Address incorrect errors

Emyrk · Emyrk · commit 29e7c464329b · 2023-02-03T09:32:35.000-06:00
diff --git a/coderd/authzquery/authz.go b/coderd/authzquery/authz.go
@@ -268,7 +268,7 @@ func fetchWithPostFilter[ArgumentType any, ObjectType rbac.Objecter,
 // are predicated on the RBAC permissions of the related Template object.
 func queryWithRelated[ObjectType any, ArgumentType any, Related rbac.Objecter](
 	// Arguments
-	_ slog.Logger,
+	logger slog.Logger,
 	authorizer rbac.Authorizer,
 	action rbac.Action,
 	relatedFunc func(ObjectType, ArgumentType) (Related, error),
@@ -277,7 +277,7 @@ func queryWithRelated[ObjectType any, ArgumentType any, Related rbac.Objecter](
 		// Fetch the rbac subject
 		act, ok := ActorFromContext(ctx)
 		if !ok {
-			return empty, xerrors.Errorf("no authorization actor in context")
+			return empty, NoActorError
 		}
 
 		// Fetch the rbac object
@@ -295,7 +295,7 @@ func queryWithRelated[ObjectType any, ArgumentType any, Related rbac.Objecter](
 		// Authorize the action
 		err = authorizer.Authorize(ctx, act, action, rel.RBACObject())
 		if err != nil {
-			return empty, xerrors.Errorf("unauthorized: %w", err)
+			return empty, LogNotAuthorizedError(ctx, logger, err)
 		}
 
 		return obj, nil
diff --git a/coderd/authzquery/job.go b/coderd/authzquery/job.go
@@ -100,7 +100,7 @@ func (q *AuthzQuerier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID)
 			return database.ProvisionerJob{}, err
 		}
 	default:
-		return database.ProvisionerJob{}, xerrors.Errorf("unknown job type: %q", job.Type)
+		return database.ProvisionerJob{},  xerrors.Errorf("unknown job type: %q", job.Type)
 	}
 
 	return job, nil
diff --git a/coderd/authzquery/workspace.go b/coderd/authzquery/workspace.go
@@ -89,13 +89,13 @@ func (q *AuthzQuerier) GetWorkspaceAgentsByResourceIDs(ctx context.Context, ids
 		if err == nil {
 			continue
 		}
-		if errors.Is(err, sql.ErrNoRows) {
+		if errors.Is(err, sql.ErrNoRows) && !errors.As(err, &NotAuthorizedError{}) {
 			// The agent is not tied to a workspace, likely from an orphaned template version.
 			// Just return it.
 			continue
 		}
 		// Otherwise, we cannot read the workspace, so we cannot read the agent.
-		return nil, err
+		return nil, LogNotAuthorizedError(ctx, q.log, err)
 	}
 	return agents, nil
 }
@@ -221,15 +221,15 @@ func (q *AuthzQuerier) GetWorkspaceResourceByID(ctx context.Context, id uuid.UUI
 
 	build, err := q.db.GetWorkspaceBuildByJobID(ctx, resource.JobID)
 	if err != nil {
-		return database.WorkspaceResource{}, nil
+		return database.WorkspaceResource{}, err
 	}
 
 	// If the workspace can be read, then the resource can be read.
 	_, err = fetch(q.log, q.auth, q.db.GetWorkspaceByID)(ctx, build.WorkspaceID)
 	if err != nil {
-		return database.WorkspaceResource{}, nil
+		return database.WorkspaceResource{}, err
 	}
-	return resource, err
+	return resource, nil
 }
 
 // GetWorkspaceResourceMetadataByResourceIDs is an all or nothing call. If a single resource is not authorized, then

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ func (q *AuthzQuerier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID)`
`100`	`100`	`return database.ProvisionerJob{}, err`
`101`	`101`	`}`
`102`	`102`	`default:`
`103`		`- return database.ProvisionerJob{}, xerrors.Errorf("unknown job type: %q", job.Type)`
	`103`	`+ return database.ProvisionerJob{}, xerrors.Errorf("unknown job type: %q", job.Type)`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`return job, nil`
Original file line number	Diff line number	Diff line change
`@@ -89,13 +89,13 @@ func (q *AuthzQuerier) GetWorkspaceAgentsByResourceIDs(ctx context.Context, ids`
`89`	`89`	`if err == nil {`
`90`	`90`	`continue`
`91`	`91`	`}`
`92`		`- if errors.Is(err, sql.ErrNoRows) {`
	`92`	`+ if errors.Is(err, sql.ErrNoRows) && !errors.As(err, &NotAuthorizedError{}) {`
`93`	`93`	`// The agent is not tied to a workspace, likely from an orphaned template version.`
`94`	`94`	`// Just return it.`
`95`	`95`	`continue`
`96`	`96`	`}`
`97`	`97`	`// Otherwise, we cannot read the workspace, so we cannot read the agent.`
`98`		`- return nil, err`
	`98`	`+ return nil, LogNotAuthorizedError(ctx, q.log, err)`
`99`	`99`	`}`
`100`	`100`	`return agents, nil`
`101`	`101`	`}`
`@@ -221,15 +221,15 @@ func (q *AuthzQuerier) GetWorkspaceResourceByID(ctx context.Context, id uuid.UUI`
`221`	`221`
`222`	`222`	`build, err := q.db.GetWorkspaceBuildByJobID(ctx, resource.JobID)`
`223`	`223`	`if err != nil {`
`224`		`- return database.WorkspaceResource{}, nil`
	`224`	`+ return database.WorkspaceResource{}, err`
`225`	`225`	`}`
`226`	`226`
`227`	`227`	`// If the workspace can be read, then the resource can be read.`
`228`	`228`	`_, err = fetch(q.log, q.auth, q.db.GetWorkspaceByID)(ctx, build.WorkspaceID)`
`229`	`229`	`if err != nil {`
`230`		`- return database.WorkspaceResource{}, nil`
	`230`	`+ return database.WorkspaceResource{}, err`
`231`	`231`	`}`
`232`		`- return resource, err`
	`232`	`+ return resource, nil`
`233`	`233`	`}`
`234`	`234`
`235`	`235`	`// GetWorkspaceResourceMetadataByResourceIDs is an all or nothing call. If a single resource is not authorized, then`