Propagate correct HTTP status for security exceptions on SQL analytic… (opensearch-project#5473)

* Propagate correct HTTP status for security exceptions on SQL analytics path

The SQL plugin's unified query handler (/_plugins/_sql) returned HTTP 500
for all exceptions from the analytics engine path, including security
exceptions that should be 403 Forbidden. This caused authorization denials
to appear as internal server errors to users.

Fix: Check if the exception is an OpenSearchException and extract its
proper HTTP status (e.g., 403 for OpenSearchSecurityException) instead of
hardcoding 500. Both the explain and execute paths are fixed.

Also updates AnalyticsEngineSecurityIT SQL deny tests to assert 403
directly, removing the previous workaround that accepted either 403 or 500.

Signed-off-by: carrofin <carrofin@amazon.com>
Signed-off-by: Finn Carroll <carrofin@amazon.com>

* Spotless apply

Signed-off-by: Finn Carroll <carrofin@amazon.com>

* Re-use helper.

Signed-off-by: Finn Carroll <carrofin@amazon.com>

---------

Signed-off-by: carrofin <carrofin@amazon.com>
Signed-off-by: Finn Carroll <carrofin@amazon.com>

Author: finnegancarroll

integ-test/src/test/java/org/opensearch/sql/security/AnalyticsEngineSecurityIT.java

@@ -263,24 +263,14 @@ public void testSQLQueryAllowedForAuthorizedUser() throws IOException {
     }
   }
 
-  // TODO: The SQL endpoint (/_plugins/_sql) returns 500 instead of 403 for security exceptions.
-  // The legacy RestSqlAction error handling wraps OpenSearchSecurityException as a generic 500
-  // Internal Server Error rather than propagating the 403 Forbidden status. The authorization
-  // IS denied (query does not execute), but the HTTP status is incorrect. These tests accept
-  // either 403 or 500 until the SQL plugin's error propagation is fixed.
-
   @Test
   public void testSQLQueryDeniedForUnauthorizedUser() throws IOException {
     ResponseException e =
         assertThrows(
             ResponseException.class,
             () ->
                 executeSQLAsUser("SELECT name, age FROM " + TEST_INDEX + " LIMIT 3", DENIED_USER));
-    assertTrue(
-        "Expected 403 or 500 with security exception, got "
-            + e.getResponse().getStatusLine().getStatusCode(),
-        e.getResponse().getStatusLine().getStatusCode() == 403
-            || e.getResponse().getStatusLine().getStatusCode() == 500);
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
   }
 
   @Test
@@ -291,11 +281,7 @@ public void testSQLQueryDeniedForForbiddenIndex() throws IOException {
             () ->
                 executeSQLAsUser(
                     "SELECT name, age FROM " + FORBIDDEN_INDEX + " LIMIT 3", ALLOWED_USER));
-    assertTrue(
-        "Expected 403 or 500 with security exception, got "
-            + e.getResponse().getStatusLine().getStatusCode(),
-        e.getResponse().getStatusLine().getStatusCode() == 403
-            || e.getResponse().getStatusLine().getStatusCode() == 500);
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
   }
 
   @Test
@@ -306,11 +292,7 @@ public void testSQLQueryDeniedWithSearchPermissionOnly() throws IOException {
             () ->
                 executeSQLAsUser(
                     "SELECT name, age FROM " + TEST_INDEX + " LIMIT 3", SEARCH_ONLY_USER));
-    assertTrue(
-        "Expected 403 or 500 with security exception, got "
-            + e.getResponse().getStatusLine().getStatusCode(),
-        e.getResponse().getStatusLine().getStatusCode() == 403
-            || e.getResponse().getStatusLine().getStatusCode() == 500);
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
   }
 
   /** Executes a PPL query via the production SQL plugin endpoint (/_plugins/_ppl). */

legacy/src/main/java/org/opensearch/sql/legacy/plugin/RestSqlAction.java

@@ -210,7 +210,7 @@ private void handleException(RestChannel restChannel, Exception exception) {
     reportError(restChannel, exception, status);
   }
 
-  private static RestStatus getRestStatus(Exception ex) {
+  public static RestStatus getRestStatus(Exception ex) {
     int code = getRawErrorCode(ex);
     return RestStatus.fromCode(code);
   }

plugin/src/main/java/org/opensearch/sql/plugin/SQLPlugin.java

@@ -264,7 +264,7 @@ protected Object buildJsonObject(ExplainResponse resp) {
               @Override
               public void onFailure(Exception e) {
                 channel.sendResponse(
-                    new BytesRestResponse(RestStatus.INTERNAL_SERVER_ERROR, e.getMessage()));
+                    new BytesRestResponse(RestSqlAction.getRestStatus(e), e.getMessage()));
               }
             });
       } else {
@@ -283,7 +283,7 @@ public void onResponse(TransportPPLQueryResponse response) {
               @Override
               public void onFailure(Exception e) {
                 channel.sendResponse(
-                    new BytesRestResponse(RestStatus.INTERNAL_SERVER_ERROR, e.getMessage()));
+                    new BytesRestResponse(RestSqlAction.getRestStatus(e), e.getMessage()));
               }
             });
       }