Change the default error type to forbidden in Sign.

The errors will also be propagated from sign options.
This commit is contained in:
Mariano Cano 2021-11-23 18:58:16 -08:00
parent b9beab071d
commit ff04873a2a
2 changed files with 25 additions and 10 deletions

View file

@ -94,7 +94,10 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
// Validate the given certificate request.
case provisioner.CertificateRequestValidator:
if err := k.Valid(csr); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
return nil, errs.ApplyOptions(
errs.ForbiddenErr(err, "error validating certificate"),
opts...,
)
}
// Validates the unsigned certificate template.
@ -131,26 +134,38 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
// Set default subject
if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
return nil, errs.ApplyOptions(
errs.ForbiddenErr(err, "error creating certificate"),
opts...,
)
}
for _, m := range certModifiers {
if err := m.Modify(leaf, signOpts); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
return nil, errs.ApplyOptions(
errs.ForbiddenErr(err, "error creating certificate"),
opts...,
)
}
}
// Certificate validation.
for _, v := range certValidators {
if err := v.Valid(leaf, signOpts); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
return nil, errs.ApplyOptions(
errs.ForbiddenErr(err, "error validating certificate"),
opts...,
)
}
}
// Certificate modifiers after validation
for _, m := range certEnforcers {
if err := m.Enforce(leaf); err != nil {
return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
return nil, errs.ApplyOptions(
errs.ForbiddenErr(err, "error creating certificate"),
opts...,
)
}
}

View file

@ -281,8 +281,8 @@ func TestAuthority_Sign(t *testing.T) {
csr: csr,
extraOpts: extraOpts,
signOpts: signOpts,
err: errors.New("authority.Sign: default ASN1DN template cannot be nil"),
code: http.StatusUnauthorized,
err: errors.New("default ASN1DN template cannot be nil"),
code: http.StatusForbidden,
}
},
"fail create cert": func(t *testing.T) *signTest {
@ -309,7 +309,7 @@ func TestAuthority_Sign(t *testing.T) {
csr: csr,
extraOpts: extraOpts,
signOpts: _signOpts,
err: errors.New("authority.Sign: requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
err: errors.New("requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
code: http.StatusBadRequest,
}
},
@ -322,7 +322,7 @@ func TestAuthority_Sign(t *testing.T) {
csr: csr,
extraOpts: extraOpts,
signOpts: signOpts,
err: errors.New("authority.Sign: certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
err: errors.New("certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
code: http.StatusBadRequest,
}
},
@ -348,7 +348,7 @@ ZYtQ9Ot36qc=
csr: csr,
extraOpts: extraOpts,
signOpts: signOpts,
err: errors.New("authority.Sign: certificate request RSA key must be at least 2048 bits (256 bytes)"),
err: errors.New("certificate request RSA key must be at least 2048 bits (256 bytes)"),
code: http.StatusForbidden,
}
},