From 8cd74bf766433143af58acf325eb495a9ea8dd2a Mon Sep 17 00:00:00 2001 From: Patrick Figel Date: Tue, 12 Jul 2016 21:18:22 +0200 Subject: [PATCH] Make (pending)AuthorizationLifetime configurable (#2028) Introduces the `authorizationLifetimeDays` and `pendingAuthorizationLifetimeDays` configuration options for `RA`. If the values are missing from configuration, the code defaults back to the current values (300/7 days). fixes #2024 --- cmd/boulder-ra/main.go | 27 ++++++++++++++++++++++++++- ra/ra.go | 17 ++++------------- ra/ra_test.go | 2 +- test/config-next/ra.json | 2 ++ wfe/wfe_test.go | 4 +++- 5 files changed, 36 insertions(+), 16 deletions(-) diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go index 29e36e479..c219ee562 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go @@ -50,6 +50,17 @@ type config struct { // instructs the RA to reuse the previously created authz in lieu of // creating another. ReuseValidAuthz bool + + // AuthorizationLifetimeDays defines how long authorizations will be + // considered valid for. Given a value of 300 days when used with a 90-day + // cert lifetime, this allows creation of certs that will cover a whole + // year, plus a grace period of a month. + AuthorizationLifetimeDays int + + // PendingAuthorizationLifetimeDays defines how long authorizations may be in + // the pending state. If you can't respond to a challenge this quickly, then + // you need to request a new challenge. + PendingAuthorizationLifetimeDays int } AllowedSigningAlgos *cmd.AllowedSigningAlgos @@ -116,6 +127,18 @@ func main() { sac, err := rpc.NewStorageAuthorityClient(clientName, amqpConf, stats) cmd.FailOnError(err, "Unable to create SA client") + // TODO(patf): remove once RA.authorizationLifetimeDays is deployed + authorizationLifetime := 300 * 24 * time.Hour + if c.RA.AuthorizationLifetimeDays != 0 { + authorizationLifetime = time.Duration(c.RA.AuthorizationLifetimeDays) * 24 * time.Hour + } + + // TODO(patf): remove once RA.pendingAuthorizationLifetimeDays is deployed + pendingAuthorizationLifetime := 7 * 24 * time.Hour + if c.RA.PendingAuthorizationLifetimeDays != 0 { + pendingAuthorizationLifetime = time.Duration(c.RA.PendingAuthorizationLifetimeDays) * 24 * time.Hour + } + rai := ra.NewRegistrationAuthorityImpl( clock.Default(), logger, @@ -124,7 +147,9 @@ func main() { c.AllowedSigningAlgos.KeyPolicy(), c.RA.MaxNames, c.RA.DoNotForceCN, - c.RA.ReuseValidAuthz) + c.RA.ReuseValidAuthz, + authorizationLifetime, + pendingAuthorizationLifetime) policyErr := rai.SetRateLimitPoliciesFile(c.RA.RateLimitPoliciesFilename) cmd.FailOnError(policyErr, "Couldn't load rate limit policies file") diff --git a/ra/ra.go b/ra/ra.go index 1b868996b..06c7bec4f 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -30,17 +30,6 @@ import ( vaPB "github.com/letsencrypt/boulder/va/proto" ) -// DefaultAuthorizationLifetime is the 10 month default authorization lifetime. -// When used with a 90-day cert lifetime, this allows creation of certs that will -// cover a whole year, plus a grace period of a month. -// TODO(jsha): Read from a config file. -const DefaultAuthorizationLifetime = 300 * 24 * time.Hour - -// DefaultPendingAuthorizationLifetime is one week. If you can't respond to a -// challenge this quickly, then you need to request a new challenge. -// TODO(rlb): Read from a config file -const DefaultPendingAuthorizationLifetime = 7 * 24 * time.Hour - // Note: the issuanceExpvar must be a global. If it is a member of the RA, or // initialized with everything else in NewRegistrationAuthority() then multiple // invocations of the constructor (e.g from unit tests) will panic with a "Reuse @@ -89,14 +78,16 @@ func NewRegistrationAuthorityImpl( maxNames int, forceCNFromSAN bool, reuseValidAuthz bool, + authorizationLifetime time.Duration, + pendingAuthorizationLifetime time.Duration, ) *RegistrationAuthorityImpl { scope := metrics.NewStatsdScope(stats, "RA") ra := &RegistrationAuthorityImpl{ stats: stats, clk: clk, log: logger, - authorizationLifetime: DefaultAuthorizationLifetime, - pendingAuthorizationLifetime: DefaultPendingAuthorizationLifetime, + authorizationLifetime: authorizationLifetime, + pendingAuthorizationLifetime: pendingAuthorizationLifetime, rlPolicies: ratelimit.New(), tiMu: new(sync.RWMutex), maxContactsPerReg: maxContactsPerReg, diff --git a/ra/ra_test.go b/ra/ra_test.go index 9166a0757..2aaf490d4 100644 --- a/ra/ra_test.go +++ b/ra/ra_test.go @@ -241,7 +241,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut ra := NewRegistrationAuthorityImpl(fc, log, stats, - 1, testKeyPolicy, 0, true, false) + 1, testKeyPolicy, 0, true, false, 300*24*time.Hour, 7*24*time.Hour) ra.SA = ssa ra.VA = va ra.CA = ca diff --git a/test/config-next/ra.json b/test/config-next/ra.json index 792dc644d..b262d9dd8 100644 --- a/test/config-next/ra.json +++ b/test/config-next/ra.json @@ -9,6 +9,8 @@ "maxNames": 1000, "doNotForceCN": true, "reuseValidAuthz": true, + "authorizationLifetimeDays": 300, + "pendingAuthorizationLifetimeDays": 7, "vaService": { "serverAddresses": ["boulder:9092"], "serverIssuerPath": "test/grpc-creds/ca.pem", diff --git a/wfe/wfe_test.go b/wfe/wfe_test.go index 5fad3bc3a..8de1ca2ae 100644 --- a/wfe/wfe_test.go +++ b/wfe/wfe_test.go @@ -623,7 +623,9 @@ func TestIssueCertificate(t *testing.T) { testKeyPolicy, 0, true, - false) + false, + 300*24*time.Hour, + 7*24*time.Hour) ra.SA = mocks.NewStorageAuthority(fc) ra.CA = &mocks.MockCA{ PEM: mockCertPEM,