letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SA: Remove NewOrder and NewAuthorizations2 (#6536) 

Delete the NewOrder and NewAuthorizations2 methods from the SA's gRPC
interface. These methods have been replaced by the unified
NewOrderAndAuthzs method, which performs both sets of insertions in a
single transaction.

Also update the SA and RA unittests to not rely on these methods for
setting up test data that other functions-under-test rely on. In most
cases, replace calls to NewOrder with calls to NewOrderAndAuthzs. In the
SA tests specifically, replace calls to NewAuthorizations2 with a
streamlined helper function that simply does the single necessary
database insert.

Fixes #6510
Fixes #5816
This commit is contained in:
Aaron Gable 2022-12-02 14:34:35 -08:00 committed by GitHub
parent a7a2afef7a
commit d8d5a030f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 848 additions and 1462 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
mocks/mocks.go
View File

@ -352,15 +352,15 @@ func (sa *StorageAuthority) DeactivateRegistration(_ context.Context, _ *sapb.Re
return &emptypb.Empty{}, nil
}
// NewOrder is a mock
func (sa *StorageAuthority) NewOrder(_ context.Context, req *sapb.NewOrderRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
// NewOrderAndAuthzs is a mock
func (sa *StorageAuthority) NewOrderAndAuthzs(_ context.Context, req *sapb.NewOrderAndAuthzsRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
rand.Seed(time.Now().UnixNano())
response := &corepb.Order{
// Fields from the input new order request.
RegistrationID: req.RegistrationID,
Expires: req.Expires,
Names: req.Names,
V2Authorizations: req.V2Authorizations,
RegistrationID: req.NewOrder.RegistrationID,
Expires: req.NewOrder.Expires,
Names: req.NewOrder.Names,
V2Authorizations: req.NewOrder.V2Authorizations,
// Mock new fields generated by the database transaction.
Id: rand.Int63(),
Created: time.Now().UnixNano(),
@ -371,11 +371,6 @@ func (sa *StorageAuthority) NewOrder(_ context.Context, req *sapb.NewOrderReques
return response, nil
}
// NewOrderAndAuthzs is a mock
func (sa *StorageAuthority) NewOrderAndAuthzs(_ context.Context, req *sapb.NewOrderAndAuthzsRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
return sa.NewOrder(context.TODO(), req.NewOrder)
}
// SetOrderProcessing is a mock
func (sa *StorageAuthority) SetOrderProcessing(_ context.Context, req *sapb.OrderRequest, _ ...grpc.CallOption) (*emptypb.Empty, error) {
return &emptypb.Empty{}, nil
@ -450,11 +445,6 @@ func (sa *StorageAuthorityReadOnly) GetOrderForNames(_ context.Context, _ *sapb.
return nil, nil
}
// NewAuthorizations is a mock
func (sa *StorageAuthority) NewAuthorizations2(ctx context.Context, req *sapb.AddPendingAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorization2IDs, error) {
return &sapb.Authorization2IDs{}, nil
}
func (sa *StorageAuthority) FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAuthorizationRequest, _ ...grpc.CallOption) (*emptypb.Empty, error) {
return &emptypb.Empty{}, nil
}

