Remove common config from publisher (#5353)

The old `config.Common.CT.IntermediateBundleFilename` format is no longer used in any production configs, and can be removed safely. Part of #5162 Part of #5242 Fixes #5269
2021-03-18 16:59:06 -07:00 · 2021-03-18 16:59:06 -07:00 · 91473b384b
parent 5a92926b0c
commit 91473b384b
6 changed files with 43 additions and 126 deletions
--- a/cmd/boulder-publisher/main.go
+++ b/cmd/boulder-publisher/main.go
@ -10,7 +10,6 @@ import (
 	healthpb "google.golang.org/grpc/health/grpc_health_v1"

 	"github.com/letsencrypt/boulder/cmd"
-	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/features"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
 	"github.com/letsencrypt/boulder/issuance"
@ -36,13 +35,6 @@ type config struct {
 	}

 	Syslog cmd.SyslogConfig
-
-	// TODO(5269): Remove this after all configs have migrated to `Chains`.
-	Common struct {
-		CT struct {
-			IntermediateBundleFilename string
-		}
-	}
 }

 func main() {
@ -77,29 +69,18 @@ func main() {
 	defer logger.AuditPanic()
 	logger.Info(cmd.VersionString())

-	// TODO(5269): Refactor this after all configs have migrated to `Chains`.
-	if c.Common.CT.IntermediateBundleFilename == "" && c.Publisher.Chains == nil {
-		logger.AuditErr("No CT submission bundle file or chain files provided")
+	if c.Publisher.Chains == nil {
+		logger.AuditErr("No chain files provided")
 		os.Exit(1)
 	}

 	bundles := make(map[issuance.IssuerNameID][]ct.ASN1Cert)
-	if len(c.Publisher.Chains) > 0 {
-		for _, files := range c.Publisher.Chains {
-			chain, err := issuance.LoadChain(files)
-			cmd.FailOnError(err, "failed to load chain.")
-			issuer := chain[0]
-			id := issuer.NameID()
-			bundles[id] = publisher.GetCTBundleForChain(chain)
-		}
-	} else {
-		// TODO(5269): Remove this after all configs have migrated to
-		// `Chains`.
-		certs, err := core.LoadCertBundle(c.Common.CT.IntermediateBundleFilename)
-		cmd.FailOnError(err, "failed to load certs from PEM file")
-		issuer := &issuance.Certificate{Certificate: certs[0]}
+	for _, files := range c.Publisher.Chains {
+		chain, err := issuance.LoadChain(files)
+		cmd.FailOnError(err, "failed to load chain.")
+		issuer := chain[0]
 		id := issuer.NameID()
-		bundles[id] = publisher.GetCTBundleForCerts(certs)
+		bundles[id] = publisher.GetCTBundleForChain(chain)
 	}

 	tlsConfig, err := c.Publisher.TLS.Load()
--- a/core/util.go
+++ b/core/util.go
@ -247,37 +247,6 @@ func UniqueLowerNames(names []string) (unique []string) {
 	return
 }

-// LoadCertBundle loads a PEM bundle of certificates from disk
-func LoadCertBundle(filename string) ([]*x509.Certificate, error) {
-	bundleBytes, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return nil, err
-	}
-	var bundle []*x509.Certificate
-	var block *pem.Block
-	rest := bundleBytes
-	for {
-		block, rest = pem.Decode(rest)
-		if block == nil {
-			break
-		}
-		if block.Type != "CERTIFICATE" {
-			return nil, fmt.Errorf("Block has invalid type: %s", block.Type)
-		}
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			return nil, err
-		}
-		bundle = append(bundle, cert)
-	}
-
-	if len(bundle) == 0 {
-		return nil, fmt.Errorf("Bundle doesn't contain any certificates")
-	}
-
-	return bundle, nil
-}
-
 // LoadCert loads a PEM certificate specified by filename or returns an error
 func LoadCert(filename string) (*x509.Certificate, error) {
 	certPEM, err := ioutil.ReadFile(filename)
--- a/publisher/publisher.go
+++ b/publisher/publisher.go
@ -405,15 +405,3 @@ func GetCTBundleForChain(chain []*issuance.Certificate) []ct.ASN1Cert {
 	}
 	return ctBundle
 }
-
-// GetCTBundleForCerts takes a slice of *x509.Certificate(s)
-// representing a certificate chain and returns a slice of
-// ct.ANS1Cert(s) in the same order
-// TODO(5269): Remove this after all configs have migrated to `Chains`.
-func GetCTBundleForCerts(chain []*x509.Certificate) []ct.ASN1Cert {
-	var ctBundle []ct.ASN1Cert
-	for _, cert := range chain {
-		ctBundle = append(ctBundle, ct.ASN1Cert{Data: cert.Raw})
-	}
-	return ctBundle
-}
--- a/publisher/publisher_test.go
+++ b/publisher/publisher_test.go
@ -140,21 +140,11 @@ func setup(t *testing.T) (*Impl, *x509.Certificate, *ecdsa.PrivateKey) {
 	})
 	test.AssertNotError(t, err, "failed to load chain3.")

