Add more information when returning 403

[atemate]

Motivation: when one executes neuro run/log/top/delete with multiple resources used (image, volumes), we raise just web.HTTPForbidden without any additional information on which exactly resource is forbidden.

In future, we will need to patch all errors we raise server-side to provide more information there (i.e. raise web.HTTPForbidden() does not include any body, so we should get rid of it).

[codecov]

Codecov Report

Merging #833 into master will increase coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #833      +/-   ##
==========================================
+ Coverage   94.36%   94.38%   +0.01%     
==========================================
  Files          30       30              
  Lines        3921     3933      +12     
  Branches      434      436       +2     
==========================================
+ Hits         3700     3712      +12     
  Misses        166      166              
  Partials       55       55

Impacted Files	Coverage Δ
platform_api/handlers/jobs_handler.py	98.03% <100%> (+0.06%)	⬆️
platform_api/user.py	94.59% <100%> (+0.3%)	⬆️

[codecov]

Codecov Report

Merging #833 into master will increase coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #833      +/-   ##
==========================================
+ Coverage   94.36%   94.37%   +0.01%     
==========================================
  Files          30       30              
  Lines        3921     3929       +8     
  Branches      434      436       +2     
==========================================
+ Hits         3700     3708       +8     
  Misses        166      166              
  Partials       55       55

Impacted Files	Coverage Δ
platform_api/handlers/jobs_handler.py	98% <100%> (+0.04%)	⬆️
platform_api/user.py	94.59% <100%> (+0.3%)	⬆️

[dalazx]

not sure if we want to completely stop using aiohttp_security.check_permission. have we checked our options re extending our auth policies etc?

[atemate]

have we checked our options re extending our auth policies etc?

@asvetlov is it reasonable to extend aiohttp_security's functionality so that AuthPolicy so that method async def permits(...) -> bool is more general something like async def permits(...) -> Any OR aiohttp_security provides specific general exceptions that contain additional information?

[atemate]

created an issue on aiohttp_security: aio-libs/aiohttp-security#241

[atemate]

In any case, if we decide to fix this in aiohttp_security first, it will take long. So regarding this PR there are 2 possible ways:

1. Keep using aiohttp_security. Change the semantics of permits() to return missing permissions (on platform-auth-client side) and wrap it with a custom check_permissions() method temporarily.
2. Merge it as it is now (and drop dependency on aiohttp_security), and once the aiohttp_security is improved, and return it back

Personally, I'd stick to the first option.

[dalazx]

@ayushkovskiy please create an issue for moving these changes to neuro-auth-client.