Modify errs.ForbiddenErr to always return an error to the cli.
This commit is contained in:
parent
4f84cef0cf
commit
b5db3f5706
8 changed files with 23 additions and 18 deletions
|
@ -348,7 +348,7 @@ func (h *caHandler) ProvisionerKey(w http.ResponseWriter, r *http.Request) {
|
|||
func (h *caHandler) Roots(w http.ResponseWriter, r *http.Request) {
|
||||
roots, err := h.Authority.GetRoots()
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error getting roots"))
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -366,7 +366,7 @@ func (h *caHandler) Roots(w http.ResponseWriter, r *http.Request) {
|
|||
func (h *caHandler) Federation(w http.ResponseWriter, r *http.Request) {
|
||||
federated, err := h.Authority.GetFederation()
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error getting federated roots"))
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -96,7 +96,7 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
if err := h.Authority.Revoke(ctx, opts); err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error revoking certificate"))
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -74,7 +74,7 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
certChain, err := h.Authority.Sign(body.CsrPEM.CertificateRequest, opts, signOpts...)
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error signing certificate"))
|
||||
return
|
||||
}
|
||||
certChainPEM := certChainToPEM(certChain)
|
||||
|
|
|
@ -293,7 +293,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
cert, err := h.Authority.SignSSH(ctx, publicKey, opts, signOpts...)
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -301,7 +301,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|||
if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
|
||||
addUserCert, err := h.Authority.SignSSHAddUser(ctx, addUserPublicKey, cert)
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
|
||||
return
|
||||
}
|
||||
addUserCertificate = &SSHCertificate{addUserCert}
|
||||
|
@ -326,7 +326,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
certChain, err := h.Authority.Sign(cr, provisioner.SignOptions{}, signOpts...)
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
|
||||
return
|
||||
}
|
||||
identityCertificate = certChainToPEM(certChain)
|
||||
|
|
|
@ -68,7 +68,7 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
newCert, err := h.Authority.RekeySSH(ctx, oldCert, publicKey, signOpts...)
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -78,7 +78,7 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -60,7 +60,7 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
newCert, err := h.Authority.RenewSSH(ctx, oldCert)
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -70,7 +70,7 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
|
||||
if err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -75,7 +75,7 @@ func (h *caHandler) SSHRevoke(w http.ResponseWriter, r *http.Request) {
|
|||
opts.OTT = body.OTT
|
||||
|
||||
if err := h.Authority.Revoke(ctx, opts); err != nil {
|
||||
WriteError(w, errs.ForbiddenErr(err))
|
||||
WriteError(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -169,7 +169,8 @@ func StatusCodeError(code int, e error, opts ...Option) error {
|
|||
case http.StatusUnauthorized:
|
||||
return UnauthorizedErr(e, opts...)
|
||||
case http.StatusForbidden:
|
||||
return ForbiddenErr(e, opts...)
|
||||
opts = append(opts, withDefaultMessage(ForbiddenDefaultMsg))
|
||||
return NewErr(http.StatusForbidden, e, opts...)
|
||||
case http.StatusInternalServerError:
|
||||
return InternalServerErr(e, opts...)
|
||||
case http.StatusNotImplemented:
|
||||
|
@ -199,12 +200,18 @@ var (
|
|||
// BadRequestPrefix is the prefix added to the bad request messages that are
|
||||
// directly sent to the cli.
|
||||
BadRequestPrefix = "The request could not be completed: "
|
||||
|
||||
// ForbiddenPrefix is the prefix added to the forbidden messates that are
|
||||
// sent to the cli.
|
||||
ForbiddenPrefix = "The request was forbidden by the certificate authority: "
|
||||
)
|
||||
|
||||
func formatMessage(status int, msg string) string {
|
||||
switch status {
|
||||
case http.StatusBadRequest:
|
||||
return BadRequestPrefix + msg + "."
|
||||
case http.StatusForbidden:
|
||||
return ForbiddenPrefix + msg + "."
|
||||
default:
|
||||
return msg
|
||||
}
|
||||
|
@ -356,14 +363,12 @@ func UnauthorizedErr(err error, opts ...Option) error {
|
|||
|
||||
// Forbidden creates a 403 error with the given format and arguments.
|
||||
func Forbidden(format string, args ...interface{}) error {
|
||||
args = append(args, withDefaultMessage(ForbiddenDefaultMsg))
|
||||
return Errorf(http.StatusForbidden, format, args...)
|
||||
return New(http.StatusForbidden, format, args...)
|
||||
}
|
||||
|
||||
// ForbiddenErr returns an 403 error with the given error.
|
||||
func ForbiddenErr(err error, opts ...Option) error {
|
||||
opts = append(opts, withDefaultMessage(ForbiddenDefaultMsg))
|
||||
return NewErr(http.StatusForbidden, err, opts...)
|
||||
func ForbiddenErr(err error, format string, args ...interface{}) error {
|
||||
return NewError(http.StatusForbidden, err, format, args...)
|
||||
}
|
||||
|
||||
// NotFound creates a 404 error with the given format and arguments.
|
||||
|
|
Loading…
Reference in a new issue