-	// Load our fourth chain using core.LoadCertBundle
-	// TODO(5269): Remove this after all configs have migrated to
-	// `Chains`.
-	chain4, err := core.LoadCertBundle("test/testIntermediate.pem")
-	test.AssertNotError(t, err, "failed to load chain4.")
-	chain4Issuer := issuance.Certificate{Certificate: chain4[0]}
-
 	// Create an example issuerNameID to CT bundle mapping
 	issuerBundles := map[issuance.IssuerNameID][]ct.ASN1Cert{
 		chain1[0].NameID(): GetCTBundleForChain(chain1),
 		chain2[0].NameID(): GetCTBundleForChain(chain2),
 		chain3[0].NameID(): GetCTBundleForChain(chain3),
-		// TODO(5269): Remove this after all configs have migrated to
-		// `Chains`.
-		chain4Issuer.NameID(): GetCTBundleForCerts(chain4),
 	}
 	pub := New(
 		issuerBundles,
@ -408,26 +398,3 @@ func Test_GetCTBundleForChain(t *testing.T) {
 		})
 	}
 }
-
-// TODO(5269): Remove this after all configs have migrated to `Chains`.
-func Test_GetCTBundleForBundle(t *testing.T) {
-	bundle, err := core.LoadCertBundle("test/testIntermediate.pem")
-	want := []ct.ASN1Cert{{Data: bundle[0].Raw}}
-	test.AssertNotError(t, err, "Unable to read test/testIntermediate.pem")
-	type args struct {
-		chain []*x509.Certificate
-	}
-	tests := []struct {
-		name string
-		args args
-		want []ct.ASN1Cert
-	}{
-		{"Create a ct bundle with a single intermediate", args{bundle}, want},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			bundle := GetCTBundleForCerts(tt.args.chain)
-			test.AssertDeepEquals(t, bundle, tt.want)
-		})
-	}
-}
--- a/test/config-next/publisher.json
+++ b/test/config-next/publisher.json
@ -2,23 +2,6 @@
  "publisher": {
    "userAgent": "boulder/1.0",
    "blockProfileRate": 1000000000,
-    "debugAddr": ":8009",
-    "grpc": {
-      "maxConnectionAge": "30s",
-      "address": ":9091",
-      "clientNames": [
-        "health-checker.boulder",
-        "ocsp-updater.boulder",
-        "ra.boulder"
-      ]
-    },
-    "tls": {
-      "caCertFile": "test/grpc-creds/minica.pem",
-      "certFile": "test/grpc-creds/publisher.boulder/cert.pem",
-      "keyFile": "test/grpc-creds/publisher.boulder/key.pem"
-    },
-    "features": {
-    },
    "chains": [
      [
        "/tmp/intermediate-cert-rsa-a.pem",
@ -36,7 +19,24 @@
        "/tmp/intermediate-cert-ecdsa-b.pem",
        "/tmp/root-cert-ecdsa.pem"
      ]
-    ]
+    ],
+    "debugAddr": ":8009",
+    "grpc": {
+      "maxConnectionAge": "30s",
+      "address": ":9091",
+      "clientNames": [
+        "health-checker.boulder",
+        "ocsp-updater.boulder",
+        "ra.boulder"
+      ]
+    },
+    "tls": {
+      "caCertFile": "test/grpc-creds/minica.pem",
+      "certFile": "test/grpc-creds/publisher.boulder/cert.pem",
+      "keyFile": "test/grpc-creds/publisher.boulder/key.pem"
+    },
+    "features": {
+    }
  },

  "syslog": {
--- a/test/config/publisher.json
+++ b/test/config/publisher.json
@ -2,6 +2,24 @@
  "publisher": {
    "userAgent": "boulder/1.0",
    "blockProfileRate": 1000000000,
+    "chains": [
+      [
+        "/tmp/intermediate-cert-rsa-a.pem",
+        "/tmp/root-cert-rsa.pem"
+      ],
+      [
+        "/tmp/intermediate-cert-rsa-b.pem",
+        "/tmp/root-cert-rsa.pem"
+      ],
+      [
+        "/tmp/intermediate-cert-ecdsa-a.pem",
+        "/tmp/root-cert-ecdsa.pem"
+      ],
+      [
+        "/tmp/intermediate-cert-ecdsa-b.pem",
+        "/tmp/root-cert-ecdsa.pem"
+      ]
+    ],
    "debugAddr": ":8009",
    "grpc": {
      "address": ":9091",
@ -23,11 +41,5 @@
  "syslog": {
    "stdoutlevel": 6,
    "sysloglevel": 6
-  },
-
-  "common": {
-    "ct": {
-      "intermediateBundleFilename": "/tmp/intermediate-cert-rsa-a.pem"
-    }
  }
 }