Enable configuration of supported challenges

2015-10-31 16:55:59 +09:00 · 2015-10-31 16:55:59 +09:00 · d8c67285cf
parent 53ca4a1bd5
commit d8c67285cf
9 changed files with 53 additions and 32 deletions
--- a/ca/certificate-authority_test.go
+++ b/ca/certificate-authority_test.go
@ -132,7 +132,7 @@ func setup(t *testing.T) *testCtx {

 	paDbMap, err := sa.NewDbMap(vars.DBConnPolicy)
 	test.AssertNotError(t, err, "Could not construct dbMap")
-	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
+	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false, nil)
 	test.AssertNotError(t, err, "Couldn't create PADB")
 	paDBCleanUp := test.ResetPolicyTestDatabase(t)

--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@ -36,7 +36,7 @@ func main() {

 		paDbMap, err := sa.NewDbMap(c.PA.DBConnect)
 		cmd.FailOnError(err, "Couldn't connect to policy database")
-		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist)
+		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist, c.PA.ChallengeTypes)
 		cmd.FailOnError(err, "Couldn't create PA")

 		cai, err := ca.NewCertificateAuthorityImpl(c.CA, clock.Default(), stats, c.Common.IssuerCert)
--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@ -40,7 +40,7 @@ func main() {

 		paDbMap, err := sa.NewDbMap(c.PA.DBConnect)
 		cmd.FailOnError(err, "Couldn't connect to policy database")
-		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist)
+		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist, c.PA.ChallengeTypes)
 		cmd.FailOnError(err, "Couldn't create PA")

 		rateLimitPolicies, err := cmd.LoadRateLimitPolicies(c.RA.RateLimitPoliciesFilename)
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@ -76,8 +76,8 @@ type certChecker struct {
 	issuedReport report
 }

-func newChecker(saDbMap *gorp.DbMap, paDbMap *gorp.DbMap, clk clock.Clock, enforceWhitelist bool) certChecker {
-	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, enforceWhitelist)
+func newChecker(saDbMap *gorp.DbMap, paDbMap *gorp.DbMap, clk clock.Clock, enforceWhitelist bool, challengeTypes []string) certChecker {
+	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, enforceWhitelist, challengeTypes)
 	cmd.FailOnError(err, "Failed to create PA")
 	c := certChecker{
 		pa:    pa,
@ -250,7 +250,7 @@ func main() {
 		paDbMap, err := sa.NewDbMap(c.PA.DBConnect)
 		cmd.FailOnError(err, "Could not connect to policy database")

-		checker := newChecker(saDbMap, paDbMap, clock.Default(), c.PA.EnforcePolicyWhitelist)
+		checker := newChecker(saDbMap, paDbMap, clock.Default(), c.PA.EnforcePolicyWhitelist, c.PA.ChallengeTypes)
 		auditlogger.Info("# Getting certificates issued in the last 90 days")

 		// Since we grab certificates in batches we don't want this to block, when it
--- a/cmd/shell.go
+++ b/cmd/shell.go
@ -255,10 +255,12 @@ type CAConfig struct {
 }

 // PAConfig specifies how a policy authority should connect to its
-// database, and what policies it should enforce.
+// database, what policies it should enforce, and what challenges
+// it should offer.
 type PAConfig struct {
 	DBConnect              string
 	EnforcePolicyWhitelist bool
+	ChallengeTypes         []string
 }

 // KeyConfig should contain either a File path to a PEM-format private key,
--- a/policy/policy-authority.go
+++ b/policy/policy-authority.go
@ -23,11 +23,12 @@ type PolicyAuthorityImpl struct {
 	log *blog.AuditLogger
 	DB  *PolicyAuthorityDatabaseImpl

-	EnforceWhitelist bool
+	EnforceWhitelist    bool
+	supportedChallenges map[string]bool
 }

 // NewPolicyAuthorityImpl constructs a Policy Authority.
-func NewPolicyAuthorityImpl(dbMap *gorp.DbMap, enforceWhitelist bool) (*PolicyAuthorityImpl, error) {
+func NewPolicyAuthorityImpl(dbMap *gorp.DbMap, enforceWhitelist bool, challengeTypes []string) (*PolicyAuthorityImpl, error) {
 	logger := blog.GetAuditLogger()
 	logger.Notice("Policy Authority Starting")

@ -42,6 +43,11 @@ func NewPolicyAuthorityImpl(dbMap *gorp.DbMap, enforceWhitelist bool) (*PolicyAu
 		EnforceWhitelist: enforceWhitelist,
 	}

+	// Take note of which challenges to offer
+	for _, challengeType := range challengeTypes {
+		pa.supportedChallenges[challengeType] = true
+	}
+
 	return &pa, nil
 }

