wsgi: Set "Cache-Control" header to "private" when authentication was used.

caucase/wsgi.py

@@ -189,11 +189,12 @@ class Application(object):
       raise TooLarge('Content-Length limit exceeded')
     return environ['wsgi.input'].read(length)
 
-  def _authenticate(self, environ):
+  def _authenticate(self, environ, header_list):
     """
     Verify user authentication.
 
     Raises NotFound if authentication does not pass checks.
+    On success, appends a "Cache-Control" header.
     """
     # Note on NotFound usage here: HTTP specs do not describe how to request
     # client to provide transport-level authentication mechanism (x509 cert)
@@ -213,6 +214,7 @@ class Application(object):
       )
     except (exceptions.CertificateVerificationError, ValueError):
       raise NotFound
+    header_list.append(('Cache-Control', 'private'))
 
   def _readJSON(self, environ):
     """
@@ -250,6 +252,7 @@ class Application(object):
     """
     Handle GET /{context}/csr/{csr_id} and GET /{context}/csr.
     """
+    header_list = []
     if subpath:
       try:
         csr_id, = subpath
@@ -262,17 +265,12 @@ class Application(object):
       data = context.getCertificateSigningRequest(csr_id)
       content_type = 'application/pkcs10'
     else:
-      self._authenticate(environ)
+      self._authenticate(environ, header_list)
       data = json.dumps(context.getCertificateRequestList())
       content_type = 'application/json'
-    return (
-      STATUS_OK,
-      [
-        ('Content-Type', content_type),
-        ('Content-Length', str(len(data))),
-      ],
-      [data],
-    )
+    header_list.append(('Content-Type', content_type))
+    header_list.append(('Content-Length', str(len(data))))
+    return (STATUS_OK, header_list, [data])
 
   def putCSR(self, context, environ, subpath):
     """
@@ -297,12 +295,13 @@ class Application(object):
       csr_id, = subpath
     except ValueError:
       raise NotFound
-    self._authenticate(environ)
+    header_list = []
+    self._authenticate(environ, header_list)
     try:
       context.deletePendingCertificateSigningRequest(csr_id)
     except exceptions.NotFound:
       raise NotFound
-    return (STATUS_NO_CONTENT, [], [])
+    return (STATUS_NO_CONTENT, header_list, [])
 
   def getCRT(self, context, environ, subpath):
     """
@@ -361,13 +360,14 @@ class Application(object):
         [data],
       )
     elif crt_id == 'revoke':
+      header_list = []
       data = self._readJSON(environ)
       if data['digest'] is None:
-        self._authenticate(environ)
+        self._authenticate(environ, header_list)
         payload = utils.nullUnwrap(data)
         if 'revoke_crt_pem' not in payload:
           context.revokeSerial(payload['revoke_serial'])
-          return (STATUS_NO_CONTENT, [], [])
+          return (STATUS_NO_CONTENT, header_list, [])
       else:
         payload = utils.unwrap(
           data,
@@ -377,7 +377,7 @@ class Application(object):
       context.revoke(
         crt_pem=payload['revoke_crt_pem'].encode('ascii'),
       )
-      return (STATUS_NO_CONTENT, [], [])
+      return (STATUS_NO_CONTENT, header_list, [])
     else:
       try:
         crt_id = int(crt_id)
@@ -390,9 +390,10 @@ class Application(object):
         template_csr = utils.load_certificate_request(body)
       else:
         raise BadRequest('Bad Content-Type')
-      self._authenticate(environ)
+      header_list = []
+      self._authenticate(environ, header_list)
       context.createCertificate(
         csr_id=crt_id,
         template_csr=template_csr,
       )
-      return (STATUS_NO_CONTENT, [], [])
+      return (STATUS_NO_CONTENT, header_list, [])