From 07831049be701b8fe0be087e07efc6ef4602fcbb Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Mon, 5 Jun 2023 13:10:17 -0400
Subject: [PATCH] Fix up case where subscription is terminated due to ACLs changing or a snapshot restore occurring (#17566)
* Fix up case where subscription is terminated due to ACLs changing or a snapshot restore occurring
* Add changelog entry
* Switch to use errors.Is
---
 .changelog/17566.txt | 3 +++
 agent/proxycfg-glue/glue.go | 7 +++++++
 2 files changed, 10 insertions(+)
 create mode 100644 .changelog/17566.txt
diff --git a/.changelog/17566.txt b/.changelog/17566.txt
new file mode 100644
index 000000000..f15718bd7
--- /dev/null
+++ b/.changelog/17566.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail.
+```
diff --git a/agent/proxycfg-glue/glue.go b/agent/proxycfg-glue/glue.go
index 03afd5c15..320d2fc25 100644
--- a/agent/proxycfg-glue/glue.go
+++ b/agent/proxycfg-glue/glue.go
@@ -5,6 +5,7 @@ package proxycfgglue
 import (
 "context"
+ "errors"
 "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/go-memdb"
@@ -141,6 +142,12 @@ func newUpdateEvent(correlationID string, result any, err error) proxycfg.Update
 if acl.IsErrNotFound(err) {
 err = proxycfg.TerminalError(err)
 }
+ // these are also errors where we should mark them
+ // as terminal for the sake of proxycfg, since they require
+ // a resubscribe.
+ if errors.Is(err, stream.ErrSubForceClosed) || errors.Is(err, stream.ErrShuttingDown) {
+ err = proxycfg.TerminalError(err)
+ }
 return proxycfg.UpdateEvent{
 CorrelationID: correlationID,
 Result: result,
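Review bot: The comment added above the `errors.Is` check in newUpdateEvent (second glue.go hunk) says these errors "require a resubscribe" but not what produces them, which only the commit message explains. I would write it as `// A force-closed or shutting-down subscription (e.g. after an ACL change or snapshot restore) cannot recover in place; mark it terminal so proxycfg resubscribes.` The diffstat lists only the changelog and glue.go, so nothing pins this path, which presumably matters for re-authorizing a token whose ACLs changed. A table-driven test asserting that newUpdateEvent yields a terminal error for `stream.ErrSubForceClosed` and `stream.ErrShuttingDown`, both bare and wrapped, would guard against regressions. The function's signature and the end of its return statement lie outside the hunk.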