fix(grpc): retry transient errors when teams service is unavailable (#225)

Previously, repository authorization checks would return the
PermissionDenied code if the downstream API returned any error response,
regardless of actual authorization status.

This commit separates errors from the downstream API and the actual
authorization state, returning the Unavailable code instead for
the former case. This allows for deploy clients to automatically retry
transient errors.

Author: tronghn

pkg/grpc/interceptor/auth/server.go

@@ -36,7 +36,7 @@ type TokenValidator interface {
 }
 
 type TeamsClient interface {
-	IsAuthorized(ctx context.Context, repo, team string) bool
+	IsAuthorized(ctx context.Context, repo, team string) (bool, error)
 }
 
 type authData struct {
@@ -87,7 +87,12 @@ func (s *ServerInterceptor) UnaryServerInterceptor(ctx context.Context, req inte
 			return nil, status.Errorf(codes.InvalidArgument, "missing team in metadata")
 		}
 
-		if !s.TeamsClient.IsAuthorized(ctx, repo, team) {
+		authorized, err := s.TeamsClient.IsAuthorized(ctx, repo, team)
+		if err != nil {
+			metrics.InterceptorRequest(requestTypeJWT, "teams_service_error")
+			return nil, status.Errorf(codes.Unavailable, "something wrong happened when communicating with the teams service")
+		}
+		if !authorized {
 			metrics.InterceptorRequest(requestTypeJWT, "repo_not_authorized")
 			return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("repo %q not authorized by team %q", repo, team))
 		}
@@ -180,7 +185,11 @@ func (s *ServerInterceptor) StreamServerInterceptor(srv interface{}, ss grpc.Ser
 			return status.Errorf(codes.InvalidArgument, "missing team in metadata")
 		}
 
-		if !s.TeamsClient.IsAuthorized(ss.Context(), repo, team) {
+		authorized, err := s.TeamsClient.IsAuthorized(ss.Context(), repo, team)
+		if err != nil {
+			return status.Errorf(codes.Unavailable, "something wrong happened when communicating with the teams service")
+		}
+		if !authorized {
 			return status.Errorf(codes.PermissionDenied, fmt.Sprintf("repo %q not authorized by team %q", repo, team))
 		}
 	} else {

pkg/grpc/interceptor/auth/server_test.go

@@ -180,8 +180,8 @@ type mockTeamsClient struct {
 	authorized map[string]string
 }
 
-func (m *mockTeamsClient) IsAuthorized(ctx context.Context, repo, team string) bool {
-	return m.authorized[repo] == team
+func (m *mockTeamsClient) IsAuthorized(ctx context.Context, repo, team string) (bool, error) {
+	return m.authorized[repo] == team, nil
 }
 
 func handler(ctx context.Context, req any) (any, error) {

pkg/naisapi/naisapi.go

@@ -30,15 +30,15 @@ func NewClient(target string, insecureConnection bool) (*Client, error) {
 	}, nil
 }
 
-func (c *Client) IsAuthorized(ctx context.Context, repo, team string) bool {
+func (c *Client) IsAuthorized(ctx context.Context, repo, team string) (bool, error) {
 	resp, err := c.client.IsRepositoryAuthorized(ctx, &protoapi.IsRepositoryAuthorizedRequest{
 		TeamSlug:   team,
 		Repository: repo,
 	})
 	if err != nil {
 		log.WithError(err).Error("checking repo authorization in teams")
-		return false
+		return false, err
 	}
 
-	return resp.IsAuthorized
+	return resp.IsAuthorized, nil
 }