Move PA construction out of other authority constructors

2015-08-31 15:31:23 -07:00 · 2015-08-31 15:31:23 -07:00 · 1ad7bea579
parent 273b38e459
commit 1ad7bea579
9 changed files with 68 additions and 108 deletions
--- a/ca/certificate-authority.go
+++ b/ca/certificate-authority.go
@ -18,8 +18,6 @@ import (
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
 	blog "github.com/letsencrypt/boulder/log"
-	"github.com/letsencrypt/boulder/policy"
-	"github.com/letsencrypt/boulder/sa"

 	cfsslConfig "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/config"
 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/crypto/pkcs11key"
@ -68,7 +66,7 @@ type CertificateAuthorityImpl struct {
 // using CFSSL's authenticated signature scheme.  A CA created in this way
 // issues for a single profile on the remote signer, which is indicated
 // by name in this constructor.
-func NewCertificateAuthorityImpl(cadb core.CertificateAuthorityDatabase, config cmd.CAConfig, issuerCert string, paConfig cmd.PAConfig) (*CertificateAuthorityImpl, error) {
+func NewCertificateAuthorityImpl(cadb core.CertificateAuthorityDatabase, config cmd.CAConfig, issuerCert string) (*CertificateAuthorityImpl, error) {
 	var ca *CertificateAuthorityImpl
 	var err error
 	logger := blog.GetAuditLogger()
@ -121,21 +119,10 @@ func NewCertificateAuthorityImpl(cadb core.CertificateAuthorityDatabase, config
 		return nil, err
 	}

-	dbMap, err := sa.NewDbMap(paConfig.DBConnect)
-	if err != nil {
-		return nil, err
-	}
-
-	pa, err := policy.NewPolicyAuthorityImpl(dbMap, paConfig.EnforcePolicyWhitelist)
-	if err != nil {
-		return nil, err
-	}
-
 	ca = &CertificateAuthorityImpl{
 		Signer:     signer,
 		OCSPSigner: ocspSigner,
 		profile:    config.Profile,
-		PA:         pa,
 		DB:         cadb,
 		Prefix:     config.SerialPrefix,
 		log:        logger,
--- a/ca/certificate-authority_test.go
+++ b/ca/certificate-authority_test.go
@ -18,6 +18,7 @@ import (
 	ocspConfig "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/ocsp/config"
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/mocks"
+	"github.com/letsencrypt/boulder/policy"
 	"github.com/letsencrypt/boulder/sa/satest"

 	"github.com/letsencrypt/boulder/core"
@ -334,10 +335,6 @@ var FarPast = time.Date(1950, 1, 1, 0, 0, 0, 0, time.UTC)

 var log = mocks.UseMockLog()

-var exPA = cmd.PAConfig{
-	DBConnect: paDBConnStr,
-}
-
 // CFSSL config
 const profileName = "ee"
 const caKeyFile = "../test/test-ca.key"
@ -354,6 +351,7 @@ type testCtx struct {
 	sa       core.StorageAuthority
 	caConfig cmd.CAConfig
 	reg      core.Registration
+	pa       core.PolicyAuthority
 	cleanUp  func()
 }

@ -369,9 +367,17 @@ func setup(t *testing.T) *testCtx {
 	}
 	saDBCleanUp := test.ResetTestDatabase(t, dbMap.Db)
 	cadb, caDBCleanUp := caDBImpl(t)
+
+	paDbMap, err := sa.NewDbMap(paDBConnStr)
+	test.AssertNotError(t, err, "Could not construct dbMap")
+	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
+	test.AssertNotError(t, err, "Couldn't create PADB")
+	paDBCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+
 	cleanUp := func() {
 		saDBCleanUp()
 		caDBCleanUp()
+		paDBCleanUp()
 	}

 	// TODO(jmhodges): use of this pkg here is a bug caused by using a real SA
@ -422,7 +428,7 @@ func setup(t *testing.T) *testCtx {
 			},
 		},
 	}
-	return &testCtx{cadb, ssa, caConfig, reg, cleanUp}
+	return &testCtx{cadb, ssa, caConfig, reg, pa, cleanUp}
 }

 func TestFailNoSerial(t *testing.T) {
@ -430,14 +436,15 @@ func TestFailNoSerial(t *testing.T) {
 	defer ctx.cleanUp()

 	ctx.caConfig.SerialPrefix = 0
-	_, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	_, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
 	test.AssertError(t, err, "CA should have failed with no SerialPrefix")
 }

 func TestRevoke(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
-	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
+	ca.PA = ctx.pa
 	test.AssertNotError(t, err, "Failed to create CA")
 	if err != nil {
 		return
@ -470,8 +477,9 @@ func TestRevoke(t *testing.T) {
 func TestIssueCertificate(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
-	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 	ca.MaxKeySize = 4096