214
ra/ra_test.go
View File

@ -90,14 +90,21 @@ func createPendingAuthorization(t *testing.T, sa sapb.StorageAuthorityClient, do
}
authzPB, err := bgrpc.AuthzToPB(authz)
test.AssertNotError(t, err, "AuthzToPB failed")
ids, err := sa.NewAuthorizations2(context.Background(), &sapb.AddPendingAuthorizationsRequest{
Authz: []*corepb.Authorization{authzPB},
res, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{domain},
},
NewAuthzs: []*corepb.Authorization{authzPB},
})
test.AssertNotError(t, err, "sa.NewAuthorizations2 failed")
return getAuthorization(t, fmt.Sprint(ids.Ids[0]), sa)
test.AssertNotError(t, err, "sa.NewOrderAndAuthzs failed")
return getAuthorization(t, fmt.Sprint(res.V2Authorizations[0]), sa)
}
func createFinalizedAuthorization(t *testing.T, sa sapb.StorageAuthorityClient, domain string, exp time.Time, attemptedAt time.Time) int64 {
func createFinalizedAuthorization(t *testing.T, sa sapb.StorageAuthorityClient, domain string, exp time.Time, chall core.AcmeChallenge, attemptedAt time.Time) int64 {
t.Helper()
pending := createPendingAuthorization(t, sa, domain, exp)
pendingID, err := strconv.ParseInt(pending.Id, 10, 64)
@ -106,7 +113,7 @@ func createFinalizedAuthorization(t *testing.T, sa sapb.StorageAuthorityClient,
Id: pendingID,
Status: "valid",
Expires: exp.UnixNano(),
Attempted: string(core.ChallengeTypeHTTP01),
Attempted: string(chall),
AttemptedAt: attemptedAt.UnixNano(),
})
test.AssertNotError(t, err, "sa.FinalizeAuthorizations2 failed")
@ -896,13 +903,15 @@ func TestCertificateKeyNotEqualAccountKey(t *testing.T) {
exp := ra.clk.Now().Add(365 * 24 * time.Hour)
authzID := createFinalizedAuthorization(t, sa, "www.example.com", exp, ra.clk.Now())
authzID := createFinalizedAuthorization(t, sa, "www.example.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
order, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{"www.example.com"},
V2Authorizations: []int64{authzID},
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{"www.example.com"},
V2Authorizations: []int64{authzID},
},
})
test.AssertNotError(t, err, "Could not add test order with finalized authz IDs, ready status")
@ -1556,7 +1565,7 @@ func TestDeactivateAuthorization(t *testing.T) {
defer cleanUp()
exp := ra.clk.Now().Add(365 * 24 * time.Hour)
authzID := createFinalizedAuthorization(t, sa, "not-example.com", exp, ra.clk.Now())
authzID := createFinalizedAuthorization(t, sa, "not-example.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
dbAuthzPB := getAuthorization(t, fmt.Sprint(authzID), sa)
_, err := ra.DeactivateAuthorization(ctx, dbAuthzPB)
test.AssertNotError(t, err, "Could not deactivate authorization")
@ -2227,18 +2236,11 @@ func (msa *mockSAUnsafeAuthzReuse) GetAuthorizations2(ctx context.Context, req *
}
func (msa *mockSAUnsafeAuthzReuse) NewAuthorizations2(_ context.Context, _ *sapb.AddPendingAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorization2IDs, error) {
return &sapb.Authorization2IDs{
Ids: []int64{5},
}, nil
}
func (msa *mockSAUnsafeAuthzReuse) NewOrderAndAuthzs(ctx context.Context, req *sapb.NewOrderAndAuthzsRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
r := req.NewOrder
for range req.NewAuthzs {
r.V2Authorizations = append(r.V2Authorizations, mrand.Int63())
req.NewOrder.V2Authorizations = append(req.NewOrder.V2Authorizations, mrand.Int63())
}
return msa.NewOrder(ctx, r)
return msa.StorageAuthority.NewOrderAndAuthzs(ctx, req)
}
// TestNewOrderAuthzReuseSafety checks that the RA's safety check for reusing an
@ -2496,12 +2498,6 @@ func (msa *mockSANearExpiredAuthz) GetAuthorizations2(ctx context.Context, req *
return authzMapToPB(authzs)
}
func (msa *mockSANearExpiredAuthz) NewAuthorizations2(_ context.Context, _ *sapb.AddPendingAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorization2IDs, error) {
return &sapb.Authorization2IDs{
Ids: []int64{5},
}, nil
}
func TestNewOrderExpiry(t *testing.T) {
_, _, ra, clk, cleanUp := initAuthorities(t)
defer cleanUp()
@ -2560,8 +2556,8 @@ func TestFinalizeOrder(t *testing.T) {
// Create one finalized authorization for not-example.com and one finalized
// authorization for www.not-example.org
exp := ra.clk.Now().Add(365 * 24 * time.Hour)
authzIDA := createFinalizedAuthorization(t, sa, "not-example.com", exp, ra.clk.Now())
authzIDB := createFinalizedAuthorization(t, sa, "www.not-example.com", exp, ra.clk.Now())
authzIDA := createFinalizedAuthorization(t, sa, "not-example.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
authzIDB := createFinalizedAuthorization(t, sa, "www.not-example.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
testKey, err := rsa.GenerateKey(rand.Reader, 2048)
test.AssertNotError(t, err, "error generating test key")
@ -2633,11 +2629,13 @@ func TestFinalizeOrder(t *testing.T) {
})
test.AssertNotError(t, err, "Could not add test order for missing authz order ID")
validatedOrder, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
validatedOrder, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
},
})
test.AssertNotError(t, err, "Could not add test order with finalized authz IDs, ready status")
@ -2821,15 +2819,17 @@ func TestFinalizeOrderWithMixedSANAndCN(t *testing.T) {
// Create one finalized authorization for Registration.Id for not-example.com and
// one finalized authorization for Registration.Id for www.not-example.org
authzIDA := createFinalizedAuthorization(t, sa, "not-example.com", exp, ra.clk.Now())
authzIDB := createFinalizedAuthorization(t, sa, "www.not-example.com", exp, ra.clk.Now())
authzIDA := createFinalizedAuthorization(t, sa, "not-example.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
authzIDB := createFinalizedAuthorization(t, sa, "www.not-example.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
// Create a new order to finalize with names in SAN and CN
mixedOrder, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
mixedOrder, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
},
})
test.AssertNotError(t, err, "Could not add test order with finalized authz IDs")
testKey, err := rsa.GenerateKey(rand.Reader, 2048)
@ -2921,7 +2921,7 @@ func TestFinalizeOrderWildcard(t *testing.T) {
