From ff04873a2a60dbb7688fff955d2947cce9966ced Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Tue, 23 Nov 2021 18:58:16 -0800
Subject: [PATCH] Change the default error type to forbidden in Sign.

The errors will also be propagated from sign options.
---
 authority/tls.go | 25 ++++++++++++++++++++-----
 authority/tls_test.go | 10 +++++-----
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/authority/tls.go b/authority/tls.go
index 716d8956..7853198e 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -94,7 +94,10 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 	// Validate the given certificate request.
 	case provisioner.CertificateRequestValidator:
 		if err := k.Valid(csr); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error validating certificate"),
+				opts...,
+			)
 		}
 
 	// Validates the unsigned certificate template.
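Review bot: The new message `"error validating certificate"` on the `k.Valid(csr)` branch is the same string the later certValidators branch uses, and the dropped `"authority.Sign"` prefix (confirmed by the tls_test.go expectations) removes the only hint of which stage rejected the request, so a reader of the logs can no longer tell a CSR-validator rejection from a leaf-certificate-validator one; `errs.ForbiddenErr(err, "error validating certificate request")` would keep the two distinguishable. Moving from 401 to 403 is the right direction for this branch: the caller has already been authenticated by the time the CSR is checked against provisioner policy, and 401 signals missing or invalid credentials, whereas a policy rejection of an authenticated request is 403. Whether the wrapped err's own status survives ForbiddenErr is not visible here; the tls_test.go hunks keeping http.StatusBadRequest for the duration and DNS-name cases suggest it does, but that relies on errs behaviour outside this diff. Sign starts before and continues past this hunk.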
@@ -131,26 +134,38 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 	// Set default subject
 	if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
-		return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+		return nil, errs.ApplyOptions(
+			errs.ForbiddenErr(err, "error creating certificate"),
+			opts...,
+		)
 	}
 
 	for _, m := range certModifiers {
 		if err := m.Modify(leaf, signOpts); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error creating certificate"),
+				opts...,
+			)
 		}
 	}
 
 	// Certificate validation.
 	for _, v := range certValidators {
 		if err := v.Valid(leaf, signOpts); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error validating certificate"),
+				opts...,
+			)
 		}
 	}
 
 	// Certificate modifiers after validation
 	for _, m := range certEnforcers {
 		if err := m.Enforce(leaf); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error creating certificate"),
+				opts...,
+			)
 		}
 	}
 
diff --git a/authority/tls_test.go b/authority/tls_test.go
index e61025a6..41354e8d 100644
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@@ -281,8 +281,8 @@ func TestAuthority_Sign(t *testing.T) {
 			csr: csr,
 			extraOpts: extraOpts,
 			signOpts: signOpts,
-			err: errors.New("authority.Sign: default ASN1DN template cannot be nil"),
-			code: http.StatusUnauthorized,
+			err: errors.New("default ASN1DN template cannot be nil"),
+			code: http.StatusForbidden,
 		}
 	},
 	"fail create cert": func(t *testing.T) *signTest {
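Review bot: The `withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify` failure at the top of the hunk now surfaces as 403 Forbidden, but the expectation updated in the same commit (`default ASN1DN template cannot be nil`) shows this branch covers an authority configuration problem rather than anything the client did, so a nil template is reported to the caller as an authorization failure and the misconfiguration is hidden behind a client-side status; a server-error status for that one branch, with the Forbidden mapping kept for the certModifiers, certValidators and certEnforcers loops, would keep operator errors and policy rejections distinguishable in logs and metrics. The four replacement sites are otherwise identical expansions of the same pattern; a local helper such as `forbidden := func(err error, msg string) error { return errs.ApplyOptions(errs.ForbiddenErr(err, msg), opts...) }` declared once near the top of Sign would make the status mapping a single point of change. This hunk sits in the middle of Sign, which begins and ends outside it.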
@@ -309,7 +309,7 @@ func TestAuthority_Sign(t *testing.T) {
 			csr: csr,
 			extraOpts: extraOpts,
 			signOpts: _signOpts,
-			err: errors.New("authority.Sign: requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
+			err: errors.New("requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
 			code: http.StatusBadRequest,
 		}
 	},
@@ -322,7 +322,7 @@ func TestAuthority_Sign(t *testing.T) {
 			csr: csr,
 			extraOpts: extraOpts,
 			signOpts: signOpts,
-			err: errors.New("authority.Sign: certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
+			err: errors.New("certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
 			code: http.StatusBadRequest,
 		}
 	},
@@ -348,7 +348,7 @@ ZYtQ9Ot36qc=
 			csr: csr,
 			extraOpts: extraOpts,
 			signOpts: signOpts,
-			err: errors.New("authority.Sign: certificate request RSA key must be at least 2048 bits (256 bytes)"),
+			err: errors.New("certificate request RSA key must be at least 2048 bits (256 bytes)"),
 			code: http.StatusForbidden,
 		}
 	},
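Review bot: The three updated expectations keep `http.StatusBadRequest` for the duration and DNS-name cases and `http.StatusForbidden` for the RSA key-size case even though Sign now wraps every validator error with errs.ForbiddenErr, so the tests implicitly depend on ForbiddenErr (or ApplyOptions) preserving a status already attached to the wrapped error, and that contract is stated nowhere in the diff. A one-line comment on the first such case, e.g. `// validator errors carry their own status; the ForbiddenErr wrapper in Sign must not override it`, would record why a Forbidden wrapper is expected to yield 400 here and give a future change to errs something to break against. Whether the RSA case's 403 comes from the validator itself or from the new default cannot be told from these hunks. TestAuthority_Sign begins and ends outside this hunk.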