WFE2: Fix GET API when used with MandatoryPOSTAsGET (#4656)

Roland Bracewell Shoemaker 2020-01-23 11:24:05 -08:00 committed by Daniel McCarney
parent c66fd76840
commit af5b41f4c2
2 changed files with 20 additions and 5 deletions


@ -218,7 +218,6 @@ func (wfe *WebFrontEndImpl) HandleFunc(mux *http.ServeMux, pattern string, h web
if wfe.remoteNonceService != nil { if wfe.remoteNonceService != nil {
nonceMsg, err := wfe.remoteNonceService.Nonce(ctx, &corepb.Empty{}) nonceMsg, err := wfe.remoteNonceService.Nonce(ctx, &corepb.Empty{})
if err != nil { if err != nil {
fmt.Println("fucking broken", err)
wfe.sendError(response, logEvent, probs.ServerInternal("unable to get nonce"), err) wfe.sendError(response, logEvent, probs.ServerInternal("unable to get nonce"), err)
return return
} }
@ -1052,7 +1051,7 @@ func (wfe *WebFrontEndImpl) Challenge(
return return
} }
if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost { if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost && !requiredStale(request, logEvent) {
wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil) wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil)
return return
} }
@ -1433,7 +1432,7 @@ func (wfe *WebFrontEndImpl) Authorization(
response http.ResponseWriter, response http.ResponseWriter,
request *http.Request) { request *http.Request) {
if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost { if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost && !requiredStale(request, logEvent) {
wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil) wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil)
return return
} }
@ -1532,7 +1531,7 @@ var allHex = regexp.MustCompile("^[0-9a-f]+$")
// Certificate is used by clients to request a copy of their current certificate, or to // Certificate is used by clients to request a copy of their current certificate, or to
// request a reissuance of the certificate. // request a reissuance of the certificate.
func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request) { func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request) {
if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost { if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost && !requiredStale(request, logEvent) {
wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil) wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil)
return return
} }
@ -1963,7 +1962,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
// GetOrder is used to retrieve a existing order object // GetOrder is used to retrieve a existing order object
func (wfe *WebFrontEndImpl) GetOrder(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request) { func (wfe *WebFrontEndImpl) GetOrder(ctx context.Context, logEvent *web.RequestEvent, response http.ResponseWriter, request *http.Request) {
if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost { if features.Enabled(features.MandatoryPOSTAsGET) && request.Method != http.MethodPost && !requiredStale(request, logEvent) {
wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil) wfe.sendError(response, logEvent, probs.MethodNotAllowed(), nil)
return return
} }
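Review bot: The exemption `&& !requiredStale(request, logEvent)` is now copied verbatim into the method guard of Challenge, Authorization, Certificate and GetOrder, so the rule for which unauthenticated requests may skip MandatoryPOSTAsGET lives in four places and a later handler can easily drift from it. requiredStale is defined outside these hunks; if it does not itself pin the method to GET, any non-POST method on a GET-API endpoint would now pass this guard, which is worth confirming. Consider folding the whole condition into one helper, called as `if wfe.postAsGETViolation(request, logEvent) {` (the name is only a suggestion), with a comment such as `// Unauthenticated GET is allowed only for the GET API; every other non-POST request is rejected.` The handler bodies continue outside each hunk, so whatever staleness check later makes this exemption safe is not visible here.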


@ -3276,3 +3276,19 @@ func TestGETAPIChallenge(t *testing.T) {
} }
} }
} }
func TestGetAPIAndMandatoryPOSTAsGET(t *testing.T) {
wfe, _ := setupWFE(t)
makeGet := func(path, endpoint string) (*http.Request, *web.RequestEvent) {
return &http.Request{URL: &url.URL{Path: path}, Method: "GET"},
&web.RequestEvent{Endpoint: endpoint, Extra: map[string]interface{}{}}
}
_ = features.Set(map[string]bool{"MandatoryPOSTAsGET": true})
defer features.Reset()
oldSerial := "0000000000000000000000000000000000b2"
req, event := makeGet(oldSerial, getCertPath)
resp := httptest.NewRecorder()
wfe.Certificate(context.Background(), event, resp, req)
test.AssertEquals(t, resp.Code, 200)
}
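Review bot: The new test only asserts the allow path, so it would not notice if the exemption were too broad; a second case issuing the same GET with the regular (non-GET-API) certificate endpoint in `RequestEvent.Endpoint` and expecting `http.StatusMethodNotAllowed` would pin the boundary. The error from `features.Set` is discarded with `_ =`, and if the flag failed to set, `wfe.Certificate` would presumably still return 200 and the test would pass without exercising the fix; `err := features.Set(...)` followed by `test.AssertNotError(t, err, "setting MandatoryPOSTAsGET")` closes that gap. Only Certificate is covered, while the commit changes the same guard in Challenge, Authorization and GetOrder.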