test.AssertNotError(t, err, "NewOrder failed for wildcard domain order")
// Create one standard finalized authorization for Registration.Id for zombo.com
_ = createFinalizedAuthorization(t, sa, "zombo.com", exp, ra.clk.Now())
_ = createFinalizedAuthorization(t, sa, "zombo.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
// Finalizing the order should *not* work since the existing validated authz
// is not a special DNS-01-Wildcard challenge authz, so the order will be
@ -2978,65 +2978,22 @@ func TestIssueCertificateAuditLog(t *testing.T) {
ra.orderLifetime = 24 * time.Hour
exp := ra.clk.Now().Add(24 * time.Hour)
authzForChalType := func(domain, chalType string) int64 {
template := core.Authorization{
Identifier: identifier.ACMEIdentifier{
Type: "dns",
Value: domain,
},
RegistrationID: Registration.Id,
Status: "pending",
Expires: &exp,
}
// Create challenges
token := core.NewToken()
httpChal := core.HTTPChallenge01(token)
dnsChal := core.DNSChallenge01(token)
// Set the selected challenge to valid
switch chalType {
case "http-01":
httpChal.Status = core.StatusValid
case "dns-01":
dnsChal.Status = core.StatusValid
default:
t.Fatalf("Invalid challenge type used with authzForChalType: %q", chalType)
}
// Set the template's challenges
template.Challenges = []core.Challenge{httpChal, dnsChal}
// Create the pending authz
authzPB, err := bgrpc.AuthzToPB(template)
test.AssertNotError(t, err, "bgrpc.AuthzToPB failed")
ids, err := sa.NewAuthorizations2(ctx, &sapb.AddPendingAuthorizationsRequest{
Authz: []*corepb.Authorization{authzPB},
})
test.AssertNotError(t, err, "sa.NewAuthorzations2 failed")
// Finalize the authz
_, err = sa.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
Id: ids.Ids[0],
Status: "valid",
Expires: exp.UnixNano(),
Attempted: chalType,
AttemptedAt: ra.clk.Now().UnixNano(),
})
test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")
return ids.Ids[0]
}
// Make some valid authorizations for some names using different challenge types
names := []string{"not-example.com", "www.not-example.com", "still.not-example.com", "definitely.not-example.com"}
chalTypes := []string{"http-01", "dns-01", "http-01", "dns-01"}
challs := []core.AcmeChallenge{core.ChallengeTypeHTTP01, core.ChallengeTypeDNS01, core.ChallengeTypeHTTP01, core.ChallengeTypeDNS01}
var authzIDs []int64
for i, name := range names {
authzIDs = append(authzIDs, authzForChalType(name, chalTypes[i]))
authzIDs = append(authzIDs, createFinalizedAuthorization(t, sa, name, exp, challs[i], ra.clk.Now()))
}
// Create a pending order for all of the names
order, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: names,
V2Authorizations: authzIDs,
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: names,
V2Authorizations: authzIDs,
},
})
test.AssertNotError(t, err, "Could not add test order with finalized authz IDs")
@ -3132,7 +3089,7 @@ func TestIssueCertificateAuditLog(t *testing.T) {
// The authz entry should have the correct authz ID
test.AssertEquals(t, authzEntry.ID, fmt.Sprintf("%d", authzIDs[i]))
// The authz entry should have the correct challenge type
test.AssertEquals(t, string(authzEntry.ChallengeType), chalTypes[i])
test.AssertEquals(t, authzEntry.ChallengeType, challs[i])
}
}
@ -3219,14 +3176,16 @@ func TestCTPolicyMeasurements(t *testing.T) {
// Create valid authorizations for not-example.com and www.not-example.com
exp := ra.clk.Now().Add(365 * 24 * time.Hour)
authzIDA := createFinalizedAuthorization(t, ssa, "not-example.com", exp, ra.clk.Now())
authzIDB := createFinalizedAuthorization(t, ssa, "www.not-example.com", exp, ra.clk.Now())
authzIDA := createFinalizedAuthorization(t, ssa, "not-example.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
authzIDB := createFinalizedAuthorization(t, ssa, "www.not-example.com", exp, core.ChallengeTypeHTTP01, ra.clk.Now())
order, err := ra.SA.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
order, err := ra.SA.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: []string{"not-example.com", "www.not-example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
},
})
test.AssertNotError(t, err, "error generating test order")
@ -3342,54 +3301,21 @@ func TestIssueCertificateInnerErrs(t *testing.T) {
ra.orderLifetime = 24 * time.Hour
exp := ra.clk.Now().Add(24 * time.Hour)
authzForIdent := func(domain string) int64 {
template := core.Authorization{
Identifier: identifier.ACMEIdentifier{
Type: "dns",
Value: domain,
},
RegistrationID: Registration.Id,
Status: "pending",
Expires: &exp,
}
// Create one valid HTTP challenge
httpChal := core.HTTPChallenge01(core.NewToken())
httpChal.Status = core.StatusValid
// Set the template's challenges
template.Challenges = []core.Challenge{httpChal}
// Create the pending authz
authzPB, err := bgrpc.AuthzToPB(template)
test.AssertNotError(t, err, "bgrpc.AuthzToPB failed")
ids, err := sa.NewAuthorizations2(ctx, &sapb.AddPendingAuthorizationsRequest{
Authz: []*corepb.Authorization{authzPB},
})
test.AssertNotError(t, err, "sa.NewAuthorzations2 failed")
// Finalize the authz
attempted := string(httpChal.Type)
_, err = sa.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
Id: ids.Ids[0],
Status: "valid",
Expires: exp.UnixNano(),
Attempted: attempted,
AttemptedAt: ra.clk.Now().UnixNano(),
})
test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")
return ids.Ids[0]
}
// Make some valid authorizations for some names
names := []string{"not-example.com", "www.not-example.com", "still.not-example.com", "definitely.not-example.com"}
var authzIDs []int64
for _, name := range names {
authzIDs = append(authzIDs, authzForIdent(name))
authzIDs = append(authzIDs, createFinalizedAuthorization(t, sa, name, exp, core.ChallengeTypeHTTP01, ra.clk.Now()))
}
// Create a pending order for all of the names
order, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: names,
V2Authorizations: authzIDs,
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: Registration.Id,
Expires: exp.UnixNano(),
Names: names,
V2Authorizations: authzIDs,
},
})
test.AssertNotError(t, err, "Could not add test order with finalized authz IDs")

