Merge remote-tracking branch 'upstream/master'

Azure · May 10, 2023 · 72bfdd1 · 72bfdd1
2 parents 4cfc601 + 3520f04
commit 72bfdd1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/pkg/api/validate/dynamic/dynamic.go b/pkg/api/validate/dynamic/dynamic.go
@@ -28,6 +28,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/compute"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/network"
 	"github.com/Azure/ARO-RP/pkg/util/permissions"
+	"github.com/Azure/ARO-RP/pkg/util/steps"
 	"github.com/Azure/ARO-RP/pkg/util/subnet"
 	"github.com/Azure/ARO-RP/pkg/util/token"
 )
@@ -404,6 +405,16 @@ func (c closure) usingListPermissions() (bool, error) {
 		return false, err
 	}
 
+	// If we get a StatusForbidden, try refreshing the SP (since with a
+	// brand-new SP it might take time to propagate)
+	if detailedErr, ok := err.(autorest.DetailedError); ok &&
+		detailedErr.StatusCode == http.StatusForbidden {
+		return false, steps.ErrWantRefresh
+	}
+	if err != nil {
+		return false, err
+	}
+
 	for _, action := range c.actions {
 		ok, err := permissions.CanDoAction(perms, action)
 		if !ok || err != nil {

diff --git a/pkg/util/steps/refreshing.go b/pkg/util/steps/refreshing.go
@@ -73,7 +73,9 @@ func (s *authorizationRefreshingActionStep) run(ctx context.Context, log *logrus
 		// role propagation delay) then refresh and retry.
 		if timeoutCtx.Err() == nil && err != nil &&
 			(azureerrors.IsUnauthorizedClientError(err) ||
-				azureerrors.HasAuthorizationFailedError(err)) {
+				azureerrors.HasAuthorizationFailedError(err) ||
+				azureerrors.IsInvalidSecretError(err) ||
+				err == ErrWantRefresh) {
 			log.Printf("auth error, refreshing and retrying: %v", err)
 			// Try refreshing auth.
 			err = s.auth.Rebuild()