Fix tests and GetOrderAuthorizations

2018-01-09 20:38:52 -08:00 · 2018-01-09 20:38:52 -08:00 · 1a3a76438c
parent dcd2b438f4
commit 1a3a76438c
6 changed files with 68 additions and 30 deletions
--- a/features/featureflag_string.go
+++ b/features/featureflag_string.go
@ -2,15 +2,15 @@

 package features

-import "strconv"
+import "fmt"

-const _FeatureFlag_name = "unusedAllowAccountDeactivationAllowKeyRolloverResubmitMissingSCTsOnlyUseAIAIssuerURLAllowTLS02ChallengesGenerateOCSPEarlyReusePendingAuthzCountCertificatesExactRandomDirectoryEntryIPv6FirstDirectoryMetaAllowRenewalFirstRLRecheckCAAUDPDNSROCACheckWildcardDomains"
+const _FeatureFlag_name = "unusedAllowAccountDeactivationAllowKeyRolloverResubmitMissingSCTsOnlyUseAIAIssuerURLAllowTLS02ChallengesGenerateOCSPEarlyReusePendingAuthzCountCertificatesExactRandomDirectoryEntryIPv6FirstDirectoryMetaAllowRenewalFirstRLRecheckCAAUDPDNSROCACheckWildcardDomainsEnforceChallengeDisable"

-var _FeatureFlag_index = [...]uint16{0, 6, 30, 46, 69, 84, 104, 121, 138, 160, 180, 189, 202, 221, 231, 237, 246, 261}
+var _FeatureFlag_index = [...]uint16{0, 6, 30, 46, 69, 84, 104, 121, 138, 160, 180, 189, 202, 221, 231, 237, 246, 261, 284}

 func (i FeatureFlag) String() string {
 	if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {
-		return "FeatureFlag(" + strconv.FormatInt(int64(i), 10) + ")"
+		return fmt.Sprintf("FeatureFlag(%d)", i)
 	}
 	return _FeatureFlag_name[_FeatureFlag_index[i]:_FeatureFlag_index[i+1]]
 }
--- a/features/features.go
+++ b/features/features.go
@ -30,6 +30,8 @@ const (
 	ROCACheck
 	// Allow issuance of wildcard domains for ACMEv2
 	WildcardDomains
+	// Enforce prevention of use of disabled challenge types
+	EnforceChallengeDisable
 )

 // List of features and their default value, protected by fMu
@ -51,6 +53,7 @@ var features = map[FeatureFlag]bool{
 	UDPDNS:                   false,
 	ROCACheck:                false,
 	WildcardDomains:          false,
+	EnforceChallengeDisable:  false,
 }

 var fMu = new(sync.RWMutex)
--- a/ra/ra.go
+++ b/ra/ra.go
@ -532,7 +532,7 @@ func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, reque
 				ra.log.Warning(fmt.Sprintf("%s: %s", outErr.Error(), existingAuthz.ID))
 				return core.Authorization{}, outErr
 			}
-			if ra.validChallengeStillGood(&populatedAuthz) {
+			if !features.Enabled(features.EnforceChallengeDisable) || ra.validChallengeStillGood(&populatedAuthz) {
 				// The existing authorization must not expire within the next 24 hours for
 				// it to be OK for reuse
 				reuseCutOff := ra.clk.Now().Add(time.Hour * 24)
@ -722,7 +722,7 @@ func (ra *RegistrationAuthorityImpl) checkAuthorizationsCAA(
 			// Ensure that CAA is rechecked for this name
 			recheckNames = append(recheckNames, name)
 		}
-		if authz != nil && !ra.validChallengeStillGood(authz) {
+		if authz != nil && features.Enabled(features.EnforceChallengeDisable) && !ra.validChallengeStillGood(authz) {
 			return berrors.UnauthorizedError("challenge used to validate authorization with ID %q no longer allowed", authz.ID)
 		}
 	}
@ -1336,7 +1336,7 @@ func (ra *RegistrationAuthorityImpl) UpdateAuthorization(ctx context.Context, ba
 		// )
 	}

-	if !ra.PA.ChallengeTypeEnabled(ch.Type) {
+	if features.Enabled(features.EnforceChallengeDisable) && !ra.PA.ChallengeTypeEnabled(ch.Type) {
 		return core.Authorization{}, berrors.MalformedError("challenge type %q no longer allowed", ch.Type)
 	}

@ -1762,8 +1762,10 @@ func (ra *RegistrationAuthorityImpl) createPendingAuthz(ctx context.Context, reg
 func (ra *RegistrationAuthorityImpl) validChallengeStillGood(authz *core.Authorization) bool {
 	for _, chall := range authz.Challenges {
 		if chall.Status == core.StatusValid {
+			fmt.Println("TYPE", chall.Type)
 			return ra.PA.ChallengeTypeEnabled(chall.Type)
 		}
 	}
+	fmt.Println("NO TYPE", authz)
 	return false
 }
--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@ -673,6 +673,7 @@ func TestReuseValidAuthorization(t *testing.T) {

 	// Test that a valid authorization that used a challenge which has been disabled
 	// is not reused
+	_ = features.Set(map[string]bool{"EnforceChallengeDisable": true})
 	pa, err := policy.New(map[string]bool{
 		core.ChallengeTypeHTTP01:   false,
 		core.ChallengeTypeTLSSNI01: true,
@ -1169,6 +1170,8 @@ func TestNewOrderRateLimiting(t *testing.T) {
 	_, _, ra, fc, cleanUp := initAuthorities(t)
 	defer cleanUp()

