Skip to content

fix: improve error message for insufficient privilege #590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+27 −30
Open

fix: improve error message for insufficient privilege #590

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 1 addition & 4 deletions src/storage/database/knex.ts
View file
Original file line number Diff line number Diff line change
@@ -798,10 +798,7 @@ export class DBError extends StorageBackendError implements RenderableError {
static fromDBError(pgError: DatabaseError, query?: string) {
switch (pgError.code) {
case '42501':
return ERRORS.AccessDenied(
'new row violates row-level security policy',
pgError
).withMetadata({
return ERRORS.AccessDenied('Database error: insufficient privilege', pgError).withMetadata({
query,
code: pgError.code,
})
6 changes: 3 additions & 3 deletions src/test/object.test.ts
View file
Original file line number Diff line number Diff line change
@@ -314,7 +314,7 @@ describe('testing POST object via multipart upload', () => {
JSON.stringify({
statusCode: '403',
error: 'Unauthorized',
message: 'new row violates row-level security policy',
message: 'Database error: insufficient privilege',
})
)
})
@@ -800,7 +800,7 @@ describe('testing POST object via binary upload', () => {
JSON.stringify({
statusCode: '403',
error: 'Unauthorized',
message: 'new row violates row-level security policy',
message: 'Database error: insufficient privilege',
})
)
})
@@ -1672,7 +1672,7 @@ describe('testing generating signed URL for upload', () => {
JSON.stringify({
statusCode: '403',
error: 'Unauthorized',
message: 'new row violates row-level security policy',
message: 'Database error: insufficient privilege',
})
)
// Ensure that row does not exist in database.
46 changes: 23 additions & 23 deletions src/test/rls_tests.yaml
View file
Original file line number Diff line number Diff line change
@@ -54,15 +54,15 @@ tests:
asserts:
- operation: upload
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload.upsert
status: 400
message: 'new row violates row-level security policy'
message: 'Database error: insufficient privilege'

- operation: bucket.create
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: bucket.delete
status: 400
@@ -113,15 +113,15 @@ tests:
asserts:
- operation: upload
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload.upsert
status: 400
message: 'new row violates row-level security policy'
message: 'Database error: insufficient privilege'

- operation: bucket.create
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: bucket.delete
status: 400
@@ -199,11 +199,11 @@ tests:

- operation: upload
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload.upsert
status: 400
message: 'new row violates row-level security policy'
message: 'Database error: insufficient privilege'

- operation: upload
policies:
@@ -240,19 +240,19 @@ tests:
asserts:
- operation: bucket.create
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: bucket.delete
status: 400
error: 'Bucket not found'

- operation: upload
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload.upsert
status: 400
message: 'new row violates row-level security policy'
message: 'Database error: insufficient privilege'

- operation: upload
policies:
@@ -281,7 +281,7 @@ tests:
asserts:
- operation: bucket.create
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: bucket.delete
status: 400
@@ -322,15 +322,15 @@ tests:

- operation: bucket.create
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload.upsert
status: 400
message: 'new row violates row-level security policy'
message: 'Database error: insufficient privilege'

- operation: upload
policies:
@@ -363,15 +363,15 @@ tests:

- operation: bucket.create
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload.upsert
status: 400
message: 'new row violates row-level security policy'
message: 'Database error: insufficient privilege'

- operation: upload
bucketName: 'bucket_delete_test_{{runId}}'
@@ -406,15 +406,15 @@ tests:

- operation: bucket.create
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload.upsert
status: 400
message: 'new row violates row-level security policy'
message: 'Database error: insufficient privilege'

- operation: upload
bucketName: 'bucket_to_move_{{runId}}'
@@ -446,7 +446,7 @@ tests:

- operation: bucket.create
status: 400
error: 'new row violates row-level security policy'
error: 'Database error: insufficient privilege'

- operation: upload
bucketName: 'bucket_{{runId}}'
@@ -457,7 +457,7 @@ tests:
useExistingBucketName: 'bucket_{{runId}}'
objectName: 'object_{{runId}}.txt'
status: 400
message: 'new row violates row-level security policy'
message: 'Database error: insufficient privilege'

- operation: upload
bucketName: 'bucket_to_copy_{{runId}}'

Unchanged files with check annotations Beta

View file
src/admin-app.ts
app.get('/metrics', async (req, reply) => {
if (registriesToMerge.length === 0) {
const globalRegistry = appInstance.metrics.client.register
const defaultRegistries = (appInstance.metrics as any).getCustomDefaultMetricsRegistries()

Check warning on line 19 in src/admin-app.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

Unexpected any. Specify a different type
const routeRegistries = (appInstance.metrics as any).getCustomRouteMetricsRegistries()

Check warning on line 20 in src/admin-app.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

Unexpected any. Specify a different type
registriesToMerge = Array.from(
new Set([globalRegistry, ...defaultRegistries, ...routeRegistries])
View file
src/config.ts
try {
const parsed = JSON.parse(jwtJWKS)
config.jwtJWKS = parsed
} catch (e: any) {

Check warning on line 450 in src/config.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

'e' is defined but never used

Check warning on line 450 in src/config.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

Unexpected any. Specify a different type
throw new Error('Unable to parse JWT_JWKS value to JSON')
}
}
View file
src/http/error-handler.ts
// Fastify errors
if ('statusCode' in error) {
const err = error as FastifyError
return reply.status((error as any).statusCode || 500).send({

Check warning on line 67 in src/http/error-handler.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

Unexpected any. Specify a different type
statusCode: `${err.statusCode}`,
error: err.name,
message: err.message,
View file
src/http/plugins/jwt.ts
fastify.decorateRequest('jwt', '')
fastify.decorateRequest('jwtPayload', undefined)
fastify.addHook('preHandler', async (request, reply) => {

Check warning on line 28 in src/http/plugins/jwt.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

'reply' is defined but never used
request.jwt = (request.headers.authorization || '').replace(BEARER, '')
if (!request.jwt && request.routeConfig.allowInvalidJwt) {
request.jwtPayload = payload
request.owner = payload.sub
request.isAuthenticated = true
} catch (err: any) {

Check warning on line 44 in src/http/plugins/jwt.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

Unexpected any. Specify a different type
request.jwtPayload = { role: 'anon' }
request.isAuthenticated = false
View file
src/http/plugins/log-request.ts
interface FastifyContextConfig {
operation?: { type: string }
resources?: (req: FastifyRequest<any>) => string[]

Check warning on line 21 in src/http/plugins/log-request.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

Unexpected any. Specify a different type
}
}
const resources = getFirstDefined<string[]>(
req.resources,
req.routeConfig.resources?.(req),
(req.raw as any).resources,

Check warning on line 63 in src/http/plugins/log-request.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

Unexpected any. Specify a different type
resourceFromParams ? [resourceFromParams] : ([] as string[])
)
const rId = req.id
const cIP = req.ip
const statusCode = options.statusCode
const error = (req.raw as any).executionError || req.executionError

Check warning on line 118 in src/http/plugins/log-request.ts

GitHub Actions / Test / OS ubuntu-20.04 / Node 20 

Unexpected any. Specify a different type
const tenantId = req.tenantId
const buildLogMessage = `${tenantId} | ${rMeth} | ${statusCode} | ${cIP} | ${rId} | ${rUrl} | ${uAgent}`