sa: Support IP identifiers in CountInvalidAuthorizations2 (#8098)

Remove the deprecated `DnsName` field from the `CountInvalidAuthorizationsRequest` struct. All users of this struct use `Identifier` instead. Part of #7311
2025-04-08 13:15:08 -04:00 · 2025-04-08 13:15:08 -04:00 · 38a7197909
parent 26ae6f83a3
commit 38a7197909
4 changed files with 674 additions and 697 deletions
--- a/sa/proto/sa.pb.go
+++ b/sa/proto/sa.pb.go
--- a/sa/proto/sa.proto
+++ b/sa/proto/sa.proto
@ -153,8 +153,7 @@ message Timestamps {
 message CountInvalidAuthorizationsRequest {
  // Next unused field number: 5
  int64 registrationID = 1;
-  // TODO(#7311): dnsNames are being deprecated in favour of identifiers.
-  string dnsName = 2;
+  reserved 2; // Previously dnsName
  core.Identifier identifier = 4;
  // Count authorizations that expire in this range.
  Range range = 3;
--- a/sa/sa_test.go
+++ b/sa/sa_test.go
@ -17,6 +17,7 @@ import (
 	"math/bits"
 	mrand "math/rand/v2"
 	"net"
+	"net/netip"
 	"reflect"
 	"slices"
 	"strconv"
@ -2617,51 +2618,33 @@ func TestCountInvalidAuthorizations2(t *testing.T) {
 	sa, fc, cleanUp := initSA(t)
 	defer cleanUp()

-	// Create two authorizations, one pending, one invalid
 	fc.Add(time.Hour)
 	reg := createWorkingRegistration(t, sa)
-	ident := identifier.NewDNS("aaa")
-	expiresA := fc.Now().Add(time.Hour).UTC()
-	expiresB := fc.Now().Add(time.Hour * 3).UTC()
-	attemptedAt := fc.Now()
-	_ = createFinalizedAuthorization(t, sa, ident, expiresA, "invalid", attemptedAt)
-	_ = createPendingAuthorization(t, sa, ident, expiresB)
+	idents := identifier.ACMEIdentifiers{
+		identifier.NewDNS("aaa"),
+		identifier.NewIP(netip.MustParseAddr("10.10.10.10")),
+	}
+	for _, ident := range idents {
+		// Create two authorizations, one pending, one invalid
+		expiresA := fc.Now().Add(time.Hour).UTC()
+		expiresB := fc.Now().Add(time.Hour * 3).UTC()
+		attemptedAt := fc.Now()
+		_ = createFinalizedAuthorization(t, sa, ident, expiresA, "invalid", attemptedAt)
+		_ = createPendingAuthorization(t, sa, ident, expiresB)

-	earliest := fc.Now().Add(-time.Hour).UTC()
-	latest := fc.Now().Add(time.Hour * 5).UTC()
-	count, err := sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
-		RegistrationID: reg.Id,
-		DnsName:        ident.Value,
-		Identifier:     ident.ToProto(),
-		Range: &sapb.Range{
-			Earliest: timestamppb.New(earliest),
-			Latest:   timestamppb.New(latest),
-		},
-	})
-	test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed")
-	test.AssertEquals(t, count.Count, int64(1))
-
-	count, err = sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
-		RegistrationID: reg.Id,
-		DnsName:        ident.Value,
-		Range: &sapb.Range{
-			Earliest: timestamppb.New(earliest),
-			Latest:   timestamppb.New(latest),
-		},
-	})
-	test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed without Identifier")
-	test.AssertEquals(t, count.Count, int64(1))
-
-	count, err = sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
-		RegistrationID: reg.Id,
-		Identifier:     ident.ToProto(),
-		Range: &sapb.Range{
-			Earliest: timestamppb.New(earliest),
-			Latest:   timestamppb.New(latest),
-		},
-	})
-	test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed without DnsName")
-	test.AssertEquals(t, count.Count, int64(1))
+		earliest := fc.Now().Add(-time.Hour).UTC()
+		latest := fc.Now().Add(time.Hour * 5).UTC()
+		count, err := sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
+			RegistrationID: reg.Id,
+			Identifier:     ident.ToProto(),
+			Range: &sapb.Range{
+				Earliest: timestamppb.New(earliest),
+				Latest:   timestamppb.New(latest),
+			},
+		})
+		test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed")
+		test.AssertEquals(t, count.Count, int64(1))
+	}
 }

 func TestGetValidAuthorizations2(t *testing.T) {
--- a/sa/saro.go
+++ b/sa/saro.go
@ -707,14 +707,19 @@ func (ssa *SQLStorageAuthorityRO) GetValidOrderAuthorizations2(ctx context.Conte
 }

 // CountInvalidAuthorizations2 counts invalid authorizations for a user expiring
-// in a given time range. This method only supports DNS identifier types.
+// in a given time range.
 func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error) {
-	ident := identifier.FromProtoWithDefault(req)
+	ident := identifier.FromProto(req.Identifier)

 	if core.IsAnyNilOrZero(req.RegistrationID, ident, req.Range.Earliest, req.Range.Latest) {
 		return nil, errIncompleteRequest
 	}

+	idType, ok := identifierTypeToUint[ident.ToProto().Type]
+	if !ok {
+		return nil, fmt.Errorf("unsupported identifier type %q", ident.ToProto().Type)
+	}
+
 	var count int64
 	err := ssa.dbReadOnlyMap.SelectOne(
 		ctx,
@ -724,12 +729,12 @@ func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Contex
 		status = :status AND
 		expires > :expiresEarliest AND
 		expires <= :expiresLatest AND
-		identifierType = :dnsType AND
-		identifierValue = :ident`,
+		identifierType = :identType AND
+		identifierValue = :identValue`,
 		map[string]interface{}{
 			"regID":           req.RegistrationID,
-			"dnsType":         identifierTypeToUint[string(identifier.TypeDNS)],
-			"ident":           ident.Value,
+			"identType":       idType,
+			"identValue":      ident.Value,
 			"expiresEarliest": req.Range.Earliest.AsTime(),
 			"expiresLatest":   req.Range.Latest.AsTime(),
 			"status":          statusUint(core.StatusInvalid),