report_err_cleanup

services/api/src/context/mod.rs

@@ -12,7 +12,7 @@ mod secret_key;
 
 pub use database::{Database, DbConnection};
 pub use messenger::{Body, ButtonBody, Email, Message, Messenger, NewUserBody};
-pub use rbac::Rbac;
+pub use rbac::{Rbac, RbacError};
 pub use secret_key::{JwtError, SecretKey};
 
 pub struct ApiContext {

services/api/src/context/rbac.rs

@@ -1,7 +1,7 @@
 use bencher_rbac::{Organization, Project};
 use oso::{Oso, ToPolar};
 
-use crate::{model::user::auth::AuthUser, ApiError};
+use crate::model::user::auth::AuthUser;
 
 pub struct Rbac(pub Oso);
 
@@ -11,21 +11,41 @@ impl From<Oso> for Rbac {
     }
 }
 
+#[derive(Debug, thiserror::Error)]
+pub enum RbacError {
+    #[error("Failed to check permissions: {0}")]
+    IsAllowed(oso::OsoError),
+    #[error("Permission ({permission}) denied for user ({auth_user:?}) on organization ({organization:?})")]
+    IsAllowedOrganization {
+        auth_user: AuthUser,
+        permission: bencher_rbac::organization::Permission,
+        organization: Organization,
+    },
+    #[error("Permission ({permission}) denied for user ({auth_user:?}) on project ({project:?})")]
+    IsAllowedProject {
+        auth_user: AuthUser,
+        permission: bencher_rbac::project::Permission,
+        project: Project,
+    },
+}
+
 impl Rbac {
     pub fn is_allowed<Actor, Action, Resource>(
         &self,
         actor: Actor,
         action: Action,
         resource: Resource,
-    ) -> Result<bool, ApiError>
+    ) -> Result<bool, RbacError>
     where
         Actor: ToPolar,
         Action: ToPolar,
         Resource: ToPolar,
     {
-        self.0
-            .is_allowed(actor, action, resource)
-            .map_err(ApiError::IsAllowed)
+        self.0.is_allowed(actor, action, resource).map_err(|e| {
+            #[cfg(feature = "sentry")]
+            sentry::capture_error(&e);
+            RbacError::IsAllowed(e)
+        })
     }
 
     pub fn is_allowed_unwrap<Actor, Action, Resource>(
@@ -49,11 +69,11 @@ impl Rbac {
         auth_user: &AuthUser,
         permission: bencher_rbac::organization::Permission,
         organization: impl Into<Organization>,
-    ) -> Result<(), ApiError> {
+    ) -> Result<(), RbacError> {
         let organization = organization.into();
         self.is_allowed_unwrap(auth_user, permission, organization.clone())
             .then_some(())
-            .ok_or_else(|| ApiError::IsAllowedOrganization {
+            .ok_or_else(|| RbacError::IsAllowedOrganization {
                 auth_user: auth_user.clone(),
                 permission,
                 organization,
@@ -65,11 +85,11 @@ impl Rbac {
         auth_user: &AuthUser,
         permission: bencher_rbac::project::Permission,
         project: impl Into<Project>,
-    ) -> Result<(), ApiError> {
+    ) -> Result<(), RbacError> {
         let project = project.into();
         self.is_allowed_unwrap(auth_user, permission, project.clone())
             .then_some(())
-            .ok_or_else(|| ApiError::IsAllowedProject {
+            .ok_or_else(|| RbacError::IsAllowedProject {
                 auth_user: auth_user.clone(),
                 permission,
                 project,

services/api/src/endpoints/organization/allowed.rs

@@ -51,7 +51,13 @@ pub async fn org_allowed_get(
 
     let json = get_inner(rqctx.context(), path_params.into_inner(), &auth_user)
         .await
-        .map_err(|e| endpoint.err(e))?;
+        .map_err(|e| {
+            if let ApiError::HttpError(e) = e {
+                e
+            } else {
+                endpoint.err(e).into()
+            }
+        })?;
 
     response_ok!(endpoint, json)
 }

services/api/src/endpoints/organization/members.rs

@@ -96,7 +96,13 @@ pub async fn org_members_get(
         endpoint,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_ok!(endpoint, json)
 }
@@ -182,7 +188,13 @@ pub async fn org_member_post(
         &auth_user,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_accepted!(endpoint, json)
 }
@@ -309,7 +321,13 @@ pub async fn org_member_get(
 
