Address #4476 issues (#4504)

Addresses two issues introduced in #4476: * Keep setting the V2 field in modelToAuthzPB so RPCs returned from new components to old don't cause panics * Don't return expired orders from the SA, so that users requesting old orders that contain old style authorizations don't cause breakage in the RA
2019-10-23 13:08:32 -07:00 · 2019-10-23 13:08:32 -07:00 · 83aafd1884
parent 3175b4f9eb
commit 83aafd1884
3 changed files with 31 additions and 7 deletions
--- a/sa/model.go
+++ b/sa/model.go
@ -670,7 +670,9 @@ func modelToAuthzPB(am *authz2Model) (*corepb.Authorization, error) {
 	expires := am.Expires.UTC().UnixNano()
 	id := fmt.Sprintf("%d", am.ID)
 	status := uintToStatus[am.Status]
+	v2 := true
 	pb := &corepb.Authorization{
+		V2:             &v2,
 		Id:             &id,
 		Status:         &status,
 		Identifier:     &am.IdentifierValue,
--- a/sa/sa.go
+++ b/sa/sa.go
@ -1470,6 +1470,11 @@ func (ssa *SQLStorageAuthority) GetOrder(ctx context.Context, req *sapb.OrderReq
 	if err != nil {
 		return nil, err
 	}
+	orderExp := time.Unix(0, *order.Expires)
+	if orderExp.Before(ssa.clk.Now()) {
+		return nil, berrors.NotFoundError("no order found for ID %d", *req.Id)
+	}
+
 	v1AuthzIDs, v2AuthzIDs, err := ssa.authzForOrder(ctx, *order.Id)
 	if err != nil {
 		return nil, err
--- a/sa/sa_test.go
+++ b/sa/sa_test.go
@ -2289,13 +2289,6 @@ func TestStatusForOrder(t *testing.T) {
 			AuthorizationIDs: []string{pendingAuthz.ID, deactivatedAuthz.ID, validAuthz.ID},
 			ExpectedStatus:   string(core.StatusDeactivated),
 		},
-		{
-			Name:             "Order that has expired and references a purged expired authz",
-			OrderExpires:     alreadyExpired.UnixNano(),
-			OrderNames:       []string{"missing.your.order.is.up"},
-			AuthorizationIDs: []string{"this does not exist"},
-			ExpectedStatus:   string(core.StatusInvalid),
-		},
 		{
 			Name:             "Order with a pending authz",
 			OrderNames:       []string{"valid.your.order.is.up", "pending.your.order.is.up"},
@ -2746,7 +2739,9 @@ func TestNewAuthorizations2(t *testing.T) {
 	expires := fc.Now().Add(time.Hour).UTC().UnixNano()
 	challType := string(core.ChallengeTypeDNS01)
 	tokenA := "YXNkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+	v2 := true
 	apbA := &corepb.Authorization{
+		V2:             &v2,
 		Identifier:     &ident,
 		RegistrationID: &reg.ID,
 		Status:         &pending,
@ -2761,6 +2756,7 @@ func TestNewAuthorizations2(t *testing.T) {
 	}
 	tokenB := "ZmdoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 	apbB := &corepb.Authorization{
+		V2:             &v2,
 		Identifier:     &ident,
 		RegistrationID: &reg.ID,
 		Status:         &pending,
@ -3393,3 +3389,24 @@ func TestDisableAuthz2Orders(t *testing.T) {
 	test.AssertError(t, err, "GetOrder didn't fail with DisableAuthz2Orders enabled")
 	test.Assert(t, berrors.Is(err, berrors.NotFound), "GetOrder error was not NotFound")
 }
+
+func TestGetOrderExpired(t *testing.T) {
+	sa, fc, cleanUp := initSA(t)
+	defer cleanUp()
+
+	fc.Add(time.Hour * 5)
+	reg := satest.CreateWorkingRegistration(t, sa)
+	exp := fc.Now().Add(-time.Hour).UnixNano()
+	order, err := sa.NewOrder(context.Background(), &corepb.Order{
+		RegistrationID:   &reg.ID,
+		Expires:          &exp,
+		Names:            []string{"example.com"},
+		V2Authorizations: []int64{666},
+	})
+	test.AssertNotError(t, err, "NewOrder failed")
+	_, err = sa.GetOrder(context.Background(), &sapb.OrderRequest{
+		Id: order.Id,
+	})
+	test.AssertError(t, err, "GetOrder didn't fail for an expired order")
+	test.Assert(t, berrors.Is(err, berrors.NotFound), "GetOrder error wasn't of type NotFound")
+}