Commit c66a652d authored by Vincent Pelletier's avatar Vincent Pelletier

wsgi: Set "Cache-Control" header to "private" when authentication was used.

parent feaedb4f
...@@ -189,11 +189,12 @@ class Application(object): ...@@ -189,11 +189,12 @@ class Application(object):
raise TooLarge('Content-Length limit exceeded') raise TooLarge('Content-Length limit exceeded')
return environ['wsgi.input'].read(length) return environ['wsgi.input'].read(length)
def _authenticate(self, environ): def _authenticate(self, environ, header_list):
""" """
Verify user authentication. Verify user authentication.
Raises NotFound if authentication does not pass checks. Raises NotFound if authentication does not pass checks.
On success, appends a "Cache-Control" header.
""" """
# Note on NotFound usage here: HTTP specs do not describe how to request # Note on NotFound usage here: HTTP specs do not describe how to request
# client to provide transport-level authentication mechanism (x509 cert) # client to provide transport-level authentication mechanism (x509 cert)
...@@ -213,6 +214,7 @@ class Application(object): ...@@ -213,6 +214,7 @@ class Application(object):
) )
except (exceptions.CertificateVerificationError, ValueError): except (exceptions.CertificateVerificationError, ValueError):
raise NotFound raise NotFound
header_list.append(('Cache-Control', 'private'))
def _readJSON(self, environ): def _readJSON(self, environ):
""" """
...@@ -250,6 +252,7 @@ class Application(object): ...@@ -250,6 +252,7 @@ class Application(object):
""" """
Handle GET /{context}/csr/{csr_id} and GET /{context}/csr. Handle GET /{context}/csr/{csr_id} and GET /{context}/csr.
""" """
header_list = []
if subpath: if subpath:
try: try:
csr_id, = subpath csr_id, = subpath
...@@ -262,17 +265,12 @@ class Application(object): ...@@ -262,17 +265,12 @@ class Application(object):
data = context.getCertificateSigningRequest(csr_id) data = context.getCertificateSigningRequest(csr_id)
content_type = 'application/pkcs10' content_type = 'application/pkcs10'
else: else:
self._authenticate(environ) self._authenticate(environ, header_list)
data = json.dumps(context.getCertificateRequestList()) data = json.dumps(context.getCertificateRequestList())
content_type = 'application/json' content_type = 'application/json'
return ( header_list.append(('Content-Type', content_type))
STATUS_OK, header_list.append(('Content-Length', str(len(data))))
[ return (STATUS_OK, header_list, [data])
('Content-Type', content_type),
('Content-Length', str(len(data))),
],
[data],
)
def putCSR(self, context, environ, subpath): def putCSR(self, context, environ, subpath):
""" """
...@@ -297,12 +295,13 @@ class Application(object): ...@@ -297,12 +295,13 @@ class Application(object):
csr_id, = subpath csr_id, = subpath
except ValueError: except ValueError:
raise NotFound raise NotFound
self._authenticate(environ) header_list = []
self._authenticate(environ, header_list)
try: try:
context.deletePendingCertificateSigningRequest(csr_id) context.deletePendingCertificateSigningRequest(csr_id)
except exceptions.NotFound: except exceptions.NotFound:
raise NotFound raise NotFound
return (STATUS_NO_CONTENT, [], []) return (STATUS_NO_CONTENT, header_list, [])
def getCRT(self, context, environ, subpath): def getCRT(self, context, environ, subpath):
""" """
...@@ -361,13 +360,14 @@ class Application(object): ...@@ -361,13 +360,14 @@ class Application(object):
[data], [data],
) )
elif crt_id == 'revoke': elif crt_id == 'revoke':
header_list = []
data = self._readJSON(environ) data = self._readJSON(environ)
if data['digest'] is None: if data['digest'] is None:
self._authenticate(environ) self._authenticate(environ, header_list)
payload = utils.nullUnwrap(data) payload = utils.nullUnwrap(data)
if 'revoke_crt_pem' not in payload: if 'revoke_crt_pem' not in payload:
context.revokeSerial(payload['revoke_serial']) context.revokeSerial(payload['revoke_serial'])
return (STATUS_NO_CONTENT, [], []) return (STATUS_NO_CONTENT, header_list, [])
else: else:
payload = utils.unwrap( payload = utils.unwrap(
data, data,
...@@ -377,7 +377,7 @@ class Application(object): ...@@ -377,7 +377,7 @@ class Application(object):
context.revoke( context.revoke(
crt_pem=payload['revoke_crt_pem'].encode('ascii'), crt_pem=payload['revoke_crt_pem'].encode('ascii'),
) )
return (STATUS_NO_CONTENT, [], []) return (STATUS_NO_CONTENT, header_list, [])
else: else:
try: try:
crt_id = int(crt_id) crt_id = int(crt_id)
...@@ -390,9 +390,10 @@ class Application(object): ...@@ -390,9 +390,10 @@ class Application(object):
template_csr = utils.load_certificate_request(body) template_csr = utils.load_certificate_request(body)
else: else:
raise BadRequest('Bad Content-Type') raise BadRequest('Bad Content-Type')
self._authenticate(environ) header_list = []
self._authenticate(environ, header_list)
context.createCertificate( context.createCertificate(
csr_id=crt_id, csr_id=crt_id,
template_csr=template_csr, template_csr=template_csr,
) )
return (STATUS_NO_CONTENT, [], []) return (STATUS_NO_CONTENT, header_list, [])
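Review bot: `Cache-Control: private`, appended at the end of `_authenticate`, only reaches a cacheable response through the authenticated `GET /{context}/csr` branch of getCSR (the JSON request list); it stops shared caches from storing that body but still lets the client's own cache keep it, and since the 200 carries no freshness information a browser may heuristically reuse it after a CSR has been accepted or deleted. For a per-client listing that changes on every accept/delete, `header_list.append(('Cache-Control', 'private, no-store'))` would be the safer default, and `no-store` also keeps the list out of on-disk caches. The putCSR/getCRT callers return 204 with an empty body, so the header is inert there but harmless. The certificate check inside `_authenticate` between the docstring and the new `append` lies outside the hunk, so whether every failure path raises before the header is added cannot be confirmed from here.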