CBG-4345 don't panic if role documents can't be read #7816
Merged
+526
−240
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Refactor tests in prep for CBG-4345 which changes some return values. - create helper functions - replace assert.True(t, x == y) with assert.Equal(t, x, y) - Create error types to assert on
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR addresses panic issues when role documents cannot be read by converting functions that previously panicked into error-returning functions. The changes ensure graceful error handling throughout the authentication and channel access system, particularly when role documents are missing or corrupted.
Key changes:
- Modified authentication functions to return errors instead of panicking when role documents can't be read
- Updated all callers to handle the new error returns
- Added proper error logging and user-friendly error responses
Reviewed Changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| auth/principal.go | Updated interface definitions to return errors for channel access methods |
| auth/user.go | Modified user methods to return errors when role loading fails instead of panicking |
| auth/role.go | Updated role methods to return errors for channel access operations |
| auth/user_collection_access.go | Added error handling to collection-specific channel access methods |
| auth/role_collection_access.go | Updated collection role methods to return errors |
| auth/collection_access.go | Modified interface definitions for collection access to include error returns |
| db/crud.go | Updated MakeUserCtx to handle errors from user channel operations |
| db/changes.go | Added error handling throughout changes feed processing |
| db/design_doc.go | Updated view filtering to handle channel access errors |
| db/functions/function.go | Added error handling for channel authorization in functions |
| db/functions/js_function.go | Updated JavaScript function execution to handle user context errors |
| rest/handler.go | Modified audit logging to handle role retrieval errors gracefully |
| rest/bulk_api.go | Updated bulk operations to handle channel access errors properly |
| rest/admin_api.go | Added error handling to principal marshaling |
| rest/diagnostic_api.go | Updated diagnostic API to handle channel access errors |
| rest/user_api_test.go | Updated tests to handle new error returns |
| rest/role_api_test.go | Modified tests to check for errors in channel operations |
| db/util_testing.go | Added error handling to test utilities |
| db/database_test.go | Updated tests to handle new error signatures |
| auth/user_test.go | Modified tests to check for errors in user operations |
| auth/auth_test.go | Updated authentication tests to handle new error returns |
| auth/collection_access_test.go | Added error checking to collection access tests |
torcolvin
force-pushed
the
CBG-4345-thread-err
branch
from
a45805d to
0b831e5
Compare
adamcfraser
requested changes
Oct 28, 2025
Collaborator
adamcfraser
left a comment
adamcfraser
left a comment
There was a problem hiding this comment.
Looks fine. Generally I don't like including the text "Error" in warning or info logging, made a few suggestions to avoid that, and a few other error handling comments.
Co-authored-by: Adam Fraser <adam.fraser@couchbase.com>
Co-authored-by: Adam Fraser <adam.fraser@couchbase.com>
Co-authored-by: Adam Fraser <adam.fraser@couchbase.com>
Co-authored-by: Adam Fraser <adam.fraser@couchbase.com>
Co-authored-by: Adam Fraser <adam.fraser@couchbase.com>
Co-authored-by: Adam Fraser <adam.fraser@couchbase.com>
adamcfraser
approved these changes
Nov 12, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CBG-4345 don't panic if role documents can't be read
If a role can't be read, we want to end the connection because we don't know the right role information to use to use. In the case of BLIP, we should exit with a 503 to indicate to the app to retry. At the point we have a
auth.Userobject, we have authenticated and that's probably OK, but there could be an error reading the role document (SDK error, etc).I changed the handler code to exit with the auth error if we can't read the role document from the user. This is a behavioral change, but I think is the correct one to do, we don't know information about the user. An alternative would be to log an info or error. This is not that dissimilar to the behavior we have now (GetRole would panic, the HTTP handler would exit 500).
This code will need careful review to make sure that the functions and goroutines will terminate correctly.
Pre-review checklist
fmt.Print,log.Print, ...)base.UD(docID),base.MD(dbName))docs/apiIntegration Tests
GSI=true,xattrs=truehttps://jenkins.sgwdev.com/job/SyncGatewayIntegration/148/