1427
sa/proto/sa.pb.go
View File

File diff suppressed because it is too large Load Diff

10
sa/proto/sa.proto
View File

@ -81,8 +81,6 @@ service StorageAuthority {
rpc DeactivateRegistration(RegistrationID) returns (google.protobuf.Empty) {}
rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
rpc NewAuthorizations2(AddPendingAuthorizationsRequest) returns (Authorization2IDs) {}
rpc NewOrder(NewOrderRequest) returns (core.Order) {}
rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {}
rpc NewRegistration(core.Registration) returns (core.Registration) {}
rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
@ -265,10 +263,6 @@ message Authorizations {
repeated MapElement authz = 1;
}
message AddPendingAuthorizationsRequest {
repeated core.Authorization authz = 1;
}
message AuthorizationIDs {
repeated string ids = 1;
}
@ -277,10 +271,6 @@ message AuthorizationID2 {
int64 id = 1;
}
message Authorization2IDs {
repeated int64 ids = 1;
}
message RevokeCertificateRequest {
string serial = 1;
int64 reason = 2;

72
sa/proto/sa_grpc.pb.go
View File

@ -1214,8 +1214,6 @@ type StorageAuthorityClient interface {
DeactivateRegistration(ctx context.Context, in *RegistrationID, opts ...grpc.CallOption) (*emptypb.Empty, error)
FinalizeAuthorization2(ctx context.Context, in *FinalizeAuthorizationRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
FinalizeOrder(ctx context.Context, in *FinalizeOrderRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
NewAuthorizations2(ctx context.Context, in *AddPendingAuthorizationsRequest, opts ...grpc.CallOption) (*Authorization2IDs, error)
NewOrder(ctx context.Context, in *NewOrderRequest, opts ...grpc.CallOption) (*proto.Order, error)
NewOrderAndAuthzs(ctx context.Context, in *NewOrderAndAuthzsRequest, opts ...grpc.CallOption) (*proto.Order, error)
NewRegistration(ctx context.Context, in *proto.Registration, opts ...grpc.CallOption) (*proto.Registration, error)
RevokeCertificate(ctx context.Context, in *RevokeCertificateRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
@ -1612,24 +1610,6 @@ func (c *storageAuthorityClient) FinalizeOrder(ctx context.Context, in *Finalize
return out, nil
}
func (c *storageAuthorityClient) NewAuthorizations2(ctx context.Context, in *AddPendingAuthorizationsRequest, opts ...grpc.CallOption) (*Authorization2IDs, error) {
out := new(Authorization2IDs)
err := c.cc.Invoke(ctx, "/sa.StorageAuthority/NewAuthorizations2", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *storageAuthorityClient) NewOrder(ctx context.Context, in *NewOrderRequest, opts ...grpc.CallOption) (*proto.Order, error) {
out := new(proto.Order)
err := c.cc.Invoke(ctx, "/sa.StorageAuthority/NewOrder", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *storageAuthorityClient) NewOrderAndAuthzs(ctx context.Context, in *NewOrderAndAuthzsRequest, opts ...grpc.CallOption) (*proto.Order, error) {
out := new(proto.Order)
err := c.cc.Invoke(ctx, "/sa.StorageAuthority/NewOrderAndAuthzs", in, out, opts...)
@ -1736,8 +1716,6 @@ type StorageAuthorityServer interface {
DeactivateRegistration(context.Context, *RegistrationID) (*emptypb.Empty, error)
FinalizeAuthorization2(context.Context, *FinalizeAuthorizationRequest) (*emptypb.Empty, error)
FinalizeOrder(context.Context, *FinalizeOrderRequest) (*emptypb.Empty, error)
NewAuthorizations2(context.Context, *AddPendingAuthorizationsRequest) (*Authorization2IDs, error)
NewOrder(context.Context, *NewOrderRequest) (*proto.Order, error)
NewOrderAndAuthzs(context.Context, *NewOrderAndAuthzsRequest) (*proto.Order, error)
NewRegistration(context.Context, *proto.Registration) (*proto.Registration, error)
RevokeCertificate(context.Context, *RevokeCertificateRequest) (*emptypb.Empty, error)
@ -1863,12 +1841,6 @@ func (UnimplementedStorageAuthorityServer) FinalizeAuthorization2(context.Contex
func (UnimplementedStorageAuthorityServer) FinalizeOrder(context.Context, *FinalizeOrderRequest) (*emptypb.Empty, error) {
return nil, status.Errorf(codes.Unimplemented, "method FinalizeOrder not implemented")
}
func (UnimplementedStorageAuthorityServer) NewAuthorizations2(context.Context, *AddPendingAuthorizationsRequest) (*Authorization2IDs, error) {
return nil, status.Errorf(codes.Unimplemented, "method NewAuthorizations2 not implemented")
}
func (UnimplementedStorageAuthorityServer) NewOrder(context.Context, *NewOrderRequest) (*proto.Order, error) {
return nil, status.Errorf(codes.Unimplemented, "method NewOrder not implemented")
}
func (UnimplementedStorageAuthorityServer) NewOrderAndAuthzs(context.Context, *NewOrderAndAuthzsRequest) (*proto.Order, error) {
return nil, status.Errorf(codes.Unimplemented, "method NewOrderAndAuthzs not implemented")
}
@ -2575,42 +2547,6 @@ func _StorageAuthority_FinalizeOrder_Handler(srv interface{}, ctx context.Contex
return interceptor(ctx, in, info, handler)
}
func _StorageAuthority_NewAuthorizations2_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(AddPendingAuthorizationsRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(StorageAuthorityServer).NewAuthorizations2(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/sa.StorageAuthority/NewAuthorizations2",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(StorageAuthorityServer).NewAuthorizations2(ctx, req.(*AddPendingAuthorizationsRequest))
}
return interceptor(ctx, in, info, handler)
}
func _StorageAuthority_NewOrder_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(NewOrderRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(StorageAuthorityServer).NewOrder(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/sa.StorageAuthority/NewOrder",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(StorageAuthorityServer).NewOrder(ctx, req.(*NewOrderRequest))
}
return interceptor(ctx, in, info, handler)
}
func _StorageAuthority_NewOrderAndAuthzs_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(NewOrderAndAuthzsRequest)
if err := dec(in); err != nil {
@ -2884,14 +2820,6 @@ var StorageAuthority_ServiceDesc = grpc.ServiceDesc{
MethodName: "FinalizeOrder",
Handler: _StorageAuthority_FinalizeOrder_Handler,
},
{
MethodName: "NewAuthorizations2",
Handler: _StorageAuthority_NewAuthorizations2_Handler,
},
{
MethodName: "NewOrder",
Handler: _StorageAuthority_NewOrder_Handler,
},
{
MethodName: "NewOrderAndAuthzs",
Handler: _StorageAuthority_NewOrderAndAuthzs_Handler,

