wsgi: Use Unauthorized with non-standard scheme when authentication fails

caucase/test.py

@@ -1197,7 +1197,7 @@ class CaucaseTest(unittest.TestCase):
       # pylint: enable=unbalanced-tuple-unpacking
       status, reason = status.split(' ', 1)
       return int(status), reason, header_list, ''.join(body)
-    UNAUTHORISED_STATUS = 404
+    UNAUTHORISED_STATUS = 401
 
     self.assertEqual(request({
       'PATH_INFO': '/',

caucase/wsgi.py

@@ -48,6 +48,17 @@ class BadRequest(ApplicationError):
   """
   status = _getStatus(httplib.BAD_REQUEST)
 
+class Unauthorized(ApplicationError):
+  """
+  HTTP unauthorized error
+  """
+  status = _getStatus(httplib.UNAUTHORIZED)
+  _response_headers = [
+    # XXX: non standard scheme, suggested in
+    # https://www.ietf.org/mail-archive/web/httpbisa/current/msg03764.html
+    ('WWW-Authenticate', 'transport'),
+  ]
+
 class NotFound(ApplicationError):
   """
   HTTP not found error
@@ -198,12 +209,6 @@ class Application(object):
     Raises NotFound if authentication does not pass checks.
     On success, appends a "Cache-Control" header.
     """
-    # Note on NotFound usage here: HTTP specs do not describe how to request
-    # client to provide transport-level authentication mechanism (x509 cert)
-    # so 401 is not applicable. 403 is not applicable either as spec requests
-    # client to not retry the request. 404 is recommended when server does not
-    # wish to disclose the reason why it rejected the access, so let's use
-    # this.
     try:
       ca_list = self._cau.getCACertificateList()
       utils.load_certificate(
@@ -215,7 +220,7 @@ class Application(object):
         ),
       )
     except (exceptions.CertificateVerificationError, ValueError):
-      raise NotFound
+      raise Unauthorized
     header_list.append(('Cache-Control', 'private'))
 
   def _readJSON(self, environ):