Parallels · SivaParvathi3112 · Apr 20, 2026 · May 4, 2026 · May 5, 2026
@@ -4,14 +4,15 @@ import (
 	"context"
 
 	"github.com/Parallels/prl-devops-service/models"
+	"github.com/Parallels/prl-devops-service/errors"
 	log "github.com/cjlapao/common-go-logger"
 )
 
 type ApiContext interface {
 	Context() context.Context
 	GetAuthorizationContext() *AuthorizationContext
 	GetRequestId() string
-	GetUser() *models.ApiUser
+	GetUser(diag *errors.Diagnostics) *models.ApiUser
 	Verbose() bool
 	EnableLog()
 	DisableLog()

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/Parallels/prl-devops-service/constants"
+	"github.com/Parallels/prl-devops-service/errors"
 	"github.com/Parallels/prl-devops-service/models"
 	log "github.com/cjlapao/common-go-logger"
 )
@@ -98,11 +99,15 @@ func (c *BaseContext) GetRequestId() string {
 	return id.(string)
 }
 
-func (c *BaseContext) GetUser() *models.ApiUser {
-	if c.authContext != nil {
+func (c *BaseContext) GetUser(diag *errors.Diagnostics) *models.ApiUser {
+	if c.authContext != nil && c.authContext.User != nil {
 		return c.authContext.User
 	}
 
+	if diag != nil {
+		diag.AddError("401", "User not found or session expired", "GetUser")
+	}
+
 	return nil
 }
 

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/Parallels/prl-devops-service/basecontext"
+	"github.com/Parallels/prl-devops-service/errors"
 	"github.com/Parallels/prl-devops-service/models"
 	log "github.com/cjlapao/common-go-logger"
 )
@@ -69,7 +70,7 @@ func (m *MockBaseContext) GetRequestId() string {
 	return m.MockRequestID
 }
 
-func (m *MockBaseContext) GetUser() *models.ApiUser {
+func (m *MockBaseContext) GetUser(diag *errors.Diagnostics) *models.ApiUser {
 	if m.callbackFunctions["GetUser"] != nil {
 		m.callbackFunctions["GetUser"]()
 	}

@@ -15,6 +15,7 @@ import (
 	"github.com/Parallels/prl-devops-service/config"
 	"github.com/Parallels/prl-devops-service/constants"
 	data_models "github.com/Parallels/prl-devops-service/data/models"
+	prlerrors "github.com/Parallels/prl-devops-service/errors"
 	"github.com/Parallels/prl-devops-service/helpers"
 	"github.com/Parallels/prl-devops-service/jobs"
 	"github.com/Parallels/prl-devops-service/mappers"
@@ -1883,6 +1884,7 @@ func PushCatalogManifestHandler() restapi.ControllerHandler {
 		defer r.Body.Close()
 		ctx := GetBaseContext(r)
 		defer Recover(ctx, r, w)
+		pushCatalogManifestDiag := prlerrors.NewDiagnostics("/v1/catalog/push")
 		var request catalog_models.PushCatalogManifestRequest
 		if err := http_helper.MapRequestBody(r, &request); err != nil {
 			ReturnApiError(ctx, w, models.ApiErrorResponse{
@@ -1911,9 +1913,9 @@ func PushCatalogManifestHandler() restapi.ControllerHandler {
 			return
 		}
 
-		userContext := ctx.GetUser()
-		if userContext == nil {
-			ReturnApiError(ctx, w, models.ApiErrorResponse{Code: http.StatusUnauthorized, Message: "User not found"})
+		userContext := ctx.GetUser(pushCatalogManifestDiag)
+		if pushCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(pushCatalogManifestDiag, http.StatusUnauthorized))
 			return
 		}
 
@@ -1923,9 +1925,9 @@ func PushCatalogManifestHandler() restapi.ControllerHandler {
 			return
 		}
 
-		job, err := jobManager.CreateNewJob(userContext.ID, "catalog", "push", "Initializing catalog push")
-		if err != nil {
-			ReturnApiError(ctx, w, models.NewFromErrorWithCode(err, http.StatusInternalServerError))
+		job := jobManager.CreateNewJob(userContext.ID, "catalog", "push", "Initializing catalog push", pushCatalogManifestDiag)
+		if pushCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(pushCatalogManifestDiag, http.StatusInternalServerError))
 			return
 		}
 
@@ -1994,10 +1996,10 @@ func AsyncPushCatalogManifestHandler() restapi.ControllerHandler {
 		defer r.Body.Close()
 		ctx := GetBaseContext(r)
 		defer Recover(ctx, r, w)
-
-		userContext := ctx.GetUser()
-		if userContext == nil {
-			ReturnApiError(ctx, w, models.ApiErrorResponse{Code: http.StatusUnauthorized, Message: "User not found"})
+		asyncPushCatalogManifestDiag := prlerrors.NewDiagnostics("/v1/catalog/push/async")
+		userContext := ctx.GetUser(asyncPushCatalogManifestDiag)
+		if asyncPushCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(asyncPushCatalogManifestDiag, http.StatusUnauthorized))
 			return
 		}
 
