401 instead of 403 on wrong backup auth credential type

Author: ravi-signal

service/src/main/java/org/whispersystems/textsecuregcm/backup/BackupManager.java

@@ -649,7 +649,7 @@ static void checkBackupLevel(final AuthenticatedBackupUser backupUser, final Bac
    *
    * @param backupUser     The backup user to check
    * @param credentialType The credential type to require
-   * @throws {@link Status#PERMISSION_DENIED} error if the backup user is not authenticated with the given
+   * @throws {@link Status#UNAUTHENTICATED} error if the backup user is not authenticated with the given
    * {@code credentialType}
    */
   @VisibleForTesting
@@ -659,8 +659,8 @@ static void checkBackupCredentialType(final AuthenticatedBackupUser backupUser,
               FAILURE_REASON_TAG_NAME, "credential_type")
           .increment();
 
-      throw Status.PERMISSION_DENIED
-          .withDescription("credential does not support the requested operation")
+      throw Status.UNAUTHENTICATED
+          .withDescription("wrong credential type for the requested operation")
           .asRuntimeException();
     }
   }

service/src/test/java/org/whispersystems/textsecuregcm/backup/BackupManagerTest.java

@@ -176,7 +176,7 @@ void checkBackupCredentialType(final BackupCredentialType authenticateCredential
           .isThrownBy(checkCredentialType)
           .extracting(StatusRuntimeException::getStatus)
           .extracting(Status::getCode)
-          .isEqualTo(Status.Code.PERMISSION_DENIED);
+          .isEqualTo(Status.Code.UNAUTHENTICATED);
     } else {
       assertThatNoException().isThrownBy(checkCredentialType);
     }
@@ -215,7 +215,7 @@ public void createBackupWrongCredentialType(final BackupLevel backupLevel) {
 
     assertThatExceptionOfType(StatusRuntimeException.class)
         .isThrownBy(() -> backupManager.createMessageBackupUploadDescriptor(backupUser).join())
-        .matches(exception -> exception.getStatus().getCode() == Status.PERMISSION_DENIED.getCode());
+        .matches(exception -> exception.getStatus().getCode() == Status.UNAUTHENTICATED.getCode());
   }
 
   @Test
@@ -245,7 +245,7 @@ public void createTemporaryMediaAttachmentWrongCredentialType() {
         .isThrownBy(() -> backupManager.createTemporaryAttachmentUploadDescriptor(backupUser))
         .extracting(StatusRuntimeException::getStatus)
         .extracting(Status::getCode)
-        .isEqualTo(Status.Code.PERMISSION_DENIED);
+        .isEqualTo(Status.Code.UNAUTHENTICATED);
   }
 
   @ParameterizedTest
@@ -502,7 +502,7 @@ public void copyWrongCredentialType() {
         .isThrownBy(() -> copy(backupUser))
         .extracting(StatusRuntimeException::getStatus)
         .extracting(Status::getCode)
-        .isEqualTo(Status.Code.PERMISSION_DENIED);
+        .isEqualTo(Status.Code.UNAUTHENTICATED);
   }
 
   @Test
@@ -675,7 +675,7 @@ public void deleteWrongCredentialType() {
     assertThatThrownBy(() ->
         backupManager.deleteMedia(backupUser, List.of(new BackupManager.StorageDescriptor(5, mediaId))).then().block())
         .isInstanceOf(StatusRuntimeException.class)
-        .matches(e -> ((StatusRuntimeException) e).getStatus().getCode() == Status.PERMISSION_DENIED.getCode());
+        .matches(e -> ((StatusRuntimeException) e).getStatus().getCode() == Status.UNAUTHENTICATED.getCode());
   }
 
   @Test