Distinguish rootwrap Authorization vs Not found errors

Rootwrap will return "not authorized" for a command
that is defined in the rootwrap filters but not
installed on the system.  Therefore return the first
matching filter for such a command so that sudo will
try to execute it and return a more appropriate error.

Change-Id: I77eeff229e73d55083a735af7a9029469132c800

nova/rootwrap/wrapper.py

@@ -47,13 +47,17 @@ def match_filter(filters, userargs):
     returns the first matching filter, or None is none matched.
     """
 
+    found_filter = None
+
     for f in filters:
         if f.match(userargs):
-            # Skip if executable is absent
+            # Try other filters if executable is absent
             if not os.access(f.exec_path, os.X_OK):
+                if not found_filter:
+                    found_filter = f
                 continue
             # Otherwise return matching filter for execution
             return f
 
-    # No filter matched
+    # No filter matched or first missing executable
-    return None
+    return found_filter

nova/tests/test_nova_rootwrap.py

@@ -47,8 +47,11 @@ class RootwrapTestCase(test.TestCase):
         self.assertTrue(filtermatch is None)
 
     def test_missing_command(self):
-        usercmd = ["foo_bar_not_exist"]
+        valid_but_missing = ["foo_bar_not_exist"]
-        filtermatch = wrapper.match_filter(self.filters, usercmd)
+        invalid = ["foo_bar_not_exist_and_not_matched"]
+        filtermatch = wrapper.match_filter(self.filters, valid_but_missing)
+        self.assertTrue(filtermatch is not None)
+        filtermatch = wrapper.match_filter(self.filters, invalid)
         self.assertTrue(filtermatch is None)
 
     def test_DnsmasqFilter(self):