From bc7d3118064da32367d2fb3604790cd3f9c816ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stanis=C5=82aw=20Pitucha?=
Date: Fri, 19 Feb 2016 13:58:18 +1100
Subject: [PATCH] Handle missing CA better
Change-Id: I6fdbf15141d0bc2b3d56ac8a368769f8f492b995
---
 anchor/certificate_ops.py | 7 +++++--
 tests/test_certificate_ops.py | 11 +++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/anchor/certificate_ops.py b/anchor/certificate_ops.py
index e234b67..9a55bfb 100644
--- a/anchor/certificate_ops.py
+++ b/anchor/certificate_ops.py
@@ -113,8 +113,11 @@ def get_ca(ra_name):
 if not ca_path:
 pecan.abort(404, "CA certificate not available")
- with open(ca_path) as f:
- return f.read()
+ try:
+ with open(ca_path) as f:
+ return f.read()
+ except IOError:
+ pecan.abort(500, "CA certificate not available")
 def dispatch_sign(ra_name, csr):
diff --git a/tests/test_certificate_ops.py b/tests/test_certificate_ops.py
index 7d9baec..faf96a7 100644
--- a/tests/test_certificate_ops.py
+++ b/tests/test_certificate_ops.py
@@ -135,3 +135,14 @@ class CertificateOpsTests(tests.DefaultConfigMixin, tests.DefaultRequestMixin,
 with self.assertRaises(http_status.HTTPException) as cm:
 certificate_ops.dispatch_sign('default_ra', csr_obj)
 self.assertEqual(cm.exception.code, 500)
+
+ def test_ca_cert_not_configured(self):
+ """Test CA cert read failure."""
+ config = "anchor.jsonloader.conf._config"
+ self.sample_conf_ca['default_ca']['cert_path'] = None
+ data = self.sample_conf
+
+ with mock.patch.dict(config, data):
+ with self.assertRaises(http_status.HTTPException) as cm:
+ certificate_ops.get_ca('default_ra')
+ self.assertEqual(cm.exception.code, 404)
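Review bot: In anchor/certificate_ops.py, the new `except IOError:` branch in get_ca discards the exception, so a missing file, a permission error and a directory at ca_path all end in the same 500 with nothing recorded on the server. Keeping the client-facing text generic is right, since it does not disclose the path, but the handler should bind the error (`except IOError as e:`) and log ra_name, ca_path and `e` through whatever logger this module already uses before aborting; no logger is visible in the hunk. The 500 body also reuses the 404 text, and a distinct message such as `pecan.abort(500, "CA certificate could not be read")` would let operators tell "not configured" from "configured but unreadable". get_ca starts above the hunk, so how ca_path is derived is not visible here.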
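Review bot: In tests/test_certificate_ops.py, test_ca_cert_not_configured sets cert_path to None and asserts 404, which exercises the `if not ca_path` branch that existed before this commit; the `except IOError` branch returning 500 that the commit adds to get_ca is left without a test. The docstring "Test CA cert read failure." describes that other case, and `"""Test get_ca when no CA cert path is configured."""` would match what the test does. A second test that points cert_path at a file that does not exist and expects 500 would cover the new branch. The sketch below assumes the indentation and the placement of the final assert, because the enclosing class begins outside the hunk.

```python
    def test_ca_cert_unreadable(self):
        """Test get_ca when the configured CA cert file cannot be read."""
        config = "anchor.jsonloader.conf._config"
        # constructed sample path; any path that does not exist will do
        self.sample_conf_ca['default_ca']['cert_path'] = '/nonexistent/ca.crt'
        data = self.sample_conf

        with mock.patch.dict(config, data):
            with self.assertRaises(http_status.HTTPException) as cm:
                certificate_ops.get_ca('default_ra')
        self.assertEqual(cm.exception.code, 500)
```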