Modify errs.Wrap with forbidden errors.

Mariano Cano 2021-11-23 12:04:51 -08:00
parent b5db3f5706
commit bb26799583


@ -9,7 +9,6 @@ import (
"strings"
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/config"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/db"
@ -174,7 +173,7 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi
// validate the given SSHOptions
case provisioner.SSHCertOptionsValidator:
if err := o.Valid(opts); err != nil {
return nil, errs.Wrap(http.StatusForbidden, err, "authority.SignSSH")
return nil, errs.ForbiddenErr(err, "error validating ssh certificate options")
}
default:
@ -214,7 +213,7 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi
// Use provisioner modifiers.
for _, m := range mods {
if err := m.Modify(certTpl, opts); err != nil {
return nil, errs.Wrap(http.StatusForbidden, err, "authority.SignSSH")
return nil, errs.ForbiddenErr(err, "error creating ssh certificate")
}
}
@ -244,7 +243,7 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi
// User provisioners validators.
for _, v := range validators {
if err := v.Valid(cert, opts); err != nil {
return nil, errs.Wrap(http.StatusForbidden, err, "authority.SignSSH")
return nil, errs.ForbiddenErr(err, "error validating ssh certificate")
}
}
@ -382,7 +381,7 @@ func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub
// Apply validators from provisioner.
for _, v := range validators {
if err := v.Valid(cert, provisioner.SignSSHOptions{Backdate: backdate}); err != nil {
return nil, errs.Wrap(http.StatusForbidden, err, "rekeySSH")
return nil, errs.ForbiddenErr(err, "error validating ssh certificate")
}
}
@ -407,12 +406,12 @@ func (a *Authority) storeSSHCertificate(cert *ssh.Certificate) error {
// the given certificate.
func IsValidForAddUser(cert *ssh.Certificate) error {
if cert.CertType != ssh.UserCert {
return errors.New("certificate is not a user certificate")
return errs.Forbidden("certificate is not a user certificate")
}
switch len(cert.ValidPrincipals) {
case 0:
return errors.New("certificate does not have any principals")
return errs.Forbidden("certificate does not have any principals")
case 1:
return nil
case 2:
@ -421,9 +420,9 @@ func IsValidForAddUser(cert *ssh.Certificate) error {
if strings.Index(cert.ValidPrincipals[1], "@") > 0 {
return nil
}
return errors.New("certificate does not have only one principal")
return errs.Forbidden("certificate does not have only one principal")
default:
return errors.New("certificate does not have only one principal")
return errs.Forbidden("certificate does not have only one principal")
}
}
@ -433,7 +432,7 @@ func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subje
return nil, errs.NotImplemented("signSSHAddUser: user certificate signing is not enabled")
}
if err := IsValidForAddUser(subject); err != nil {
return nil, errs.Wrap(http.StatusForbidden, err, "signSSHAddUser")
return nil, err
}
nonce, err := randutil.ASCII(32)