wsgi: Set "Cache-Control" header to "private" when authentication was used.

c66a652d · Vincent Pelletier · feaedb4f · c66a652d
Commit c66a652d authored Oct 18, 2017 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 17 deletions

caucase/wsgi.py caucase/wsgi.py +18 -17

No files found.
--- a/caucase/wsgi.py
+++ b/caucase/wsgi.py
@@ -189,11 +189,12 @@ class Application(object):
      raise TooLarge('Content-Length limit exceeded')
    return environ['wsgi.input'].read(length)

-  def _authenticate(self, environ):
+  def _authenticate(self, environ, header_list):
    """
    Verify user authentication.

    Raises NotFound if authentication does not pass checks.
+    On success, appends a "Cache-Control" header.
    """
    # Note on NotFound usage here: HTTP specs do not describe how to request
    # client to provide transport-level authentication mechanism (x509 cert)
@@ -213,6 +214,7 @@ class Application(object):
      )
    except (exceptions.CertificateVerificationError, ValueError):
      raise NotFound
+    header_list.append(('Cache-Control', 'private'))

  def _readJSON(self, environ):
    """
@@ -250,6 +252,7 @@ class Application(object):
    """
    Handle GET /{context}/csr/{csr_id} and GET /{context}/csr.
    """
+    header_list = []
    if subpath:
      try:
        csr_id, = subpath
@@ -262,17 +265,12 @@ class Application(object):
      data = context.getCertificateSigningRequest(csr_id)
      content_type = 'application/pkcs10'
    else:
-      self._authenticate(environ)
+      self._authenticate(environ, header_list)
      data = json.dumps(context.getCertificateRequestList())
      content_type = 'application/json'
-    return (
-      STATUS_OK,
-      [
-        ('Content-Type', content_type),
-        ('Content-Length', str(len(data))),
-      ],
-      [data],
-    )
+    header_list.append(('Content-Type', content_type))
+    header_list.append(('Content-Length', str(len(data))))
+    return (STATUS_OK, header_list, [data])

  def putCSR(self, context, environ, subpath):
    """
@@ -297,12 +295,13 @@ class Application(object):
      csr_id, = subpath
    except ValueError:
      raise NotFound
-    self._authenticate(environ)
+    header_list = []
+    self._authenticate(environ, header_list)
    try:
      context.deletePendingCertificateSigningRequest(csr_id)
    except exceptions.NotFound:
      raise NotFound
-    return (STATUS_NO_CONTENT, [], [])
+    return (STATUS_NO_CONTENT, header_list, [])

  def getCRT(self, context, environ, subpath):
    """
@@ -361,13 +360,14 @@ class Application(object):
        [data],
      )
    elif crt_id == 'revoke':
+      header_list = []
      data = self._readJSON(environ)
      if data['digest'] is None:
-        self._authenticate(environ)
+        self._authenticate(environ, header_list)
        payload = utils.nullUnwrap(data)
        if 'revoke_crt_pem' not in payload:
          context.revokeSerial(payload['revoke_serial'])
-          return (STATUS_NO_CONTENT, [], [])
+          return (STATUS_NO_CONTENT, header_list, [])
      else:
        payload = utils.unwrap(
          data,
@@ -377,7 +377,7 @@ class Application(object):
      context.revoke(
        crt_pem=payload['revoke_crt_pem'].encode('ascii'),
      )
-      return (STATUS_NO_CONTENT, [], [])
+      return (STATUS_NO_CONTENT, header_list, [])
    else:
      try:
        crt_id = int(crt_id)
@@ -390,9 +390,10 @@ class Application(object):
        template_csr = utils.load_certificate_request(body)
      else:
        raise BadRequest('Bad Content-Type')
-      self._authenticate(environ)
+      header_list = []
+      self._authenticate(environ, header_list)
      context.createCertificate(
        csr_id=crt_id,
        template_csr=template_csr,
      )
-      return (STATUS_NO_CONTENT, [], [])
+      return (STATUS_NO_CONTENT, header_list, [])