From 56d581613c0374503902c051339cb6a179b51192 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Wed, 1 Jul 2020 17:59:14 -0700
Subject: [PATCH] Update test/config. (#4923) This copies over a number of features flags and other settings from test/config-next that have been applied in prod. Also, remove the config-next gate on various tests.
---
cmd/ocsp-updater/main_test.go | 6 ------
sa/database_test.go | 9 --------
test/config-next/notify-mailer.json | 4 ++--
test/config/bad-key-revoker.json | 33 +++++++++++++++++++++++++++++
test/config/ca-a.json | 5 ++---
test/config/ca-b.json | 5 ++---
test/config/janitor.json | 8 +++++++
test/config/ocsp-responder.json | 4 +++-
test/config/ocsp-updater.json | 1 +
test/config/publisher.json | 1 +
test/config/ra.json | 5 ++++-
test/config/sa.json | 4 +++-
test/config/va-remote-a.json | 3 ++-
test/config/va-remote-b.json | 3 ++-
test/config/wfe.json | 16 ++++++++++++++
test/config/wfe2.json | 20 +++++++++++++++++
test/integration/revocation_test.go | 13 ------------
test/startservers.py | 5 +----
wfe/wfe_test.go | 5 -----
wfe2/wfe_test.go | 5 -----
20 files changed, 100 insertions(+), 55 deletions(-)
create mode 100644 test/config/bad-key-revoker.json
diff --git a/cmd/ocsp-updater/main_test.go b/cmd/ocsp-updater/main_test.go
index 8f5d87843..95f9441f5 100644
--- a/cmd/ocsp-updater/main_test.go
+++ b/cmd/ocsp-updater/main_test.go
@@ -9,8 +9,6 @@ import ( "errors" "fmt" "math/big" - "os" - "strings" "testing" "time"
@@ -424,10 +422,6 @@ func (ca *mockOCSPRecordIssuer) GenerateOCSP(_ context.Context, req *caPB.Genera } func TestIssuerInfo(t *testing.T) { - if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") { - return - } - updater, sa, _, fc, cleanUp := setup(t) defer cleanUp() m := mockOCSPRecordIssuer{}
diff --git a/sa/database_test.go b/sa/database_test.go
index dc3f04e28..76da9d5f7 100644
--- a/sa/database_test.go
+++ b/sa/database_test.go
@@ -3,7 +3,6 @@ package sa import ( "database/sql" "errors" - "os" "strings" "testing"
@@ -102,14 +101,6 @@ func TestTimeouts(t *testing.T) { // databases that have auto_increment columns use BIGINT for the data type. Our // data is too big for INT. func TestAutoIncrementSchema(t *testing.T) { - // TODO(@cpu): Delete this conditional exit when the following migrations have - // moved from sa/_db-next to sa/_db: - // * 20191129164412_RemoveOCSPResponses.sql - // * 20191118124728_FixFQDNSetsAndIssuedNamesID.sql - if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") { - return - } - dbMap, err := NewDbMap(vars.DBInfoSchemaRoot, 1) test.AssertNotError(t, err, "unexpected err making NewDbMap")
diff --git a/test/config-next/notify-mailer.json b/test/config-next/notify-mailer.json
index f4fa96f39..73864aeb5 100644
--- a/test/config-next/notify-mailer.json
+++ b/test/config-next/notify-mailer.json
@@ -7,8 +7,8 @@ "dbConnectFile": "test/secrets/mailer_dburl", "maxDBConns": 10 }, - "syslog": { + "syslog": { "stdoutLevel": 7, "syslogLevel": 7 - } + } }
diff --git a/test/config/bad-key-revoker.json b/test/config/bad-key-revoker.json
new file mode 100644
index 000000000..482fd85fc
--- /dev/null
+++ b/test/config/bad-key-revoker.json
@@ -0,0 +1,33 @@
+{
+ "BadKeyRevoker": {
+ "dbConnectFile": "test/secrets/badkeyrevoker_dburl",
+ "maxDBConns": 10,
+ "debugAddr": ":8020",
+ "tls": {
+ "caCertFile": "test/grpc-creds/minica.pem",
+ "certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem",
+ "keyFile": "test/grpc-creds/bad-key-revoker.boulder/key.pem"
+ },
+ "raService": {
+ "serverAddress": "ra.boulder:9094",
+ "timeout": "15s"
+ },
+ "mailer": {
+ "server": "localhost",
+ "port": "9380",
+ "username": "cert-manager@example.com",
+ "from": "bad key revoker ",
+ "passwordFile": "test/secrets/smtp_password",
+ "SMTPTrustedRootFile": "test/mail-test-srv/minica.pem",
+ "emailSubject": "Certificates you've issued have been revoked due to key compromise",
+ "emailTemplate": "test/example-bad-key-revoker-template"
+ },
+ "maximumRevocations": 15,
+ "findCertificatesBatchSize": 10,
+ "interval": "1s"
+ },
+ "syslog": {
+ "stdoutlevel": 6,
+ "sysloglevel": 4
+ }
+}
diff --git a/test/config/ca-a.json b/test/config/ca-a.json
index be064a52e..729a1d4ca 100644
--- a/test/config/ca-a.json
+++ b/test/config/ca-a.json
@@ -5,6 +5,7 @@ "ecdsaProfile": "ecdsaEE", "debugAddr": ":8001", "weakKeyFile": "test/example-weak-keys.json", + "blockedKeyFile": "test/example-blocked-keys.yaml", "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/ca.boulder/cert.pem",
@@ -67,9 +68,6 @@ "Qualifiers": [ { "type": "id-qt-cps", "value": "http://example.com/cps" - }, { - "type": "id-qt-unotice", - "value": "Do What Thou Wilt" } ] } ],
@@ -139,6 +137,7 @@ "maxConcurrentRPCServerRequests": 100000, "orphanQueueDir": "/tmp/orphaned-certificates-a", "features": { + "StoreIssuerInfo": true } },
diff --git a/test/config/ca-b.json b/test/config/ca-b.json
index ed2498f1a..c18ed2057 100644
--- a/test/config/ca-b.json
+++ b/test/config/ca-b.json
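Review bot: In the new test/config/bad-key-revoker.json the `syslog` block spells its keys `stdoutlevel` and `sysloglevel`, while the notify-mailer.json hunk in this same patch uses `stdoutLevel` and `syslogLevel`. If the file is decoded with Go's encoding/json the lowercase form still matches, because key matching falls back to case-insensitive, but a stricter decoder or a search for the camelCase name would miss it, and the log levels of the component that performs key-compromise revocations should be easy to audit. I would write `"stdoutLevel": 6,` and `"syslogLevel": 4` here. Separately, the `from` value reads `bad key revoker ` with no address as shown on this page; confirm the committed file carries a full sender address.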
@@ -5,6 +5,7 @@ "ecdsaProfile": "ecdsaEE", "debugAddr": ":8001", "weakKeyFile": "test/example-weak-keys.json", + "blockedKeyFile": "test/example-blocked-keys.yaml", "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/ca.boulder/cert.pem",
@@ -68,9 +69,6 @@ "Qualifiers": [ { "type": "id-qt-cps", "value": "http://example.com/cps" - }, { - "type": "id-qt-unotice", - "value": "Do What Thou Wilt" } ] } ],
@@ -140,6 +138,7 @@ "maxConcurrentRPCServerRequests": 100000, "orphanQueueDir": "/tmp/orphaned-certificates-b", "features": { + "StoreIssuerInfo": true } },
diff --git a/test/config/janitor.json b/test/config/janitor.json
index 3c2a91d21..b0af886e6 100644
--- a/test/config/janitor.json
+++ b/test/config/janitor.json
@@ -29,6 +29,14 @@ "workSleep": "500ms", "parallelism": 2, "maxDPS": 50 + }, + "orders": { + "enabled": true, + "gracePeriod": "2184h", + "batchSize": 100, + "workSleep": "500ms", + "parallelism": 2, + "maxDPS": 50 } } }
diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
index 31d793740..86248cf5e 100644
--- a/test/config/ocsp-responder.json
+++ b/test/config/ocsp-responder.json
@@ -5,8 +5,10 @@ "path": "/", "listenAddress": "0.0.0.0:4002", "maxAge": "10s", + "timeout": "4.9s", "shutdownStopTimeout": "10s", - "debugAddr": ":8005" + "debugAddr": ":8005", + "requiredSerialPrefixes": ["ff"] }, "syslog": {
diff --git a/test/config/ocsp-updater.json b/test/config/ocsp-updater.json
index 115b881a5..e9fcc3976 100644
--- a/test/config/ocsp-updater.json
+++ b/test/config/ocsp-updater.json
@@ -26,6 +26,7 @@ "timeout": "15s" }, "features": { + "StoreIssuerInfo": true } },
diff --git a/test/config/publisher.json b/test/config/publisher.json
index f9adc513b..649a99ced 100644
--- a/test/config/publisher.json
+++ b/test/config/publisher.json
@@ -1,6 +1,7 @@ { "publisher": { "userAgent": "boulder/1.0", + "blockProfileRate": 1000000000, "maxConcurrentRPCServerRequests": 100000, "submissionTimeout": "5s", "debugAddr": ":8009",
diff --git a/test/config/ra.json b/test/config/ra.json
index dcec1fd7f..46350be98 100644
--- a/test/config/ra.json
+++ b/test/config/ra.json
@@ -10,6 +10,7 @@ "authorizationLifetimeDays": 30, "pendingAuthorizationLifetimeDays": 7, "weakKeyFile": "test/example-weak-keys.json", + "blockedKeyFile": "test/example-blocked-keys.yaml", "orderLifetime": "168h", "issuerCertPath": "/tmp/intermediate-cert-rsa-a.pem", "tls": {
@@ -41,10 +42,12 @@ "address": ":9094", "clientNames": [ "wfe.boulder", - "admin-revoker.boulder" + "admin-revoker.boulder", + "bad-key-revoker.boulder" ] }, "features": { + "StoreRevokerInfo": true }, "CTLogGroups2": [ {
diff --git a/test/config/sa.json b/test/config/sa.json
index 713a09cf2..bab9c7e3d 100644
--- a/test/config/sa.json
+++ b/test/config/sa.json
@@ -24,7 +24,9 @@ ] }, "features": { - "WriteIssuedNamesPrecert": true + "StoreIssuerInfo": true, + "StoreKeyHashes": true, + "StoreRevokerInfo": true } },
diff --git a/test/config/va-remote-a.json b/test/config/va-remote-a.json
index 1565fb3c6..70d87265d 100644
--- a/test/config/va-remote-a.json
+++ b/test/config/va-remote-a.json
@@ -30,7 +30,8 @@ "CAAAccountURI": true }, "accountURIPrefixes": [ - "http://boulder:4000/acme/reg/" + "http://boulder:4000/acme/reg/", + "http://boulder:4001/acme/acct/" ] },
diff --git a/test/config/va-remote-b.json b/test/config/va-remote-b.json
index dd06a7c64..717897294 100644
--- a/test/config/va-remote-b.json
+++ b/test/config/va-remote-b.json
@@ -30,7 +30,8 @@ "CAAAccountURI": true }, "accountURIPrefixes": [ - "http://boulder:4000/acme/reg/" + "http://boulder:4000/acme/reg/", + "http://boulder:4001/acme/acct/" ] },
diff --git a/test/config/wfe.json b/test/config/wfe.json
index 36f52f009..51c00c382 100644
--- a/test/config/wfe.json
+++ b/test/config/wfe.json
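Review bot: The second ra.json hunk adds `bad-key-revoker.boulder` to the RA gRPC `clientNames` allowlist, and nothing visible here narrows what that identity may call. If the allowlist is checked per listener rather than per method (not shown in this patch), the new client can reach every RA RPC on `:9094`, not only the revocation call it presumably needs. JSON cannot carry a comment, so I would record in the commit description which RA method bad-key-revoker uses, and that `test/grpc-creds/bad-key-revoker.boulder/cert.pem` is issued for that single name only.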
@@ -10,6 +10,7 @@ "debugAddr": ":8000", "directoryCAAIdentity": "happy-hacker-ca.invalid", "directoryWebsite": "https://github.com/letsencrypt/boulder", + "blockedKeyFile": "test/example-blocked-keys.yaml", "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/wfe.boulder/cert.pem",
@@ -23,7 +24,22 @@ "serverAddress": "sa.boulder:9095", "timeout": "15s" }, + "getNonceService": { + "serverAddress": "nonce.boulder:9101", + "timeout": "15s" + }, + "redeemNonceServices": { + "taro": { + "serverAddress": "nonce1.boulder:9101", + "timeout": "15s" + }, + "zinc": { + "serverAddress": "nonce2.boulder:9101", + "timeout": "15s" + } + }, "features": { + "StripDefaultSchemePort": true } },
diff --git a/test/config/wfe2.json b/test/config/wfe2.json
index ccdfcd4d5..76abfe832 100644
--- a/test/config/wfe2.json
+++ b/test/config/wfe2.json
@@ -11,6 +11,7 @@ "directoryCAAIdentity": "happy-hacker-ca.invalid", "directoryWebsite": "https://github.com/letsencrypt/boulder", "legacyKeyIDPrefix": "http://boulder:4000/reg/", + "blockedKeyFile": "test/example-blocked-keys.yaml", "tls": { "caCertFile": "test/grpc-creds/minica.pem", "certFile": "test/grpc-creds/wfe.boulder/cert.pem",
@@ -24,11 +25,30 @@ "serverAddress": "sa.boulder:9095", "timeout": "15s" }, + "getNonceService": { + "serverAddress": "nonce.boulder:9101", + "timeout": "15s" + }, + "redeemNonceServices": { + "taro": { + "serverAddress": "nonce1.boulder:9101", + "timeout": "15s" + }, + "zinc": { + "serverAddress": "nonce2.boulder:9101", + "timeout": "15s" + } + }, "certificateChains": { "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ], "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ] }, + "staleTimeout": "5m", + "authorizationLifetimeDays": 30, + "pendingAuthorizationLifetimeDays": 7, "features": { + "PrecertificateRevocation": true, + "StripDefaultSchemePort": true } },
diff --git a/test/integration/revocation_test.go b/test/integration/revocation_test.go
index 34627d0ce..a87c6103a 100644
--- a/test/integration/revocation_test.go
+++ b/test/integration/revocation_test.go
@@ -36,11 +36,6 @@ func isPrecert(cert *x509.Certificate) bool { // authentication mechansims. func TestPrecertificateRevocation(t *testing.T) { t.Parallel() - // This test is gated on the PrecertificateRevocation feature flag. - if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") { - return - } - // Create a base account to use for revocation tests. os.Setenv("DIRECTORY", "http://boulder:4001/directory") c, err := makeClient("mailto:example@letsencrypt.org")
@@ -145,10 +140,6 @@ func TestPrecertificateRevocation(t *testing.T) { func TestRevokeWithKeyCompromise(t *testing.T) { t.Parallel() - if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") { - return - } - os.Setenv("DIRECTORY", "http://boulder:4001/directory") c, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client")
@@ -183,10 +174,6 @@ func TestRevokeWithKeyCompromise(t *testing.T) { func TestBadKeyRevoker(t *testing.T) { t.Parallel() - if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") { - return - } - os.Setenv("DIRECTORY", "http://boulder:4001/directory") cA, err := makeClient("mailto:bad-key-revoker-revoker@letsencrypt.org", "mailto:bad-key-revoker-revoker-2@letsencrypt.org") test.AssertNotError(t, err, "creating acme client")
diff --git a/test/startservers.py b/test/startservers.py
index 541c16a82..f9ed5faca 100644
--- a/test/startservers.py
+++ b/test/startservers.py
@@ -65,11 +65,8 @@ def start(race_detection, fakeclock): # before any services that intend to send it RPCs. On shutdown they will be # killed in reverse order. progs = [] - if CONFIG_NEXT: - progs.extend([ - [8020, './bin/bad-key-revoker --config %s' % os.path.join(config_dir, "bad-key-revoker.json")], - ]) progs.extend([ + [8020, './bin/bad-key-revoker --config %s' % os.path.join(config_dir, "bad-key-revoker.json")], [8011, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-a.json")], [8012, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-b.json")], [53, './bin/sd-test-srv --listen :53'], # Service discovery DNS server
diff --git a/wfe/wfe_test.go b/wfe/wfe_test.go
index 04fdd7997..e4ca1cd4d 100644
--- a/wfe/wfe_test.go
+++ b/wfe/wfe_test.go
@@ -15,7 +15,6 @@ import ( "net/http" "net/http/httptest" "net/url" - "os" "sort" "strconv" "strings"
@@ -1096,10 +1095,6 @@ func TestGetChallenge(t *testing.T) { } func TestGetChallengeV2UpRel(t *testing.T) { - if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") { - return - } - wfe, _ := setupWFE(t) challengeURL := "http://localhost/acme/chall-v3/1/-ZfxEw"
diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
index 4f52aeffe..e34a8d6ac 100644
--- a/wfe2/wfe_test.go
+++ b/wfe2/wfe_test.go
@@ -18,7 +18,6 @@ import ( "net/http" "net/http/httptest" "net/url" - "os" "sort" "strconv" "strings"
@@ -3191,10 +3190,6 @@ func TestMandatoryPOSTAsGET(t *testing.T) { } func TestGetChallengeUpRel(t *testing.T) { - if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") { - return - } - wfe, _ := setupWFE(t) challengeURL := "http://localhost/acme/chall-v3/1/-ZfxEw"
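Review bot: The added `[8020, './bin/bad-key-revoker ...']` entry in the test/startservers.py hunk sits first in `progs`, but the comment above the list says a service is started before the services that send it RPCs, and the new bad-key-revoker.json points `raService` at `ra.boulder:9094`, which makes bad-key-revoker an RA client. It was first under the old `if CONFIG_NEXT:` branch too, so the ordering is inherited, but it now applies to every run; with `interval` set to `1s` it may try the RA before the RA is listening and recover only if its gRPC client retries. I would move the entry below the RA line in this list (that line is outside the hunk), or, if the retry is relied on, add `# bad-key-revoker retries its RA connection, so its start order does not matter`. The body of `start()` begins and continues outside the hunk.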