159
sa/sa.go
View File

@ -6,7 +6,6 @@ import (
"encoding/json"
"errors"
"fmt"
"strings"
"time"
"github.com/jmhodges/clock"
@ -306,95 +305,6 @@ func (ssa *SQLStorageAuthority) DeactivateAuthorization2(ctx context.Context, re
return &emptypb.Empty{}, nil
}
// NewOrder adds a new v2 style order to the database
func (ssa *SQLStorageAuthority) NewOrder(ctx context.Context, req *sapb.NewOrderRequest) (*corepb.Order, error) {
output, err := db.WithTransaction(ctx, ssa.dbMap, func(txWithCtx db.Executor) (interface{}, error) {
// Check new order request fields.
if req.RegistrationID == 0 || req.Expires == 0 || len(req.Names) == 0 {
return nil, errIncompleteRequest
}
order := &orderModel{
RegistrationID: req.RegistrationID,
Expires: time.Unix(0, req.Expires),
Created: ssa.clk.Now(),
}
err := txWithCtx.Insert(order)
if err != nil {
return nil, err
}
for _, id := range req.V2Authorizations {
otoa := &orderToAuthzModel{
OrderID: order.ID,
AuthzID: id,
}
err := txWithCtx.Insert(otoa)
if err != nil {
return nil, err
}
}
for _, name := range req.Names {
reqdName := &requestedNameModel{
OrderID: order.ID,
ReversedName: ReverseName(name),
}
err := txWithCtx.Insert(reqdName)
if err != nil {
return nil, err
}
}
// Add an FQDNSet entry for the order
err = addOrderFQDNSet(txWithCtx, req.Names, order.ID, order.RegistrationID, order.Expires)
if err != nil {
return nil, err
}
// Finally, build the overall Order PB.
res := &corepb.Order{
// Carry some fields over the from input new order request.
RegistrationID: req.RegistrationID,
Expires: req.Expires,
Names: req.Names,
V2Authorizations: req.V2Authorizations,
// Some fields were generated by the database transaction.
Id: order.ID,
Created: order.Created.UnixNano(),
// A new order is never processing because it can't have been finalized yet.
BeganProcessing: false,
}
// Calculate the order status before returning it. Since it may have reused
// all valid authorizations the order may be "born" in a ready status.
status, err := statusForOrder(txWithCtx, res, ssa.clk.Now())
if err != nil {
return nil, err
}
res.Status = status
return res, nil
})
if err != nil {
return nil, err
}
order, ok := output.(*corepb.Order)
if !ok {
return nil, fmt.Errorf("shouldn't happen: casting error in NewOrder")
}
// Increment the order creation count
err = addNewOrdersRateLimit(ssa.dbMap.WithContext(ctx), req.RegistrationID, ssa.clk.Now().Truncate(time.Minute))
if err != nil {
return nil, err
}
return order, nil
}
// NewOrderAndAuthzs adds the given authorizations to the database, adds their
// autogenerated IDs to the given order, and then adds the order to the db.
// This is done inside a single transaction to prevent situations where new
@ -649,75 +559,6 @@ func (ssa *SQLStorageAuthority) FinalizeOrder(ctx context.Context, req *sapb.Fin
return &emptypb.Empty{}, nil
}
// NewAuthorizations2 adds a set of new style authorizations to the database and
// returns either the IDs of the authorizations or an error.
// TODO(#5816): Consider removing this method, as it has no callers.
func (ssa *SQLStorageAuthority) NewAuthorizations2(ctx context.Context, req *sapb.AddPendingAuthorizationsRequest) (*sapb.Authorization2IDs, error) {
if len(req.Authz) == 0 {
return nil, errIncompleteRequest
}
ids := &sapb.Authorization2IDs{}
var queryArgs []interface{}
var questionsBuf strings.Builder
for _, authz := range req.Authz {
if authz.Status != string(core.StatusPending) {
return nil, berrors.InternalServerError("authorization must be pending")
}
am, err := authzPBToModel(authz)
if err != nil {
return nil, err
}
// Each authz needs a (?,?...), in the VALUES block. We need one
// for each element in the authzFields string.
fmt.Fprint(&questionsBuf, "(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?),")
// The query arguments must follow the order of the authzFields string.
queryArgs = append(queryArgs,
am.ID,
am.IdentifierType,
am.IdentifierValue,
am.RegistrationID,
am.Status,
am.Expires,
am.Challenges,
am.Attempted,
am.AttemptedAt,
am.Token,
am.ValidationError,
am.ValidationRecord,
)
}
// At this point, the VALUES block question-string has a trailing comma, we need
// to remove it to make sure we're valid SQL.
questionsTrimmed := strings.TrimRight(questionsBuf.String(), ",")
query := fmt.Sprintf("INSERT INTO authz2 (%s) VALUES %s RETURNING id;", authzFields, questionsTrimmed)
rows, err := ssa.dbMap.Db.QueryContext(ctx, query, queryArgs...)
if err != nil {
return nil, err
}
for rows.Next() {
var idField int64
err = rows.Scan(&idField)
if err != nil {
rows.Close()
return nil, err
}
ids.Ids = append(ids.Ids, idField)
}
// Ensure the query wasn't interrupted before it could complete.
err = rows.Close()
if err != nil {
return nil, err
}
return ids, nil
}
// FinalizeAuthorization2 moves a pending authorization to either the valid or invalid status. If
// the authorization is being moved to invalid the validationError field must be set. If the
// authorization is being moved to valid the validationRecord and expires fields must be set.

