wfe2: cleanup some more authz1 leftovers. (#4640)

After the previous cleanup of legacy authz1 bits the `authzLookupFunc`
interface and the associated `handleAuthorization` function are only
used in one place for handling authz2 resources. This commit cleans
this now unneeded abstraction up (and also removes the "V2" suffix
from the challenge and authz handlers).
Daniel McCarney 2020-01-13 14:26:23 -05:00 committed by Jacob Hoffman-Andrews
parent 67ec373a96
commit 53171f4674
2 changed files with 41 additions and 45 deletions


@ -353,8 +353,8 @@ func (wfe *WebFrontEndImpl) Handler(stats prometheus.Registerer) http.Handler {
// TODO(@cpu): After November 1st, 2019 support for "GET" to the following // TODO(@cpu): After November 1st, 2019 support for "GET" to the following
// endpoints will be removed, leaving only POST-as-GET support. // endpoints will be removed, leaving only POST-as-GET support.
wfe.HandleFunc(m, orderPath, wfe.GetOrder, "GET", "POST") wfe.HandleFunc(m, orderPath, wfe.GetOrder, "GET", "POST")
wfe.HandleFunc(m, authzv2Path, wfe.AuthorizationV2, "GET", "POST") wfe.HandleFunc(m, authzv2Path, wfe.Authorization, "GET", "POST")
wfe.HandleFunc(m, challengev2Path, wfe.ChallengeV2, "GET", "POST") wfe.HandleFunc(m, challengev2Path, wfe.Challenge, "GET", "POST")
wfe.HandleFunc(m, certPath, wfe.Certificate, "GET", "POST") wfe.HandleFunc(m, certPath, wfe.Certificate, "GET", "POST")
// We don't use our special HandleFunc for "/" because it matches everything, // We don't use our special HandleFunc for "/" because it matches everything,
@ -980,10 +980,10 @@ func (wfe *WebFrontEndImpl) logCsr(request *http.Request, cr core.CertificateReq
wfe.log.AuditObject("Certificate request", csrLog) wfe.log.AuditObject("Certificate request", csrLog)
} }
// ChallengeV2 handles POST requests to challenge URLs belonging to // Challenge handles POST requests to challenge URLs belonging to
// authzv2-style authorizations. Such requests are clients' // authzv2-style authorizations. Such requests are clients'
// responses to the server's challenges. // responses to the server's challenges.
func (wfe *WebFrontEndImpl) ChallengeV2( func (wfe *WebFrontEndImpl) Challenge(
ctx context.Context, ctx context.Context,
logEvent *web.RequestEvent, logEvent *web.RequestEvent,
response http.ResponseWriter, response http.ResponseWriter,
@ -1390,29 +1390,12 @@ func (wfe *WebFrontEndImpl) deactivateAuthorization(
return true return true
} }
// authzLookupFunc is used by handleAuthorization to look up either an authzv1 func (wfe *WebFrontEndImpl) Authorization(
// or an authzv2, as appropriate. ctx context.Context,
type authzLookupFunc func() (*core.Authorization, error) logEvent *web.RequestEvent,
response http.ResponseWriter,
request *http.Request) {
func (wfe *WebFrontEndImpl) AuthorizationV2(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request) {
wfe.handleAuthorization(ctx, logEvent, response, request, func() (*core.Authorization, error) {
authzID, err := strconv.ParseInt(request.URL.Path, 10, 64)
if err != nil {
return nil, berrors.MalformedError("Invalid authorization ID")
}
authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID})
if err != nil {
return nil, err
}
authz, err := bgrpc.PBToAuthz(authzPB)
if err != nil {
return nil, err
}
return &authz, nil
})
}
func (wfe *WebFrontEndImpl) handleAuthorization(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request, lookupFunc authzLookupFunc) {
if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost { if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost {
wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil) wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil)
return return
@ -1435,7 +1418,13 @@ func (wfe *WebFrontEndImpl) handleAuthorization(ctx context.Context, logEvent *w
requestBody = body requestBody = body
} }
authz, err := lookupFunc() authzID, err := strconv.ParseInt(request.URL.Path, 10, 64)
if err != nil {
wfe.sendError(response, logEvent, probs.Malformed("Invalid authorization ID"), nil)
return
}
authzPB, err := wfe.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: &authzID})
if berrors.Is(err, berrors.NotFound) { if berrors.Is(err, berrors.NotFound) {
wfe.sendError(response, logEvent, probs.NotFound("No such authorization"), nil) wfe.sendError(response, logEvent, probs.NotFound("No such authorization"), nil)
return return
@ -1446,6 +1435,13 @@ func (wfe *WebFrontEndImpl) handleAuthorization(ctx context.Context, logEvent *w
wfe.sendError(response, logEvent, probs.ServerInternal("Problem getting authorization"), err) wfe.sendError(response, logEvent, probs.ServerInternal("Problem getting authorization"), err)
return return
} }
authz, err := bgrpc.PBToAuthz(authzPB)
if err != nil {
wfe.sendError(response, logEvent, probs.ServerInternal("Problem getting authorization"), err)
return
}
if authz.Identifier.Type == identifier.DNS { if authz.Identifier.Type == identifier.DNS {
logEvent.DNSName = authz.Identifier.Value logEvent.DNSName = authz.Identifier.Value
} }
@ -1472,12 +1468,12 @@ func (wfe *WebFrontEndImpl) handleAuthorization(ctx context.Context, logEvent *w
// If the deactivation fails return early as errors and return codes // If the deactivation fails return early as errors and return codes
// have already been set. Otherwise continue so that the user gets // have already been set. Otherwise continue so that the user gets
// sent the deactivated authorization. // sent the deactivated authorization.
if !wfe.deactivateAuthorization(ctx, authz, logEvent, response, requestBody) { if !wfe.deactivateAuthorization(ctx, &authz, logEvent, response, requestBody) {
return return
} }
} }
wfe.prepAuthorizationForDisplay(request, authz) wfe.prepAuthorizationForDisplay(request, &authz)
err = wfe.writeJsonResponse(response, logEvent, http.StatusOK, authz) err = wfe.writeJsonResponse(response, logEvent, http.StatusOK, authz)
if err != nil { if err != nil {
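Review bot: The new exported method `Authorization` (hunk at -1390/+1390) has no doc comment, while its sibling `Challenge` in the -980 hunk keeps one; golint will flag this, and the rename is the natural moment to add it. A comment grounded in what the body visibly does would be `// Authorization handles GET and POST-as-GET requests to authzv2-style authorization URLs: it looks up the` / `// authorization by ID and either deactivates it or returns it for display.` placed directly above `func (wfe *WebFrontEndImpl) Authorization(`. Note also that the bad-ID path now sends `probs.Malformed` directly instead of returning `berrors.MalformedError` through the lookup; if an error branch between the NotFound and ServerInternal checks previously translated a malformed berror, it is presumably unreachable now and could be dropped — that region sits outside the visible hunks, so this is worth confirming. The body of `Authorization` continues beyond the last hunk shown.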


@ -1105,7 +1105,7 @@ func TestGetChallenge(t *testing.T) {
req.URL.Path = "1/-ZfxEw" req.URL.Path = "1/-ZfxEw"
test.AssertNotError(t, err, "Could not make NewRequest") test.AssertNotError(t, err, "Could not make NewRequest")
wfe.ChallengeV2(ctx, newRequestEvent(), resp, req) wfe.Challenge(ctx, newRequestEvent(), resp, req)
test.AssertEquals(t, test.AssertEquals(t,
resp.Code, resp.Code,
http.StatusOK) http.StatusOK)
@ -1196,7 +1196,7 @@ func TestChallenge(t *testing.T) {
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.Name, func(t *testing.T) { t.Run(tc.Name, func(t *testing.T) {
responseWriter := httptest.NewRecorder() responseWriter := httptest.NewRecorder()
wfe.ChallengeV2(ctx, newRequestEvent(), responseWriter, tc.Request) wfe.Challenge(ctx, newRequestEvent(), responseWriter, tc.Request)
// Check the response code, headers and body match expected // Check the response code, headers and body match expected
headers := responseWriter.Header() headers := responseWriter.Header()
body := responseWriter.Body.String() body := responseWriter.Body.String()
@ -1230,7 +1230,7 @@ func TestUpdateChallengeFinalizedAuthz(t *testing.T) {
signedURL := "http://localhost/1/-ZfxEw" signedURL := "http://localhost/1/-ZfxEw"
_, _, jwsBody := signRequestKeyID(t, 1, nil, signedURL, `{}`, wfe.nonceService) _, _, jwsBody := signRequestKeyID(t, 1, nil, signedURL, `{}`, wfe.nonceService)
request := makePostRequestWithPath("1/-ZfxEw", jwsBody) request := makePostRequestWithPath("1/-ZfxEw", jwsBody)
wfe.ChallengeV2(ctx, newRequestEvent(), responseWriter, request) wfe.Challenge(ctx, newRequestEvent(), responseWriter, request)
body := responseWriter.Body.String() body := responseWriter.Body.String()
test.AssertUnmarshaledEquals(t, body, `{ test.AssertUnmarshaledEquals(t, body, `{
@ -1254,7 +1254,7 @@ func TestUpdateChallengeRAError(t *testing.T) {
responseWriter := httptest.NewRecorder() responseWriter := httptest.NewRecorder()
request := makePostRequestWithPath("2/-ZfxEw", jwsBody) request := makePostRequestWithPath("2/-ZfxEw", jwsBody)
wfe.ChallengeV2(ctx, newRequestEvent(), responseWriter, request) wfe.Challenge(ctx, newRequestEvent(), responseWriter, request)
// The result should be an internal server error problem. // The result should be an internal server error problem.
body := responseWriter.Body.String() body := responseWriter.Body.String()
@ -1559,7 +1559,7 @@ func TestGetAuthorization(t *testing.T) {
// Expired authorizations should be inaccessible // Expired authorizations should be inaccessible
authzURL := "3" authzURL := "3"
responseWriter := httptest.NewRecorder() responseWriter := httptest.NewRecorder()
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, &http.Request{ wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
Method: "GET", Method: "GET",
URL: mustParseURL(authzURL), URL: mustParseURL(authzURL),
}) })
@ -1569,7 +1569,7 @@ func TestGetAuthorization(t *testing.T) {
responseWriter.Body.Reset() responseWriter.Body.Reset()
// Ensure that a valid authorization can't be reached with an invalid URL // Ensure that a valid authorization can't be reached with an invalid URL
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, &http.Request{ wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
URL: mustParseURL("1d"), URL: mustParseURL("1d"),
Method: "GET", Method: "GET",
}) })
@ -1581,7 +1581,7 @@ func TestGetAuthorization(t *testing.T) {
responseWriter = httptest.NewRecorder() responseWriter = httptest.NewRecorder()
// Ensure that a POST-as-GET to an authorization works // Ensure that a POST-as-GET to an authorization works
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, postAsGet) wfe.Authorization(ctx, newRequestEvent(), responseWriter, postAsGet)
test.AssertEquals(t, responseWriter.Code, http.StatusOK) test.AssertEquals(t, responseWriter.Code, http.StatusOK)
body := responseWriter.Body.String() body := responseWriter.Body.String()
test.AssertUnmarshaledEquals(t, body, ` test.AssertUnmarshaledEquals(t, body, `
@ -1618,7 +1618,7 @@ func TestAuthorization500(t *testing.T) {
wfe, _ := setupWFE(t) wfe, _ := setupWFE(t)
responseWriter := httptest.NewRecorder() responseWriter := httptest.NewRecorder()
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, &http.Request{ wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
Method: "GET", Method: "GET",
URL: mustParseURL("4"), URL: mustParseURL("4"),
}) })
@ -1641,7 +1641,7 @@ func TestAuthorizationChallengeNamespace(t *testing.T) {
// For "oldNS" the SA mock returns an authorization with a failed challenge // For "oldNS" the SA mock returns an authorization with a failed challenge
// that has an error with the type already prefixed by the v1 error NS // that has an error with the type already prefixed by the v1 error NS
responseWriter := httptest.NewRecorder() responseWriter := httptest.NewRecorder()
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, &http.Request{ wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
Method: "GET", Method: "GET",
URL: mustParseURL("55"), URL: mustParseURL("55"),
}) })
@ -1656,7 +1656,7 @@ func TestAuthorizationChallengeNamespace(t *testing.T) {
// For "failed" the SA mock returns an authorization with a failed challenge // For "failed" the SA mock returns an authorization with a failed challenge
// that has an error with the type not prefixed by an error namespace. // that has an error with the type not prefixed by an error namespace.
responseWriter = httptest.NewRecorder() responseWriter = httptest.NewRecorder()
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, &http.Request{ wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
Method: "GET", Method: "GET",
URL: mustParseURL("56"), URL: mustParseURL("56"),
}) })
@ -2001,7 +2001,7 @@ func TestDeactivateAuthorization(t *testing.T) {
_, _, body := signRequestKeyID(t, 1, nil, "http://localhost/1", payload, wfe.nonceService) _, _, body := signRequestKeyID(t, 1, nil, "http://localhost/1", payload, wfe.nonceService)
request := makePostRequestWithPath("1", body) request := makePostRequestWithPath("1", body)
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, request) wfe.Authorization(ctx, newRequestEvent(), responseWriter, request)
test.AssertUnmarshaledEquals(t, test.AssertUnmarshaledEquals(t,
responseWriter.Body.String(), responseWriter.Body.String(),
`{"type": "`+probs.V2ErrorNS+`malformed","detail": "Invalid status value","status": 400}`) `{"type": "`+probs.V2ErrorNS+`malformed","detail": "Invalid status value","status": 400}`)
@ -2011,7 +2011,7 @@ func TestDeactivateAuthorization(t *testing.T) {
_, _, body = signRequestKeyID(t, 1, nil, "http://localhost/1", payload, wfe.nonceService) _, _, body = signRequestKeyID(t, 1, nil, "http://localhost/1", payload, wfe.nonceService)
request = makePostRequestWithPath("1", body) request = makePostRequestWithPath("1", body)
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, request) wfe.Authorization(ctx, newRequestEvent(), responseWriter, request)
test.AssertUnmarshaledEquals(t, test.AssertUnmarshaledEquals(t,
responseWriter.Body.String(), responseWriter.Body.String(),
`{ `{
@ -3071,13 +3071,13 @@ func TestMandatoryPOSTAsGET(t *testing.T) {
// GET requests to a mocked authorization path should return an error // GET requests to a mocked authorization path should return an error
name: "GET Authz", name: "GET Authz",
path: "1", path: "1",
handler: wfe.AuthorizationV2, handler: wfe.Authorization,
}, },
{ {
// GET requests to a mocked challenge path should return an error // GET requests to a mocked challenge path should return an error
name: "GET Chall", name: "GET Chall",
path: "1/-ZfxEw", path: "1/-ZfxEw",
handler: wfe.ChallengeV2, handler: wfe.Challenge,
}, },
{ {
// GET requests to a mocked certificate serial path should return an error // GET requests to a mocked certificate serial path should return an error
@ -3097,7 +3097,7 @@ func TestMandatoryPOSTAsGET(t *testing.T) {
} }
} }
func TestGetChallengeV2UpRel(t *testing.T) { func TestGetChallengeUpRel(t *testing.T) {
if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") { if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") {
return return
} }
@ -3111,7 +3111,7 @@ func TestGetChallengeV2UpRel(t *testing.T) {
test.AssertNotError(t, err, "Could not make NewRequest") test.AssertNotError(t, err, "Could not make NewRequest")
req.URL.Path = "1/-ZfxEw" req.URL.Path = "1/-ZfxEw"
wfe.ChallengeV2(ctx, newRequestEvent(), resp, req) wfe.Challenge(ctx, newRequestEvent(), resp, req)
test.AssertEquals(t, test.AssertEquals(t,
resp.Code, resp.Code,
http.StatusOK) http.StatusOK)