From eb0c06fa81dbd04dc6fc4b99319181fd65481f30 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty <asarfaty@vmware.com>
Date: Thu, 31 Aug 2017 12:27:46 +0300
Subject: [PATCH] Handle bad or expired XSRF token

The XSRF token might be expired after too long with no activity.
This should not happen because the nsxlib cluster uses keep alive
messages.
in case it does happen, the keep alive will detect this incident
and renew the session.

Change-Id: I6c9a7af01b5b18c2a7e46cc6bf8337b7205d161f
---
 vmware_nsxlib/v3/client.py     | 4 +++-
 vmware_nsxlib/v3/cluster.py    | 6 ++++++
 vmware_nsxlib/v3/exceptions.py | 4 ++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/vmware_nsxlib/v3/client.py b/vmware_nsxlib/v3/client.py
index 7dd0c87e..783721db 100644
--- a/vmware_nsxlib/v3/client.py
+++ b/vmware_nsxlib/v3/client.py
@@ -36,7 +36,9 @@ def http_error_to_exception(status_code, error_code):
              'default': exceptions.ResourceNotFound},
         requests.codes.PRECONDITION_FAILED: exceptions.StaleRevision,
         requests.codes.INTERNAL_SERVER_ERROR:
-            {'99': exceptions.ClientCertificateNotTrusted}}
+            {'99': exceptions.ClientCertificateNotTrusted},
+        requests.codes.FORBIDDEN:
+            {'98': exceptions.BadXSRFToken}}
 
     if status_code in errors:
         if isinstance(errors[status_code], dict):
diff --git a/vmware_nsxlib/v3/cluster.py b/vmware_nsxlib/v3/cluster.py
index f72633ee..0dc10f6a 100644
--- a/vmware_nsxlib/v3/cluster.py
+++ b/vmware_nsxlib/v3/cluster.py
@@ -468,6 +468,12 @@ class ClusteredAPI(object):
                         {'ep': endpoint})
             # regenerate connection pool based on new certificate
             endpoint.regenerate_pool()
+        except exceptions.BadXSRFToken:
+            LOG.warning("Failed to validate API cluster endpoint "
+                        "'%(ep)s' due to expired XSRF token",
+                        {'ep': endpoint})
+            # regenerate connection pool based on token
+            endpoint.regenerate_pool()
         except Exception as e:
             endpoint.set_state(EndpointState.DOWN)
             LOG.warning("Failed to validate API cluster endpoint "
diff --git a/vmware_nsxlib/v3/exceptions.py b/vmware_nsxlib/v3/exceptions.py
index 66095afb..10b97eee 100644
--- a/vmware_nsxlib/v3/exceptions.py
+++ b/vmware_nsxlib/v3/exceptions.py
@@ -101,6 +101,10 @@ class ClientCertificateNotTrusted(ManagerError):
     message = _("Certificate not trusted")
 
 
+class BadXSRFToken(ManagerError):
+    message = _("Bad or expired XSRF token")
+
+
 class ServiceClusterUnavailable(ManagerError):
     message = _("Service cluster: '%(cluster_id)s' is unavailable. Please, "
                 "check NSX setup and/or configuration")