che-server returns 500 when OpenShift token expires in nativeUserMode #20304

Closed
Tracked by #20444 ...
sparkoo opened this issue Aug 17, 2021 · 0 comments
Labels: area/che-server, kind/bug, severity/P1

sparkoo commented Aug 17, 2021

Describe the bug

In nativeUserMode, when the OpenShift token expires, che-server returns 500 on all requests with the expired token. The dashboard can't properly react to that. Che-server should return 401.

The issue in the code is in OpenshiftTokenInitializationFilter at https://github.com/eclipse-che/che-server/blob/main/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/multiuser/oauth/OpenshiftTokenInitializationFilter.java#L87 where we throw a RuntimeException, which is evaluated as code 500 in the response. A few lines above, we detect the 401 response from the Kubernetes API, but only to log it.

Che version

7.34@latest

Steps to reproduce

  1. deploy with nativeUserMode enabled (default on current main on openshift with devworkspaces)
  2. set openshift token lifetime to some short time with oc edit oauth cluster and set

         spec:
           tokenConfig:
             accessTokenMaxAgeSeconds: 120

  3. wait for a few minutes until openshift reconciles the new configuration
  4. login to Che
  5. wait until the token expires
  6. open the dashboard again, you'll see an error as in the screenshot
  7. check browser network traffic, it gets 500 on all requests to che-server

Expected behavior

Che-server should return 401, same as kubernetes API.

Runtime

OpenShift

Screenshots

No response

Installation method

chectl/next

Environment

other (please specify in additional context)

Eclipse Che Logs

2021-08-09 11:29:53,121[nio-8080-exec-9]  [ERROR] [shiftTokenInitializationFilter 84]   - Unauthorized when getting current user. Invalid OpenShift token, probably expired. Re-login? Re-request the token?
2021-08-09 11:29:53,122[nio-8080-exec-9]  [ERROR] [o.a.c.c.C.[.[.[/api].[default] 175]  - Servlet.service() for servlet [default] in context with path [/api] threw exception
java.lang.RuntimeException: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/user.openshift.io/v1/users/~. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked. Unauthorized.
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getUserId(OpenshiftTokenInitializationFilter.java:87)
	at org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:117)
	at org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:194)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1651)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/user.openshift.io/v1/users/~. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked. Unauthorized.
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:681)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:618)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:560)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:521)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:488)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:470)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:827)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:197)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:164)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:88)
	at io.fabric8.openshift.client.DefaultOpenShiftClient.currentUser(DefaultOpenShiftClient.java:663)
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getCurrentUser(OpenshiftTokenInitializationFilter.java:113)
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getUserId(OpenshiftTokenInitializationFilter.java:81)
	... 23 common frames omitted

Additional context

#20275

@sparkoo sparkoo added kind/bug Outline of a bug - must adhere to the bug report template. area/che-server labels Aug 17, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Aug 17, 2021
@skabashnyuk skabashnyuk added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Aug 17, 2021
@metlos metlos closed this as completed Oct 1, 2021
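
The status mapping described in the report, as an added JDK-only illustration that is not che-server, servlet or fabric8 code. All type and method names (UpstreamException, RejectedException, currentUser, dispatch) and the sample tokens are hypothetical stand-ins; the point is that only an upstream 401 is turned into a 401, while other lookup failures remain server errors.

```java
import java.util.List;
import java.util.function.Function;

// Added illustration. Every type here is a hypothetical stand-in.
public class ExpiredTokenStatus {
    // Stand-in for a client exception that carries the upstream HTTP status.
    static class UpstreamException extends RuntimeException {
        final int code;
        UpstreamException(int code, String message) { super(message); this.code = code; }
    }
    // Tells the container model to reject the request with a specific status.
    static class RejectedException extends RuntimeException {
        final int status;
        RejectedException(int status, String message) { super(message); this.status = status; }
    }

    // Stand-in for the "current user" lookup made with the caller's token (constructed tokens).
    static String currentUser(String token) {
        if (token.equals("expired")) throw new UpstreamException(401, "Unauthorized");
        if (token.equals("outage")) throw new UpstreamException(503, "Service Unavailable");
        return "user-of-" + token;
    }

    // Reported behaviour: every lookup failure is wrapped in a RuntimeException.
    static String userIdBefore(String token) {
        try { return currentUser(token); }
        catch (UpstreamException e) { throw new RuntimeException(e); }
    }

    // Expected behaviour: an upstream 401 is passed on as 401, with a fixed
    // message so upstream details are not echoed to the client.
    static String userIdAfter(String token) {
        try { return currentUser(token); }
        catch (UpstreamException e) {
            if (e.code == 401) throw new RejectedException(401, "Token invalid or expired");
            throw new RuntimeException(e); // a real outage is still a server error
        }
    }

    // Container model: an uncaught exception from the filter becomes a 500.
    static int dispatch(Function<String, String> filter, String token) {
        try { filter.apply(token); return 200; }
        catch (RejectedException e) { return e.status; }
        catch (RuntimeException e) { return 500; }
    }

    public static void main(String[] args) {
        for (String t : List.of("valid", "expired", "outage"))
            System.out.printf("%-8s before=%d after=%d%n", t,
                dispatch(ExpiredTokenStatus::userIdBefore, t), dispatch(ExpiredTokenStatus::userIdAfter, t));
    }
}
```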