[Issue #8997] SOAP/Proxy: handle HTTPError Privilege issue without logging exception #9012
| except HTTPError: | ||
| msg = "soap_client_certificate: User did not have permission to access this application" | ||
| logger.info( | ||
| msg=msg, | ||
| extra={ | ||
| "soap_api_event": LegacySoapApiEvent.ERROR_CALLING_SIMPLER, | ||
| }, | ||
| ) | ||
| return soap_proxy_response.to_flask_response() |
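Review bot: `except HTTPError:` drops the exception object, so this handler cannot tell a permission denial from any other HTTPError raised inside the try block, and every one of them is logged at info level with the permission message. Bind it (`except HTTPError as e:`) and confirm it is the permission case before using this message, or raise a dedicated exception from the permission check. The `extra` dict here carries only `soap_api_event`; including what the exception reported would let someone reading the logs distinguish real denials from failures this handler masks.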
Is this overly broad? Is it possible to hit this HTTPError from something other than a permissions issue?
I think the thinking is we only ever explicitly raise an HTTPError in one place in the SOAP/Proxy. I think in the space between this check and the actual response we won't see any other HTTPError. That being said I think you're right and we could easily raise a custom exception so I'll add that.
| for record in caplog.records | ||
| if record.message == "User did not have permission to access this application" | ||
| ) | ||
| assert post_message.message == "User did not have permission to access this application" |
Is this testing the correct log message (i.e. the one you just added, "soap_client_certificate: User did not have permission to access this application")? I think this is testing the inner log message from get_application_zip_response.py.
Also, is there actually an assertion here that verifies the AC of "not having the correct permission does not log the exception?" I would think we need something that verifies that logging did not occur, something like:

```python
error_records = [r for r in caplog.records if r.levelno >= logging.ERROR and "Unable to process Simpler SOAP proxy response" in r.message]
assert len(error_records) == 0
```
| post_message = next( | ||
| record | ||
| for record in caplog.records | ||
| if record.message == "User did not have permission to access this application" | ||
| ) |
I think the assert after this is redundant - if the message isn't found within next() it will raise an error and fail the test, though that would be with an unhelpful failure message. You could do a list comprehension with assert len(...) == 1.
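The approach the review comments above converge on, as an added example that is not code from this PR or the project: a dedicated exception for the permission case, plus checks for both the info-level message and the absence of the exception log. `SoapPrivilegeError`, `call_proxy`, `CaptureHandler`, the stand-in `HTTPError`, the logger name and the 403/502 values are all assumptions made for illustration.

```python
import logging

logger = logging.getLogger("soap_proxy_example")  # hypothetical logger name
logger.setLevel(logging.INFO)

class HTTPError(Exception):  # stand-in for the framework class, constructed here
    def __init__(self, status_code, message=""):
        super().__init__(message)
        self.status_code = status_code

class SoapPrivilegeError(HTTPError):  # hypothetical narrow exception
    def __init__(self):
        super().__init__(403, "User did not have permission to access this application")

def call_proxy(operation):
    """Permission denials log at INFO; any other failure keeps its traceback."""
    try:
        return operation()
    except SoapPrivilegeError:
        logger.info("soap_client_certificate: User did not have permission to access this application")
    except Exception:
        logger.exception("Unable to process Simpler SOAP proxy response")
    return "fault-response"  # placeholder for the real SOAP fault body

class CaptureHandler(logging.Handler):  # minimal substitute for pytest's caplog
    def __init__(self):
        super().__init__()
        self.records = []
    def emit(self, record):
        self.records.append(record)

def run_and_capture(operation):
    """Call call_proxy(operation) and return the log records it produced."""
    handler = CaptureHandler()
    logger.addHandler(handler)
    try:
        call_proxy(operation)
    finally:
        logger.removeHandler(handler)
    return handler.records

def deny():  # constructed input: the permission check fails
    raise SoapPrivilegeError()

def upstream_failure():  # constructed input: an unrelated HTTPError
    raise HTTPError(502, "bad gateway")
```

Because the narrow `except` clause comes first, an unrelated `HTTPError` still reaches `logger.exception` and keeps alerting, which is the behaviour the "overly broad" comment asks to preserve.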
Summary
Fixes / Work for #8997
Changes proposed
Handled the HTTPError that results when a user does not have Privilege to access an application.
Context for reviewers
Previously this was being logged as an exception which was setting off alarms in New Relic. This handles it more gracefully and lessens alarm noise.
Validation steps