Update googleapis with latest CheckError codes (#722)

repositories.bzl

@@ -511,8 +511,6 @@ cc_proto_library(
         "google/api/log.proto",
         "google/api/logging.proto",
         "google/api/metric.proto",
-        "google/api/experimental/experimental.proto",
-        "google/api/experimental/authorization_config.proto",
         "google/api/monitored_resource.proto",
         "google/api/monitoring.proto",
         "google/api/resource.proto",
@@ -551,9 +549,9 @@ cc_proto_library(
         name = "googleapis_git",
         build_file_content = BUILD,
         patch_cmds = ["find . -type f -name '*BUILD*' | xargs rm"],
-        strip_prefix = "googleapis-32a10f69e2c9ce15bba13ab1ff928bacebb25160",  # May 20, 2019
-        url = "https://github.com/googleapis/googleapis/archive/32a10f69e2c9ce15bba13ab1ff928bacebb25160.tar.gz",
-        sha256 = "6861efa8619579e06e70dd4765cdf6cef1ecad6a1a2026ad750541e99552bf71",
+        strip_prefix = "googleapis-ae7a4cc69cc1e206b16f1b9db803907d7a3d97c8",  # Oct 22, 2019
+        url = "https://github.com/googleapis/googleapis/archive/ae7a4cc69cc1e206b16f1b9db803907d7a3d97c8.tar.gz",
+        sha256 = "f96e11515c302045e8ab6708ba68d7cea8a02e2a96add92033315ff894076980",
     )
 
     if bind:

src/api_manager/service_control/check_response_test.cc

@@ -123,19 +123,49 @@ TEST(CheckResponseTest,
   EXPECT_EQ(Code::PERMISSION_DENIED, result.code());
 }
 
+TEST(CheckResponseTest, WhenResponseIsBlockedWithSecurityPolicyViolated) {
+  Status result =
+      ConvertCheckErrorToStatus(CheckError::SECURITY_POLICY_VIOLATED);
+  EXPECT_EQ(Code::PERMISSION_DENIED, result.code());
+}
+
+TEST(CheckResponseTest, WhenResponseIsBlockedWithInvalidCredentail) {
+  Status result = ConvertCheckErrorToStatus(CheckError::INVALID_CREDENTIAL);
+  EXPECT_EQ(Code::PERMISSION_DENIED, result.code());
+}
+
+TEST(CheckResponseTest, WhenResponseIsBlockedWithLocationPolicyViolated) {
+  Status result =
+      ConvertCheckErrorToStatus(CheckError::LOCATION_POLICY_VIOLATED);
+  EXPECT_EQ(Code::PERMISSION_DENIED, result.code());
+}
+
+TEST(CheckResponseTest, WhenResponseIsBlockedWithConsumerInvalid) {
+  Status result = ConvertCheckErrorToStatus(CheckError::CONSUMER_INVALID);
+  EXPECT_EQ(Code::PERMISSION_DENIED, result.code());
+}
+
 TEST(CheckResponseTest, FailOpenWhenResponseIsUnknownNamespaceLookup) {
   EXPECT_TRUE(
       ConvertCheckErrorToStatus(CheckError::NAMESPACE_LOOKUP_UNAVAILABLE).ok());
 }
 
-TEST(CheckResponseTest, FailOpenWhenResponseIsUnknownBillingStatus) {
+TEST(CheckResponseTest, UnavailableCheckErrorStatus) {
   EXPECT_TRUE(
       ConvertCheckErrorToStatus(CheckError::BILLING_STATUS_UNAVAILABLE).ok());
-}
-
-TEST(CheckResponseTest, FailOpenWhenResponseIsUnknownServiceStatus) {
   EXPECT_TRUE(
       ConvertCheckErrorToStatus(CheckError::SERVICE_STATUS_UNAVAILABLE).ok());
+  EXPECT_TRUE(
+      ConvertCheckErrorToStatus(CheckError::QUOTA_CHECK_UNAVAILABLE).ok());
+  EXPECT_TRUE(ConvertCheckErrorToStatus(
+                  CheckError::CLOUD_RESOURCE_MANAGER_BACKEND_UNAVAILABLE)
+                  .ok());
+  EXPECT_TRUE(
+      ConvertCheckErrorToStatus(CheckError::SECURITY_POLICY_BACKEND_UNAVAILABLE)
+          .ok());
+  EXPECT_TRUE(
+      ConvertCheckErrorToStatus(CheckError::LOCATION_POLICY_BACKEND_UNAVAILABLE)
+          .ok());
 }
 
 }  // namespace service_control

src/api_manager/service_control/proto.cc

@@ -1470,9 +1470,31 @@ Status Proto::ConvertCheckResponse(const CheckResponse& check_response,
                     std::string("API ") + service_name +
                         " has billing disabled. Please enable it.",
                     Status::SERVICE_CONTROL);
+    case CheckError::SECURITY_POLICY_VIOLATED:
+      return Status(Code::PERMISSION_DENIED,
+                    "Request is not allowed as per security policies.",
+                    Status::SERVICE_CONTROL);
+    case CheckError::INVALID_CREDENTIAL:
+      return Status(Code::PERMISSION_DENIED,
+                    "The credential in the request can not be verified",
+                    Status::SERVICE_CONTROL);
+    case CheckError::LOCATION_POLICY_VIOLATED:
+      return Status(Code::PERMISSION_DENIED,
+                    "Request is not allowed as per location policies.",
+                    Status::SERVICE_CONTROL);
+    case CheckError::CONSUMER_INVALID:
+      return Status(Code::PERMISSION_DENIED,
+                    "The consumer from the API key does not represent"
+                    " a valid consumer folder or organization",
+                    Status::SERVICE_CONTROL);
+
     case CheckError::NAMESPACE_LOOKUP_UNAVAILABLE:
     case CheckError::SERVICE_STATUS_UNAVAILABLE:
     case CheckError::BILLING_STATUS_UNAVAILABLE:
+    case CheckError::QUOTA_CHECK_UNAVAILABLE:
+    case CheckError::CLOUD_RESOURCE_MANAGER_BACKEND_UNAVAILABLE:
+    case CheckError::SECURITY_POLICY_BACKEND_UNAVAILABLE:
+    case CheckError::LOCATION_POLICY_BACKEND_UNAVAILABLE:
       // Fail open for internal server errors per recommendation
       return Status::OK;
     default: