Merge pull request #826 from atlanhq/GOV-667

fix(transport): prevent duplicate AuthPolicy creation on retry after timeout

Author: ankitpatnaik-atlan

pyatlan/client/aio/client.py

@@ -168,7 +168,9 @@ def __init__(self, **kwargs):
 
         # Create async session with custom transport that supports retry and proxy
         self._async_session = httpx.AsyncClient(
-            transport=PyatlanAsyncTransport(retry=self.retry, **transport_kwargs),
+            transport=PyatlanAsyncTransport(
+                retry=self.retry, client=self, **transport_kwargs
+            ),
             headers={
                 "x-atlan-agent": "sdk",
                 "x-atlan-agent-id": "python",
@@ -980,7 +982,9 @@ async def max_retries(  # type: ignore[override,misc]
         if self.verify is not None:
             transport_kwargs["verify"] = self.verify
 
-        new_transport = PyatlanAsyncTransport(retry=max_retries, **transport_kwargs)
+        new_transport = PyatlanAsyncTransport(
+            retry=max_retries, client=self, **transport_kwargs
+        )
         session._transport = new_transport
 
         LOGGER.debug(

pyatlan/client/atlan.py

@@ -211,8 +211,11 @@ def __init__(self, **data):
         # Configure httpx client with custom transport that supports retry and proxy
         # Note: We pass proxy/SSL config to the transport, not the client,
         # so that retry logic properly respects these settings
+        # Pass self reference to transport for duplicate checking during retries
         self._session = httpx.Client(
-            transport=PyatlanSyncTransport(retry=self.retry, **transport_kwargs),
+            transport=PyatlanSyncTransport(
+                retry=self.retry, client=self, **transport_kwargs
+            ),
             headers={
                 "x-atlan-agent": "sdk",
                 "x-atlan-agent-id": "python",
@@ -2007,7 +2010,9 @@ def max_retries(  # type: ignore[misc]
         if self.verify is not None:
             transport_kwargs["verify"] = self.verify
 
-        new_transport = PyatlanSyncTransport(retry=max_retries, **transport_kwargs)
+        new_transport = PyatlanSyncTransport(
+            retry=max_retries, client=self, **transport_kwargs
+        )
         self._session._transport = new_transport
 