@ -547,8 +555,9 @@ func TestIssueCertificate(t *testing.T) {
 func TestRejectNoName(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
-	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 	ca.MaxKeySize = 4096

@ -564,8 +573,9 @@ func TestRejectNoName(t *testing.T) {
 func TestRejectTooManyNames(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
-	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.PA = ctx.pa
 	ca.SA = ctx.sa

 	// Test that the CA rejects a CSR with too many names
@ -578,8 +588,9 @@ func TestRejectTooManyNames(t *testing.T) {
 func TestDeduplication(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
-	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 	ca.MaxKeySize = 4096

@ -608,8 +619,9 @@ func TestDeduplication(t *testing.T) {
 func TestRejectValidityTooLong(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
-	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
 	test.AssertNotError(t, err, "Failed to create CA")
+	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 	ca.MaxKeySize = 4096

@ -630,7 +642,8 @@ func TestRejectValidityTooLong(t *testing.T) {
 func TestShortKey(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
-	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
+	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 	ca.MaxKeySize = 4096

@ -644,7 +657,8 @@ func TestShortKey(t *testing.T) {
 func TestRejectBadAlgorithm(t *testing.T) {
 	ctx := setup(t)
 	defer ctx.cleanUp()
-	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile, exPA)
+	ca, err := NewCertificateAuthorityImpl(ctx.caDB, ctx.caConfig, caCertFile)
+	ca.PA = ctx.pa
 	ca.SA = ctx.sa
 	ca.MaxKeySize = 4096

--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@ -10,6 +10,7 @@ import (
 	"github.com/letsencrypt/boulder/ca"
 	"github.com/letsencrypt/boulder/cmd"
 	blog "github.com/letsencrypt/boulder/log"
+	"github.com/letsencrypt/boulder/policy"
 	"github.com/letsencrypt/boulder/rpc"
 	"github.com/letsencrypt/boulder/sa"
 )
@ -37,9 +38,15 @@ func main() {
 		cadb, err := ca.NewCertificateAuthorityDatabaseImpl(dbMap)
 		cmd.FailOnError(err, "Failed to create CA database")

-		cai, err := ca.NewCertificateAuthorityImpl(cadb, c.CA, c.Common.IssuerCert, c.PA)
+		paDbMap, err := sa.NewDbMap(c.PA.DBConnect)
+		cmd.FailOnError(err, "Couldn't connect to policy database")
+		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist)
+		cmd.FailOnError(err, "Couldn't create PA")
+
+		cai, err := ca.NewCertificateAuthorityImpl(cadb, c.CA, c.Common.IssuerCert)
 		cmd.FailOnError(err, "Failed to create CA impl")
 		cai.MaxKeySize = c.Common.MaxKeySize
+		cai.PA = pa

 		go cmd.ProfileCmd("CA", stats)

--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@ -10,6 +10,8 @@ import (

 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
 	"github.com/letsencrypt/boulder/core"
+	"github.com/letsencrypt/boulder/policy"
+	"github.com/letsencrypt/boulder/sa"

 	"github.com/letsencrypt/boulder/cmd"
 	blog "github.com/letsencrypt/boulder/log"
@ -35,10 +37,15 @@ func main() {

 		go cmd.DebugServer(c.RA.DebugAddr)

-		rai, err := ra.NewRegistrationAuthorityImpl(c.PA)
-		cmd.FailOnError(err, "Couldn't create RA")
+		paDbMap, err := sa.NewDbMap(c.PA.DBConnect)
+		cmd.FailOnError(err, "Couldn't connect to policy database")
+		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist)
+		cmd.FailOnError(err, "Couldn't create PA")
+
+		rai := ra.NewRegistrationAuthorityImpl()
 		rai.AuthzBase = c.Common.BaseURL + wfe.AuthzPath
 		rai.MaxKeySize = c.Common.MaxKeySize
+		rai.PA = pa
 		raDNSTimeout, err := time.ParseDuration(c.Common.DNSTimeout)
 		cmd.FailOnError(err, "Couldn't parse RA DNS timeout")
 		rai.DNSResolver = core.NewDNSResolverImpl(raDNSTimeout, []string{c.Common.DNSResolver})
--- a/cmd/policy-loader/base-rules.json
+++ b/cmd/policy-loader/base-rules.json
@ -1,38 +1,3 @@
-[
-    {
-      "host": "in-addr.arpa",
-      "type": "blacklist"
-    },
-    {
-      "host": "example",
-      "type": "blacklist"
-    },
-    {
-      "host": "example.com",
-      "type": "blacklist"
-    },
-    {
-      "host": "example.net",
-      "type": "blacklist"
-    },
-    {
-      "host": "example.org",
-      "type": "blacklist"
-    },
-    {
-      "host": "invalid",
-      "type": "blacklist"
-    },
-    {
-      "host": "local",
-      "type": "blacklist"
-    },
-    {
-      "host": "localhost",
-      "type": "blacklist"
-    },
-    {
-      "host": "test",
-      "type": "blacklist"
-    }
-  ]
+{
+  "Blacklist": ["in-addr.arpa", "example", "example.com", "example.net", "example.org", "invalid", "local", "localhost", "test"]
+}
--- a/cmd/policy-loader/format.md
+++ b/cmd/policy-loader/format.md
@ -7,14 +7,8 @@ a number of blacklist rules for special-use domains but this should be built upo
 further with high-value domains.

 ```
-[
-  {
-    "host": "example.com",
-    "type": "blacklist"
-  },
-  {
-    "host": "another-example.com",
-    "type": "whitelist"
-  }
-]
+{
+  "Blacklist": ["example.com", ...],
+  "Whitelist:" ["another-example.com", ...]
+}
 ```
--- a/ra/registration-authority.go
+++ b/ra/registration-authority.go
@ -15,11 +15,8 @@ import (
 	"strings"
 	"time"

