sa: Support IP identifiers in CountInvalidAuthorizations2 (#8098)

Remove the deprecated `DnsName` field from the
`CountInvalidAuthorizationsRequest` struct. All users of this struct use
`Identifier` instead.

Part of #7311

sa/proto/sa.proto

@@ -153,8 +153,7 @@ message Timestamps {
 message CountInvalidAuthorizationsRequest {
   // Next unused field number: 5
   int64 registrationID = 1;
-  // TODO(#7311): dnsNames are being deprecated in favour of identifiers.
+  reserved 2; // Previously dnsName
-  string dnsName = 2;
   core.Identifier identifier = 4;
   // Count authorizations that expire in this range.
   Range range = 3;

sa/sa_test.go

@@ -17,6 +17,7 @@ import (
 	"math/bits"
 	mrand "math/rand/v2"
 	"net"
+	"net/netip"
 	"reflect"
 	"slices"
 	"strconv"
@@ -2617,51 +2618,33 @@ func TestCountInvalidAuthorizations2(t *testing.T) {
 	sa, fc, cleanUp := initSA(t)
 	defer cleanUp()
 
-	// Create two authorizations, one pending, one invalid
 	fc.Add(time.Hour)
 	reg := createWorkingRegistration(t, sa)
-	ident := identifier.NewDNS("aaa")
+	idents := identifier.ACMEIdentifiers{
-	expiresA := fc.Now().Add(time.Hour).UTC()
+		identifier.NewDNS("aaa"),
-	expiresB := fc.Now().Add(time.Hour * 3).UTC()
+		identifier.NewIP(netip.MustParseAddr("10.10.10.10")),
-	attemptedAt := fc.Now()
+	}
-	_ = createFinalizedAuthorization(t, sa, ident, expiresA, "invalid", attemptedAt)
+	for _, ident := range idents {
-	_ = createPendingAuthorization(t, sa, ident, expiresB)
+		// Create two authorizations, one pending, one invalid
+		expiresA := fc.Now().Add(time.Hour).UTC()
+		expiresB := fc.Now().Add(time.Hour * 3).UTC()
+		attemptedAt := fc.Now()
+		_ = createFinalizedAuthorization(t, sa, ident, expiresA, "invalid", attemptedAt)
+		_ = createPendingAuthorization(t, sa, ident, expiresB)
 
-	earliest := fc.Now().Add(-time.Hour).UTC()
+		earliest := fc.Now().Add(-time.Hour).UTC()
-	latest := fc.Now().Add(time.Hour * 5).UTC()
+		latest := fc.Now().Add(time.Hour * 5).UTC()
-	count, err := sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
+		count, err := sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
-		RegistrationID: reg.Id,
+			RegistrationID: reg.Id,
-		DnsName:        ident.Value,
+			Identifier:     ident.ToProto(),
-		Identifier:     ident.ToProto(),
+			Range: &sapb.Range{
-		Range: &sapb.Range{
+				Earliest: timestamppb.New(earliest),
-			Earliest: timestamppb.New(earliest),
+				Latest:   timestamppb.New(latest),
-			Latest:   timestamppb.New(latest),
+			},
-		},
+		})
-	})
+		test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed")
-	test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed")
+		test.AssertEquals(t, count.Count, int64(1))
-	test.AssertEquals(t, count.Count, int64(1))
+	}
-
-	count, err = sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
-		RegistrationID: reg.Id,
-		DnsName:        ident.Value,
-		Range: &sapb.Range{
-			Earliest: timestamppb.New(earliest),
-			Latest:   timestamppb.New(latest),
-		},
-	})
-	test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed without Identifier")
-	test.AssertEquals(t, count.Count, int64(1))
-
-	count, err = sa.CountInvalidAuthorizations2(context.Background(), &sapb.CountInvalidAuthorizationsRequest{
-		RegistrationID: reg.Id,
-		Identifier:     ident.ToProto(),
-		Range: &sapb.Range{
-			Earliest: timestamppb.New(earliest),
-			Latest:   timestamppb.New(latest),
-		},
-	})
-	test.AssertNotError(t, err, "sa.CountInvalidAuthorizations2 failed without DnsName")
-	test.AssertEquals(t, count.Count, int64(1))
 }
 
 func TestGetValidAuthorizations2(t *testing.T) {

sa/saro.go

@@ -707,14 +707,19 @@ func (ssa *SQLStorageAuthorityRO) GetValidOrderAuthorizations2(ctx context.Conte
 }
 
 // CountInvalidAuthorizations2 counts invalid authorizations for a user expiring
-// in a given time range. This method only supports DNS identifier types.
+// in a given time range.
 func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest) (*sapb.Count, error) {
-	ident := identifier.FromProtoWithDefault(req)
+	ident := identifier.FromProto(req.Identifier)
 
 	if core.IsAnyNilOrZero(req.RegistrationID, ident, req.Range.Earliest, req.Range.Latest) {
 		return nil, errIncompleteRequest
 	}
 
+	idType, ok := identifierTypeToUint[ident.ToProto().Type]
+	if !ok {
+		return nil, fmt.Errorf("unsupported identifier type %q", ident.ToProto().Type)
+	}
+
 	var count int64
 	err := ssa.dbReadOnlyMap.SelectOne(
 		ctx,
@@ -724,12 +729,12 @@ func (ssa *SQLStorageAuthorityRO) CountInvalidAuthorizations2(ctx context.Contex
 		status = :status AND
 		expires > :expiresEarliest AND
 		expires <= :expiresLatest AND
-		identifierType = :dnsType AND
+		identifierType = :identType AND
-		identifierValue = :ident`,
+		identifierValue = :identValue`,
 		map[string]interface{}{
 			"regID":           req.RegistrationID,
-			"dnsType":         identifierTypeToUint[string(identifier.TypeDNS)],
+			"identType":       idType,
-			"ident":           ident.Value,
+			"identValue":      ident.Value,
 			"expiresEarliest": req.Range.Earliest.AsTime(),
 			"expiresLatest":   req.Range.Latest.AsTime(),
 			"status":          statusUint(core.StatusInvalid),