398
sa/sa_test.go
View File

@ -7,6 +7,7 @@ import (
"crypto/rsa"
"crypto/x509"
"database/sql"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
@ -29,7 +30,6 @@ import (
berrors "github.com/letsencrypt/boulder/errors"
"github.com/letsencrypt/boulder/features"
bgrpc "github.com/letsencrypt/boulder/grpc"
"github.com/letsencrypt/boulder/identifier"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
"github.com/letsencrypt/boulder/probs"
@ -105,26 +105,25 @@ func createWorkingRegistration(t *testing.T, sa *SQLStorageAuthority) *corepb.Re
func createPendingAuthorization(t *testing.T, sa *SQLStorageAuthority, domain string, exp time.Time) int64 {
t.Helper()
authz := core.Authorization{
Identifier: identifier.DNSIdentifier(domain),
RegistrationID: 1,
Status: "pending",
Expires: &exp,
Challenges: []core.Challenge{
{
Token: core.NewToken(),
Type: core.ChallengeTypeHTTP01,
Status: core.StatusPending,
},
},
tokenStr := core.NewToken()
token, err := base64.RawURLEncoding.DecodeString(tokenStr)
test.AssertNotError(t, err, "computing test authorization challenge token")
am := authzModel{
IdentifierType: 0, // dnsName
IdentifierValue: domain,
RegistrationID: 1,
Status: statusToUint[core.StatusPending],
Expires: exp,
Challenges: 1 << challTypeToUint[string(core.ChallengeTypeHTTP01)],
Token: token,
}
authzPB, err := bgrpc.AuthzToPB(authz)
test.AssertNotError(t, err, "AuthzToPB failed")
ids, err := sa.NewAuthorizations2(context.Background(), &sapb.AddPendingAuthorizationsRequest{
Authz: []*corepb.Authorization{authzPB},
})
test.AssertNotError(t, err, "sa.NewAuthorizations2 failed")
return ids.Ids[0]
err = sa.dbMap.Insert(&am)
test.AssertNotError(t, err, "creating test authorization")
t.Log(am.ID)
return am.ID
}
func createFinalizedAuthorization(t *testing.T, sa *SQLStorageAuthority, domain string, exp time.Time,
@ -932,40 +931,6 @@ func TestReverseName(t *testing.T) {
}
}
func TestNewOrder(t *testing.T) {
sa, _, cleanup := initSA(t)
defer cleanup()
// Create a test registration to reference
key, _ := jose.JSONWebKey{Key: &rsa.PublicKey{N: big.NewInt(1), E: 1}}.MarshalJSON()
initialIP, _ := net.ParseIP("42.42.42.42").MarshalText()
reg, err := sa.NewRegistration(ctx, &corepb.Registration{
Key: key,
InitialIP: initialIP,
})
test.AssertNotError(t, err, "Couldn't create test registration")
order, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: 1,
Names: []string{"example.com", "just.another.example.com"},
V2Authorizations: []int64{1, 2, 3},
})
test.AssertNotError(t, err, "sa.NewOrder failed")
test.AssertEquals(t, order.Id, int64(1))
var authzIDs []int64
_, err = sa.dbMap.Select(&authzIDs, "SELECT authzID FROM orderToAuthz2 WHERE orderID = ?;", order.Id)
test.AssertNotError(t, err, "Failed to count orderToAuthz entries")
test.AssertEquals(t, len(authzIDs), 3)
test.AssertDeepEquals(t, authzIDs, []int64{1, 2, 3})
names, err := sa.namesForOrder(context.Background(), order.Id)
test.AssertNotError(t, err, "namesForOrder errored")
test.AssertEquals(t, len(names), 2)
test.AssertDeepEquals(t, names, []string{"com.example", "com.example.another.just"})
}
func TestNewOrderAndAuthzs(t *testing.T) {
sa, _, cleanup := initSA(t)
defer cleanup()
@ -1011,7 +976,7 @@ func TestNewOrderAndAuthzs(t *testing.T) {
},
},
})
test.AssertNotError(t, err, "sa.NewOrder failed")
test.AssertNotError(t, err, "sa.NewOrderAndAuthzs failed")
test.AssertEquals(t, order.Id, int64(1))
test.AssertDeepEquals(t, order.V2Authorizations, []int64{1, 2, 3, 4})
@ -1045,21 +1010,16 @@ func TestSetOrderProcessing(t *testing.T) {
attemptedAt := fc.Now()
authzID := createFinalizedAuthorization(t, sa, "example.com", expires, "valid", attemptedAt)
order := &corepb.Order{
RegistrationID: reg.Id,
Expires: sa.clk.Now().Add(365 * 24 * time.Hour).UnixNano(),
Names: []string{"example.com"},
V2Authorizations: []int64{authzID},
}
// Add a new order in pending status with no certificate serial
order, err = sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: order.RegistrationID,
Expires: order.Expires,
Names: order.Names,
V2Authorizations: order.V2Authorizations,
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: sa.clk.Now().Add(365 * 24 * time.Hour).UnixNano(),
Names: []string{"example.com"},
V2Authorizations: []int64{authzID},
},
})
test.AssertNotError(t, err, "NewOrder failed")
test.AssertNotError(t, err, "NewOrderAndAuthzs failed")
// Set the order to be processing
_, err = sa.SetOrderProcessing(context.Background(), &sapb.OrderRequest{Id: order.Id})
@ -1098,21 +1058,16 @@ func TestFinalizeOrder(t *testing.T) {
attemptedAt := fc.Now()
authzID := createFinalizedAuthorization(t, sa, "example.com", expires, "valid", attemptedAt)
order := &corepb.Order{
RegistrationID: reg.Id,
Expires: sa.clk.Now().Add(365 * 24 * time.Hour).UnixNano(),
Names: []string{"example.com"},
V2Authorizations: []int64{authzID},
}
// Add a new order with an empty certificate serial
order, err = sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: order.RegistrationID,
Expires: order.Expires,
Names: order.Names,
V2Authorizations: order.V2Authorizations,
// Add a new order in pending status with no certificate serial
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: sa.clk.Now().Add(365 * 24 * time.Hour).UnixNano(),
Names: []string{"example.com"},
V2Authorizations: []int64{authzID},
},
})
test.AssertNotError(t, err, "NewOrder failed")
test.AssertNotError(t, err, "NewOrderAndAuthzs failed")
// Set the order to processing so it can be finalized
_, err = sa.SetOrderProcessing(ctx, &sapb.OrderRequest{Id: order.Id})
@ -1160,18 +1115,20 @@ func TestOrder(t *testing.T) {
}
// Create the order
order, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: inputOrder.RegistrationID,
Expires: inputOrder.Expires,
Names: inputOrder.Names,
V2Authorizations: inputOrder.V2Authorizations,
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: inputOrder.RegistrationID,
Expires: inputOrder.Expires,
Names: inputOrder.Names,
V2Authorizations: inputOrder.V2Authorizations,
},
})
test.AssertNotError(t, err, "sa.NewOrder failed")
test.AssertNotError(t, err, "sa.NewOrderAndAuthzs failed")
// The Order from GetOrder should match the following expected order
expectedOrder := &corepb.Order{
// The registration ID, authorizations, expiry, and names should match the
// input to NewOrder
// input to NewOrderAndAuthzs
RegistrationID: inputOrder.RegistrationID,
V2Authorizations: inputOrder.V2Authorizations,
Names: inputOrder.Names,
