From 0a095e2f6bd107960313aafa32e44d3eb7acfb86 Mon Sep 17 00:00:00 2001
From: James Renken
Date: Thu, 12 Jun 2025 15:25:23 -0700
Subject: [PATCH] policy, ra: Remove default allows for DNS identifiers (#8233)

Fixes #8184
---
 ca/ca_test.go | 3 ++-
 policy/pa.go | 8 --------
 ra/ra.go | 17 ++++------------
 test/config/ca.json | 3 +++
 test/config/cert-checker.json | 3 +++
 test/config/ra.json | 18 +++++++++++++++---
 6 files changed, 27 insertions(+), 25 deletions(-)

diff --git a/ca/ca_test.go b/ca/ca_test.go
index db29c62af..3b0a00465 100644
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@@ -33,6 +33,7 @@ import (
 berrors "github.com/letsencrypt/boulder/errors"
 "github.com/letsencrypt/boulder/features"
 "github.com/letsencrypt/boulder/goodkey"
+ "github.com/letsencrypt/boulder/identifier"
 "github.com/letsencrypt/boulder/issuance"
 blog "github.com/letsencrypt/boulder/log"
 "github.com/letsencrypt/boulder/metrics"
@@ -147,7 +148,7 @@ func setup(t *testing.T) *testCtx {
 fc := clock.NewFake()
 fc.Add(1 * time.Hour)
 
- pa, err := policy.New(nil, nil, blog.NewMock())
+ pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, blog.NewMock())
 test.AssertNotError(t, err, "Couldn't create PA")
 err = pa.LoadHostnamePolicyFile("../test/hostname-policy.yaml")
 test.AssertNotError(t, err, "Couldn't set hostname policy")
diff --git a/policy/pa.go b/policy/pa.go
index ca8be1a98..519b095d7 100644
--- a/policy/pa.go
+++ b/policy/pa.go
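Review bot: The new `policy.New` call in `setup` spells the enabled identifier type as the untyped string literal `"dns"`, while the code this patch removes from `policy/pa.go` and `ra/ra.go` uses the `identifier.TypeDNS` constant for the same value. The literal compiles only because the map key type is `identifier.IdentifierType`, and it will drift silently if the constant is ever renamed or its value changed. Prefer `pa, err := policy.New(map[identifier.IdentifierType]bool{identifier.TypeDNS: true}, nil, blog.NewMock())`. The body of `setup` continues outside the hunk.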
@@ -39,14 +39,6 @@ type AuthorityImpl struct {
 
 // New constructs a Policy Authority.
 func New(identifierTypes map[identifier.IdentifierType]bool, challengeTypes map[core.AcmeChallenge]bool, log blog.Logger) (*AuthorityImpl, error) {
- // If identifierTypes are not configured (i.e. nil), default to allowing DNS
- // identifiers. This default is temporary, to improve deployability.
- //
- // TODO(#8184): Remove this default.
- if identifierTypes == nil {
- identifierTypes = map[identifier.IdentifierType]bool{identifier.TypeDNS: true}
- }
-
 return &AuthorityImpl{
 log: log,
 enabledChallenges: challengeTypes,
diff --git a/ra/ra.go b/ra/ra.go
index 2feab347d..02f100098 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -303,8 +303,8 @@ type ValidationProfileConfig struct {
 // exists but is empty, the profile is closed to all accounts.
 AllowList string `validate:"omitempty"`
 // IdentifierTypes is a list of identifier types that may be issued under
- // this profile. If none are specified, it defaults to "dns".
- IdentifierTypes []identifier.IdentifierType `validate:"omitempty,dive,oneof=dns ip"`
+ // this profile.
+ IdentifierTypes []identifier.IdentifierType `validate:"required,dive,oneof=dns ip"`
 }
 
 // validationProfile holds the attributes of a given validation profile.
@@ -330,7 +330,7 @@ type validationProfile struct {
 // nil, the profile is open to all accounts (everyone is allowed).
 allowList *allowlist.List[int64]
 // identifierTypes is a list of identifier types that may be issued under
- // this profile. If none are specified, it defaults to "dns".
+ // this profile.
 identifierTypes []identifier.IdentifierType
 }
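Review bot: With the nil default gone, `New` accepts a nil or empty `identifierTypes` map without complaint, and since a lookup in a nil Go map returns false, a deployment whose config omits the new `identifiers` block would presumably get a Policy Authority that permits no identifier type at all, with nothing at startup explaining why issuance stops. That is the safe direction to fail in, but it deserves an explicit error rather than a silent refusal; unless the config loader already enforces this, consider adding before the `return`: `if len(identifierTypes) == 0 { return nil, errors.New("at least one identifier type must be enabled") }` (using whichever error helper the file already imports). The struct literal continues outside the hunk, so where the map is stored is not visible here.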
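Review bot: `required` on `IdentifierTypes` rejects a missing or `null` field, but for slices the validator only checks that the value is non-nil, so an explicit `"identifierTypes": []` in a profile still passes and yields a profile that can issue for no identifier type. If the point of dropping the default is that every profile must name its types, tighten the tag to `validate:"required,min=1,dive,oneof=dns ip"`. The same gap applies to the `NewValidationProfiles` hunk in the next file section, which now copies `config.IdentifierTypes` straight into the profile with no length check of its own, so a guard such as `if len(config.IdentifierTypes) == 0 { ... return an error naming the profile ... }` next to the existing per-profile checks would make the constructor fail closed even when the caller skips struct validation.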
@@ -384,22 +384,13 @@ func NewValidationProfiles(defaultName string, configs map[string]*ValidationPro
 }
 }
 
- identifierTypes := config.IdentifierTypes
- // If this profile has no identifier types configured, default to DNS.
- // This default is temporary, to improve deployability.
- //
- // TODO(#8184): Remove this default and use config.IdentifierTypes below.
- if len(identifierTypes) == 0 {
- identifierTypes = []identifier.IdentifierType{identifier.TypeDNS}
- }
-
 profiles[name] = &validationProfile{
 pendingAuthzLifetime: config.PendingAuthzLifetime.Duration,
 validAuthzLifetime: config.ValidAuthzLifetime.Duration,
 orderLifetime: config.OrderLifetime.Duration,
 maxNames: config.MaxNames,
 allowList: allowList,
- identifierTypes: identifierTypes,
+ identifierTypes: config.IdentifierTypes,
 }
 }
 
diff --git a/test/config/ca.json b/test/config/ca.json
index 35843b094..e9a866ee6 100644
--- a/test/config/ca.json
+++ b/test/config/ca.json
@@ -191,6 +191,9 @@
 "http-01": true,
 "dns-01": true,
 "tls-alpn-01": true
+ },
+ "identifiers": {
+ "dns": true
 }
 },
 "syslog": {
diff --git a/test/config/cert-checker.json b/test/config/cert-checker.json
index dfc81acfc..b4ba7e0b5 100644
--- a/test/config/cert-checker.json
+++ b/test/config/cert-checker.json
@@ -24,6 +24,9 @@
 "http-01": true,
 "dns-01": true,
 "tls-alpn-01": true
+ },
+ "identifiers": {
+ "dns": true
 }
 },
 "syslog": {
diff --git a/test/config/ra.json b/test/config/ra.json
index c16978e12..613c5e1a1 100644
--- a/test/config/ra.json
+++ b/test/config/ra.json
@@ -41,19 +41,28 @@
 "pendingAuthzLifetime": "168h",
 "validAuthzLifetime": "720h",
 "orderLifetime": "168h",
- "maxNames": 100
+ "maxNames": 100,
+ "identifierTypes": [
+ "dns"
+ ]
 },
 "modern": {
 "pendingAuthzLifetime": "7h",
 "validAuthzLifetime": "7h",
 "orderLifetime": "7h",
- "maxNames": 10
+ "maxNames": 10,
+ "identifierTypes": [
+ "dns"
+ ]
 },
 "shortlived": {
 "pendingAuthzLifetime": "7h",
 "validAuthzLifetime": "7h",
 "orderLifetime": "7h",
- "maxNames": 10
+ "maxNames": 10,
+ "identifierTypes": [
+ "dns"
+ ]
 }
 },
 "defaultProfileName": "legacy",
@@ -182,6 +191,9 @@
 "http-01": true,
 "dns-01": true,
 "tls-alpn-01": true
+ },
+ "identifiers": {
+ "dns": true
 }
 },
 "syslog": {