Update test/config. (#4923)

This copies over a number of features flags and other settings from
test/config-next that have been applied in prod.

Also, remove the config-next gate on various tests.

cmd/ocsp-updater/main_test.go

@@ -9,8 +9,6 @@ import (
 	"errors"
 	"fmt"
 	"math/big"
-	"os"
-	"strings"
 	"testing"
 	"time"
 
@@ -424,10 +422,6 @@ func (ca *mockOCSPRecordIssuer) GenerateOCSP(_ context.Context, req *caPB.Genera
 }
 
 func TestIssuerInfo(t *testing.T) {
-	if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") {
-		return
-	}
-
 	updater, sa, _, fc, cleanUp := setup(t)
 	defer cleanUp()
 	m := mockOCSPRecordIssuer{}

sa/database_test.go

@@ -3,7 +3,6 @@ package sa
 import (
 	"database/sql"
 	"errors"
-	"os"
 	"strings"
 	"testing"
 
@@ -102,14 +101,6 @@ func TestTimeouts(t *testing.T) {
 // databases that have auto_increment columns use BIGINT for the data type. Our
 // data is too big for INT.
 func TestAutoIncrementSchema(t *testing.T) {
-	// TODO(@cpu): Delete this conditional exit when the following migrations have
-	// moved from sa/_db-next to sa/_db:
-	//  * 20191129164412_RemoveOCSPResponses.sql
-	//  * 20191118124728_FixFQDNSetsAndIssuedNamesID.sql
-	if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") {
-		return
-	}
-
 	dbMap, err := NewDbMap(vars.DBInfoSchemaRoot, 1)
 	test.AssertNotError(t, err, "unexpected err making NewDbMap")
 

test/config-next/notify-mailer.json

@@ -7,8 +7,8 @@
     "dbConnectFile": "test/secrets/mailer_dburl",
     "maxDBConns": 10
   },
-   "syslog": {
+  "syslog": {
     "stdoutLevel": 7,
     "syslogLevel": 7
-   }
+  }
 }

test/config/bad-key-revoker.json

@@ -0,0 +1,33 @@
+{
+    "BadKeyRevoker": {
+        "dbConnectFile": "test/secrets/badkeyrevoker_dburl",
+        "maxDBConns": 10,
+        "debugAddr": ":8020",
+        "tls": {
+            "caCertFile": "test/grpc-creds/minica.pem",
+            "certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem",
+            "keyFile": "test/grpc-creds/bad-key-revoker.boulder/key.pem"
+        },
+        "raService": {
+            "serverAddress": "ra.boulder:9094",
+            "timeout": "15s"
+        },
+        "mailer": {
+            "server": "localhost",
+            "port": "9380",
+            "username": "cert-manager@example.com",
+            "from": "bad key revoker <test@example.com>",
+            "passwordFile": "test/secrets/smtp_password",
+            "SMTPTrustedRootFile": "test/mail-test-srv/minica.pem",
+            "emailSubject": "Certificates you've issued have been revoked due to key compromise",
+            "emailTemplate": "test/example-bad-key-revoker-template"
+        },
+        "maximumRevocations": 15,
+        "findCertificatesBatchSize": 10,
+        "interval": "1s"
+    },
+    "syslog": {
+        "stdoutlevel": 6,
+        "sysloglevel": 4
+    }
+}

test/config/ca-a.json

@@ -5,6 +5,7 @@
     "ecdsaProfile": "ecdsaEE",
     "debugAddr": ":8001",
     "weakKeyFile": "test/example-weak-keys.json",
+    "blockedKeyFile": "test/example-blocked-keys.yaml",
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/ca.boulder/cert.pem",
@@ -67,9 +68,6 @@
                 "Qualifiers": [ {
                   "type": "id-qt-cps",
                   "value": "http://example.com/cps"
-                }, {
-                  "type": "id-qt-unotice",
-                  "value": "Do What Thou Wilt"
                 } ]
               }
             ],
@@ -139,6 +137,7 @@
     "maxConcurrentRPCServerRequests": 100000,
     "orphanQueueDir": "/tmp/orphaned-certificates-a",
     "features": {
+      "StoreIssuerInfo": true
     }
   },
 