@ -1244,7 +1201,7 @@ func TestGetAuthorizations2(t *testing.T) {
})
test.AssertNotError(t, err, "sa.dbMap.Insert failed")
// Set an expiry cut off of 1 day in the future similar to `RA.NewOrder`. This
// Set an expiry cut off of 1 day in the future similar to `RA.NewOrderAndAuthzs`. This
// should exclude pending authorization C based on its nearbyExpires expiry
// value.
expiryCutoff := fc.Now().AddDate(0, 0, 1).UnixNano()
@ -1297,11 +1254,13 @@ func TestCountOrders(t *testing.T) {
authzID := createPendingAuthorization(t, sa, "example.com", expires)
// Add one pending order
order, err := sa.NewOrder(ctx, &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: expires.UnixNano(),
Names: []string{"example.com"},
V2Authorizations: []int64{authzID},
order, err := sa.NewOrderAndAuthzs(ctx, &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: expires.UnixNano(),
Names: []string{"example.com"},
V2Authorizations: []int64{authzID},
},
})
test.AssertNotError(t, err, "Couldn't create new pending order")
@ -1339,21 +1298,25 @@ func TestFasterGetOrderForNames(t *testing.T) {
authzIDs := createPendingAuthorization(t, sa, domain, expires)
expiresNano := expires.UnixNano()
_, err = sa.NewOrder(ctx, &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: expiresNano,
V2Authorizations: []int64{authzIDs},
Names: []string{domain},
_, err = sa.NewOrderAndAuthzs(ctx, &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: expiresNano,
V2Authorizations: []int64{authzIDs},
Names: []string{domain},
},
})
test.AssertNotError(t, err, "sa.NewOrder failed")
test.AssertNotError(t, err, "sa.NewOrderAndAuthzs failed")
_, err = sa.NewOrder(ctx, &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: expiresNano,
V2Authorizations: []int64{authzIDs},
Names: []string{domain},
_, err = sa.NewOrderAndAuthzs(ctx, &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: expiresNano,
V2Authorizations: []int64{authzIDs},
Names: []string{domain},
},
})
test.AssertNotError(t, err, "sa.NewOrder failed")
test.AssertNotError(t, err, "sa.NewOrderAndAuthzs failed")
_, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
AcctID: reg.Id,
@ -1402,19 +1365,21 @@ func TestGetOrderForNames(t *testing.T) {
test.Assert(t, result == nil, "sa.GetOrderForNames for non-existent order returned non-nil result")
// Add a new order for a set of names
order, err := sa.NewOrder(ctx, &sapb.NewOrderRequest{
RegistrationID: regA.Id,
Expires: expires,
V2Authorizations: []int64{authzIDA, authzIDB},
Names: names,
order, err := sa.NewOrderAndAuthzs(ctx, &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: regA.Id,
Expires: expires,
V2Authorizations: []int64{authzIDA, authzIDB},
Names: names,
},
})
// It shouldn't error
test.AssertNotError(t, err, "sa.NewOrder failed")
test.AssertNotError(t, err, "sa.NewOrderAndAuthzs failed")
// The order ID shouldn't be nil
test.AssertNotNil(t, order.Id, "NewOrder returned with a nil Id")
test.AssertNotNil(t, order.Id, "NewOrderAndAuthzs returned with a nil Id")
// Call GetOrderForNames with the same account ID and set of names as the
// above NewOrder call
// above NewOrderAndAuthzs call
result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
AcctID: regA.Id,
Names: names,
@ -1425,7 +1390,7 @@ func TestGetOrderForNames(t *testing.T) {
test.AssertNotNil(t, result, "Returned order was nil")
test.AssertEquals(t, result.Id, order.Id)
// Call GetOrderForNames with a different account ID from the NewOrder call
// Call GetOrderForNames with a different account ID from the NewOrderAndAuthzs call
regB := int64(1337)
result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
AcctID: regB,
@ -1442,7 +1407,7 @@ func TestGetOrderForNames(t *testing.T) {
fc.Add(2 * orderLifetime)
// Call GetOrderForNames again with the same account ID and set of names as
// the initial NewOrder call
// the initial NewOrderAndAuthzs call
result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
AcctID: regA.Id,
Names: names,
@ -1463,19 +1428,21 @@ func TestGetOrderForNames(t *testing.T) {
// Add a fresh order that uses the authorizations created above
names = []string{"zombo.com", "welcome.to.zombo.com"}
order, err = sa.NewOrder(ctx, &sapb.NewOrderRequest{
RegistrationID: regA.Id,
Expires: fc.Now().Add(orderLifetime).UnixNano(),
V2Authorizations: []int64{authzIDC, authzIDD},
Names: names,
order, err = sa.NewOrderAndAuthzs(ctx, &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: regA.Id,
Expires: fc.Now().Add(orderLifetime).UnixNano(),
V2Authorizations: []int64{authzIDC, authzIDD},
Names: names,
},
})
// It shouldn't error
test.AssertNotError(t, err, "sa.NewOrder failed")
test.AssertNotError(t, err, "sa.NewOrderAndAuthzs failed")
// The order ID shouldn't be nil
test.AssertNotNil(t, order.Id, "NewOrder returned with a nil Id")
test.AssertNotNil(t, order.Id, "NewOrderAndAuthzs returned with a nil Id")
// Call GetOrderForNames with the same account ID and set of names as
// the earlier NewOrder call
// the earlier NewOrderAndAuthzs call
result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
AcctID: regA.Id,
Names: names,
@ -1496,7 +1463,7 @@ func TestGetOrderForNames(t *testing.T) {
test.AssertNotError(t, err, "sa.FinalizeOrder failed")
// Call GetOrderForNames with the same account ID and set of names as
// the earlier NewOrder call
// the earlier NewOrderAndAuthzs call
result, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
AcctID: regA.Id,
Names: names,
@ -1610,13 +1577,15 @@ func TestStatusForOrder(t *testing.T) {
if orderExpiry == 0 {
orderExpiry = expiresNano
}
newOrder, err := sa.NewOrder(ctx, &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: orderExpiry,
V2Authorizations: tc.AuthorizationIDs,
Names: tc.OrderNames,
newOrder, err := sa.NewOrderAndAuthzs(ctx, &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: orderExpiry,
V2Authorizations: tc.AuthorizationIDs,
Names: tc.OrderNames,
},
})
test.AssertNotError(t, err, "NewOrder errored unexpectedly")
test.AssertNotError(t, err, "NewOrderAndAuthzs errored unexpectedly")
// If requested, set the order to processing
if tc.SetProcessing {
_, err := sa.SetOrderProcessing(ctx, &sapb.OrderRequest{Id: newOrder.Id})
@ -2050,119 +2019,19 @@ func TestCountCertificatesRenewalBit(t *testing.T) {
test.AssertEquals(t, countName(t, "not-example.com"), int64(2))
}
func TestNewAuthorizations2(t *testing.T) {
sa, fc, cleanUp := initSA(t)
defer cleanUp()
reg := createWorkingRegistration(t, sa)
expires := fc.Now().Add(time.Hour).UTC().UnixNano()
