Merge branch 'main' into allow-no-pollers

Author: Shivs11

chasm/test_component_test.go

@@ -20,14 +20,15 @@ type (
 	TestComponent    struct {
 		UnimplementedComponent
 
-		ComponentData          *protoMessageType
-		SubComponent1          Field[*TestSubComponent1]
-		SubComponent2          Field[*TestSubComponent2]
-		SubData1               Field[*protoMessageType]
-		SubComponents          Map[string, *TestSubComponent1]
-		PendingActivities      Map[int, *TestSubComponent1]
-		SubComponent11Pointer  Field[*TestSubComponent11]
-		SubComponent11Pointer2 Field[*TestSubComponent11]
+		ComponentData                *protoMessageType
+		SubComponent1                Field[*TestSubComponent1]
+		SubComponent2                Field[*TestSubComponent2]
+		SubData1                     Field[*protoMessageType]
+		SubComponents                Map[string, *TestSubComponent1]
+		PendingActivities            Map[int, *TestSubComponent1]
+		SubComponent11Pointer        Field[*TestSubComponent11]
+		SubComponent11Pointer2       Field[*TestSubComponent11]
+		SubComponentInterfacePointer Field[Component]
 
 		Visibility Field[*Visibility]
 	}

chasm/tree_test.go

@@ -452,20 +452,21 @@ func (s *nodeSuite) TestPointerAttributes() {
 		},
 	}
 
+	sc1 := &TestSubComponent1{
+		SubComponent1Data: &protoMessageType{
+			RunId: tv.WithWorkflowIDNumber(1).WorkflowID(),
+		},
+		SubComponent11: NewComponentField[*TestSubComponent11](nil, sc11),
+	}
+
 	s.Run("Sync and serialize component with pointer", func() {
 		var nilSerializedNodes map[string]*persistencespb.ChasmNode
 		rootNode, err := s.newTestTree(nilSerializedNodes)
 		s.NoError(err)
 
-		sc1 := &TestSubComponent1{
-			SubComponent1Data: &protoMessageType{
-				RunId: tv.WithWorkflowIDNumber(1).WorkflowID(),
-			},
-			SubComponent11: NewComponentField[*TestSubComponent11](nil, sc11),
-		}
-
 		rootComponent := &TestComponent{
-			SubComponent1: NewComponentField[*TestSubComponent1](nil, sc1),
+			SubComponent1:                NewComponentField[*TestSubComponent1](nil, sc1),
+			SubComponentInterfacePointer: NewComponentField[Component](nil, sc1),
 		}
 
 		rootNode.value = rootComponent
@@ -477,7 +478,7 @@ func (s *nodeSuite) TestPointerAttributes() {
 
 		mutations, err := rootNode.CloseTransaction()
 		s.NoError(err)
-		s.Len(mutations.UpdatedNodes, 4, "root, SubComponent1, SubComponent11, and SubComponent11Pointer must be updated")
+		s.Len(mutations.UpdatedNodes, 5, "root, SubComponent1, SubComponent11, SubComponent11Pointer, and SubComponentInterfacePointer must be updated")
 		s.Empty(mutations.DeletedNodes)
 
 		s.Equal([]string{"SubComponent1", "SubComponent11"}, rootNode.children["SubComponent11Pointer"].serializedNode.GetMetadata().GetPointerAttributes().GetNodePath())
@@ -502,6 +503,14 @@ func (s *nodeSuite) TestPointerAttributes() {
 		s.NoError(err)
 		s.NotNil(sc11Des)
 		s.Equal(sc11.SubComponent11Data.GetRunId(), sc11Des.SubComponent11Data.GetRunId())
+
+		ifacePtr, err := rootComponent.SubComponentInterfacePointer.Get(chasmContext)
+		s.NoError(err)
+		s.NotNil(ifacePtr)
+
+		sc1ptr, ok := ifacePtr.(*TestSubComponent1)
+		s.True(ok)
+		s.ProtoEqual(sc1ptr.SubComponent1Data, sc1.SubComponent1Data)
 	})
 
 	s.Run("Clear pointer by setting it to the empty field", func() {

common/authorization/interceptor.go

@@ -101,14 +101,15 @@ func NewInterceptor(
 	exposeAuthorizerErrors dynamicconfig.BoolPropertyFn,
 ) *Interceptor {
 	return &Interceptor{
-		claimMapper:         claimMapper,
-		authorizer:          authorizer,
-		logger:              logger,
-		namespaceChecker:    namespaceChecker,
-		metricsHandler:      metricsHandler,
-		authHeaderName:      cmp.Or(authHeaderName, defaultAuthHeaderName),
-		authExtraHeaderName: cmp.Or(authExtraHeaderName, defaultAuthExtraHeaderName),
-		audienceGetter:      audienceGetter,
+		claimMapper:            claimMapper,
+		authorizer:             authorizer,
+		logger:                 logger,
+		namespaceChecker:       namespaceChecker,
+		metricsHandler:         metricsHandler,
+		authHeaderName:         cmp.Or(authHeaderName, defaultAuthHeaderName),
+		authExtraHeaderName:    cmp.Or(authExtraHeaderName, defaultAuthExtraHeaderName),
+		audienceGetter:         audienceGetter,
+		exposeAuthorizerErrors: exposeAuthorizerErrors,
 	}
 }
 
@@ -225,7 +226,7 @@ func (a *Interceptor) Authorize(ctx context.Context, claims *Claims, ct *CallTar
 	if err != nil {
 		metrics.ServiceErrAuthorizeFailedCounter.With(mh).Record(1)
 		a.logger.Error("Authorization error", tag.Error(err))
-		if a.exposeAuthorizerErrors != nil && a.exposeAuthorizerErrors() {
+		if a.exposeAuthorizerErrors() {
 			return err
 		}
 		return errUnauthorized // return a generic error to the caller without disclosing details

common/authorization/interceptor_test.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
+	"go.temporal.io/api/serviceerror"
 	"go.temporal.io/api/workflowservice/v1"
 	"go.temporal.io/server/common/dynamicconfig"
 	"go.temporal.io/server/common/log"
@@ -138,6 +139,29 @@ func (s *authorizerInterceptorSuite) TestAuthorizationFailed() {
 	s.Error(err)
 }
 
+func (s *authorizerInterceptorSuite) TestAuthorizationFailedExposed() {
+	interceptor := NewInterceptor(
+		s.mockClaimMapper,
+		s.mockAuthorizer,
+		s.mockMetricsHandler,
+		log.NewNoopLogger(),
+		mockNamespaceChecker(testNamespace),
+		nil,
+		"",
+		"",
+		dynamicconfig.GetBoolPropertyFn(true),
+	)
+
+	authErr := serviceerror.NewInternal("intentional test failure")
+	s.mockAuthorizer.EXPECT().Authorize(ctx, nil, describeNamespaceTarget).
+		Return(Result{Decision: DecisionDeny}, authErr)
+	s.mockMetricsHandler.EXPECT().Counter(metrics.ServiceErrAuthorizeFailedCounter.Name()).Return(metrics.NoopCounterMetricFunc)
+
+	res, err := interceptor.Intercept(ctx, describeNamespaceRequest, describeNamespaceInfo, s.handler)
+	s.Nil(res)
+	s.ErrorIs(err, authErr)
+}
+
 func (s *authorizerInterceptorSuite) TestNoopClaimMapperWithoutTLS() {
 	admin := &Claims{System: RoleAdmin}
 	s.mockAuthorizer.EXPECT().Authorize(gomock.Any(), admin, describeNamespaceTarget).