+	_ = features.Set(map[string]bool{"EnforceChallengeDisable": true})
+
 	// Create a dummy rate limit config that sets a PendingOrdersPerAccount rate
 	// limit with a very low threshold
 	ra.rlPolicies = &dummyRateLimitConfig{
@ -2895,6 +2898,8 @@ func TestDisabledChallengeValidAuthz(t *testing.T) {
 	test.AssertNotError(t, err, "Couldn't create PA")
 	ra.PA = pa

+	_ = features.Set(map[string]bool{"EnforceChallengeDisable": true})
+
 	exp := fc.Now().Add(10 * time.Hour)

 	err = ra.checkAuthorizationsCAA(
@ -2935,6 +2940,8 @@ func TestValidChallengeStillGood(t *testing.T) {
 	test.AssertNotError(t, err, "Couldn't create PA")
 	ra.PA = pa

+	_ = features.Set(map[string]bool{"EnforceChallengeDisable": true})
+
 	test.Assert(t, !ra.validChallengeStillGood(&core.Authorization{}), "ra.validChallengeStillGood didn't fail with empty authorization")
 	test.Assert(t, !ra.validChallengeStillGood(&core.Authorization{Challenges: []core.Challenge{{Status: core.StatusPending}}}), "ra.validChallengeStillGood didn't fail with no valid challenges")
 	test.Assert(t, !ra.validChallengeStillGood(&core.Authorization{Challenges: []core.Challenge{{Status: core.StatusValid, Type: core.ChallengeTypeHTTP01}}}), "ra.validChallengeStillGood didn't fail with disabled challenge")
@ -2943,14 +2950,18 @@ func TestValidChallengeStillGood(t *testing.T) {
 }

 func TestUpdateAuthorizationBadChallengeType(t *testing.T) {
-	_, _, ra, _, cleanUp := initAuthorities(t)
+	_, _, ra, fc, cleanUp := initAuthorities(t)
 	defer cleanUp()
 	pa, err := policy.New(map[string]bool{})
 	test.AssertNotError(t, err, "Couldn't create PA")
 	ra.PA = pa

-	_, err = ra.UpdateAuthorization(context.Background(), core.Authorization{}, 0, core.Challenge{})
+	_ = features.Set(map[string]bool{"EnforceChallengeDisable": true})
+
+	exp := fc.Now().Add(10 * time.Hour)
+	_, err = ra.UpdateAuthorization(context.Background(), core.Authorization{Challenges: []core.Challenge{{Status: core.StatusValid, Type: core.ChallengeTypeTLSSNI01}}, Expires: &exp}, 0, core.Challenge{})
 	test.AssertError(t, err, "ra.UpdateAuthorization allowed a update to a authorization")
+	test.AssertEquals(t, err.Error(), "challenge type \"tls-sni-01\" no longer allowed")
 }

 var CAkeyPEM = `
--- a/sa/sa.go
+++ b/sa/sa.go
@ -1545,6 +1545,27 @@ func (ssa *SQLStorageAuthority) GetOrderAuthorizations(
 		}
 		existing, present := byName[auth.Identifier.Value]
 		if !present || auth.Expires.After(*existing.Expires) {
+
+			// Retrieve challenges for the authzvar challObjs []challModel
+			var challObjs []challModel
+			_, err = ssa.dbMap.Select(
+				&challObjs,
+				getChallengesQuery,
+				map[string]interface{}{"authID": auth.ID},
+			)
+			if err != nil {
+				return nil, err
+			}
+			var challs []core.Challenge
+			for _, c := range challObjs {
+				chall, err := modelToChallenge(&c)
+				if err != nil {
+					return nil, err
+				}
+				challs = append(challs, chall)
+			}
+			auth.Challenges = challs
+
 			byName[auth.Identifier.Value] = auth
 		}
 	}
@ -1622,31 +1643,31 @@ func (ssa *SQLStorageAuthority) getAuthorizations(ctx context.Context, table str
 			continue
 		}

-		// Retrieve challenges for the authzvar challObjs []challModel
-		var challObjs []challModel
-		_, err = ssa.dbMap.Select(
-			&challObjs,
-			getChallengesQuery,
-			map[string]interface{}{"authID": auth.ID},
-		)
-		if err != nil {
-			return nil, err
-		}
-		var challs []core.Challenge
-		for _, c := range challObjs {
-			chall, err := modelToChallenge(&c)
-			if err != nil {
-				return nil, err
-			}
-			challs = append(challs, chall)
-		}
-		auth.Challenges = challs
-
 		if auth.Identifier.Type != core.IdentifierDNS {
 			return nil, fmt.Errorf("unknown identifier type: %q on authz id %q", auth.Identifier.Type, auth.ID)
 		}
 		existing, present := byName[auth.Identifier.Value]
 		if !present || auth.Expires.After(*existing.Expires) {
+			// Retrieve challenges for the authzvar challObjs []challModel
+			var challObjs []challModel
+			_, err = ssa.dbMap.Select(
+				&challObjs,
+				getChallengesQuery,
+				map[string]interface{}{"authID": auth.ID},
+			)
+			if err != nil {
+				return nil, err
+			}
+			var challs []core.Challenge
+			for _, c := range challObjs {
+				chall, err := modelToChallenge(&c)
+				if err != nil {
+					return nil, err
+				}
+				challs = append(challs, chall)
+			}
+			auth.Challenges = challs
+
 			byName[auth.Identifier.Value] = auth
 		}
 	}
--- a/test/config-next/ra.json
+++ b/test/config-next/ra.json
@ -47,7 +47,8 @@
      "AllowTLS02Challenges": true,
      "CountCertificatesExact": true,
      "RecheckCAA": true,
-      "ReusePendingAuthz": true
+      "ReusePendingAuthz": true,
+      "EnforceChallengeDisable": true
    }
  },