Add GREASE to directory (#2731)

Randomly generates and adds a key to the directory object with the value grease. Fixes #2415.
2017-05-08 14:13:35 -07:00 · 2017-05-08 14:13:35 -07:00 · 730318a755
parent 47452d6c6c
commit 730318a755
4 changed files with 18 additions and 3 deletions
--- a/features/featureflag_string.go
+++ b/features/featureflag_string.go
@ -4,9 +4,9 @@ package features

 import "fmt"

-const _FeatureFlag_name = "unusedIDNASupportAllowAccountDeactivationAllowKeyRolloverResubmitMissingSCTsOnlyGoogleSafeBrowsingV4UseAIAIssuerURLAllowTLS02ChallengesGenerateOCSPEarlyCountCertificatesExactIPv6First"
+const _FeatureFlag_name = "unusedIDNASupportAllowAccountDeactivationAllowKeyRolloverResubmitMissingSCTsOnlyGoogleSafeBrowsingV4UseAIAIssuerURLAllowTLS02ChallengesGenerateOCSPEarlyCountCertificatesExactRandomDirectoryEntryIPv6First"

-var _FeatureFlag_index = [...]uint8{0, 6, 17, 41, 57, 80, 100, 115, 135, 152, 174, 183}
+var _FeatureFlag_index = [...]uint8{0, 6, 17, 41, 57, 80, 100, 115, 135, 152, 174, 194, 203}

 func (i FeatureFlag) String() string {
 	if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {
--- a/features/features.go
+++ b/features/features.go
@ -21,6 +21,7 @@ const (
 	AllowTLS02Challenges
 	GenerateOCSPEarly
 	CountCertificatesExact
+	RandomDirectoryEntry
 	IPv6First
 )

@ -36,6 +37,7 @@ var features = map[FeatureFlag]bool{
 	AllowTLS02Challenges:     false,
 	GenerateOCSPEarly:        false,
 	CountCertificatesExact:   false,
+	RandomDirectoryEntry:     false,
 	IPv6First:                false,
 }

--- a/test/config-next/wfe.json
+++ b/test/config-next/wfe.json
@ -32,7 +32,8 @@
    "features": {
      "AllowAccountDeactivation": true,
      "AllowKeyRollover": true,
-      "UseAIAIssuerURL": true
+      "UseAIAIssuerURL": true,
+      "RandomDirectoryEntry": true
    }
  },

--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@ -262,6 +262,8 @@ func (wfe *WebFrontEndImpl) relativeEndpoint(request *http.Request, endpoint str
 	return result
 }

+const randomDirKeyExplanationLink = "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
+
 func (wfe *WebFrontEndImpl) relativeDirectory(request *http.Request, directory map[string]string) ([]byte, error) {
 	// Create an empty map sized equal to the provided directory to store the
 	// relative-ized result
@ -272,6 +274,9 @@ func (wfe *WebFrontEndImpl) relativeDirectory(request *http.Request, directory m
 	// the `BaseURL`. Otherwise, prefix each endpoint using the request protocol
 	// & host.
 	for k, v := range directory {
+		if features.Enabled(features.RandomDirectoryEntry) && v == randomDirKeyExplanationLink {
+			continue
+		}
 		relativeDir[k] = wfe.relativeEndpoint(request, v)
 	}

@ -373,6 +378,13 @@ func (wfe *WebFrontEndImpl) Directory(ctx context.Context, logEvent *requestEven
 		// field on a User-Agent header that doesn't start with 'LetsEncryptPythonClient'
 		directoryEndpoints["key-change"] = rolloverPath
 	}
+	if features.Enabled(features.RandomDirectoryEntry) && !strings.HasPrefix(request.UserAgent(), "LetsEncryptPythonClient") {
+		// Add a random key to the directory in order to make sure that clients don't hardcode an
+		// expected set of keys. This ensures that we can properly extend the directory when we
+		// need to add a new endpoint or meta element. Gate on UA not being one of the pre-0.6.0
+		// Certbot clients that we know will be broken by this change.
+		directoryEndpoints[core.RandomString(8)] = randomDirKeyExplanationLink
+	}

 	response.Header().Set("Content-Type", "application/json")