Add checks for other error types within the PKI plugin (#14195)
* Add checks for other error types within the PKI plugin - The PKI plugin assumes the code it is calling always returns an error of type errutil.UserError or errutil.InternalError. While I believe so far this is still true, it would be easy to add a code path that just returns a generic error and we would completely ignore it. - This was found within some managed key testing where I forgot to wrap an error within one of the expected types * Add changelog
This commit is contained in:
parent
7c11323d71
commit
c1e80aeff9
|
@ -112,13 +112,15 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
|
|||
if oldDisable != config.Disable {
|
||||
// It wasn't disabled but now it is, rotate
|
||||
crlErr := buildCRL(ctx, b, req, true)
|
||||
if crlErr != nil {
|
||||
switch crlErr.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
|
||||
case errutil.InternalError:
|
||||
default:
|
||||
return nil, fmt.Errorf("error encountered during CRL building: %w", crlErr)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil, nil
|
||||
}
|
||||
|
|
|
@ -192,14 +192,16 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
|
|||
|
||||
if serial == "ca_chain" {
|
||||
caInfo, err := fetchCAInfo(ctx, b, req)
|
||||
if err != nil {
|
||||
switch err.(type) {
|
||||
case errutil.UserError:
|
||||
response = logical.ErrorResponse(err.Error())
|
||||
goto reply
|
||||
case errutil.InternalError:
|
||||
default:
|
||||
retErr = err
|
||||
goto reply
|
||||
}
|
||||
}
|
||||
|
||||
caChain := caInfo.GetCAChain()
|
||||
var certStr string
|
||||
|
@ -232,7 +234,7 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
|
|||
case errutil.UserError:
|
||||
response = logical.ErrorResponse(funcErr.Error())
|
||||
goto reply
|
||||
case errutil.InternalError:
|
||||
default:
|
||||
retErr = funcErr
|
||||
goto reply
|
||||
}
|
||||
|
@ -260,7 +262,7 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
|
|||
case errutil.UserError:
|
||||
response = logical.ErrorResponse(funcErr.Error())
|
||||
goto reply
|
||||
case errutil.InternalError:
|
||||
default:
|
||||
retErr = funcErr
|
||||
goto reply
|
||||
}
|
||||
|
|
|
@ -173,14 +173,16 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
|
|||
|
||||
var caErr error
|
||||
signingBundle, caErr := fetchCAInfo(ctx, b, req)
|
||||
if caErr != nil {
|
||||
switch caErr.(type) {
|
||||
case errutil.UserError:
|
||||
return nil, errutil.UserError{Err: fmt.Sprintf(
|
||||
"could not fetch the CA certificate (was one set?): %s", caErr)}
|
||||
case errutil.InternalError:
|
||||
default:
|
||||
return nil, errutil.InternalError{Err: fmt.Sprintf(
|
||||
"error fetching CA certificate: %s", caErr)}
|
||||
}
|
||||
}
|
||||
|
||||
input := &inputBundle{
|
||||
req: req,
|
||||
|
|
|
@ -69,19 +69,21 @@ func (b *backend) pathRotateCRLRead(ctx context.Context, req *logical.Request, d
|
|||
defer b.revokeStorageLock.RUnlock()
|
||||
|
||||
crlErr := buildCRL(ctx, b, req, false)
|
||||
if crlErr != nil {
|
||||
switch crlErr.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
|
||||
case errutil.InternalError:
|
||||
return nil, fmt.Errorf("error encountered during CRL building: %w", crlErr)
|
||||
default:
|
||||
return nil, fmt.Errorf("error encountered during CRL building: %w", crlErr)
|
||||
}
|
||||
}
|
||||
|
||||
return &logical.Response{
|
||||
Data: map[string]interface{}{
|
||||
"success": true,
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
}
|
||||
|
||||
const pathRevokeHelpSyn = `
|
||||
Revoke a certificate by serial number.
|
||||
|
|
|
@ -137,7 +137,8 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
|
|||
}
|
||||
if entry != nil {
|
||||
resp := &logical.Response{}
|
||||
resp.AddWarning(fmt.Sprintf("Refusing to generate a root certificate over an existing root certificate. If you really want to destroy the original root certificate, please issue a delete against %sroot.", req.MountPoint))
|
||||
resp.AddWarning(fmt.Sprintf("Refusing to generate a root certificate over an existing root certificate. "+
|
||||
"If you really want to destroy the original root certificate, please issue a delete against %s root.", req.MountPoint))
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
@ -162,8 +163,6 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
|
|||
switch err.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(err.Error()), nil
|
||||
case errutil.InternalError:
|
||||
return nil, err
|
||||
default:
|
||||
return nil, err
|
||||
}
|
||||
|
@ -296,14 +295,16 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
|
|||
|
||||
var caErr error
|
||||
signingBundle, caErr := fetchCAInfo(ctx, b, req)
|
||||
if caErr != nil {
|
||||
switch caErr.(type) {
|
||||
case errutil.UserError:
|
||||
return nil, errutil.UserError{Err: fmt.Sprintf(
|
||||
"could not fetch the CA certificate (was one set?): %s", caErr)}
|
||||
case errutil.InternalError:
|
||||
default:
|
||||
return nil, errutil.InternalError{Err: fmt.Sprintf(
|
||||
"error fetching CA certificate: %s", caErr)}
|
||||
}
|
||||
}
|
||||
|
||||
useCSRValues := data.Get("use_csr_values").(bool)
|
||||
|
||||
|
@ -323,8 +324,9 @@ func (b *backend) pathCASignIntermediate(ctx context.Context, req *logical.Reque
|
|||
switch err.(type) {
|
||||
case errutil.UserError:
|
||||
return logical.ErrorResponse(err.Error()), nil
|
||||
case errutil.InternalError:
|
||||
return nil, err
|
||||
default:
|
||||
return nil, errutil.InternalError{Err: fmt.Sprintf(
|
||||
"error signing cert: %s", err)}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -422,13 +424,14 @@ func (b *backend) pathCASignSelfIssued(ctx context.Context, req *logical.Request
|
|||
|
||||
var caErr error
|
||||
signingBundle, caErr := fetchCAInfo(ctx, b, req)
|
||||
if caErr != nil {
|
||||
switch caErr.(type) {
|
||||
case errutil.UserError:
|
||||
return nil, errutil.UserError{Err: fmt.Sprintf(
|
||||
"could not fetch the CA certificate (was one set?): %s", caErr)}
|
||||
case errutil.InternalError:
|
||||
return nil, errutil.InternalError{Err: fmt.Sprintf(
|
||||
"error fetching CA certificate: %s", caErr)}
|
||||
default:
|
||||
return nil, errutil.InternalError{Err: fmt.Sprintf("error fetching CA certificate: %s", caErr)}
|
||||
}
|
||||
}
|
||||
|
||||
signingCB, err := signingBundle.ToCertBundle()
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
secrets/pki: Add error handling for error types other than UserError or InternalError
|
||||
```
|
Loading…
Reference in New Issue