From 8933acc11a2c4fd8a76ef973918c3bff6481c902 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
Date: Mon, 27 Nov 2023 13:12:02 +0000
Subject: [PATCH 1/2] crdb: fix watch error: %!s() I identified some error reports in CRDB based clusters that showed the following: { "level":"error", "protocol":"grpc", "grpc.component":"server", "grpc.service":"authzed.api.v1.WatchService", "grpc.method":"Watch", "grpc.method_type":"server_stream", "grpc.start_time":"2023-11-27T12:38:35Z", "grpc.code":"Internal", "grpc.error":"rpc error: code = Internal desc = watch error: %!s()", "grpc.time_ms":1030, "time":"2023-11-27T12:38:36Z", } I could only identify one spot where a nil error could be sent over the errors channel, which would in turn cause SpiceDB response to have gRPC error code "Internal". If the sql.Rows return an error that isnt cancellation, then it's possible that nil values will be sent over the error channel.
---
 internal/datastore/crdb/watch.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/datastore/crdb/watch.go b/internal/datastore/crdb/watch.go
index 7c4dea8f9c..e05f61f72a 100644
--- a/internal/datastore/crdb/watch.go
+++ b/internal/datastore/crdb/watch.go
@@ -205,7 +205,7 @@ func (cds *crdbDatastore) Watch(ctx context.Context, afterRevision datastore.Rev
 pending.Changes = append(pending.Changes, oneChange)
 }
- if changes.Err() != nil {
+ if err := changes.Err(); err != nil {
 if errors.Is(ctx.Err(), context.Canceled) {
 closeCtx, closeCancel := context.WithTimeout(context.Background(), 5*time.Second)
 defer closeCancel()
From 64071606f35b87f629c9cb7048bda5d73ddc9c70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Rold=C3=A1n=20Betancort?=
Date: Thu, 23 Nov 2023 12:42:38 +0000
Subject: [PATCH 2/2] use git SHA for vuln fix in grpc-health-probe GHSA-2c7c-3mj9-8fq
---
 Dockerfile | 2 +-
 Dockerfile.release | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
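Review bot: The `err` introduced by `if err := changes.Err(); err != nil {` is scoped to this `if` and shadows any `err` already declared in `Watch`, so the fix holds only while the send on the errors channel further down keeps using that name; that send is outside the hunk and cannot be checked here. A comment on the new line, e.g. `// capture the rows error; the outer err can be nil here and must not be sent`, would stop a later refactor from reintroducing the nil send. Going by the log in the commit message, the value is formatted into the gRPC status description after `watch error:`, so a raw driver error will presumably now be returned to API callers; confirm that text carries no connection or query detail, or log it server-side and return a generic description. No regression test for the non-cancellation path is part of the patch.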
diff --git a/Dockerfile b/Dockerfile
index 4e8cc429c2..c0ff317d5b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@ WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
 WORKDIR /go/src/app/grpc-health-probe
-RUN git checkout 680bc1a
+RUN git checkout 46b326771cb9e57af7a495973a180e388b1a516f
 RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w
 FROM cgr.dev/chainguard/static:latest
diff --git a/Dockerfile.release b/Dockerfile.release
index 18311eae03..6dd5e24c8a 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
@@ -6,7 +6,7 @@ WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git
 WORKDIR /go/src/app/grpc-health-probe
-RUN git checkout 680bc1a
+RUN git checkout 46b326771cb9e57af7a495973a180e388b1a516f
 RUN CGO_ENABLED=0 go install -a -tags netgo -ldflags=-w
 FROM $BASE
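Review bot: Nothing in the Dockerfile says which grpc-health-probe release or advisory the hash on the new `RUN git checkout 46b326771cb9e57af7a495973a180e388b1a516f` line stands for; the advisory id appears only in the commit subject. A comment above the line, e.g. `# grpc-health-probe: pinned by full commit SHA for the advisory fix named in the introducing commit; bump deliberately`, would make later bumps auditable. The same hash is repeated in the Dockerfile.release hunk, so the two files can drift apart; an `ARG GRPC_HEALTH_PROBE_REF=<commit sha>` inside each builder stage with `RUN git checkout "$GRPC_HEALTH_PROBE_REF"` would let the build supply one value to both.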