         LOGGER.debug(

pyatlan/client/common/transport.py

@@ -0,0 +1,185 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2025 Atlan Pte. Ltd.
+"""
+Shared transport utilities for sync and async Atlan HTTP transports.
+
+Provides duplicate AuthPolicy detection logic used by both
+PyatlanSyncTransport and PyatlanAsyncTransport.
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+from typing import Any, Optional
+
+import httpx
+
+from pyatlan.client.constants import BULK_UPDATE, INDEX_SEARCH
+from pyatlan.errors import ErrorCode
+from pyatlan.model.search import Bool, DSL, IndexSearchRequest, Term
+
+logger = logging.getLogger(__name__)
+
+
+def build_policy_search_request(
+    policy_name: str, persona_guid: str
+) -> IndexSearchRequest:
+    """Build an IndexSearchRequest to find an existing AuthPolicy by name and persona."""
+    query = Bool(
+        filter=[
+            Term(field="__typeName.keyword", value="AuthPolicy"),
+            Term(field="name.keyword", value=policy_name),
+            Term(field="__persona", value=persona_guid),
+        ]
+    )
+    return IndexSearchRequest(
+        dsl=DSL(query=query, size=1, from_=0),
+        attributes=["name", "qualifiedName"],
+    )
+
+
+def create_mock_response(
+    existing_policy: dict, temp_guid: str = "-1"
+) -> httpx.Response:
+    """Build a mock bulk-entity response containing an already-created policy."""
+    response_body = {
+        "mutatedEntities": {"CREATE": [existing_policy]},
+        "guidAssignments": {temp_guid: existing_policy.get("guid")},
+    }
+    return httpx.Response(
+        status_code=200,
+        json=response_body,
+        request=httpx.Request("POST", f"http://mock/{BULK_UPDATE.path}"),
+    )
+
+
+def parse_auth_policy_entity(request: httpx.Request) -> Optional[tuple[str, str, str]]:
+    """
+    Parse the request body and return (policy_name, persona_guid, temp_guid)
+    if the request is a bulk POST containing an AuthPolicy, else None.
+    """
+    if request.method != "POST" or BULK_UPDATE.path not in str(request.url):
+        return None
+    if not request.content:
+        return None
+
+    try:
+        body = json.loads(request.content.decode("utf-8"))
+    except (json.JSONDecodeError, UnicodeDecodeError):
+        logger.debug(
+            "parse_auth_policy_entity: failed to decode request body, skipping duplicate check"
+        )
+        return None
+
+    for entity in body.get("entities", []):
+        if entity.get("typeName") != "AuthPolicy":
+            continue
+        policy_name = entity.get("attributes", {}).get("name")
+        access_control = entity.get("attributes", {}).get("accessControl")
+        persona_guid = (
+            access_control.get("guid") if isinstance(access_control, dict) else None
+        )
+        if policy_name and persona_guid:
+            return policy_name, persona_guid, entity.get("guid", "-1")
+    return None
+
+
+def find_existing_policy(
+    client: Any, policy_name: str, persona_guid: str
+) -> Optional[dict]:
+    """
+    Search for an existing AuthPolicy by name and persona GUID (synchronous).
+
+    Raises:
+        ErrorCode.UNABLE_TO_SEARCH_EXISTING_POLICY: if the search call fails.
+    """
+    try:
+        search_request = build_policy_search_request(policy_name, persona_guid)
+        raw_json = client._call_api(INDEX_SEARCH, request_obj=search_request)
+        if raw_json and raw_json.get("entities"):
+            return raw_json["entities"][0]
+        return None
+    except Exception as e:
+        raise ErrorCode.UNABLE_TO_SEARCH_EXISTING_POLICY.exception_with_parameters(
+            policy_name, persona_guid, str(e)
+        ) from e
+
+
+async def find_existing_policy_async(
+    client: Any, policy_name: str, persona_guid: str
+) -> Optional[dict]:
+    """
+    Search for an existing AuthPolicy by name and persona GUID (asynchronous).
+
+    Raises:
+        ErrorCode.UNABLE_TO_SEARCH_EXISTING_POLICY: if the search call fails.
+    """
+    try:
+        search_request = build_policy_search_request(policy_name, persona_guid)
+        raw_json = await client._call_api(INDEX_SEARCH, request_obj=search_request)
+        if raw_json and raw_json.get("entities"):
+            return raw_json["entities"][0]
+        return None
+    except Exception as e:
+        raise ErrorCode.UNABLE_TO_SEARCH_EXISTING_POLICY.exception_with_parameters(
+            policy_name, persona_guid, str(e)
+        ) from e
+
+
+def check_for_duplicate_policy(
+    client: Any, request: httpx.Request
+) -> Optional[httpx.Response]:
+    """
+    Check whether a bulk POST is creating an AuthPolicy that already exists (synchronous).
+    Only called during retry attempts, never on the first request.
+
+    Returns a mock response with the existing policy if a duplicate is found,
+    or None to let the retry proceed normally.
+
+    Raises:
+        ErrorCode.UNABLE_TO_SEARCH_EXISTING_POLICY: if the duplicate search fails.
+    """
+    parsed = parse_auth_policy_entity(request)
+    if not parsed:
+        return None
+
+    policy_name, persona_guid, temp_guid = parsed
+    existing_policy = find_existing_policy(client, policy_name, persona_guid)
+    if existing_policy:
+        logger.info(
+            f"Found existing policy '{policy_name}' with guid "
+            f"{existing_policy.get('guid')} during retry check"
+        )
+        return create_mock_response(existing_policy, temp_guid)
+    return None
+
+
+async def check_for_duplicate_policy_async(
+    client: Any, request: httpx.Request
+) -> Optional[httpx.Response]:
+    """
+    Check whether a bulk POST is creating an AuthPolicy that already exists (asynchronous).
+    Only called during retry attempts, never on the first request.
+
+    Returns a mock response with the existing policy if a duplicate is found,
+    or None to let the retry proceed normally.
+
+    Raises:
+        ErrorCode.UNABLE_TO_SEARCH_EXISTING_POLICY: if the duplicate search fails.
+    """
+    parsed = parse_auth_policy_entity(request)
+    if not parsed:
+        return None
+
+    policy_name, persona_guid, temp_guid = parsed
+    existing_policy = await find_existing_policy_async(
+        client, policy_name, persona_guid
+    )
+    if existing_policy:
+        logger.info(
+            f"Found existing policy '{policy_name}' with guid "
+            f"{existing_policy.get('guid')} during retry check"
+        )
+        return create_mock_response(existing_policy, temp_guid)
+    return None

pyatlan/client/transport.py

@@ -1,4 +1,3 @@
-# type: ignore
 """
 Custom HTTP transport with retry support for Atlan Python SDK.
 
