Modify errs.ForbiddenErr to always return an error to the cli.

api/api.go

@@ -348,7 +348,7 @@ func (h *caHandler) ProvisionerKey(w http.ResponseWriter, r *http.Request) {
 func (h *caHandler) Roots(w http.ResponseWriter, r *http.Request) {
 	roots, err := h.Authority.GetRoots()
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error getting roots"))
 		return
 	}
 
@@ -366,7 +366,7 @@ func (h *caHandler) Roots(w http.ResponseWriter, r *http.Request) {
 func (h *caHandler) Federation(w http.ResponseWriter, r *http.Request) {
 	federated, err := h.Authority.GetFederation()
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error getting federated roots"))
 		return
 	}
 

api/revoke.go

@@ -96,7 +96,7 @@ func (h *caHandler) Revoke(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := h.Authority.Revoke(ctx, opts); err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error revoking certificate"))
 		return
 	}
 

api/sign.go

@@ -74,7 +74,7 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
 
 	certChain, err := h.Authority.Sign(body.CsrPEM.CertificateRequest, opts, signOpts...)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error signing certificate"))
 		return
 	}
 	certChainPEM := certChainToPEM(certChain)

api/ssh.go

@@ -293,7 +293,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 
 	cert, err := h.Authority.SignSSH(ctx, publicKey, opts, signOpts...)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 		return
 	}
 
@@ -301,7 +301,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 	if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
 		addUserCert, err := h.Authority.SignSSHAddUser(ctx, addUserPublicKey, cert)
 		if err != nil {
-			WriteError(w, errs.ForbiddenErr(err))
+			WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 			return
 		}
 		addUserCertificate = &SSHCertificate{addUserCert}
@@ -326,7 +326,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 
 		certChain, err := h.Authority.Sign(cr, provisioner.SignOptions{}, signOpts...)
 		if err != nil {
-			WriteError(w, errs.ForbiddenErr(err))
+			WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 			return
 		}
 		identityCertificate = certChainToPEM(certChain)

api/sshRekey.go

@@ -68,7 +68,7 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 
 	newCert, err := h.Authority.RekeySSH(ctx, oldCert, publicKey, signOpts...)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 		return
 	}
 
@@ -78,7 +78,7 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 
 	identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 		return
 	}
 

api/sshRenew.go

@@ -60,7 +60,7 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 
 	newCert, err := h.Authority.RenewSSH(ctx, oldCert)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error signing ssh certificate"))
 		return
 	}
 
@@ -70,7 +70,7 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 
 	identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error signing identity certificate"))
 		return
 	}
 

api/sshRevoke.go

@@ -75,7 +75,7 @@ func (h *caHandler) SSHRevoke(w http.ResponseWriter, r *http.Request) {
 	opts.OTT = body.OTT
 
 	if err := h.Authority.Revoke(ctx, opts); err != nil {
-		WriteError(w, errs.ForbiddenErr(err))
+		WriteError(w, errs.ForbiddenErr(err, "error revoking ssh certificate"))
 		return
 	}
 

errs/error.go

@@ -169,7 +169,8 @@ func StatusCodeError(code int, e error, opts ...Option) error {
 	case http.StatusUnauthorized:
 		return UnauthorizedErr(e, opts...)
 	case http.StatusForbidden:
-		return ForbiddenErr(e, opts...)
+		opts = append(opts, withDefaultMessage(ForbiddenDefaultMsg))
+		return NewErr(http.StatusForbidden, e, opts...)
 	case http.StatusInternalServerError:
 		return InternalServerErr(e, opts...)
 	case http.StatusNotImplemented:
@@ -199,12 +200,18 @@ var (
 	// BadRequestPrefix is the prefix added to the bad request messages that are
 	// directly sent to the cli.
 	BadRequestPrefix = "The request could not be completed: "
+
+	// ForbiddenPrefix is the prefix added to the forbidden messates that are
+	// sent to the cli.
+	ForbiddenPrefix = "The request was forbidden by the certificate authority: "
 )
 
 func formatMessage(status int, msg string) string {
 	switch status {
 	case http.StatusBadRequest:
 		return BadRequestPrefix + msg + "."
+	case http.StatusForbidden:
+		return ForbiddenPrefix + msg + "."
 	default:
 		return msg
 	}
@@ -356,14 +363,12 @@ func UnauthorizedErr(err error, opts ...Option) error {
 
 // Forbidden creates a 403 error with the given format and arguments.
 func Forbidden(format string, args ...interface{}) error {
-	args = append(args, withDefaultMessage(ForbiddenDefaultMsg))
+	return New(http.StatusForbidden, format, args...)
-	return Errorf(http.StatusForbidden, format, args...)
 }
 
 // ForbiddenErr returns an 403 error with the given error.
-func ForbiddenErr(err error, opts ...Option) error {
+func ForbiddenErr(err error, format string, args ...interface{}) error {
-	opts = append(opts, withDefaultMessage(ForbiddenDefaultMsg))
+	return NewError(http.StatusForbidden, err, format, args...)
-	return NewErr(http.StatusForbidden, err, opts...)
 }
 
 // NotFound creates a 404 error with the given format and arguments.