From b1a30dd8bad7f36ac0d7b572a28d01a06d26d220 Mon Sep 17 00:00:00 2001
From: Anton Kosyakov
Date: Mon, 23 Oct 2023 09:27:30 +0200
Subject: [PATCH] [server] report internal errors to check permissions (#18964) intead of reporting them as permission denied
---
 components/server/src/authorization/spicedb-authorizer.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/components/server/src/authorization/spicedb-authorizer.ts b/components/server/src/authorization/spicedb-authorizer.ts
index 0a83c366d893dc..6c45d9efa7ac76 100644
--- a/components/server/src/authorization/spicedb-authorizer.ts
+++ b/components/server/src/authorization/spicedb-authorizer.ts
@@ -16,6 +16,7 @@ import { base64decode } from "@jmondi/oauth2-server";
 import { DecodedZedToken } from "@gitpod/spicedb-impl/lib/impl/v1/impl.pb";
 import { RequestContext } from "node-fetch";
 import { getRequestContext } from "../util/request-context";
+import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";

 async function tryThree(errMessage: string, code: (attempt: number) => Promise): Promise {
 let attempt = 0;
@@ -110,7 +111,10 @@ export class SpiceDBAuthorizer {
 log.error("[spicedb] Failed to perform authorization check.", err, {
 request: new TrustedValue(req),
 });
- return { permitted: !featureEnabled };
+ if (!featureEnabled) {
+ return { permitted: true };
+ }
+ throw new ApplicationError(ErrorCodes.INTERNAL_SERVER_ERROR, "Failed to perform authorization check.");
 } finally {
 observeSpicedbClientLatency("check", error, timer());
 }
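Review bot: The `if (!featureEnabled) { return { permitted: true }; }` branch in the second hunk still fails open on the error path: with the flag off, any failure of the SpiceDB check is answered with a grant, and nothing in the code says this is deliberate. It matches the old `permitted: !featureEnabled`, so it is presumably intended while the feature is being rolled out, but it should carry a comment such as `// Fail open only while the feature is disabled; once enabled, a failed check must surface as an error, never as a grant.` The new `throw` also changes what callers see, from a denied result to an exception, so it is worth confirming that no caller catches this error and continues as if the check had passed. The catch block begins above the hunk, and `featureEnabled` and the callers are not visible here.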