@ -204,13 +210,34 @@ func (pa PolicyAuthorityImpl) WillingToIssue(id core.AcmeIdentifier, regID int64
 //
 // Note: Current implementation is static, but future versions may not be.
 func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, accountKey *jose.JsonWebKey) (challenges []core.Challenge, combinations [][]int, err error) {
-	// TODO(https://github.com/letsencrypt/boulder/issues/894): Update these lines
-	challenges = []core.Challenge{
-		core.SimpleHTTPChallenge(accountKey),
-		core.DvsniChallenge(accountKey),
-		core.HTTPChallenge01(accountKey),
-		core.TLSSNIChallenge01(accountKey),
+	challenges = []core.Challenge{}
+	combinations = [][]int{}
+
+	// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
+	if pa.supportedChallenges[core.ChallengeTypeSimpleHTTP] {
+		challenges = append(challenges, core.SimpleHTTPChallenge(accountKey))
+	}
+
+	// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
+	if pa.supportedChallenges[core.ChallengeTypeDVSNI] {
+		challenges = append(challenges, core.SimpleHTTPChallenge(accountKey))
+	}
+
+	if pa.supportedChallenges[core.ChallengeTypeHTTP01] {
+		challenges = append(challenges, core.DvsniChallenge(accountKey))
+	}
+
+	if pa.supportedChallenges[core.ChallengeTypeTLSSNI01] {
+		challenges = append(challenges, core.HTTPChallenge01(accountKey))
+	}
+
+	if pa.supportedChallenges[core.ChallengeTypeDNS01] {
+		challenges = append(challenges, core.TLSSNIChallenge01(accountKey))
+	}
+
+	combinations = make([][]int, len(challenges))
+	for i := range combinations {
+		combinations[i] = []int{i}
 	}
-	combinations = [][]int{[]int{0}, []int{1}, []int{2}, []int{3}}
 	return
 }
--- a/policy/policy-authority_test.go
+++ b/policy/policy-authority_test.go
@ -23,7 +23,7 @@ var log = mocks.UseMockLog()

 func paImpl(t *testing.T) (*PolicyAuthorityImpl, func()) {
 	dbMap, cleanUp := paDBMap(t)
-	pa, err := NewPolicyAuthorityImpl(dbMap, false)
+	pa, err := NewPolicyAuthorityImpl(dbMap, false, []string{core.ChallengeTypeHTTP01, core.ChallengeTypeTLSSNI01})
 	if err != nil {
 		cleanUp()
 		t.Fatalf("Couldn't create policy implementation: %s", err)
@ -225,7 +225,7 @@ func TestChallengesFor(t *testing.T) {
 func TestWillingToIssueWithWhitelist(t *testing.T) {
 	dbMap, cleanUp := paDBMap(t)
 	defer cleanUp()
-	pa, err := NewPolicyAuthorityImpl(dbMap, true)
+	pa, err := NewPolicyAuthorityImpl(dbMap, true, nil)
 	test.AssertNotError(t, err, "Couldn't create policy implementation")
 	googID := core.AcmeIdentifier{
 		Type:  core.IdentifierDNS,
--- a/ra/registration-authority_test.go
+++ b/ra/registration-authority_test.go
@ -189,7 +189,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
 		t.Fatalf("Failed to create dbMap: %s", err)
 	}
 	policyDBCleanUp := test.ResetPolicyTestDatabase(t)
-	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
+	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false, []string{core.ChallengeTypeHTTP01, core.ChallengeTypeTLSSNI01})
 	test.AssertNotError(t, err, "Couldn't create PA")
 	ca := ca.CertificateAuthorityImpl{
 		Signer:         signer,
@ -391,21 +391,12 @@ func TestNewAuthorization(t *testing.T) {

 	// TODO Verify that challenges are correct
 	// TODO(https://github.com/letsencrypt/boulder/issues/894): Update these lines
-	test.Assert(t, len(authz.Challenges) == 4, "Incorrect number of challenges returned")
-	test.Assert(t, authz.Challenges[0].Type == core.ChallengeTypeSimpleHTTP, "Challenge 0 not SimpleHTTP")
-	test.Assert(t, authz.Challenges[1].Type == core.ChallengeTypeDVSNI, "Challenge 1 not DVSNI")
-
-	// TODO(https://github.com/letsencrypt/boulder/issues/894): Delete these lines
-	test.Assert(t, authz.Challenges[2].Type == core.ChallengeTypeHTTP01, "Challenge 2 not http-00")
-	test.Assert(t, authz.Challenges[3].Type == core.ChallengeTypeTLSSNI01, "Challenge 3 not tlssni-00")
-
+	test.Assert(t, len(authz.Challenges) == 2, "Incorrect number of challenges returned")
+	test.Assert(t, authz.Challenges[0].Type == core.ChallengeTypeHTTP01, "Challenge 0 not SimpleHTTP")
+	test.Assert(t, authz.Challenges[1].Type == core.ChallengeTypeTLSSNI01, "Challenge 1 not DVSNI")
 	test.Assert(t, authz.Challenges[0].IsSane(false), "Challenge 0 is not sane")
 	test.Assert(t, authz.Challenges[1].IsSane(false), "Challenge 1 is not sane")

-	// TODO(https://github.com/letsencrypt/boulder/issues/894): Delete these lines
-	test.Assert(t, authz.Challenges[2].IsSane(false), "Challenge 2 is not sane")
-	test.Assert(t, authz.Challenges[3].IsSane(false), "Challenge 3 is not sane")
-
 	t.Log("DONE TestNewAuthorization")
 }

--- a/test/create_db.sh
+++ b/test/create_db.sh
@ -10,13 +10,14 @@ if [[ ! -z "MYSQL_CONTAINER" ]]; then
 fi

 # Drop all users to get a fresh start
-mysql $dbconn < test/drop_users.sql
+#mysql $dbconn < test/drop_users.sql

 for svc in $SERVICES; do
 	for dbenv in $DBENVS; do
 		(
 		db="boulder_${svc}_${dbenv}"
 		create_script="drop database if exists \`${db}\`; create database if not exists \`${db}\`;"
+    echo $create_script

 		mysql $dbconn -e "$create_script" || die "unable to create ${db}"