letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix RA profile deployability issue (#8002) 

If validation profiles haven't been explicitly configured, use the
default profile for all incoming requests regardless of which profile
they specify.

Fixes https://github.com/letsencrypt/boulder/issues/7605
This commit is contained in:
Aaron Gable 2025-02-10 09:33:58 -08:00 committed by GitHub
parent f6c748c1c3
commit 27cbd1c94c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 64 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ra/ra.go
View File

@ -391,6 +391,9 @@ func NewValidationProfiles(defaultName string, configs map[string]ValidationProf
} }
func (vp *validationProfiles) get(name string) (*validationProfile, error) { func (vp *validationProfiles) get(name string) (*validationProfile, error) {
if vp.defaultName == UnconfiguredDefaultProfileName {
return vp.byName[vp.defaultName], nil
}
if name == "" { if name == "" {
name = vp.defaultName name = vp.defaultName
} }

61
ra/ra_test.go
View File

@ -1763,6 +1763,67 @@ func TestNewOrder_ValidationProfiles(t *testing.T) {
} }
} }
func TestNewOrder_UnconfiguredValidationProfiles(t *testing.T) {
_, _, ra, _, _, cleanUp := initAuthorities(t)
defer cleanUp()
ra.profiles = &validationProfiles{
defaultName: UnconfiguredDefaultProfileName,
byName: map[string]*validationProfile{
UnconfiguredDefaultProfileName: {
pendingAuthzLifetime: 1 * 24 * time.Hour,
validAuthzLifetime: 1 * 24 * time.Hour,
orderLifetime: 1 * 24 * time.Hour,
},
},
}
for _, tc := range []struct {
name string
profile string
wantExpires time.Time
}{
{
// A request with no profile should get an order and authzs with one-day lifetimes.
name: "no profile specified",
profile: "",
wantExpires: ra.clk.Now().Add(1 * 24 * time.Hour),
},
{
// A request for a specific profile should get the same lifetimes.
name: "profile specified",
profile: "test",
wantExpires: ra.clk.Now().Add(1 * 24 * time.Hour),
},
} {
t.Run(tc.name, func(t *testing.T) {
order, err := ra.NewOrder(context.Background(), &rapb.NewOrderRequest{
RegistrationID: Registration.Id,
DnsNames: []string{randomDomain()},
CertificateProfileName: tc.profile,
})
if err != nil {
t.Fatalf("creating order: %s", err)
}
gotExpires := order.Expires.AsTime()
if gotExpires != tc.wantExpires {
t.Errorf("NewOrder(profile: %q).Expires = %s, expected %s", tc.profile, gotExpires, tc.wantExpires)
}
authz, err := ra.GetAuthorization(context.Background(), &rapb.GetAuthorizationRequest{
Id: order.V2Authorizations[0],
})
if err != nil {
t.Fatalf("fetching test authz: %s", err)
}
gotExpires = authz.Expires.AsTime()
if gotExpires != tc.wantExpires {
t.Errorf("GetAuthorization(profile: %q).Expires = %s, expected %s", tc.profile, gotExpires, tc.wantExpires)
}
})
}
}
func TestNewOrder_ProfileSelectionAllowList(t *testing.T) { func TestNewOrder_ProfileSelectionAllowList(t *testing.T) {
_, _, ra, _, _, cleanUp := initAuthorities(t) _, _, ra, _, _, cleanUp := initAuthorities(t)
defer cleanUp() defer cleanUp()