.Error(t, err)
+			assert.ErrorIs(t, err, tc.wantErr)
+		})
+	}
+}
+
+func TestValidateAttachmentHTTPStatusHandling(t *testing.T) {
+	testCases := []struct {
+		name       string
+		statusCode int
+		wantErr    error
+		errNil     bool
+	}{
+		{
+			name:       "401 returns ErrUnauthorized",
+			statusCode: http.StatusUnauthorized,
+			wantErr:    ErrUnauthorized,
+		},
+		{
+			name:       "403 returns ErrUnauthorized",
+			statusCode: http.StatusForbidden,
+			wantErr:    ErrUnauthorized,
+		},
+		{
+			name:       "404 is ignored",
+			statusCode: http.StatusNotFound,
+			errNil:     true,
+		},
+		{
+			name:       "405 is ignored",
+			statusCode: http.StatusMethodNotAllowed,
+			errNil:     true,
+		},
+		{
+			name:       "500 returns generic error",
+			statusCode: http.StatusInternalServerError,
+			wantErr:    nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+				w.WriteHeader(tc.statusCode)
+			}))
+			defer server.Close()
+
+			provider := &PolicyProvider{
+				name: "test",
+				url:  server.URL,
+			}
+
+			err := provider.ValidateAttachment(nil, "test-token")
+			if tc.errNil {
+				assert.NoError(t, err)
+				return
+			}
+
+			require.Error(t, err)
+			if tc.wantErr != nil {
+				assert.ErrorIs(t, err, tc.wantErr)
+			} else {
+				assert.NotErrorIs(t, err, ErrUnauthorized)
+				assert.Contains(t, err.Error(), fmt.Sprintf("got %d", tc.statusCode))
+			}
+		})
+	}
+}