@@ -8,11 +7,19 @@
 
 import logging
 from functools import partial
-from typing import Any, Optional, Union
+from typing import TYPE_CHECKING, Any, Optional, Union, cast
 
 import httpx
 from httpx_retries import Retry
 
+from pyatlan.client.common.transport import (
+    check_for_duplicate_policy,
+    check_for_duplicate_policy_async,
+)
+
+if TYPE_CHECKING:
+    from pyatlan.client.atlan import AtlanClient
+
 logger = logging.getLogger(__name__)
 
 
@@ -43,9 +50,11 @@ class PyatlanSyncTransport(httpx.BaseTransport):
     def __init__(
         self,
         retry: Optional[Retry] = None,
+        client: Optional["AtlanClient"] = None,
         **kwargs: Any,
     ) -> None:
         self.retry = retry or Retry()
+        self._client = client  # Reference to AtlanClient for duplicate checking
         # Ensure trust_env is True by default to respect environment variables
         # unless explicitly overridden
         if "trust_env" not in kwargs:
@@ -97,6 +106,19 @@ def _retry_operation(
                 logger.debug(
                     "_retry_operation retrying response=%s retry=%s", response, retry
                 )
+
+                # ONLY during retry: check if this is a policy creation and if duplicate exists
+                if self._client:
+                    duplicate_response = check_for_duplicate_policy(
+                        self._client, request
+                    )
+                    if duplicate_response:
+                        logger.warning(
+                            "RETRY PREVENTED: Policy already exists (likely from previous "
+                            "request that timed out but succeeded). Returning existing policy."
+                        )
+                        return duplicate_response
+
                 retry = retry.increment()
                 retry.sleep(response)
 
@@ -109,9 +131,9 @@ def _retry_operation(
                 continue
 
             if retry.is_exhausted() or not retry.is_retryable_status_code(
-                response.status_code
+                cast(httpx.Response, response).status_code
             ):
-                return response
+                return cast(httpx.Response, response)
 
     def close(self) -> None:
         """Close the underlying transport."""
@@ -145,9 +167,11 @@ class PyatlanAsyncTransport(httpx.AsyncBaseTransport):
     def __init__(
         self,
         retry: Optional[Retry] = None,
+        client: Optional["AtlanClient"] = None,
         **kwargs: Any,
     ) -> None:
         self.retry = retry or Retry()
+        self._client = client  # Reference to AtlanClient for duplicate checking
         # Ensure trust_env is True by default to respect environment variables
         # unless explicitly overridden
         if "trust_env" not in kwargs:
@@ -201,6 +225,19 @@ async def _retry_operation_async(
                     response,
                     retry,
                 )
+
+                # ONLY during retry: check if this is a policy creation and if duplicate exists
+                if self._client:
+                    duplicate_response = await check_for_duplicate_policy_async(
+                        self._client, request
+                    )
+                    if duplicate_response:
+                        logger.warning(
+                            "RETRY PREVENTED: Policy already exists (likely from previous "
+                            "request that timed out but succeeded). Returning existing policy."
+                        )
+                        return duplicate_response
+
                 retry = retry.increment()
                 await retry.asleep(response)
 
@@ -213,9 +250,9 @@ async def _retry_operation_async(
                 continue
 
             if retry.is_exhausted() or not retry.is_retryable_status_code(
-                response.status_code
+                cast(httpx.Response, response).status_code
             ):
-                return response
+                return cast(httpx.Response, response)
 
     async def aclose(self) -> None:
         """Close the underlying transport."""

pyatlan/errors.py

@@ -1054,6 +1054,13 @@ class ErrorCode(Enum):
         "your intention to fail after a maximum number of retries was reached.",
         ApiError,
     )
+    UNABLE_TO_SEARCH_EXISTING_POLICY = (
+        500,
+        "ATLAN-PYTHON-500-007",
+        "Unable to search for an existing policy '{0}' for persona '{1}': {2}",
+        "Check your backend connectivity and ensure the Atlan search service is accessible.",
+        ApiError,
+    )
 
     def __init__(
         self,