test/config/ca-b.json

@@ -5,6 +5,7 @@
     "ecdsaProfile": "ecdsaEE",
     "debugAddr": ":8001",
     "weakKeyFile": "test/example-weak-keys.json",
+    "blockedKeyFile": "test/example-blocked-keys.yaml",
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/ca.boulder/cert.pem",
@@ -68,9 +69,6 @@
                 "Qualifiers": [ {
                   "type": "id-qt-cps",
                   "value": "http://example.com/cps"
-                }, {
-                  "type": "id-qt-unotice",
-                  "value": "Do What Thou Wilt"
                 } ]
               }
             ],
@@ -140,6 +138,7 @@
     "maxConcurrentRPCServerRequests": 100000,
     "orphanQueueDir": "/tmp/orphaned-certificates-b",
     "features": {
+      "StoreIssuerInfo": true
     }
   },
 

test/config/janitor.json

@@ -29,6 +29,14 @@
         "workSleep": "500ms",
         "parallelism": 2,
         "maxDPS": 50
+    },
+    "orders": {
+        "enabled": true,
+        "gracePeriod": "2184h",
+        "batchSize": 100,
+        "workSleep": "500ms",
+        "parallelism": 2,
+        "maxDPS": 50
     }
   }
 }

test/config/ocsp-responder.json

@@ -5,8 +5,10 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "maxAge": "10s",
+    "timeout": "4.9s",
     "shutdownStopTimeout": "10s",
-    "debugAddr": ":8005"
+    "debugAddr": ":8005",
+    "requiredSerialPrefixes": ["ff"]
   },
 
   "syslog": {

test/config/ocsp-updater.json

@@ -26,6 +26,7 @@
       "timeout": "15s"
     },
     "features": {
+      "StoreIssuerInfo": true
     }
   },
 

test/config/publisher.json

@@ -1,6 +1,7 @@
 {
   "publisher": {
     "userAgent": "boulder/1.0",
+    "blockProfileRate": 1000000000,
     "maxConcurrentRPCServerRequests": 100000,
     "submissionTimeout": "5s",
     "debugAddr": ":8009",

test/config/ra.json

@@ -10,6 +10,7 @@
     "authorizationLifetimeDays": 30,
     "pendingAuthorizationLifetimeDays": 7,
     "weakKeyFile": "test/example-weak-keys.json",
+    "blockedKeyFile": "test/example-blocked-keys.yaml",
     "orderLifetime": "168h",
     "issuerCertPath":  "/tmp/intermediate-cert-rsa-a.pem",
     "tls": {
@@ -41,10 +42,12 @@
       "address": ":9094",
       "clientNames": [
         "wfe.boulder",
-        "admin-revoker.boulder"
+        "admin-revoker.boulder",
+        "bad-key-revoker.boulder"
       ]
     },
     "features": {
+      "StoreRevokerInfo": true
     },
     "CTLogGroups2": [
       {

test/config/sa.json

@@ -24,7 +24,9 @@
       ]
     },
     "features": {
-      "WriteIssuedNamesPrecert": true
+      "StoreIssuerInfo": true,
+      "StoreKeyHashes": true,
+      "StoreRevokerInfo": true
     }
   },
 

test/config/va-remote-a.json

@@ -30,7 +30,8 @@
       "CAAAccountURI": true
     },
     "accountURIPrefixes": [
-      "http://boulder:4000/acme/reg/"
+      "http://boulder:4000/acme/reg/",
+      "http://boulder:4001/acme/acct/"
     ]
   },
 

test/config/va-remote-b.json

@@ -30,7 +30,8 @@
       "CAAAccountURI": true
     },
     "accountURIPrefixes": [
-      "http://boulder:4000/acme/reg/"
+      "http://boulder:4000/acme/reg/",
+      "http://boulder:4001/acme/acct/"
     ]
   },
 

test/config/wfe.json

@@ -10,6 +10,7 @@
     "debugAddr": ":8000",
     "directoryCAAIdentity": "happy-hacker-ca.invalid",
     "directoryWebsite": "https://github.com/letsencrypt/boulder",
+    "blockedKeyFile": "test/example-blocked-keys.yaml",
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/wfe.boulder/cert.pem",
@@ -23,7 +24,22 @@
       "serverAddress": "sa.boulder:9095",
       "timeout": "15s"
     },
+    "getNonceService": {
+      "serverAddress": "nonce.boulder:9101",
+      "timeout": "15s"
+    },
+    "redeemNonceServices": {
+      "taro": {
+        "serverAddress": "nonce1.boulder:9101",
+        "timeout": "15s"
+      },
+      "zinc": {
+        "serverAddress": "nonce2.boulder:9101",
+        "timeout": "15s"
+      }
+    },
     "features": {
+      "StripDefaultSchemePort": true
     }
   },
 

