Handle storm preconditions which throw exceptions for AuthDeny and NoSuchView with their own codes

vEpiphyte · vEpiphyte · commit a13510b911a4 · 2025-03-31T10:45:51.000-04:00
Update the loginV1 handler to sent 403/404 codes on errors.
diff --git a/changes/5bc9697951b7c5b83a6bced86e256a10.yaml b/changes/5bc9697951b7c5b83a6bced86e256a10.yaml
@@ -1,6 +1,5 @@
 ---
-desc: Update Synapse HTTP APIs to set a non-200 HTTP status code when errors are
-  returned. This does not apply to the ``api/v1/login`` endpoint.
+desc: Update Synapse HTTP APIs to set a non-200 HTTP status code when errors are returned.
 prs: []
 type: bug
 ...
diff --git a/synapse/lib/httpapi.py b/synapse/lib/httpapi.py
@@ -551,6 +551,13 @@ async def _reqValidOpts(self, opts: dict | None) -> dict | None:
 
         return opts
 
+    def _handleStormErr(self, err: Exception):
+        if isinstance(err, s_exc.AuthDeny):
+            return self.sendRestExc(err, status_code=HTTPStatus.FORBIDDEN)
+        if isinstance(err, s_exc.NoSuchView):
+            return self.sendRestExc(err, status_code=HTTPStatus.NOT_FOUND)
+        return self.sendRestExc(err, status_code=HTTPStatus.BAD_REQUEST)
+
 class StormNodesV1(StormHandler):
 
     async def post(self):
@@ -586,7 +593,7 @@ async def get(self):
                 flushed = True
         except Exception as e:
             if not flushed:
-                return self.sendRestExc(e, status_code=HTTPStatus.BAD_REQUEST)
+                return self._handleStormErr(e)
 
 class StormV1(StormHandler):
 
@@ -621,7 +628,7 @@ async def get(self):
                 flushed = True
         except Exception as e:
             if not flushed:
-                return self.sendRestExc(e, status_code=HTTPStatus.BAD_REQUEST)
+                return self._handleStormErr(e)
 
 class StormCallV1(StormHandler):
 
@@ -647,7 +654,7 @@ async def get(self):
         try:
             ret = await self.getCore().callStorm(query, opts=opts)
         except Exception as e:
-            return self.sendRestExc(e, status_code=HTTPStatus.BAD_REQUEST)
+            return self._handleStormErr(e)
         else:
             return self.sendRestRetn(ret)
 
@@ -681,7 +688,7 @@ async def get(self):
                 flushed = True
         except Exception as e:
             if not flushed:
-                return self.sendRestExc(e, status_code=HTTPStatus.BAD_REQUEST)
+                return self._handleStormErr(e)
 
 class ReqValidStormV1(StormHandler):
 
@@ -700,7 +707,7 @@ async def get(self):
         try:
             ret = await self.cell.reqValidStorm(query, opts)
         except Exception as e:
-            return self.sendRestExc(e, status_code=HTTPStatus.BAD_REQUEST)
+            return self._handleStormErr(e)
         else:
             return self.sendRestRetn(ret)
 
diff --git a/synapse/tests/test_lib_httpapi.py b/synapse/tests/test_lib_httpapi.py
@@ -430,20 +430,18 @@ async def test_http_auth(self):
                 async with sess.post(f'https://localhost:{port}/api/v1/login') as resp:
                     self.eq(resp.status, http.HTTPStatus.BAD_REQUEST)
                     item = await resp.json()
-                    print(item)
                     self.eq('SchemaViolation', item.get('code'))
                 async with sess.post(f'https://localhost:{port}/api/v1/login', json=['newp',]) as resp:
                     self.eq(resp.status, http.HTTPStatus.BAD_REQUEST)
                     item = await resp.json()
-                    print(item)
                     self.eq('SchemaViolation', item.get('code'))
 
             async with self.getHttpSess() as sess:
 
                 info = {'user': 'hehe', 'passwd': 'newp'}
                 with self.getAsyncLoggerStream('synapse.lib.httpapi', 'No such user.') as stream:
                     async with sess.post(f'https://localhost:{port}/api/v1/login', json=info) as resp:
-                        self.eq(resp.status, http.HTTPStatus.OK)
+                        self.eq(resp.status, http.HTTPStatus.NOT_FOUND)
                         item = await resp.json()
                         self.eq('AuthDeny', item.get('code'))
                         self.true(await  stream.wait(timeout=6))
@@ -453,7 +451,7 @@ async def test_http_auth(self):
                 await core.setUserLocked(visiiden, True)
                 with self.getAsyncLoggerStream('synapse.lib.httpapi', 'User is locked.') as stream:
                     async with sess.post(f'https://localhost:{port}/api/v1/login', json=info) as resp:
-                        self.eq(resp.status, http.HTTPStatus.OK)
+                        self.eq(resp.status, http.HTTPStatus.FORBIDDEN)
                         item = await resp.json()
                         self.eq('AuthDeny', item.get('code'))
                         self.true(await  stream.wait(timeout=6))
@@ -464,7 +462,7 @@ async def test_http_auth(self):
                 info = {'user': 'visi', 'passwd': 'borked'}
                 with self.getAsyncLoggerStream('synapse.lib.httpapi', 'Incorrect password.') as stream:
                     async with sess.post(f'https://localhost:{port}/api/v1/login', json=info) as resp:
-                        self.eq(resp.status, http.HTTPStatus.OK)
+                        self.eq(resp.status, http.HTTPStatus.FORBIDDEN)
                         item = await resp.json()
                         self.eq('AuthDeny', item.get('code'))
                         self.true(await stream.wait(timeout=6))
@@ -1602,6 +1600,21 @@ async def test_http_storm(self):
                 self.true(await task.waitfini(6))
                 self.len(0, core.boss.tasks)
 
+                fork = await core.callStorm('return($lib.view.get().fork().iden)')
+                lowuser = await core.auth.addUser('lowuser')
+
+                async with sess.get(f'https://localhost:{port}/api/v1/storm/nodes',
+                                    json={'query': '.created', 'opts': {'view': s_common.guid()}}) as resp:
+                    self.eq(resp.status, http.HTTPStatus.NOT_FOUND)
+
+                async with sess.get(f'https://localhost:{port}/api/v1/storm',
+                                    json={'query': '.created', 'opts': {'view': s_common.guid()}}) as resp:
+                    self.eq(resp.status, http.HTTPStatus.NOT_FOUND)
+
+                async with sess.get(f'https://localhost:{port}/api/v1/storm',
+                                    json={'query': '.created', 'opts': {'user': lowuser.iden, 'view': fork}}) as resp:
+                    self.eq(resp.status, http.HTTPStatus.FORBIDDEN)
+
                 # check reqvalidstorm with various queries
                 tvs = (
                     ('test:str=test', {}, 'ok'),
@@ -2193,7 +2206,7 @@ async def test_http_locked_admin(self):
                     self.eq('NotAuthenticated', item.get('code'))
 
                 resp = await sess.post(f'{root}/api/v1/login', json={'user': 'visi', 'passwd': 'secret123'})
-                self.eq(resp.status, http.HTTPStatus.OK)
+                self.eq(resp.status, http.HTTPStatus.FORBIDDEN)
                 retn = await resp.json()
                 self.eq(retn.get('status'), 'err')
                 self.eq(retn.get('code'), 'AuthDeny')
