Add reason message for HTTPForbidden

Currently there is no message for HTTPForbidden.
When a user operates from Horizon, access control
works properly, but the error dialog shows no
reason message.

For example:
Error: Unable to modify host "controller-1". None
(Reason/Action message is expected but it shows "None")

When a message in HTTPForbidden is extracted, cgts-client
needs to look into "description" as the message in
HTTPForbidden is:
{"error_message": "{"code": 403, "title": "Forbidden",
"description": "error message"}"}

Closes-bug: 2037320

Test Plan:
PASS: Fresh install successfully(SX/DC)
PASS: Login with reader role, modify configuration
      for inventory and show the error dialog with
      reason: "Not allowed/Role admin is needed"
PASS: Login with admin role, modify configuration
      for inventory and no error dialog related
      access control is shown

Change-Id: I4d0e2c2db5a12240145aef432c7d8ecf53a60204
Signed-off-by: Takamasa Takenaka <takamasa.takenaka@windriver.com>
Takamasa Takenaka
2023-09-22 17:56:26 -03:00
parent f75c8ffc64
commit 6fd1a4902c
2 changed files with 10 additions and 4 deletions


@@ -1,4 +1,4 @@
# Copyright 2013-2022 Wind River, Inc.
# Copyright 2013-2023 Wind River, Inc.
# Copyright 2012 Openstack Foundation
# All Rights Reserved.
#
@@ -403,7 +403,10 @@ class HTTPClient(httplib2.Http):
raise exceptions.HTTPUnauthorized(body)
elif status_code == 403:
error_json = self._extract_error_json(body_str)
raise exceptions.Forbidden(error_json.get('faultstring'))
reason = error_json.get('faultstring')
if reason is None:
reason = error_json.get('description')
raise exceptions.Forbidden(reason)
elif 400 <= status_code < 600:
_logger.warn("Request returned failure status: %s", status_code) # pylint: disable=deprecated-method
error_json = self._extract_error_json(body_str)
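Review bot: In the 403 branch, `reason` is still `None` when the error body carries neither `faultstring` nor `description`, so the dialog would show "None" again; the same would happen if `_extract_error_json` returns an empty dict for an unparseable body, which is not visible here. A final fallback closes that gap and also covers empty strings: `reason = error_json.get('faultstring') or error_json.get('description') or "Forbidden"`. Unlike the generic 4xx/5xx branch just below, this branch logs nothing, so a `_logger` warning with the status code would leave a client-side trace of access denials. The enclosing method starts and ends outside the hunk.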


@@ -16,7 +16,7 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# Copyright (c) 2013-2018 Wind River Systems, Inc.
# Copyright (c) 2013-2023 Wind River Systems, Inc.
#
import re
@@ -196,17 +196,20 @@ class AccessPolicyHook(hooks.PecanHook):
except Exception:
raise exc.HTTPForbidden()
else:
role = ""
method = state.request.method
if method == 'GET':
role = "reader"
has_api_access = policy.authorize(
base_policy.READER_IN_SYSTEM_PROJECTS, {},
context.to_dict(), do_raise=False)
else:
role = "admin"
has_api_access = policy.authorize(
base_policy.ADMIN_IN_SYSTEM_PROJECTS, {},
context.to_dict(), do_raise=False)
if not has_api_access:
raise exc.HTTPForbidden()
raise exc.HTTPForbidden("Not allowed/Role " + role + " is needed")
class NoExceptionTracebackHook(hooks.PecanHook):
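Review bot: The `except Exception:` branch at the top of this hunk still raises `exc.HTTPForbidden()` with no reason, so a denial on that path reaches the client without text while the role check below now explains itself. A fixed generic string such as `raise exc.HTTPForbidden("Not allowed")` keeps the two paths consistent without exposing the underlying exception. The `role = ""` initialiser is redundant because both branches assign `role` before it is read. Neither denial is logged in the visible lines, so recording the request method and path when access is refused would make repeated 403s easier to spot in the API log. The hook method starts outside the hunk.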