Change the default error type to forbidden in Sign.

The errors will also be propagated from sign options.

Author: maraino

Diff for: authority/tls.go

@@ -94,7 +94,10 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 		// Validate the given certificate request.
 		case provisioner.CertificateRequestValidator:
 			if err := k.Valid(csr); err != nil {
-				return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+				return nil, errs.ApplyOptions(
+					errs.ForbiddenErr(err, "error validating certificate"),
+					opts...,
+				)
 			}
 
 		// Validates the unsigned certificate template.
@@ -131,26 +134,38 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 
 	// Set default subject
 	if err := withDefaultASN1DN(a.config.AuthorityConfig.Template).Modify(leaf, signOpts); err != nil {
-		return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+		return nil, errs.ApplyOptions(
+			errs.ForbiddenErr(err, "error creating certificate"),
+			opts...,
+		)
 	}
 
 	for _, m := range certModifiers {
 		if err := m.Modify(leaf, signOpts); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error creating certificate"),
+				opts...,
+			)
 		}
 	}
 
 	// Certificate validation.
 	for _, v := range certValidators {
 		if err := v.Valid(leaf, signOpts); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error validating certificate"),
+				opts...,
+			)
 		}
 	}
 
 	// Certificate modifiers after validation
 	for _, m := range certEnforcers {
 		if err := m.Enforce(leaf); err != nil {
-			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
+			return nil, errs.ApplyOptions(
+				errs.ForbiddenErr(err, "error creating certificate"),
+				opts...,
+			)
 		}
 	}
 

Diff for: authority/tls_test.go

@@ -281,8 +281,8 @@ func TestAuthority_Sign(t *testing.T) {
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  signOpts,
-				err:       errors.New("authority.Sign: default ASN1DN template cannot be nil"),
-				code:      http.StatusUnauthorized,
+				err:       errors.New("default ASN1DN template cannot be nil"),
+				code:      http.StatusForbidden,
 			}
 		},
 		"fail create cert": func(t *testing.T) *signTest {
@@ -309,7 +309,7 @@ func TestAuthority_Sign(t *testing.T) {
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  _signOpts,
-				err:       errors.New("authority.Sign: requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
+				err:       errors.New("requested duration of 25h0m0s is more than the authorized maximum certificate duration of 24h1m0s"),
 				code:      http.StatusBadRequest,
 			}
 		},
@@ -322,7 +322,7 @@ func TestAuthority_Sign(t *testing.T) {
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  signOpts,
-				err:       errors.New("authority.Sign: certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
+				err:       errors.New("certificate request does not contain the valid DNS names - got [test.smallstep.com smallstep test], want [test.smallstep.com]"),
 				code:      http.StatusBadRequest,
 			}
 		},
@@ -348,7 +348,7 @@ ZYtQ9Ot36qc=
 				csr:       csr,
 				extraOpts: extraOpts,
 				signOpts:  signOpts,
-				err:       errors.New("authority.Sign: certificate request RSA key must be at least 2048 bits (256 bytes)"),
+				err:       errors.New("certificate request RSA key must be at least 2048 bits (256 bytes)"),
 				code:      http.StatusForbidden,
 			}
 		},