Check for 403 status code when preparing tap error (#3215)

* Check for 403 to pass to websocketError Signed-off-by: Kevin Leimkuhler <[email protected]>
linkerd · Aug 8, 2019 · db381a0 · db381a0
1 parent 43bc175
commit db381a0
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/web/srv/api_handlers.go b/web/srv/api_handlers.go
@@ -180,6 +180,7 @@ func (h *handler) handleAPITopRoutes(w http.ResponseWriter, req *http.Request, p
 func createTapErrorMessage(err error) string {
 	log.Debugf("tap error: %s", err.Error())
 
+	// TODO: reconcile this cast and 403 check with the one in handleAPITap
 	if httpErr, ok := err.(protohttp.HTTPError); ok && httpErr.Code == http.StatusForbidden {
 		return fmt.Sprintf("Missing authorization, visit %s to remedy", tap.TapRbacURL)
 	}
@@ -238,7 +239,17 @@ func (h *handler) handleAPITap(w http.ResponseWriter, req *http.Request, p httpr
 	go func() {
 		reader, body, err := tap.Reader(h.k8sAPI, tapReq, 0)
 		if err != nil {
-			websocketError(ws, websocket.ClosePolicyViolation, err)
+			// If there was a [403] error when initiating a tap, close the
+			// socket with `ClosePolicyViolation` status code so that the error
+			// renders without the error prefix in the banner
+			if httpErr, ok := err.(protohttp.HTTPError); ok && httpErr.Code == http.StatusForbidden {
+				websocketError(ws, websocket.ClosePolicyViolation, err)
+				return
+			}
+
+			// All other errors from initiating a tap should close with
+			// `CloseInternalServerErr` status code
+			websocketError(ws, websocket.CloseInternalServerErr, err)
 			return
 		}
 		defer body.Close()