PA: restructure error for single bad name in multi-name req (letsencrypt#4319)

Roland Bracewell Shoemaker · Daniel McCarney · commit 0d9b48e28010 · 2019-07-03T13:47:31.000-04:00
diff --git a/policy/pa.go b/policy/pa.go
@@ -346,16 +346,22 @@ func (pa *AuthorityImpl) WillingToIssueWildcards(idents []identifier.ACMEIdentif
 		}
 	}
 	if len(subErrors) > 0 {
-		var detail string
 		// If there was only one error, then use it as the top level error that is
 		// returned.
 		if len(subErrors) == 1 {
-			return subErrors[0].BoulderError
+			return berrors.RejectedIdentifierError(
+				"Cannot issue for %q: %s",
+				subErrors[0].Identifier.Value,
+				subErrors[0].BoulderError.Detail,
+			)
 		}
 
-		detail = fmt.Sprintf("Policy forbids issuing for %q and %d more identifiers. "+
-			"Refer to sub-problems for more information",
-			firstBadIdent.Value, len(subErrors)-1)
+		detail := fmt.Sprintf(
+			"Cannot issue for %q: %s (and %d more problems. Refer to sub-problems for more information.)",
+			firstBadIdent.Value,
+			subErrors[0].BoulderError.Detail,
+			len(subErrors)-1,
+		)
 		return (&berrors.BoulderError{
 			Type:   berrors.RejectedIdentifier,
 			Detail: detail,
diff --git a/policy/pa_test.go b/policy/pa_test.go
@@ -338,6 +338,7 @@ func TestWillingToIssueWildcards(t *testing.T) {
 	berr, ok := err.(*berrors.BoulderError)
 	test.AssertEquals(t, ok, true)
 	test.AssertEquals(t, len(berr.SubErrors), 2)
+	test.AssertEquals(t, berr.Error(), "Cannot issue for \"ok.*.this.is.a.*.weird.one.com\": Policy forbids issuing for name (and 1 more problems. Refer to sub-problems for more information.)")
 
 	subErrMap := make(map[string]berrors.SubBoulderError, len(berr.SubErrors))
 
@@ -364,6 +365,7 @@ func TestWillingToIssueWildcards(t *testing.T) {
 	test.AssertEquals(t, ok, true)
 	// There should be *no* suberrors because there was only one error overall.
 	test.AssertEquals(t, len(berr.SubErrors), 0)
+	test.AssertEquals(t, berr.Error(), "Cannot issue for \"letsdecrypt.org\": Policy forbids issuing for name")
 }
 
 var accountKeyJSON = `{
diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -2092,7 +2092,7 @@ func TestNewOrder(t *testing.T) {
 		Names:          []string{"a"},
 	})
 	test.AssertError(t, err, "NewOrder with invalid names did not error")
-	test.AssertEquals(t, err.Error(), "DNS name does not have enough labels")
+	test.AssertEquals(t, err.Error(), "Cannot issue for \"a\": DNS name does not have enough labels")
 }
 
 // TestNewOrderLegacyAuthzReuse tests that a legacy acme v1 authorization from
@@ -3110,7 +3110,7 @@ func TestFinalizeOrder(t *testing.T) {
 				},
 				Csr: policyForbidCSR,
 			},
-			ExpectedErrMsg: "Policy forbids issuing for name",
+			ExpectedErrMsg: "Cannot issue for \"example.org\": Policy forbids issuing for name",
 		},
 		{
 			Name: "Order with missing registration",
diff --git a/test/v2_integration.py b/test/v2_integration.py
@@ -935,7 +935,7 @@ def test_new_order_policy_errs():
         ok = True
         if e.typ != "urn:ietf:params:acme:error:rejectedIdentifier":
             raise(Exception('Expected rejectedIdentifier type problem, got {0}'.format(e.typ)))
-        if e.detail != 'Error creating new order :: Policy forbids issuing for "out-addr.in-addr.arpa" and 1 more identifiers. Refer to sub-problems for more information':
+        if e.detail != 'Error creating new order :: Cannot issue for "out-addr.in-addr.arpa": Policy forbids issuing for name (and 1 more problems. Refer to sub-problems for more information.)':
             raise(Exception('Order problem detail did not match expected'))
     if not ok:
         raise(Exception('Expected problem, got no error'))