     let json = get_one_inner(rqctx.context(), path_params.into_inner(), &auth_user)
         .await
-        .map_err(|e| endpoint.err(e))?;
+        .map_err(|e| {
+            if let ApiError::HttpError(e) = e {
+                e
+            } else {
+                endpoint.err(e).into()
+            }
+        })?;
 
     response_ok!(endpoint, json)
 }
@@ -353,7 +371,13 @@ pub async fn org_member_patch(
         &auth_user,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_accepted!(endpoint, json)
 }
@@ -405,7 +429,13 @@ pub async fn org_member_delete(
 
     let json = delete_inner(rqctx.context(), path_params.into_inner(), &auth_user)
         .await
-        .map_err(|e| endpoint.err(e))?;
+        .map_err(|e| {
+            if let ApiError::HttpError(e) = e {
+                e
+            } else {
+                endpoint.err(e).into()
+            }
+        })?;
 
     response_accepted!(endpoint, json)
 }

services/api/src/endpoints/organization/organizations.rs

@@ -84,7 +84,13 @@ pub async fn organizations_get(
         endpoint,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_ok!(endpoint, json)
 }
@@ -146,7 +152,13 @@ pub async fn organization_post(
 
     let json = post_inner(rqctx.context(), body.into_inner(), &auth_user)
         .await
-        .map_err(|e| endpoint.err(e))?;
+        .map_err(|e| {
+            if let ApiError::HttpError(e) = e {
+                e
+            } else {
+                endpoint.err(e).into()
+            }
+        })?;
 
     response_accepted!(endpoint, json)
 }
@@ -222,7 +234,13 @@ pub async fn organization_get(
 
     let json = get_one_inner(rqctx.context(), path_params.into_inner(), &auth_user)
         .await
-        .map_err(|e| endpoint.err(e))?;
+        .map_err(|e| {
+            if let ApiError::HttpError(e) = e {
+                e
+            } else {
+                endpoint.err(e).into()
+            }
+        })?;
 
     response_ok!(endpoint, json)
 }
@@ -265,7 +283,13 @@ pub async fn organization_patch(
         &auth_user,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_accepted!(endpoint, json)
 }

services/api/src/endpoints/organization/plan.rs

@@ -69,7 +69,13 @@ pub async fn org_plan_post(
         &auth_user,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_accepted!(endpoint, json)
 }
@@ -154,7 +160,13 @@ pub async fn org_plan_get(
 
     let json = get_one_inner(rqctx.context(), path_params.into_inner(), &auth_user)
         .await
-        .map_err(|e| endpoint.err(e))?;
+        .map_err(|e| {
+            if let ApiError::HttpError(e) = e {
+                e
+            } else {
+                endpoint.err(e).into()
+            }
+        })?;
 
     response_ok!(endpoint, json)
 }

services/api/src/endpoints/organization/projects.rs

@@ -96,7 +96,13 @@ pub async fn org_projects_get(
         endpoint,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_ok!(endpoint, json)
 }
@@ -162,7 +168,13 @@ pub async fn org_project_post(
         &auth_user,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_accepted!(endpoint, json)
 }

services/api/src/endpoints/organization/usage.rs

@@ -71,7 +71,13 @@ pub async fn org_usage_get(
         &auth_user,
     )
     .await
-    .map_err(|e| endpoint.err(e))?;
+    .map_err(|e| {
+        if let ApiError::HttpError(e) = e {
+            e
+        } else {
+            endpoint.err(e).into()
+        }
+    })?;
 
     response_ok!(endpoint, json)
 }

services/api/src/endpoints/project/allowed.rs

@@ -51,7 +51,13 @@ pub async fn proj_allowed_get(
 
     let json = get_inner(rqctx.context(), path_params.into_inner(), &auth_user)
         .await
-        .map_err(|e| endpoint.err(e))?;
+        .map_err(|e| {
+            if let ApiError::HttpError(e) = e {
+                e
+            } else {
+                endpoint.err(e).into()
+            }
+        })?;
 
     response_ok!(endpoint, json)
 }
@@ -64,7 +70,7 @@ async fn get_inner(
     let conn = &mut *context.conn().await;
 
     Ok(JsonAllowed {
-        allowed: QueryProject::is_allowed_resource_id(
+        allowed: QueryProject::is_allowed(
             conn,
             &context.rbac,
             &path_params.project,