confidential-containers / guest-components

Confidential Containers Guest Tools and Components
Apache License 2.0

api-server-rest should not produce HTTP 500 on failed policy validation #587

Open mkulke opened 2 weeks ago

mkulke commented 2 weeks ago

At the moment, if a user requests a secret via ASR and in a CoCoAS the request does not pass the Rego policy, the result for the user will be HTTP status "500 internal error". This error code is probably not correct, since it indicates that the fault is not a fixable issue, but a technical problem in the guts of KBS or AS. However, the service works as intended; the policy needs to be adjusted to allow the release of the secret to this particular TEE.

An appropriate response code would be 401 unauthorized, IMO. I think KBS will already answer with this error code, but we would need to wire it through all layers of intermediate RPCs.

ASR response:

```
curl -v http://127.0.0.1:8006/cdh/resource/default/key/doesntexist
*   Trying 127.0.0.1:8006...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 8006 (#0)
> GET /cdh/resource/default/key/doesntexist HTTP/1.1
> Host: 127.0.0.1:8006
> User-Agent: curl/7.74.0
> Accept: */*
>
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< content-length: 216
< date: Fri, 14 Jun 2024 09:30:14 GMT
<
{ [216 bytes data]
100   216  100   216    0     0     45      0  0:00:04  0:00:04 --:--:--    45
* Connection #0 to host 127.0.0.1 left intact
rpc status: Status { code: INTERNAL, message: "[CDH] [ERROR]: Get Resource failed", details: [], special_fields: SpecialFields { unknown_fields: UnknownFields { fields: None }, cached_size: CachedSize { size: 0 } } }
```

KBS log:

```
[2024-06-14T08:24:41Z INFO  actix_web::middleware::logger] 10.244.1.1 "POST /kbs/v0/attest HTTP/1.1" 401 215 "-" "attestation-agent-kbs-client/0.1.0" 0.005681
```
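The issue above is that the KBS's 401 is collapsed into a generic INTERNAL RPC status on its way through the CDH, so the REST front end has nothing better than 500 to send. The following is an added example (not code from guest-components, and not how the project implements its layers) that sketches the wiring the report asks for: the KBS client layer keeps the upstream HTTP status in its error type, the intermediate RPC layer classifies that into a distinct status code, and the REST layer maps the code back to an HTTP status. All type and function names (`KbsError`, `RpcCode`, `kbs_error_to_rpc`, `rest_response`, `simulated_kbs`) are hypothetical, and the KBS is a constructed stand-in that denies release when the policy flag is false.

```rust
// Added example, not guest-components code: carry the upstream KBS HTTP
// status through an intermediate RPC layer (the CDH in the issue) so the
// REST front end (api-server-rest) answers 401 for a policy denial and
// keeps 500 for genuinely internal faults. All names are hypothetical.

/// What the KBS client layer observes when a resource request fails.
#[derive(Debug, Clone, PartialEq)]
pub enum KbsError {
    /// KBS answered with an HTTP error status; 401 is what the issue's
    /// KBS log shows for a rejected /kbs/v0/attest request.
    Http { status: u16, body: String },
    /// No KBS answer at all (connection refused, timeout, TLS failure).
    Transport(String),
}

/// RPC status codes, numbered as in gRPC so the mapping is recognisable.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum RpcCode {
    Ok = 0,
    NotFound = 5,
    PermissionDenied = 7,
    Internal = 13,
    Unauthenticated = 16,
}

/// Status an intermediate RPC service returns to its caller.
#[derive(Debug, Clone, PartialEq)]
pub struct RpcStatus {
    pub code: RpcCode,
    pub message: String,
}

/// Intermediate layer: classify the KBS failure instead of flattening it
/// into one INTERNAL status with a generic "Get Resource failed" string.
pub fn kbs_error_to_rpc(err: &KbsError) -> RpcStatus {
    let (code, detail) = match err {
        // Attestation or policy rejected: fixable by adjusting the policy,
        // so it must not be reported as an internal fault.
        KbsError::Http { status: 401, body } => (RpcCode::Unauthenticated, body.clone()),
        KbsError::Http { status: 403, body } => (RpcCode::PermissionDenied, body.clone()),
        KbsError::Http { status: 404, body } => (RpcCode::NotFound, body.clone()),
        // Any other KBS status (5xx etc.) stays internal, but the original
        // status survives in the message for debugging.
        KbsError::Http { status, body } => (RpcCode::Internal, format!("KBS returned {status}: {body}")),
        KbsError::Transport(msg) => (RpcCode::Internal, format!("transport failure: {msg}")),
    };
    RpcStatus { code, message: format!("[CDH] Get Resource failed: {detail}") }
}

/// REST layer: translate the RPC code back into an HTTP status for the user.
pub fn rpc_code_to_http(code: RpcCode) -> u16 {
    match code {
        RpcCode::Ok => 200,
        RpcCode::NotFound => 404,
        RpcCode::PermissionDenied => 403,
        RpcCode::Unauthenticated => 401,
        RpcCode::Internal => 500,
    }
}

/// End to end: given the outcome of the KBS fetch, produce the (status, body)
/// pair the REST front end should send. Secret bytes pass through on
/// success; failures carry only the classified message.
pub fn rest_response(kbs_result: Result<Vec<u8>, KbsError>) -> (u16, Vec<u8>) {
    match kbs_result {
        Ok(secret) => (200, secret),
        Err(err) => {
            let status = kbs_error_to_rpc(&err);
            (rpc_code_to_http(status.code), status.message.into_bytes())
        }
    }
}

/// Constructed stand-in for a KBS: the resource may exist, but the policy
/// only releases it to a TEE when `policy_allows_tee` is true.
pub fn simulated_kbs(policy_allows_tee: bool, resource_exists: bool) -> Result<Vec<u8>, KbsError> {
    if !policy_allows_tee {
        return Err(KbsError::Http { status: 401, body: "attestation policy denied".into() });
    }
    if !resource_exists {
        return Err(KbsError::Http { status: 404, body: "resource not found".into() });
    }
    Ok(b"s3cr3t".to_vec())
}

fn main() {
    // Policy denial: the user now sees 401 instead of 500.
    let (status, body) = rest_response(simulated_kbs(false, true));
    println!("{status} {}", String::from_utf8_lossy(&body));
    // Transport failure: still a real 500.
    let (status, body) = rest_response(Err(KbsError::Transport("connection refused".into())));
    println!("{status} {}", String::from_utf8_lossy(&body));
}
```

The point of the sketch is the middle layer: once the CDH returns a distinct code such as UNAUTHENTICATED rather than INTERNAL, the REST layer can map statuses mechanically, and a 500 again means what it should, namely a fault inside the service rather than a policy that needs adjusting.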