-	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
 	blog "github.com/letsencrypt/boulder/log"
-	"github.com/letsencrypt/boulder/policy"
-	"github.com/letsencrypt/boulder/sa"
 )

 // RegistrationAuthorityImpl defines an RA.
@ -39,23 +36,11 @@ type RegistrationAuthorityImpl struct {
 }

 // NewRegistrationAuthorityImpl constructs a new RA object.
-func NewRegistrationAuthorityImpl(paConfig cmd.PAConfig) (ra RegistrationAuthorityImpl, err error) {
+func NewRegistrationAuthorityImpl() (ra RegistrationAuthorityImpl) {
 	logger := blog.GetAuditLogger()
 	logger.Notice("Registration Authority Starting")
-
-	dbMap, err := sa.NewDbMap(paConfig.DBConnect)
-	if err != nil {
-		return RegistrationAuthorityImpl{}, err
-	}
-
 	ra.log = logger
-	pa, err := policy.NewPolicyAuthorityImpl(dbMap, paConfig.EnforcePolicyWhitelist)
-	if err != nil {
-		return RegistrationAuthorityImpl{}, err
-	}
-	ra.PA = pa
-
-	return ra, nil
+	return ra
 }

 var allButLastPathSegment = regexp.MustCompile("^.*/")
--- a/ra/registration-authority_test.go
+++ b/ra/registration-authority_test.go
@ -22,7 +22,6 @@ import (
 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer/local"
 	jose "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
 	"github.com/letsencrypt/boulder/ca"
-	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/mocks"
 	"github.com/letsencrypt/boulder/policy"
@ -123,10 +122,6 @@ var (
 	AuthzFinal   = core.Authorization{}

 	log = mocks.UseMockLog()
-
-	common = cmd.PAConfig{
-		DBConnect: paDBConnStr,
-	}
 )

 const (
@ -210,8 +205,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut

 	Registration, _ = ssa.NewRegistration(core.Registration{Key: AccountKeyA})

-	ra, err := NewRegistrationAuthorityImpl(common)
-	test.AssertNotError(t, err, "Couldn't create RA")
+	ra := NewRegistrationAuthorityImpl()
 	ra.SA = ssa
 	ra.VA = va
 	ra.CA = &ca
--- a/wfe/web-front-end_test.go
+++ b/wfe/web-front-end_test.go
@ -27,7 +27,6 @@ import (
 	"time"

 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cactus/go-statsd-client/statsd"
-	"github.com/letsencrypt/boulder/cmd"

 	jose "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
 	"github.com/letsencrypt/boulder/core"
@ -315,6 +314,16 @@ func (ca *MockCA) RevokeCertificate(serial string, reasonCode int) (err error) {
 	return
 }

+type MockPA struct{}
+
+func (pa *MockPA) ChallengesFor(identifier core.AcmeIdentifier) (challenges []core.Challenge, combinations [][]int) {
+	return
+}
+
+func (pa *MockPA) WillingToIssue(id core.AcmeIdentifier) error {
+	return nil
+}
+
 func makeBody(s string) io.ReadCloser {
 	return ioutil.NopCloser(strings.NewReader(s))
 }
@ -513,12 +522,10 @@ func TestIssueCertificate(t *testing.T) {
 	mockLog := wfe.log.SyslogWriter.(*mocks.MockSyslogWriter)

 	// TODO: Use a mock RA so we can test various conditions of authorized, not authorized, etc.
-	common := cmd.PAConfig{
-		DBConnect: "mysql+tcp://boulder@localhost:3306/boulder_policy_test",
-	}
-	ra, _ := ra.NewRegistrationAuthorityImpl(common)
+	ra := ra.NewRegistrationAuthorityImpl()
 	ra.SA = &MockSA{}
 	ra.CA = &MockCA{}
+	ra.PA = &MockPA{}
 	wfe.SA = &MockSA{}
 	wfe.RA = &ra
 	wfe.Stats, _ = statsd.NewNoopClient()