From e939bf6fb89a52e2afc7f830a787f73e58af3807 Mon Sep 17 00:00:00 2001
From: yifeizhuang
Date: Wed, 6 Oct 2021 11:02:42 -0700
Subject: [PATCH] rbac: fix status code PERMISSION_DENIED (#8578)

RBAC should fail with PERMISSION_DENIED, fix https://github.com/grpc/grpc-java/issues/8576
---
 xds/src/main/java/io/grpc/xds/RbacFilter.java | 7 +++----
 xds/src/test/java/io/grpc/xds/RbacFilterTest.java | 3 ++-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/xds/src/main/java/io/grpc/xds/RbacFilter.java b/xds/src/main/java/io/grpc/xds/RbacFilter.java
index 387afac82c..0f5ac1025b 100644
--- a/xds/src/main/java/io/grpc/xds/RbacFilter.java
+++ b/xds/src/main/java/io/grpc/xds/RbacFilter.java
@@ -177,14 +177,13 @@ final class RbacFilter implements Filter, ServerInterceptorBuilder {
       final ServerCall call, final Metadata headers, ServerCallHandler next) {
     AuthDecision authResult = authEngine.evaluate(headers, call);
-    if (logger.isLoggable(Level.FINER)) {
-      logger.log(Level.FINER,
+    if (logger.isLoggable(Level.FINE)) {
+      logger.log(Level.FINE,
           "Authorization result for serverCall {0}: {1}, matching policy: {2}.",
           new Object[]{call, authResult.decision(), authResult.matchingPolicyName()});
     }
     if (GrpcAuthorizationEngine.Action.DENY.equals(authResult.decision())) {
-      Status status = Status.UNAUTHENTICATED.withDescription(
-          "Access Denied, matching policy: " + authResult.matchingPolicyName());
+      Status status = Status.PERMISSION_DENIED.withDescription("Access Denied");
       call.close(status, new Metadata());
       return new ServerCall.Listener(){};
     }
diff --git a/xds/src/test/java/io/grpc/xds/RbacFilterTest.java b/xds/src/test/java/io/grpc/xds/RbacFilterTest.java
index c97ca5c52d..da42ec1a2f 100644
--- a/xds/src/test/java/io/grpc/xds/RbacFilterTest.java
+++ b/xds/src/test/java/io/grpc/xds/RbacFilterTest.java
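Review bot: The new `Status status = Status.PERMISSION_DENIED.withDescription("Access Denied");` line deliberately drops the matching policy name from the client-visible status, but nothing in the code records that this is intentional, so a later edit could reinstate it; the policy name is server-side authorization configuration that belongs in the log, not in the response returned to the caller. Suggest a comment directly above that line: `// Keep the matching policy name out of the client-visible status; it is only written to the server log above.`. Separately, because the single log statement now fires at FINE for every evaluated call, a DENY is only observable when FINE is enabled for the whole filter; whether a dedicated log line inside the DENY branch (so rejections can be recorded without per-call volume) fits the project's logging conventions is a judgement call, but it is worth considering. The enclosing method's signature begins before the hunk and its body appears to continue past it.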
@@ -256,7 +256,8 @@ public class RbacFilterTest {
     verify(mockHandler, never()).startCall(eq(mockServerCall), any(Metadata.class));
     ArgumentCaptor captor = ArgumentCaptor.forClass(Status.class);
     verify(mockServerCall).close(captor.capture(), any(Metadata.class));
-    assertThat(captor.getValue().getCode()).isEqualTo(Status.UNAUTHENTICATED.getCode());
+    assertThat(captor.getValue().getCode()).isEqualTo(Status.PERMISSION_DENIED.getCode());
+    assertThat(captor.getValue().getDescription()).isEqualTo("Access Denied");
     verify(mockServerCall).getAttributes();
     verifyNoMoreInteractions(mockServerCall);