throw ForbiddenError instead of SamException in createRuntime

http/src/main/scala/org/broadinstitute/dsde/workbench/leonardo/http/service/RuntimeServiceInterp.scala

@@ -29,7 +29,7 @@ import org.broadinstitute.dsde.workbench.leonardo.SamResourceId.{
 }
 import org.broadinstitute.dsde.workbench.leonardo.config._
 import org.broadinstitute.dsde.workbench.leonardo.dao.DockerDAO
-import org.broadinstitute.dsde.workbench.leonardo.dao.sam.{SamService, SamUtils}
+import org.broadinstitute.dsde.workbench.leonardo.dao.sam.{SamException, SamService, SamUtils}
 import org.broadinstitute.dsde.workbench.leonardo.db._
 import org.broadinstitute.dsde.workbench.leonardo.http.service.DiskServiceInterp.getDiskSamPolicyMap
 import org.broadinstitute.dsde.workbench.leonardo.model.SamResourceAction.{
@@ -88,14 +88,18 @@ class RuntimeServiceInterp[F[_]: Parallel](
         LeoLenses.cloudContextToGoogleProject.get(cloudContext),
         AzureUnimplementedException("Azure runtime is not supported yet")
       )
-      // Check if the user has launch_notebook_cluster on the google-project resource.
-      _ <- samService.checkAuthorized(
-        userInfo.accessToken.token,
-        ProjectSamResourceId(googleProject),
-        ProjectAction.CreateRuntime
-      )
       // Resolve the user email in Sam from the user token. This translates a pet token to the owner email.
       userEmail <- samService.getUserEmail(userInfo.accessToken.token)
+      // Check if the user has launch_notebook_cluster on the google-project resource.
+      _ <- samService
+        .checkAuthorized(
+          userInfo.accessToken.token,
+          ProjectSamResourceId(googleProject),
+          ProjectAction.CreateRuntime
+        )
+        .adaptError {
+          case e: SamException if e.statusCode == StatusCodes.Forbidden => ForbiddenError(userEmail)
+        }
       _ <- context.span.traverse(s => F.delay(s.addAnnotation("Done Sam call for cluster permission")))
       // Grab the pet service account for the user
       petSA <- samService.getPetServiceAccount(userInfo.accessToken.token, googleProject)

http/src/main/scala/org/broadinstitute/dsde/workbench/leonardo/http/service/RuntimeV2ServiceInterp.scala

@@ -17,7 +17,7 @@ import org.broadinstitute.dsde.workbench.leonardo.SamResourceId.{
 }
 import org.broadinstitute.dsde.workbench.leonardo.config.PersistentDiskConfig
 import org.broadinstitute.dsde.workbench.leonardo.dao._
-import org.broadinstitute.dsde.workbench.leonardo.dao.sam.{SamService, SamUtils}
+import org.broadinstitute.dsde.workbench.leonardo.dao.sam.{SamException, SamService, SamUtils}
 import org.broadinstitute.dsde.workbench.leonardo.db._
 import org.broadinstitute.dsde.workbench.leonardo.http.service.DiskServiceInterp.getDiskSamPolicyMap
 import org.broadinstitute.dsde.workbench.leonardo.http.service.RuntimeServiceInterp.getRuntimeSamPolicyMap
@@ -57,10 +57,14 @@ class RuntimeV2ServiceInterp[F[_]: Parallel](
     for {
       ctx <- as.ask
 
-      _ <- samService.checkAuthorized(userInfo.accessToken.token,
-                                      WorkspaceResourceSamResourceId(workspaceId),
-                                      WorkspaceAction.Compute
-      )
+      _ <- samService
+        .checkAuthorized(userInfo.accessToken.token,
+                         WorkspaceResourceSamResourceId(workspaceId),
+                         WorkspaceAction.Compute
+        )
+        .adaptError {
+          case e: SamException if e.statusCode == StatusCodes.Forbidden => ForbiddenError(userInfo.userEmail)
+        }
       _ <- ctx.span.traverse(s => F.delay(s.addAnnotation("Done auth call for azure runtime permission")))
 
       workspaceDescOpt <- wsmClientProvider.getWorkspace(userInfo.accessToken.token, workspaceId)

http/src/test/scala/org/broadinstitute/dsde/workbench/leonardo/http/service/RuntimeServiceInterpSpec.scala

@@ -215,12 +215,14 @@ class RuntimeServiceInterpTest
   it should "fail if user doesn't have project level permission" in {
     val samService = mock[SamService[IO]]
     val runtimeService = makeRuntimeService(samService = samService)
+    when(samService.getUserEmail(isEq(unauthorizedUserInfo.accessToken.token))(any()))
+      .thenReturn(IO.pure(unauthorizedUserInfo.userEmail))
     when(
       samService.checkAuthorized(isEq(unauthorizedUserInfo.accessToken.token),
                                  isEq(ProjectSamResourceId(cloudContextGcp.value)),
                                  isEq(ProjectAction.CreateRuntime)
       )(any())
-    ).thenReturn(IO.raiseError(ForbiddenError(unauthorizedUserInfo.userEmail)))
+    ).thenReturn(IO.raiseError(SamException.create("no access", StatusCodes.Forbidden.intValue, TraceId(""))))
     val res = for {
       r <- runtimeService
         .createRuntime(

http/src/test/scala/org/broadinstitute/dsde/workbench/leonardo/http/service/RuntimeV2ServiceInterpSpec.scala

@@ -202,7 +202,7 @@ class RuntimeV2ServiceInterpSpec extends AnyFlatSpec with LeonardoTestSuite with
                                  WorkspaceResourceSamResourceId(workspaceId),
                                  WorkspaceAction.Compute
       )
-    ).thenReturn(IO.raiseError(ForbiddenError(unauthorizedUserInfo.userEmail)))
+    ).thenReturn(IO.raiseError(SamException.create("no access", StatusCodes.Forbidden.intValue, TraceId(""))))
     val runtimeV2Service = makeInterp(samService = samService)
 
     val thrown = the[ForbiddenError] thrownBy {