rbac: add IsUnauthorizedError, return 404 if UnauthorizedError in organizationByUserAndName

johnstcn · johnstcn · commit d5997538d204 · 2023-02-02T11:16:53.000Z
diff --git a/coderd/rbac/error.go b/coderd/rbac/error.go
@@ -1,6 +1,10 @@
 package rbac
 
-import "github.com/open-policy-agent/opa/rego"
+import (
+	"errors"
+
+	"github.com/open-policy-agent/opa/rego"
+)
 
 const (
 	// errUnauthorized is the error message that should be returned to
@@ -18,6 +22,12 @@ type UnauthorizedError struct {
 	output   rego.ResultSet
 }
 
+// IsUnauthorizedError is a convenience function to check if err is UnauthorizedError.
+// It is equivalent to errors.As(err, &UnauthorizedError{}).
+func IsUnauthorizedError(err error) bool {
+	return errors.As(err, &UnauthorizedError{})
+}
+
 // ForbiddenWithInternal creates a new error that will return a simple
 // "forbidden" to the client, logging internally the more detailed message
 // provided.
@@ -50,3 +60,11 @@ func (e *UnauthorizedError) Input() map[string]interface{} {
 func (e *UnauthorizedError) Output() rego.ResultSet {
 	return e.output
 }
+
+// As implements the errors.As interface.
+func (*UnauthorizedError) As(target interface{}) bool {
+	if _, ok := target.(*UnauthorizedError); ok {
+		return true
+	}
+	return false
+}
diff --git a/coderd/rbac/error_test.go b/coderd/rbac/error_test.go
@@ -0,0 +1,30 @@
+package rbac
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
+)
+
+func TestIsUnauthorizedError(t *testing.T) {
+	t.Parallel()
+	t.Run("NotWrapped", func(t *testing.T) {
+		t.Parallel()
+		errFunc := func() error {
+			return UnauthorizedError{}
+		}
+
+		err := errFunc()
+		require.True(t, IsUnauthorizedError(err))
+	})
+
+	t.Run("Wrapped", func(t *testing.T) {
+		t.Parallel()
+		errFunc := func() error {
+			return xerrors.Errorf("test error: %w", UnauthorizedError{})
+		}
+		err := errFunc()
+		require.True(t, IsUnauthorizedError(err))
+	})
+}
diff --git a/coderd/users.go b/coderd/users.go
@@ -966,7 +966,7 @@ func (api *API) organizationByUserAndName(rw http.ResponseWriter, r *http.Reques
 	ctx := r.Context()
 	organizationName := chi.URLParam(r, "organizationname")
 	organization, err := api.Database.GetOrganizationByName(ctx, organizationName)
-	if errors.Is(err, sql.ErrNoRows) {
+	if errors.Is(err, sql.ErrNoRows) || rbac.IsUnauthorizedError(err) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}

Original file line number	Diff line number	Diff line change
`@@ -966,7 +966,7 @@ func (api API) organizationByUserAndName(rw http.ResponseWriter, r http.Reques`
`966`	`966`	`ctx := r.Context()`
`967`	`967`	`organizationName := chi.URLParam(r, "organizationname")`
`968`	`968`	`organization, err := api.Database.GetOrganizationByName(ctx, organizationName)`
`969`		`- if errors.Is(err, sql.ErrNoRows) {`
	`969`	`+ if errors.Is(err, sql.ErrNoRows) \|\| rbac.IsUnauthorizedError(err) {`
`970`	`970`	`httpapi.ResourceNotFound(rw)`
`971`	`971`	`return`
`972`	`972`	`}`