ca: Intercept CSR parsing errors and convert into a custom exception

So that wsgi layer can convert it into a 4xx error, and it stops being a 5xx error + traceback. Add a test.

ca: Intercept CSR parsing errors and convert into a custom exception
So that wsgi layer can convert it into a 4xx error, and it stops being a 5xx error + traceback. Add a test.
cdcf1a20 · Vincent Pelletier · 026c5000 · cdcf1a20 · cdcf1a20 · cdcf1a20
Commit cdcf1a20 authored Oct 21, 2017 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 4 deletions

caucase/ca.py caucase/ca.py +8 -2

caucase/exceptions.py caucase/exceptions.py +4 -0

caucase/test.py caucase/test.py +15 -1

caucase/wsgi.py caucase/wsgi.py +4 -1

No files found.
--- a/caucase/ca.py
+++ b/caucase/ca.py
@@ -31,7 +31,10 @@ from cryptography.hazmat.primitives.asymmetric.padding import OAEP, MGF1
 from cryptography.hazmat.primitives import padding
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 from . import utils
-from .exceptions import CertificateVerificationError
+from .exceptions import (
+  CertificateVerificationError,
+  NotACertificateSigningRequest,
+)

 __all__ = ('CertificateAuthority', )

@@ -289,7 +292,10 @@ class CertificateAuthority(object):
    csr_pem (str)
      PEM-encoded certificate signing request.
    """
-    csr = utils.load_certificate_request(csr_pem)
+    try:
+      csr = utils.load_certificate_request(csr_pem)
+    except ValueError:
+      raise NotACertificateSigningRequest
    # Note: requested_amount is None when a known CSR is re-submitted
    csr_id, requested_amount = self._storage.appendCertificateSigningRequest(
      csr_pem=csr_pem,

--- a/caucase/exceptions.py
+++ b/caucase/exceptions.py
@@ -38,3 +38,7 @@ class Found(CertificateAuthorityException):
 class CertificateVerificationError(CertificateAuthorityException):
  """Certificate is not valid, it was not signed by CA"""
  pass
+
+class NotACertificateSigningRequest(CertificateAuthorityException):
+  """Provided value is not a certificate signing request"""
+  pass
--- a/caucase/test.py
+++ b/caucase/test.py
@@ -40,7 +40,7 @@ import unittest
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from caucase import cli
-from caucase.client import CaucaseError
+from caucase.client import CaucaseError, CaucaseClient
 from caucase import http
 from caucase import utils
 from caucase import exceptions
@@ -714,6 +714,20 @@ class CaucaseTest(unittest.TestCase):
      csr_id + ' not found - either csr id has a typo or CSR was rejected'
    ], out)

+  def testBadCSR(self):
+    """
+    Submitting an invalid CSR.
+
+    Requires bypassing cli, as it does its own checks.
+    """
+    client = CaucaseClient(self._caucase_url + '/cas')
+    try:
+      client.putCSR('Not actually a CSR')
+    except CaucaseError, e:
+      self.assertEqual(e.args[0], 400, e)
+    else:
+      raise AssertionError('Did not raise CaucaseError(400, ...)')
+
  def testUpdateUser(self):
    """
    Verify that CAU certificate and revocation list are created when the

--- a/caucase/wsgi.py
+++ b/caucase/wsgi.py
@@ -285,7 +285,10 @@ class Application(object):
    """
    if subpath:
      raise NotFound
-    csr_id = context.appendCertificateSigningRequest(self._read(environ))
+    try:
+      csr_id = context.appendCertificateSigningRequest(self._read(environ))
+    except exceptions.NotACertificateSigningRequest:
+      raise BadRequest('Not a valid certificate signing request')
    return (
      STATUS_CREATED,
      [