@@ -2035,9 +2037,9 @@ func AsyncPushCatalogManifestHandler() restapi.ControllerHandler {
 			return
 		}
 
-		job, err := jobManager.CreateNewJob(userContext.ID, "catalog", "push", "Initializing catalog push")
-		if err != nil {
-			ReturnApiError(ctx, w, models.NewFromErrorWithCode(err, http.StatusInternalServerError))
+		job := jobManager.CreateNewJob(userContext.ID, "catalog", "push", "Initializing catalog push", asyncPushCatalogManifestDiag)
+		if asyncPushCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(asyncPushCatalogManifestDiag, http.StatusInternalServerError))
 			return
 		}
 
@@ -2069,6 +2071,7 @@ func PullCatalogManifestHandler() restapi.ControllerHandler {
 		defer r.Body.Close()
 		ctx := GetBaseContext(r)
 		defer Recover(ctx, r, w)
+		pullCatalogManifestDiag := prlerrors.NewDiagnostics("/v1/catalog/pull")
 		var request catalog_models.PullCatalogManifestRequest
 		if err := http_helper.MapRequestBody(r, &request); err != nil {
 			ReturnApiError(ctx, w, models.ApiErrorResponse{
@@ -2136,9 +2139,9 @@ func PullCatalogManifestHandler() restapi.ControllerHandler {
 			}
 		}
 
-		userContext := ctx.GetUser()
-		if userContext == nil {
-			ReturnApiError(ctx, w, models.ApiErrorResponse{Code: http.StatusUnauthorized, Message: "User not found"})
+		userContext := ctx.GetUser(pullCatalogManifestDiag)
+		if pullCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(pullCatalogManifestDiag, http.StatusUnauthorized))
 			return
 		}
 
@@ -2148,9 +2151,9 @@ func PullCatalogManifestHandler() restapi.ControllerHandler {
 			return
 		}
 
-		job, err := jobManager.CreateNewJob(userContext.ID, "catalog", "pull", "Initializing repository pull")
-		if err != nil {
-			ReturnApiError(ctx, w, models.NewFromErrorWithCode(err, http.StatusInternalServerError))
+		job := jobManager.CreateNewJob(userContext.ID, "catalog", "pull", "Initializing repository pull", pullCatalogManifestDiag)
+		if pullCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(pullCatalogManifestDiag, http.StatusInternalServerError))
 			return
 		}
 
@@ -2207,10 +2210,10 @@ func AsyncPullCatalogManifestHandler() restapi.ControllerHandler {
 		defer r.Body.Close()
 		ctx := GetBaseContext(r)
 		defer Recover(ctx, r, w)
-
-		userContext := ctx.GetUser()
-		if userContext == nil {
-			ReturnApiError(ctx, w, models.ApiErrorResponse{Code: http.StatusUnauthorized, Message: "User not found"})
+		asyncPullCatalogManifestDiag := prlerrors.NewDiagnostics("/v1/catalog/pull/async")
+		userContext := ctx.GetUser(asyncPullCatalogManifestDiag)
+		if asyncPullCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(asyncPullCatalogManifestDiag, http.StatusUnauthorized))
 			return
 		}
 
@@ -2258,9 +2261,9 @@ func AsyncPullCatalogManifestHandler() restapi.ControllerHandler {
 			return
 		}
 
-		job, err := jobManager.CreateNewJob(userContext.ID, "catalog", "pull", "Initializing repository pull")
-		if err != nil {
-			ReturnApiError(ctx, w, models.NewFromErrorWithCode(err, http.StatusInternalServerError))
+		job := jobManager.CreateNewJob(userContext.ID, "catalog", "pull", "Initializing repository pull", asyncPullCatalogManifestDiag)
+		if asyncPullCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(asyncPullCatalogManifestDiag, http.StatusInternalServerError))
 			return
 		}
 

@@ -22,6 +22,7 @@ import (
 	"github.com/Parallels/prl-devops-service/config"
 	"github.com/Parallels/prl-devops-service/constants"
 	data_models "github.com/Parallels/prl-devops-service/data/models"
+	prlerrors "github.com/Parallels/prl-devops-service/errors"
 	"github.com/Parallels/prl-devops-service/helpers"
 	"github.com/Parallels/prl-devops-service/jobs"
 	"github.com/Parallels/prl-devops-service/mappers"
@@ -378,7 +379,7 @@ func GetCatalogManagersHandler() restapi.ControllerHandler {
 			return
 		}
 
-		user := ctx.GetUser()
+		user := ctx.GetUser(nil)
 		if user == nil {
 			ReturnApiError(ctx, w, models.NewFromErrorWithCode(errors.New("User not contextually found"), http.StatusUnauthorized))
 			return
@@ -475,7 +476,7 @@ func GetCatalogManagerByIdHandler() restapi.ControllerHandler {
 		vars := mux.Vars(r)
 		id := vars["id"]
 
