Return an error if we fail get get the Root cert. (#416)

* Return an error if we fail get get the Root cert. Fixes: #415 Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * use a fake CA for testing Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · Feb 17, 2022 · 167dcb1 · 167dcb1
1 parent 1ebcf1c
commit 167dcb1
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/pkg/api/api_test.go b/pkg/api/api_test.go
@@ -16,6 +16,7 @@
 package api
 
 import (
+	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -25,6 +26,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -34,15 +36,42 @@ import (
 	"testing"
 	"time"
 
+	"github.com/sigstore/fulcio/pkg/ca"
 	"github.com/sigstore/fulcio/pkg/ca/ephemeralca"
+	"github.com/sigstore/fulcio/pkg/challenges"
 	"github.com/sigstore/fulcio/pkg/config"
 	"github.com/sigstore/fulcio/pkg/ctl"
 	"gopkg.in/square/go-jose.v2"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 // base64 encoded placeholder for SCT
-const testSCT = "ZXhhbXBsZXNjdAo="
+const (
+	testSCT               = "ZXhhbXBsZXNjdAo="
+	expectedNoRootMessage = "{\"code\":500,\"message\":\"error communicating with CA backend\"}\n"
+)
+
+func TestMissingRootFails(t *testing.T) {
+	h := New(nil, &FailingCertificateAuthority{})
+	server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		h.ServeHTTP(rw, r)
+	}))
+	t.Cleanup(server.Close)
+
+	// Create an API client that speaks to the API endpoint we created above.
+	u, err := url.Parse(server.URL)
+	if err != nil {
+		t.Fatalf("url.Parse() = %v", err)
+	}
+	// Check that we get the CA root back as well.
+	_, err = NewClient(u).RootCert()
+	if err == nil {
+		t.Fatal("RootCert did not fail", err)
+	}
+	if err.Error() != expectedNoRootMessage {
+		t.Errorf("Got an unexpected error: %q wanted: %q", err, expectedNoRootMessage)
+	}
+}
 
 func TestAPI(t *testing.T) {
 	signer, issuer := newOIDCIssuer(t)
@@ -264,3 +293,13 @@ func fakeCTLogServer(t *testing.T) *httptest.Server {
 		fmt.Fprint(w, string(responseBytes))
 	}))
 }
+
+type FailingCertificateAuthority struct {
+}
+
+func (fca *FailingCertificateAuthority) CreateCertificate(ctx context.Context, challenge *challenges.ChallengeResult) (*ca.CodeSigningCertificate, error) {
+	return nil, errors.New("CreateCertificate always fails for testing")
+}
+func (fca *FailingCertificateAuthority) Root(ctx context.Context) ([]byte, error) {
+	return nil, errors.New("Root always fails for testing")
+}
diff --git a/pkg/api/ca.go b/pkg/api/ca.go
@@ -246,6 +246,8 @@ func (a *api) rootCert(w http.ResponseWriter, req *http.Request) {
 	root, err := a.ca.Root(ctx)
 	if err != nil {
 		logger.Error("Error retrieving root cert: ", err)
+		handleFulcioAPIError(w, req, http.StatusInternalServerError, err, genericCAError)
+		return
 	}
 	w.Header().Add("Content-Type", "application/pem-certificate-chain")
 	if _, err := w.Write(root); err != nil {