test/config/wfe2.json

@@ -11,6 +11,7 @@
     "directoryCAAIdentity": "happy-hacker-ca.invalid",
     "directoryWebsite": "https://github.com/letsencrypt/boulder",
     "legacyKeyIDPrefix": "http://boulder:4000/reg/",
+    "blockedKeyFile": "test/example-blocked-keys.yaml",
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/wfe.boulder/cert.pem",
@@ -24,11 +25,30 @@
       "serverAddress": "sa.boulder:9095",
       "timeout": "15s"
     },
+    "getNonceService": {
+      "serverAddress": "nonce.boulder:9101",
+      "timeout": "15s"
+    },
+    "redeemNonceServices": {
+      "taro": {
+        "serverAddress": "nonce1.boulder:9101",
+        "timeout": "15s"
+      },
+      "zinc": {
+        "serverAddress": "nonce2.boulder:9101",
+        "timeout": "15s"
+      }
+    },
     "certificateChains": {
       "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
       "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
     },
+    "staleTimeout": "5m",
+    "authorizationLifetimeDays": 30,
+    "pendingAuthorizationLifetimeDays": 7,
     "features": {
+      "PrecertificateRevocation": true,
+      "StripDefaultSchemePort": true
     }
   },
 

test/integration/revocation_test.go

@@ -36,11 +36,6 @@ func isPrecert(cert *x509.Certificate) bool {
 // authentication mechansims.
 func TestPrecertificateRevocation(t *testing.T) {
 	t.Parallel()
-	// This test is gated on the PrecertificateRevocation feature flag.
-	if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") {
-		return
-	}
-
 	// Create a base account to use for revocation tests.
 	os.Setenv("DIRECTORY", "http://boulder:4001/directory")
 	c, err := makeClient("mailto:example@letsencrypt.org")
@@ -145,10 +140,6 @@ func TestPrecertificateRevocation(t *testing.T) {
 
 func TestRevokeWithKeyCompromise(t *testing.T) {
 	t.Parallel()
-	if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") {
-		return
-	}
-
 	os.Setenv("DIRECTORY", "http://boulder:4001/directory")
 	c, err := makeClient("mailto:example@letsencrypt.org")
 	test.AssertNotError(t, err, "creating acme client")
@@ -183,10 +174,6 @@ func TestRevokeWithKeyCompromise(t *testing.T) {
 
 func TestBadKeyRevoker(t *testing.T) {
 	t.Parallel()
-	if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") {
-		return
-	}
-
 	os.Setenv("DIRECTORY", "http://boulder:4001/directory")
 	cA, err := makeClient("mailto:bad-key-revoker-revoker@letsencrypt.org", "mailto:bad-key-revoker-revoker-2@letsencrypt.org")
 	test.AssertNotError(t, err, "creating acme client")

test/startservers.py

@@ -65,11 +65,8 @@ def start(race_detection, fakeclock):
     # before any services that intend to send it RPCs. On shutdown they will be
     # killed in reverse order.
     progs = []
-    if CONFIG_NEXT:
-        progs.extend([
-            [8020, './bin/bad-key-revoker --config %s' % os.path.join(config_dir, "bad-key-revoker.json")],
-        ])
     progs.extend([
+        [8020, './bin/bad-key-revoker --config %s' % os.path.join(config_dir, "bad-key-revoker.json")],
         [8011, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-a.json")],
         [8012, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-b.json")],
         [53, './bin/sd-test-srv --listen :53'], # Service discovery DNS server

wfe/wfe_test.go

@@ -15,7 +15,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
-	"os"
 	"sort"
 	"strconv"
 	"strings"
@@ -1096,10 +1095,6 @@ func TestGetChallenge(t *testing.T) {
 }
 
 func TestGetChallengeV2UpRel(t *testing.T) {
-	if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") {
-		return
-	}
-
 	wfe, _ := setupWFE(t)
 
 	challengeURL := "http://localhost/acme/chall-v3/1/-ZfxEw"

wfe2/wfe_test.go

@@ -18,7 +18,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
-	"os"
 	"sort"
 	"strconv"
 	"strings"
@@ -3191,10 +3190,6 @@ func TestMandatoryPOSTAsGET(t *testing.T) {
 }
 
 func TestGetChallengeUpRel(t *testing.T) {
-	if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") {
-		return
-	}
-
 	wfe, _ := setupWFE(t)
 
 	challengeURL := "http://localhost/acme/chall-v3/1/-ZfxEw"