Add missing sequester disabled error status to administration API seq…

…uester create/revoke
Scille · Jan 17, 2025 · cfe9ea2 · cfe9ea2
1 parent 7d741e5
commit cfe9ea2
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 9 deletions.
diff --git a/server/parsec/asgi/administration.py b/server/parsec/asgi/administration.py
@@ -575,7 +575,7 @@ async def administration_organization_sequester_services(
         case SequesterGetOrganizationServicesBadOutcome.ORGANIZATION_NOT_FOUND:
             raise HTTPException(status_code=404, detail="Organization not found")
         case SequesterGetOrganizationServicesBadOutcome.SEQUESTER_DISABLED:
-            cooked_services = []
+            raise HTTPException(status_code=400, detail="Sequester disabled")
 
     return JSONResponse(
         status_code=200,
@@ -746,6 +746,8 @@ async def administration_organization_sequester_service_update_config(
             pass
         case SequesterUpdateConfigForServiceStoreBadOutcome.ORGANIZATION_NOT_FOUND:
             raise HTTPException(status_code=404, detail="Organization not found")
+        case SequesterUpdateConfigForServiceStoreBadOutcome.SEQUESTER_DISABLED:
+            raise HTTPException(status_code=400, detail="Sequester disabled")
         case SequesterUpdateConfigForServiceStoreBadOutcome.SEQUESTER_SERVICE_NOT_FOUND:
             raise HTTPException(status_code=404, detail="Sequester service not found")
 

diff --git a/server/parsec/components/memory/sequester.py b/server/parsec/components/memory/sequester.py
@@ -93,15 +93,15 @@ async def create_service(
                 case error:
                     return error
 
-            if certif.service_id in org.sequester_services:
-                return SequesterCreateServiceStoreBadOutcome.SEQUESTER_SERVICE_ALREADY_EXISTS
-
             # Ensure certificate consistency: our certificate must be the very last among
             # the existing sequester (authority & service) certificates.
 
             if sequester_topic_last_timestamp >= certif.timestamp:
                 return RequireGreaterTimestamp(strictly_greater_than=sequester_topic_last_timestamp)
 
+            if certif.service_id in org.sequester_services:
+                return SequesterCreateServiceStoreBadOutcome.SEQUESTER_SERVICE_ALREADY_EXISTS
+
             # All checks are good, now we do the actual insertion
 
             match config:
@@ -139,7 +139,7 @@ async def update_config_for_service(
             return SequesterUpdateConfigForServiceStoreBadOutcome.ORGANIZATION_NOT_FOUND
 
         if org.sequester_services is None:
-            return SequesterUpdateConfigForServiceStoreBadOutcome.SEQUESTER_SERVICE_NOT_FOUND
+            return SequesterUpdateConfigForServiceStoreBadOutcome.SEQUESTER_DISABLED
 
         try:
             service = org.sequester_services[service_id]
@@ -190,15 +190,15 @@ async def revoke_service(
             except KeyError:
                 return SequesterRevokeServiceStoreBadOutcome.SEQUESTER_SERVICE_NOT_FOUND
 
-            if service.is_revoked:
-                return SequesterRevokeServiceStoreBadOutcome.SEQUESTER_SERVICE_ALREADY_REVOKED
-
             # Ensure certificate consistency: our certificate must be the very last among
             # the existing sequester (authority & service) certificates.
 
             if sequester_topic_last_timestamp >= certif.timestamp:
                 return RequireGreaterTimestamp(strictly_greater_than=sequester_topic_last_timestamp)
 
+            if service.is_revoked:
+                return SequesterRevokeServiceStoreBadOutcome.SEQUESTER_SERVICE_ALREADY_REVOKED
+
             # All checks are good, now we do the actual insertion
 
             service.sequester_revoked_service_certificate = revoked_service_certificate

diff --git a/server/parsec/components/postgresql/sequester_update_config_for_service.py b/server/parsec/components/postgresql/sequester_update_config_for_service.py
@@ -12,7 +12,9 @@
 
 _q_lock_sequester_topic_and_update_service = Q("""
 WITH my_organization AS (
-    SELECT _id
+    SELECT
+        _id,
+        sequester_authority_certificate IS NOT NULL AS organization_is_sequestered
     FROM organization
     WHERE
         organization_id = $organization_id
@@ -46,6 +48,10 @@
         (SELECT TRUE FROM my_organization),
         FALSE
     ) AS organization_exists,
+    COALESCE(
+        (SELECT organization_is_sequestered FROM my_organization),
+        FALSE
+    ) AS organization_is_sequestered,
     COALESCE(
         (SELECT TRUE FROM updated_sequester_service),
         FALSE
@@ -83,6 +89,14 @@ async def sequester_update_config_for_service(
         case unknown:
             assert False, repr(unknown)
 
+    match row["organization_is_sequestered"]:
+        case True:
+            pass
+        case False:
+            return SequesterUpdateConfigForServiceStoreBadOutcome.SEQUESTER_DISABLED
+        case unknown:
+            assert False, repr(unknown)
+
     match row["service_exists"]:
         case True:
             pass

diff --git a/server/parsec/components/sequester.py b/server/parsec/components/sequester.py
@@ -134,6 +134,7 @@ class SequesterCreateServiceStoreBadOutcome(BadOutcomeEnum):
 
 class SequesterUpdateConfigForServiceStoreBadOutcome(BadOutcomeEnum):
     ORGANIZATION_NOT_FOUND = auto()
+    SEQUESTER_DISABLED = auto()
     SEQUESTER_SERVICE_NOT_FOUND = auto()