letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

sa: Provide a grace period for recently unpaused identifiers (#7573) 

SA method PauseIdentifiers skips identifiers unpaused within the last 2
weeks, providing a grace period for operators to fix configuration
issues resulting in numerous contiguous validation failures.

Part of #7475
This commit is contained in:
Samantha Frank 2024-07-11 12:11:27 -04:00 committed by GitHub
parent 74eba3bc08
commit 15ad9fc5ab
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 45 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
sa/sa.go
View File

@ -1295,8 +1295,10 @@ func (ssa *SQLStorageAuthority) UpdateCRLShard(ctx context.Context, req *sapb.Up
// PauseIdentifiers pauses a set of identifiers for the provided account. If an // PauseIdentifiers pauses a set of identifiers for the provided account. If an
// identifier is currently paused, this is a no-op. If an identifier was // identifier is currently paused, this is a no-op. If an identifier was
// previously paused and unpaused, it will be repaused. All work is accomplished // previously paused and unpaused, it will be repaused unless it was unpaused
// in a transaction to limit possible race conditions. // less than two weeks ago. The response will indicate how many identifiers were
// paused and how many were repaused. All work is accomplished in a transaction
// to limit possible race conditions.
func (ssa *SQLStorageAuthority) PauseIdentifiers(ctx context.Context, req *sapb.PauseRequest) (*sapb.PauseIdentifiersResponse, error) { func (ssa *SQLStorageAuthority) PauseIdentifiers(ctx context.Context, req *sapb.PauseRequest) (*sapb.PauseIdentifiersResponse, error) {
if core.IsAnyNilOrZero(req.RegistrationID, req.Identifiers) { if core.IsAnyNilOrZero(req.RegistrationID, req.Identifiers) {
return nil, errIncompleteRequest return nil, errIncompleteRequest
@ -1357,6 +1359,10 @@ func (ssa *SQLStorageAuthority) PauseIdentifiers(ctx context.Context, req *sapb.
// Identifier is already paused. // Identifier is already paused.
continue continue
case entry.UnpausedAt.After(ssa.clk.Now().Add(-14 * 24 * time.Hour)):
// Previously unpaused less than two weeks ago, skip this identifier.
continue
case entry.UnpausedAt.After(entry.PausedAt): case entry.UnpausedAt.After(entry.PausedAt):
// Previously paused (and unpaused), repause the identifier. // Previously paused (and unpaused), repause the identifier.
_, err := tx.ExecContext(ctx, ` _, err := tx.ExecContext(ctx, `

44
sa/sa_test.go
View File

@ -4482,6 +4482,9 @@ func TestPauseIdentifiers(t *testing.T) {
return &t return &t
} }
fourWeeksAgo := sa.clk.Now().Add(-4 * 7 * 24 * time.Hour)
threeWeeksAgo := sa.clk.Now().Add(-3 * 7 * 24 * time.Hour)
tests := []struct { tests := []struct {
name string name string
state []pausedModel state []pausedModel
@ -4514,8 +4517,8 @@ func TestPauseIdentifiers(t *testing.T) {
Type: identifierTypeToUint[string(identifier.DNS)], Type: identifierTypeToUint[string(identifier.DNS)],
Value: "example.com", Value: "example.com",
}, },
PausedAt: sa.clk.Now().Add(-time.Hour), PausedAt: fourWeeksAgo,
UnpausedAt: ptrTime(sa.clk.Now().Add(-time.Minute)), UnpausedAt: ptrTime(threeWeeksAgo),
}, },
}, },
req: &sapb.PauseRequest{ req: &sapb.PauseRequest{
@ -4532,6 +4535,33 @@ func TestPauseIdentifiers(t *testing.T) {
Repaused: 1, Repaused: 1,
}, },
}, },
{
name: "One unpaused entry which was previously paused and unpaused less than 2 weeks ago",
state: []pausedModel{
{
RegistrationID: 1,
identifierModel: identifierModel{
Type: identifierTypeToUint[string(identifier.DNS)],
Value: "example.com",
},
PausedAt: fourWeeksAgo,
UnpausedAt: ptrTime(sa.clk.Now().Add(-13 * 24 * time.Hour)),
},
},
req: &sapb.PauseRequest{
RegistrationID: 1,
Identifiers: []*sapb.Identifier{
{
Type: string(identifier.DNS),
Value: "example.com",
},
},
},
want: &sapb.PauseIdentifiersResponse{
Paused: 0,
Repaused: 0,
},
},
{ {
name: "An identifier which is currently paused", name: "An identifier which is currently paused",
state: []pausedModel{ state: []pausedModel{
@ -4541,7 +4571,7 @@ func TestPauseIdentifiers(t *testing.T) {
Type: identifierTypeToUint[string(identifier.DNS)], Type: identifierTypeToUint[string(identifier.DNS)],
Value: "example.com", Value: "example.com",
}, },
PausedAt: sa.clk.Now().Add(-time.Hour), PausedAt: fourWeeksAgo,
}, },
}, },
req: &sapb.PauseRequest{ req: &sapb.PauseRequest{
@ -4567,8 +4597,8 @@ func TestPauseIdentifiers(t *testing.T) {
Type: identifierTypeToUint[string(identifier.DNS)], Type: identifierTypeToUint[string(identifier.DNS)],
Value: "example.com", Value: "example.com",
}, },
PausedAt: sa.clk.Now().Add(-time.Hour), PausedAt: fourWeeksAgo,
UnpausedAt: ptrTime(sa.clk.Now().Add(-time.Minute)), UnpausedAt: ptrTime(threeWeeksAgo),
}, },
{ {
RegistrationID: 1, RegistrationID: 1,
@ -4576,8 +4606,8 @@ func TestPauseIdentifiers(t *testing.T) {
Type: identifierTypeToUint[string(identifier.DNS)], Type: identifierTypeToUint[string(identifier.DNS)],
Value: "example.net", Value: "example.net",
}, },
PausedAt: sa.clk.Now().Add(-time.Hour), PausedAt: fourWeeksAgo,
UnpausedAt: ptrTime(sa.clk.Now().Add(-time.Minute)), UnpausedAt: ptrTime(threeWeeksAgo),
}, },
}, },
req: &sapb.PauseRequest{ req: &sapb.PauseRequest{