search

sap-linuxlab / community.sap_launchpad

Automation for SAP - Collection of Ansible Modules for various tasks using SAP Launchpad APIs
Apache License 2.0
8 stars 7 forks source link

Download with software_center_download fails #3

Closed Kaefermade closed 1 year ago

Kaefermade commented 2 years ago

I'm trying to use the software_center_download module as part of my playbook. But it fails with the following message:

"An exception has occurred - You do not have proper authorization to download software, please check: https://launchpad.support.sap.com/#/user/authorizations"

First of all I've checked the permissions, my S-User has. They are correctly set and I'm able to download software from SAP using a browser. As suggested when using an Universal ID I also reset my Account Password without any difference. So I tried it again with an S-User of my colleague which has super admin rights and the module worked as expected. His S-User uses a Universal ID, too. The only difference are those super admin rights, which shouldn't prevent me from downloading.

Any ideas how to fix this?

dirktimmer commented 1 year ago

Hi, the authorization is checked against the Description field and when your are not using english, you will get the error.

Better is to check against the ObjectId:

def _has_download_authorization():
    global _HAS_DOWNLOAD_AUTHORIZATION
    if _HAS_DOWNLOAD_AUTHORIZATION is None:
        user_attributes = _request(C.URL_ACCOUNT_ATTRIBUTES).json()
        sid = user_attributes['uid']

        url = C.URL_SERVICE_USER_ADMIN + f"/UserSet('{sid}')/UserExistingAuthorizationsSet"
        j = _request(url, headers={'Accept': 'application/json'}).json()
        authorization_descs = [r['ObjectId'] for r in j['d']['results']]
        _HAS_DOWNLOAD_AUTHORIZATION = "SWDOWNLOAD" in authorization_descs
    return _HAS_DOWNLOAD_AUTHORIZATION

Best regards, Dirk

sean-freeman commented 1 year ago

@Kaefermade Please excuse the delay, I have been OOO for weeks

Thanks for the GH Issue, it has reminded me that I did not copy/paste the FAQ for these common errors into this repo. For now you can see them under the Terraform Templates repo (which leverages the auto-downloads) > terraform.templates_for_sap -- /docs/FAQ.md#common-errors

When the prefix "An exception has occurred - " is used, it is passing the direct error message from SAP.com and is the catch-all. You can see this on this line of code: software_center_download.py#L158

Unfortunately, this is not something I will debug as it would require your credentials and I would never accept that responsibility. Execution manually of the Python code is possible and commented-out code in this example that will turn on debugging to show all API traffic: see EXEC_EXAMPLES.md#execution-example-with-python-environment. With debugging enabled it would reveal what is happening, but please be careful when copy/pasting as it may contain sensisitive data.

sean-freeman commented 1 year ago

OK bit strange to get a comment from @dirktimmer seconds after I open this GH Issue and reply, but I'll take it -- that is an excellent catch by Dirk!

..... reviewing JSON payloads again, will alter my language to compare but I like the suggested solution

sean-freeman commented 1 year ago

There are two objects returned for SAP Software Download authorization:

[
  {
    "UserId": "S0000000000",
    "ObjectId": "SWDOWNLOAD",
    "ObjectDesc": "Software Download",
    "Field": "GLOBAL",
    "FieldDesc": "Global",
    "Value": "",
    "ValueDescription": "",
    "ValueType": "",
    "InstallationUser": "",
    "InstallationUserDesc": "",
    "AuthLevelId": "G_SOFTDOWN",
    "AuthLevelDesc": ""
  },
  {
    "UserId": "S0000000000",
    "ObjectId": "G_SOFTDOWN",
    "ObjectDesc": "Software Download",
    "Field": "",
    "FieldDesc": "",
    "Value": "",
    "ValueDescription": "",
    "ValueType": "",
    "InstallationUser": "",
    "InstallationUserDesc": "",
    "AuthLevelId": "group",
    "AuthLevelDesc": ""
  }
]
dirktimmer commented 1 year ago

Yes, I can see it in my payload also. But i think the first is refering to the second one. From where you got the acces rights. In the first is the "AuthLevelId": "G_SOFTDOWN" what is in the second the ObjectId. In my ObjectDesc the value is 'Software herunterladen' (german).

sean-freeman commented 1 year ago

Agree, there is definitely a parent-child relationship between the objects. However I would prefer to cover all scenarios as I cannot be familiar with all permutations of authorizations in different SAP Company Numbers (SCN), different SAP User IDs, and different languages.

it is possible G_SOFTDOWN is a subset auth to allow certain download access, and the user would not have access to SWDOWNLOAD

Committing a fix, then creating a dev branch which I meant to do a while ago

sean-freeman commented 1 year ago

@Kaefermade please test again and close this GH Issue if now working. Big thanks to @dirktimmer for finding this blind spot 👍

Kaefermade commented 1 year ago

Works like a charm now. Thank you. :)

sean-freeman commented 1 year ago

Thanks for test confirming. For future reference, could also force language to English but this may have unexpected consequences j = _request(url, headers={'Accept': 'application/json'}, params={'sap-language': 'en'}).json()

EDIT: Also added FAQ