diff --git a/api/api.go b/api/api.go
index e057caaa..16e24bb2 100644
--- a/api/api.go
+++ b/api/api.go
@@ -348,7 +348,7 @@ func (h *caHandler) ProvisionerKey(w http.ResponseWriter, r *http.Request) {
 func (h *caHandler) Roots(w http.ResponseWriter, r *http.Request) {
 roots, err := h.Authority.GetRoots()
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error getting roots"))
 return
 }
 
@@ -366,7 +366,7 @@ func (h *caHandler) Roots(w http.ResponseWriter, r *http.Request) {
 func (h *caHandler) Federation(w http.ResponseWriter, r *http.Request) {
 federated, err := h.Authority.GetFederation()
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error getting federated roots"))
 return
 }
 
diff --git a/api/revoke.go b/api/revoke.go
index 44d52cb9..25520e3e 100644
--- a/api/revoke.go
+++ b/api/revoke.go
@@ -96,7 +96,7 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
 }
 
 if err := h.Authority.Revoke(ctx, opts); err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error revoking certificate"))
 return
 }
 
diff --git a/api/sign.go b/api/sign.go
index a1e5b998..93c5f599 100644
--- a/api/sign.go
+++ b/api/sign.go
@@ -74,7 +74,7 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
 
 certChain, err := h.Authority.Sign(body.CsrPEM.CertificateRequest, opts, signOpts...)
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error signing certificate"))
 return
 }
 certChainPEM := certChainToPEM(certChain)
diff --git a/api/ssh.go b/api/ssh.go
index 43ee6b98..c9be1527 100644
--- a/api/ssh.go
+++ b/api/ssh.go
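Review bot: A failure of `h.Authority.GetRoots()` is still answered with 403, and with the new ForbiddenPrefix the client will now read `The request was forbidden by the certificate authority: error getting roots.`, which presents what looks like a server-side problem as an authorization decision. Unless GetRoots can fail for reasons tied to the caller's credentials (not visible here), `WriteError(w, errs.InternalServerErr(err))` seems the more accurate status and avoids teaching clients to retry with different credentials. The same observation applies to the GetFederation hunk that follows. Roots starts at the top of this hunk; its body continues past the hunk's end.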
@@ -293,7 +293,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 
 cert, err := h.Authority.SignSSH(ctx, publicKey, opts, signOpts...)
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 return
 }
 
@@ -301,7 +301,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
 addUserCert, err := h.Authority.SignSSHAddUser(ctx, addUserPublicKey, cert)
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 return
 }
 addUserCertificate = &SSHCertificate{addUserCert}
@@ -326,7 +326,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 
 certChain, err := h.Authority.Sign(cr, provisioner.SignOptions{}, signOpts...)
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 return
 }
 identityCertificate = certChainToPEM(certChain)
diff --git a/api/sshRekey.go b/api/sshRekey.go
index 8d2ba5ee..b2c55509 100644
--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@@ -68,7 +68,7 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 
 newCert, err := h.Authority.RekeySSH(ctx, oldCert, publicKey, signOpts...)
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 return
 }
 
@@ -78,7 +78,7 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 
 identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 return
 }
 
diff --git a/api/sshRenew.go b/api/sshRenew.go
index 5dfd5983..8d07ba01 100644
--- a/api/sshRenew.go
+++ b/api/sshRenew.go
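Review bot: The add-user failure at `WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))` reuses the exact message the preceding hunk attaches to the primary `SignSSH` failure, so a client log or a SIEM rule cannot tell which of the two signing steps inside SSHSign rejected the request. Because this string is now the client-visible text (prefixed by ForbiddenPrefix), a distinct wording such as `errs.ForbiddenErr(err, "error signing ssh add-user certificate")` costs nothing and keeps the two failure paths distinguishable. SSHSign begins and ends outside this hunk.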
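Review bot: `errs.ForbiddenErr(err, "error signing ssh certificate")` is attached to the `RekeySSH` failure here, so a rejected rekey reports itself to the client with the same text as the SSHSign path and cannot be correlated with the endpoint from the message alone. A wording tied to the operation, `errs.ForbiddenErr(err, "error rekeying ssh certificate")`, would let operators and client-side tooling tell the two apart. SSHRekey begins and ends outside this hunk.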
@@ -60,7 +60,7 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 
 newCert, err := h.Authority.RenewSSH(ctx, oldCert)
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 return
 }
 
@@ -70,7 +70,7 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 
 identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 if err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 return
 }
 
diff --git a/api/sshRevoke.go b/api/sshRevoke.go
index cfc25f04..60f44f2a 100644
--- a/api/sshRevoke.go
+++ b/api/sshRevoke.go
@@ -75,7 +75,7 @@ func (h *caHandler) SSHRevoke(w http.ResponseWriter, r *http.Request) {
 opts.OTT = body.OTT
 
 if err := h.Authority.Revoke(ctx, opts); err != nil {
- WriteError(w, errs.ForbiddenErr(err))
+ WriteError(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))
 return
 }
 
diff --git a/errs/error.go b/errs/error.go
index 60312313..2c1fe6a9 100644
--- a/errs/error.go
+++ b/errs/error.go
@@ -169,7 +169,8 @@ func StatusCodeError(code int, e error, opts ...Option) error {
 case http.StatusUnauthorized:
 return UnauthorizedErr(e, opts...)
 case http.StatusForbidden:
- return ForbiddenErr(e, opts...)
+ opts = append(opts, withDefaultMessage(ForbiddenDefaultMsg))
+ return NewErr(http.StatusForbidden, e, opts...)
 case http.StatusInternalServerError:
 return InternalServerErr(e, opts...)
 case http.StatusNotImplemented:
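Review bot: The `RenewSSH` failure is reported as `errs.ForbiddenErr(err, "error signing ssh certificate")`, the same client-visible text the sign and rekey handlers in this diff use, so a renewal rejection is indistinguishable from a signing rejection once it reaches the CLI. `errs.ForbiddenErr(err, "error renewing ssh certificate")` names the operation and keeps the message set one-to-one with the endpoints. SSHRenew begins and ends outside this hunk.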
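Review bot: The 403 branch of StatusCodeError now attaches `withDefaultMessage(ForbiddenDefaultMsg)` while the rewritten ForbiddenErr takes a caller-supplied format string, so the same status code is produced under two different message conventions depending on which constructor a caller reaches. If formatMessage (later in this diff) is applied to this error as well, the default text will presumably be rendered as `ForbiddenPrefix + ForbiddenDefaultMsg + "."`, which only reads correctly when ForbiddenDefaultMsg is a lowercase fragment without its own terminal punctuation; its value is not visible here, so that is worth checking. A comment on the `case http.StatusForbidden:` line would make the divergence deliberate rather than accidental, e.g. `// No caller message is available here, so keep the generic default instead of ForbiddenErr.`. StatusCodeError begins and ends outside this hunk.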
@@ -199,12 +200,18 @@ var (
 // BadRequestPrefix is the prefix added to the bad request messages that are
 // directly sent to the cli.
 BadRequestPrefix = "The request could not be completed: "
+
+ // ForbiddenPrefix is the prefix added to the forbidden messates that are
+ // sent to the cli.
+ ForbiddenPrefix = "The request was forbidden by the certificate authority: "
 )
 
 func formatMessage(status int, msg string) string {
 switch status {
 case http.StatusBadRequest:
 return BadRequestPrefix + msg + "."
+ case http.StatusForbidden:
+ return ForbiddenPrefix + msg + "."
 default:
 return msg
 }
@@ -356,14 +363,12 @@ func UnauthorizedErr(err error, opts ...Option) error {
 
 // Forbidden creates a 403 error with the given format and arguments.
 func Forbidden(format string, args ...interface{}) error {
- args = append(args, withDefaultMessage(ForbiddenDefaultMsg))
- return Errorf(http.StatusForbidden, format, args...)
+ return New(http.StatusForbidden, format, args...)
 }
 
 // ForbiddenErr returns an 403 error with the given error.
-func ForbiddenErr(err error, opts ...Option) error {
- opts = append(opts, withDefaultMessage(ForbiddenDefaultMsg))
- return NewErr(http.StatusForbidden, err, opts...)
+func ForbiddenErr(err error, format string, args ...interface{}) error {
+ return NewError(http.StatusForbidden, err, format, args...)
 }
 
 // NotFound creates a 404 error with the given format and arguments.
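Review bot: The new doc comment on ForbiddenPrefix misspells `messates`, and since this text is now glued onto every 403 body by formatMessage it should also state the contract the handlers in this diff rely on: the caller's message is appended as-is and a period is added, so messages must be lowercase fragments with no terminal punctuation. Suggested comment: `// ForbiddenPrefix is the prefix added to the forbidden messages that are sent to the cli. formatMessage appends the caller's message and a trailing period, so messages should be lowercase fragments without punctuation.`. The `var (` block begins before this hunk.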
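Review bot: The unchanged doc comment `// ForbiddenErr returns an 403 error with the given error.` no longer describes the function, whose signature now also takes `format string, args ...interface{}`, and it should say what the two inputs are for, e.g. `// ForbiddenErr returns a 403 error that wraps err. format and args build the message sent to the client (ForbiddenPrefix is added by formatMessage); err is retained for the server side only.`. That split matters for information disclosure: the old implementation masked err behind ForbiddenDefaultMsg, whereas the new one relies on NewError (outside this diff) to keep err's text out of the response, and the handlers in this diff pass authority errors straight in, so a test asserting that the response body carries only the formatted message would pin that property. `Forbidden` likewise drops the default message and presumably now emits whatever format produces, so callers passing an empty format would get an empty client message; worth a quick grep.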