Add special handling for *json.UnmarshalTypeError

2022-01-12 11:15:39 +01:00 · 2022-01-12 11:15:39 +01:00 · a3cf6bac36
commit a3cf6bac36
parent 0475a4d26f
5 changed files with 58 additions and 7 deletions
--- a/authority/ssh_test.go
+++ b/authority/ssh_test.go
@ -172,8 +172,12 @@ func TestAuthority_SignSSH(t *testing.T) {
 		SSH: &provisioner.SSHOptions{Template: `{{ fail "an error"}}`},
 	}, sshutil.CreateTemplateData(sshutil.UserCert, "key-id", []string{"user"}))
 	assert.FatalError(t, err)
-	userFailTemplateFile, err := provisioner.TemplateSSHOptions(&provisioner.Options{
-		SSH: &provisioner.SSHOptions{TemplateFile: "./testdata/templates/badjson.tpl"},
+	userJSONSyntaxErrorTemplateFile, err := provisioner.TemplateSSHOptions(&provisioner.Options{
+		SSH: &provisioner.SSHOptions{TemplateFile: "./testdata/templates/badjsonsyntax.tpl"},
+	}, sshutil.CreateTemplateData(sshutil.UserCert, "key-id", []string{"user"}))
+	assert.FatalError(t, err)
+	userJSONValueErrorTemplateFile, err := provisioner.TemplateSSHOptions(&provisioner.Options{
+		SSH: &provisioner.SSHOptions{TemplateFile: "./testdata/templates/badjsonvalue.tpl"},
 	}, sshutil.CreateTemplateData(sshutil.UserCert, "key-id", []string{"user"}))
 	assert.FatalError(t, err)

@ -226,7 +230,8 @@ func TestAuthority_SignSSH(t *testing.T) {
 		{"fail-no-host-key", fields{signer, nil}, args{pub, provisioner.SignSSHOptions{CertType: "host"}, []provisioner.SignOption{hostTemplate}}, want{}, true},
 		{"fail-bad-type", fields{signer, nil}, args{pub, provisioner.SignSSHOptions{}, []provisioner.SignOption{userTemplate, sshTestModifier{CertType: 100}}}, want{}, true},
 		{"fail-custom-template", fields{signer, signer}, args{pub, provisioner.SignSSHOptions{}, []provisioner.SignOption{userFailTemplate, userOptions}}, want{}, true},
-		{"fail-custom-template-file", fields{signer, signer}, args{pub, provisioner.SignSSHOptions{}, []provisioner.SignOption{userFailTemplateFile, userOptions}}, want{}, true},
+		{"fail-custom-template-syntax-error-file", fields{signer, signer}, args{pub, provisioner.SignSSHOptions{}, []provisioner.SignOption{userJSONSyntaxErrorTemplateFile, userOptions}}, want{}, true},
+		{"fail-custom-template-syntax-value-file", fields{signer, signer}, args{pub, provisioner.SignSSHOptions{}, []provisioner.SignOption{userJSONValueErrorTemplateFile, userOptions}}, want{}, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/authority/testdata/templates/badjsonsyntax.tpl
+++ b/authority/testdata/templates/badjsonsyntax.tpl
--- a/authority/testdata/templates/badjsonvalue.tpl
+++ b/authority/testdata/templates/badjsonvalue.tpl
@ -0,0 +1,10 @@
+{
+    "subject": 1,
+    "sans": {{ toJson .SANs }},
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
+    "keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+    "keyUsage": ["digitalSignature"],
+{{- end }}
+    "extKeyUsage": ["serverAuth", "clientAuth"]
+}
--- a/authority/tls.go
+++ b/authority/tls.go
@ -566,10 +566,17 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 // this to the error message.
 func templatingError(err error) error {
 	cause := errors.Cause(err)
-	var syntaxError *json.SyntaxError
+	var (
+		syntaxError *json.SyntaxError
+		typeError   *json.UnmarshalTypeError
+	)
 	if errors.As(err, &syntaxError) {
 		// offset is arguably not super clear to the user, but it's the best we can do here
 		cause = fmt.Errorf("%s at offset %d", cause.Error(), syntaxError.Offset)
 	}
+	if errors.As(err, &typeError) {
+		// slightly rewriting the default error message to include the offset
+		cause = fmt.Errorf("cannot unmarshal %s at offset %d into Go value of type %s", typeError.Value, typeError.Offset, typeError.Type)
+	}
 	return errors.Wrap(cause, "error applying certificate template")
 }
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -396,7 +396,7 @@ ZYtQ9Ot36qc=
 				code:      http.StatusBadRequest,
 			}
 		},
-		"fail bad JSON template file": func(t *testing.T) *signTest {
+		"fail bad JSON syntax template file": func(t *testing.T) *signTest {
 			csr := getCSR(t, priv)
 			testAuthority := testAuthority(t)
 			p, ok := testAuthority.provisioners.Load("step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc")
@ -405,7 +405,7 @@ ZYtQ9Ot36qc=
 			}
 			p.(*provisioner.JWK).Options = &provisioner.Options{
 				X509: &provisioner.X509Options{
-					TemplateFile: "./testdata/templates/badjson.tpl",
+					TemplateFile: "./testdata/templates/badjsonsyntax.tpl",
 				},
 			}
 			testExtraOpts, err := testAuthority.Authorize(ctx, token)
@ -421,7 +421,36 @@ ZYtQ9Ot36qc=
 				csr:       csr,
 				extraOpts: testExtraOpts,
 				signOpts:  signOpts,
-				err:       errors.New("error applying certificate template"),
+				err:       errors.New("error applying certificate template: invalid character"),
+				code:      http.StatusInternalServerError,
+			}
+		},
+		"fail bad JSON value template file": func(t *testing.T) *signTest {
+			csr := getCSR(t, priv)
+			testAuthority := testAuthority(t)
+			p, ok := testAuthority.provisioners.Load("step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc")
+			if !ok {
+				t.Fatal("provisioner not found")
+			}
+			p.(*provisioner.JWK).Options = &provisioner.Options{
+				X509: &provisioner.X509Options{
+					TemplateFile: "./testdata/templates/badjsonvalue.tpl",
+				},
+			}
+			testExtraOpts, err := testAuthority.Authorize(ctx, token)
+			assert.FatalError(t, err)
+			testAuthority.db = &db.MockAuthDB{
+				MStoreCertificate: func(crt *x509.Certificate) error {
+					assert.Equals(t, crt.Subject.CommonName, "smallstep test")
+					return nil
+				},
+			}
+			return &signTest{
+				auth:      testAuthority,
+				csr:       csr,
+				extraOpts: testExtraOpts,
+				signOpts:  signOpts,
+				err:       errors.New("error applying certificate template: cannot unmarshal"),
 				code:      http.StatusInternalServerError,
 			}
 		},