fix(authz): populate correct error for deleted service account

2026-04-08 21:20:26 +01:00 · 2026-04-08 21:44:56 +05:30
5 changed files with 25 additions and 10 deletions
--- a/pkg/modules/serviceaccount/implserviceaccount/module.go
+++ b/pkg/modules/serviceaccount/implserviceaccount/module.go
@@ -361,7 +361,7 @@ func (module *module) getOrGetSetIdentity(ctx context.Context, serviceAccountID
 		return identity, nil
 	}

-	storableServiceAccount, err := module.store.GetByID(ctx, serviceAccountID)
+	storableServiceAccount, err := module.store.GetActiveByID(ctx, serviceAccountID)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/modules/serviceaccount/implserviceaccount/store.go
+++ b/pkg/modules/serviceaccount/implserviceaccount/store.go
@@ -105,6 +105,24 @@ func (store *store) GetByID(ctx context.Context, id valuer.UUID) (*serviceaccoun
 	return storable, nil
 }

+func (store *store) GetActiveByID(ctx context.Context, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
+	storable := new(serviceaccounttypes.ServiceAccount)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(storable).
+		Where("id = ?", id).
+		Where("status = ?", serviceaccounttypes.ServiceAccountStatusActive).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccountNotFound, "service account with id: %s doesn't exist", id)
+	}
+
+	return storable, nil
+}
+
 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
 	storable := new(serviceaccounttypes.ServiceAccount)

--- a/pkg/types/serviceaccounttypes/service_acccount.go
+++ b/pkg/types/serviceaccounttypes/service_acccount.go
@@ -238,6 +238,7 @@ type Store interface {
 	Get(context.Context, valuer.UUID, valuer.UUID) (*ServiceAccount, error)
 	GetActiveByOrgIDAndName(context.Context, valuer.UUID, string) (*ServiceAccount, error)
 	GetByID(context.Context, valuer.UUID) (*ServiceAccount, error)
+	GetActiveByID(context.Context, valuer.UUID) (*ServiceAccount, error)
 	CountByOrgID(context.Context, valuer.UUID) (int64, error)
 	List(context.Context, valuer.UUID) ([]*ServiceAccount, error)
 	Update(context.Context, valuer.UUID, *ServiceAccount) error
--- a/tests/integration/src/serviceaccount/03_auth.py
+++ b/tests/integration/src/serviceaccount/03_auth.py
@@ -245,10 +245,9 @@ def test_service_account_key_deleted_account_rejected(
        timeout=5,
    )

-    assert response.status_code in (
-        HTTPStatus.UNAUTHORIZED,
-        HTTPStatus.FORBIDDEN,
-    ), f"Expected 401/403 for disabled service account, got {response.status_code}: {response.text}"
+    assert (
+        response.status_code == HTTPStatus.UNAUTHORIZED
+    ), f"Expected 401 for disabled service account, got {response.status_code}: {response.text}"


 def test_service_account_key_revoked_key_rejected(
--- a/tests/integration/src/serviceaccount/05_me.py
+++ b/tests/integration/src/serviceaccount/05_me.py
@@ -54,11 +54,8 @@ def test_get_me_requires_sa_identity(
    )

    # user JWT has no service account ID in claims, should fail
-    assert response.status_code in (
-        HTTPStatus.BAD_REQUEST,
-        HTTPStatus.FORBIDDEN,
-        HTTPStatus.NOT_FOUND,
-        HTTPStatus.UNAUTHORIZED,
+    assert (
+        response.status_code == HTTPStatus.NOT_FOUND
    ), f"Expected error for user JWT on service account /me, got {response.status_code}: {response.text}"