fix: Prevent attr update when external pdp is down

[KevLehman]

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/CORE-2021

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Bug Fixes

  • Improved error handling when the Policy Decision Point (PDP) service is unavailable. Room attribute update operations now properly fail with a clear error message instead of attempting operations against an unreachable service.

• Tests

  • Added test coverage for PDP unavailability scenarios to validate fail-closed behavior during room attribute operations.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4df883f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 64e9d923-0c16-4793-88cd-8777202d1838

📥 Commits

Reviewing files that changed from the base of the PR and between fc39e07 and 4df883f.

📒 Files selected for processing (4)

• apps/meteor/tests/end-to-end/api/abac.ts
• ee/packages/abac/src/errors.ts
• ee/packages/abac/src/index.ts
• ee/packages/abac/src/pdp/VirtruPDP.ts

---

Walkthrough

The changes implement fail-closed behavior for PDP (Policy Decision Point) unavailability when updating room ABAC attributes. A new error class and availability check method were added to the ABAC service, ensuring room attribute mutation operations verify PDP health before proceeding. The VirtruPDP implementation was updated to remove a redundant pre-check that conflicted with this behavior.

Changes

Cohort / File(s)	Summary
Error Definitions ee/packages/abac/src/errors.ts	Added AbacErrorCode.PdpUnavailable enum member and new PdpUnavailableError exception class extending AbacError for handling PDP unavailability scenarios.
ABAC Service ee/packages/abac/src/index.ts	Introduced ensurePdpAvailable() private method and integrated it into four room ABAC mutation methods (setRoomAbacAttributes, updateRoomAbacAttributeValues, addRoomAbacAttributeByKey, replaceRoomAbacAttributeByKey) to enforce PDP availability checks before operations proceed.
PDP Implementation ee/packages/abac/src/pdp/VirtruPDP.ts	Removed availability pre-check from onRoomAttributesChanged() method, eliminating early exit logic and allowing evaluation to proceed regardless of PDP health status.
Test Coverage apps/meteor/tests/end-to-end/api/abac.ts	Added test case validating fail-closed behavior when PDP becomes unavailable during room attribute updates, expecting 400 response with error-pdp-unavailable.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ABAC as ABAC Service
    participant PDP as PDP Health Check
    participant Response

    Client->>ABAC: POST /api/v1/abac/rooms/:roomId/attributes/:attrKey
    activate ABAC
    ABAC->>PDP: isAvailable()
    activate PDP
    PDP-->>ABAC: false (unavailable)
    deactivate PDP
    ABAC->>ABAC: throw PdpUnavailableError
    deactivate ABAC
    ABAC->>Response: 400 Bad Request
    activate Response
    Response-->>Client: { success: false, error: 'error-pdp-unavailable' }
    deactivate Response

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

type: bug

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.31%. Comparing base (fc39e07) to head (4df883f).
⚠️ Report is 1 commits behind head on feat/externalpdp.

Additional details and impacted files

@@                 Coverage Diff                  @@
##           feat/externalpdp   #39978      +/-   ##
====================================================
- Coverage             70.34%   70.31%   -0.03%     
====================================================
  Files                  3247     3247              
  Lines                115559   115568       +9     
  Branches              21064    20994      -70     
====================================================
- Hits                  81286    81261      -25     
- Misses                32207    32244      +37     
+ Partials               2066     2063       -3     

Flag	Coverage Δ
e2e	60.48% <ø> (-0.01%)	⬇️
e2e-api	48.13% <ø> (-0.02%)	⬇️
unit	70.72% <75.00%> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cubic-dev-ai]

No issues found across 4 files