-		user := ctx.GetUser()
+		user := ctx.GetUser(nil)
 		if user == nil {
 			ReturnApiError(ctx, w, models.NewFromErrorWithCode(errors.New("User not contextually found"), http.StatusUnauthorized))
 			return
@@ -556,7 +557,7 @@ func CreateCatalogManagerHandler() restapi.ControllerHandler {
 		}
 		defer r.Body.Close()
 
-		user := ctx.GetUser()
+		user := ctx.GetUser(nil)
 
 		newMgr := mappers.FromCatalogManagerRequest(&req)
 		newMgr.OwnerID = user.ID
@@ -642,7 +643,7 @@ func UpdateCatalogManagerHandler() restapi.ControllerHandler {
 			return
 		}
 
-		user := ctx.GetUser()
+		user := ctx.GetUser(nil)
 		authCtxUpdate := ctx.GetAuthorizationContext()
 		effectiveClaimsUpdate := authCtxUpdate.GetEffectiveClaims()
 		effectiveRolesUpdate := authCtxUpdate.GetEffectiveRoles()
@@ -721,7 +722,7 @@ func DeleteCatalogManagerHandler() restapi.ControllerHandler {
 			return
 		}
 
-		user := ctx.GetUser()
+		user := ctx.GetUser(nil)
 		authCtxDelete := ctx.GetAuthorizationContext()
 		effectiveClaimsDelete := authCtxDelete.GetEffectiveClaims()
 		effectiveRolesDelete := authCtxDelete.GetEffectiveRoles()
@@ -766,10 +767,10 @@ func AsyncPushCatalogManifestToCatalogManagerHandler() restapi.ControllerHandler
 		defer r.Body.Close()
 		ctx := GetBaseContext(r)
 		defer Recover(ctx, r, w)
-
-		userContext := ctx.GetUser()
-		if userContext == nil {
-			ReturnApiError(ctx, w, models.ApiErrorResponse{Code: http.StatusUnauthorized, Message: "User not found"})
+		asyncPushCatalogManifestDiag := prlerrors.NewDiagnostics("AsyncPushCatalogManifestToCatalogManagerHandler")
+		userContext := ctx.GetUser(asyncPushCatalogManifestDiag)
+		if asyncPushCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(asyncPushCatalogManifestDiag, http.StatusUnauthorized))
 			return
 		}
 
@@ -833,9 +834,9 @@ func AsyncPushCatalogManifestToCatalogManagerHandler() restapi.ControllerHandler
 			return
 		}
 
-		localJob, err := jobManager.CreateNewJob(userContext.ID, "catalog", "push", "Initializing catalog push to manager "+mgr.Name)
-		if err != nil {
-			ReturnApiError(ctx, w, models.NewFromErrorWithCode(err, http.StatusInternalServerError))
+		localJob := jobManager.CreateNewJob(userContext.ID, "catalog", "push", "Initializing catalog push to manager "+mgr.Name, asyncPushCatalogManifestDiag)
+		if asyncPushCatalogManifestDiag.HasErrors() {
+			ReturnApiErrorWithDiagnostics(ctx, w, models.NewDiagnosticsWithCode(asyncPushCatalogManifestDiag, http.StatusInternalServerError))
 			return
 		}
 
@@ -936,7 +937,7 @@ func getAuthorizedCatalogManagerForUse(ctx basecontext.ApiContext, managerID str
 		return nil, &apiErr
 	}
 
-	user := ctx.GetUser()
+	user := ctx.GetUser(nil)
 	if user == nil {
 		apiErr := models.NewFromErrorWithCode(errors.New("User not contextually found"), http.StatusUnauthorized)
 		return nil, &apiErr
@@ -1298,7 +1299,7 @@ func forwardCatalogManagerRequest(ctx basecontext.ApiContext, w http.ResponseWri
 	// Inject the current user's effective claims and roles so the downstream
 	// catalog service can filter results using the calling user's permissions
 	// rather than the stored catalog-manager credentials.
-	if fwdUser := ctx.GetUser(); fwdUser != nil {
+	if fwdUser := ctx.GetUser(nil); fwdUser != nil {
 		fwdAuthCtx := ctx.GetAuthorizationContext()
 		claims := fwdAuthCtx.GetEffectiveClaims()
 		roles := fwdAuthCtx.GetEffectiveRoles()

@@ -18,8 +18,8 @@ import (
 // orchestrator-to-host calls, there is no user account on the target, so
 // "system" is used as a fallback owner. Returns ("", false) when the request
 // is not authenticated at all.
-func getEffectiveCallerID(ctx *basecontext.BaseContext) (string, bool) {
-	if user := ctx.GetUser(); user != nil {
+func getEffectiveCallerID(ctx *basecontext.BaseContext, diag *errors.Diagnostics) (string, bool) {
+	if user := ctx.GetUser(nil); user != nil {
 		return user.ID, true
 	}
 	authCtx := ctx.GetAuthorizationContext()
@@ -35,6 +35,9 @@ func getEffectiveCallerID(ctx *basecontext.BaseContext) (string, bool) {
 		return currentUser, true
 	}
 
+	if diag != nil {
+		diag.AddError("401", "Caller identity not found", "getEffectiveCallerID")
+	}
 	return "", false
 }