Narrow expected responses for CheckUserInGroup

When checking whether a given user is in a given group, keystone will
return a 404 Not Found if all went well but the user was not in the
group. It may also return a 403 if the user and the group are in
different backends, which would also mean that the user was not in the
group[1]. Any other 400 response is a client error and any 500 response
is a server error to which the user should be alerted.

Without this patch, openstackclient treats any exception as a valid "not
found" and may end up hiding server errors. This patch reduces the
caught exceptions to 403 and 404 responses and treats everything else as
an error.

[1] https://developer.openstack.org/api-ref/identity/v3/?expanded=check-whether-user-belongs-to-group-detail#check-whether-user-belongs-to-group

Closes-bug: #1672634

Change-Id: Id3f3b2409b7cee480ee3c19b6d6c3070599ffe8f

1 files changed, 9 insertions, 6 deletions

diff --git a/openstackclient/identity/v3/group.py b/openstackclient/identity/v3/group.py
index 2afdabc1..b5f5d8ad 100644
--- a/openstackclient/identity/v3/group.py
+++ b/openstackclient/identity/v3/group.py
@@ -102,12 +102,15 @@ class CheckUserInGroup(command.Command):
 
         try:
             identity_client.users.check_in_group(user_id, group_id)
-        except Exception:
-            msg = _("%(user)s not in group %(group)s\n") % {
-                'user': parsed_args.user,
-                'group': parsed_args.group,
-            }
-            sys.stderr.write(msg)
+        except ks_exc.http.HTTPClientError as e:
+            if e.http_status == 403 or e.http_status == 404:
+                msg = _("%(user)s not in group %(group)s\n") % {
+                    'user': parsed_args.user,
+                    'group': parsed_args.group,
+                }
+                sys.stderr.write(msg)
+            else:
+                raise e
         else:
             msg = _("%(user)s in group %(group)s\n") % {
                 'user': parsed_args.user,