(ctx context.Context, logger slog.Logger, err error)
| 75 | } |
| 76 | |
| 77 | func logNotAuthorizedError(ctx context.Context, logger slog.Logger, err error) error { |
| 78 | // Only log the errors if it is an UnauthorizedError error. |
| 79 | internalError := new(rbac.UnauthorizedError) |
| 80 | if err != nil && xerrors.As(err, &internalError) { |
| 81 | e := new(topdown.Error) |
| 82 | if xerrors.As(err, &e) || e.Code == topdown.CancelErr { |
| 83 | // For some reason rego changes a canceled context to a topdown.CancelErr. We |
| 84 | // expect to check for canceled context errors if the user cancels the request, |
| 85 | // so we should change the error to a context.Canceled error. |
| 86 | // |
| 87 | // NotAuthorizedError is == to sql.ErrNoRows, which is not correct |
| 88 | // if it's actually a canceled context. |
| 89 | contextError := *internalError |
| 90 | contextError.SetInternal(context.Canceled) |
| 91 | return &contextError |
| 92 | } |
| 93 | logger.Debug(ctx, "unauthorized", |
| 94 | slog.F("internal_error", internalError.Internal()), |
| 95 | slog.F("input", internalError.Input()), |
| 96 | slog.Error(err), |
| 97 | ) |
| 98 | } |
| 99 | |
| 100 | return NotAuthorizedError{ |
| 101 | Err: err, |
| 102 | } |
| 103 | } |
| 104 | |
| 105 | // querier is a wrapper around the database store that performs authorization |
| 106 | // checks before returning data. All querier methods expect an authorization |
no test coverage detected