apbA := &corepb.Authorization{
Identifier: "aaa",
RegistrationID: reg.Id,
Status: string(core.StatusPending),
Expires: expires,
Challenges: []*corepb.Challenge{
{
Status: string(core.StatusPending),
Type: string(core.ChallengeTypeDNS01),
Token: "YXNkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
},
},
}
apbB := &corepb.Authorization{
Identifier: "aaa",
RegistrationID: reg.Id,
Status: string(core.StatusPending),
Expires: expires,
Challenges: []*corepb.Challenge{
{
Status: string(core.StatusPending),
Type: string(core.ChallengeTypeDNS01),
Token: "ZmdoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
},
},
}
req := &sapb.AddPendingAuthorizationsRequest{Authz: []*corepb.Authorization{apbA, apbB}}
ids, err := sa.NewAuthorizations2(context.Background(), req)
test.AssertNotError(t, err, "sa.NewAuthorizations failed")
test.AssertEquals(t, len(ids.Ids), 2)
for i, id := range ids.Ids {
dbVer, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: id})
test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
// Everything but ID should match.
req.Authz[i].Id = dbVer.Id
test.AssertDeepEquals(t, req.Authz[i], dbVer)
}
}
func TestNewAuthorizations2_100(t *testing.T) {
sa, fc, cleanUp := initSA(t)
defer cleanUp()
reg := createWorkingRegistration(t, sa)
expires := fc.Now().Add(time.Hour).UnixNano()
allAuthz := make([]*corepb.Authorization, 100)
for i := 0; i < 100; i++ {
allAuthz[i] = &corepb.Authorization{
Identifier: fmt.Sprintf("%08x", i),
RegistrationID: reg.Id,
Status: string(core.StatusPending),
Expires: expires,
Challenges: []*corepb.Challenge{
{
Status: string(core.StatusPending),
Type: string(core.ChallengeTypeDNS01),
Token: core.NewToken(),
},
},
}
}
req := &sapb.AddPendingAuthorizationsRequest{Authz: allAuthz}
ids, err := sa.NewAuthorizations2(context.Background(), req)
test.AssertNotError(t, err, "sa.NewAuthorizations failed")
test.AssertEquals(t, len(ids.Ids), 100)
for i, id := range ids.Ids {
dbVer, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: id})
test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
// Everything but the ID should match.
req.Authz[i].Id = dbVer.Id
test.AssertDeepEquals(t, req.Authz[i], dbVer)
}
}
func TestFinalizeAuthorization2(t *testing.T) {
sa, fc, cleanUp := initSA(t)
defer cleanUp()
reg := createWorkingRegistration(t, sa)
expires := fc.Now().Add(time.Hour).UTC().UnixNano()
apb := &corepb.Authorization{
Identifier: "aaa",
RegistrationID: reg.Id,
Status: string(core.StatusPending),
Expires: expires,
Challenges: []*corepb.Challenge{
{
Status: string(core.StatusPending),
Type: string(core.ChallengeTypeDNS01),
Token: "YXNkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
},
},
}
ids, err := sa.NewAuthorizations2(context.Background(), &sapb.AddPendingAuthorizationsRequest{Authz: []*corepb.Authorization{apb}})
test.AssertNotError(t, err, "sa.NewAuthorization failed")
fc.Set(time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC))
expires = fc.Now().Add(time.Hour * 2).UTC().UnixNano()
attemptedAt := fc.Now().UnixNano()
authzID := createPendingAuthorization(t, sa, "aaa", fc.Now().Add(time.Hour))
expires := fc.Now().Add(time.Hour * 2).UTC().UnixNano()
attemptedAt := fc.Now().UnixNano()
ip, _ := net.ParseIP("1.1.1.1").MarshalText()
_, err = sa.FinalizeAuthorization2(context.Background(), &sapb.FinalizeAuthorizationRequest{
Id: ids.Ids[0],
_, err := sa.FinalizeAuthorization2(context.Background(), &sapb.FinalizeAuthorizationRequest{
Id: authzID,
ValidationRecords: []*corepb.ValidationRecord{
{
Hostname: "aaa",
@ -2173,12 +2042,12 @@ func TestFinalizeAuthorization2(t *testing.T) {
},
Status: string(core.StatusValid),
Expires: expires,
Attempted: string(core.ChallengeTypeDNS01),
Attempted: string(core.ChallengeTypeHTTP01),
AttemptedAt: attemptedAt,
})
test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")
dbVer, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: ids.Ids[0]})
dbVer, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: authzID})
test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
test.AssertEquals(t, dbVer.Status, string(core.StatusValid))
test.AssertEquals(t, time.Unix(0, dbVer.Expires).UTC(), fc.Now().Add(time.Hour*2).UTC())
@ -2186,24 +2055,11 @@ func TestFinalizeAuthorization2(t *testing.T) {
test.AssertEquals(t, len(dbVer.Challenges[0].Validationrecords), 1)
test.AssertEquals(t, time.Unix(0, dbVer.Challenges[0].Validated).UTC(), fc.Now().UTC())
apb2 := &corepb.Authorization{
Identifier: "aaa",
RegistrationID: reg.Id,
Status: string(core.StatusPending),
Expires: expires,
Challenges: []*corepb.Challenge{
{
Status: string(core.StatusPending),
Type: string(core.ChallengeTypeDNS01),
Token: "ZmdoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
},
},
}
ids, err = sa.NewAuthorizations2(context.Background(), &sapb.AddPendingAuthorizationsRequest{Authz: []*corepb.Authorization{apb2}})
test.AssertNotError(t, err, "sa.NewAuthorization failed")
authzID = createPendingAuthorization(t, sa, "aaa", fc.Now().Add(time.Hour))
prob, _ := bgrpc.ProblemDetailsToPB(probs.ConnectionFailure("it went bad captain"))
_, err = sa.FinalizeAuthorization2(context.Background(), &sapb.FinalizeAuthorizationRequest{
Id: ids.Ids[0],
Id: authzID,
ValidationRecords: []*corepb.ValidationRecord{
{
Hostname: "aaa",
@ -2214,12 +2070,12 @@ func TestFinalizeAuthorization2(t *testing.T) {
},
ValidationError: prob,
Status: string(core.StatusInvalid),
Attempted: string(core.ChallengeTypeDNS01),
Attempted: string(core.ChallengeTypeHTTP01),
Expires: expires,
})
test.AssertNotError(t, err, "sa.FinalizeAuthorization2 failed")
dbVer, err = sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: ids.Ids[0]})
dbVer, err = sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: authzID})
test.AssertNotError(t, err, "sa.GetAuthorization2 failed")
test.AssertEquals(t, dbVer.Status, string(core.StatusInvalid))
test.AssertEquals(t, dbVer.Challenges[0].Status, string(core.StatusInvalid))
@ -2378,11 +2234,13 @@ func TestGetValidOrderAuthorizations2(t *testing.T) {
authzIDA := createFinalizedAuthorization(t, sa, identA, expires, "valid", attemptedAt)
authzIDB := createFinalizedAuthorization(t, sa, identB, expires, "valid", attemptedAt)
order, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: fc.Now().Truncate(time.Second).UnixNano(),
Names: []string{"a.example.com", "b.example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: fc.Now().Truncate(time.Second).UnixNano(),
Names: []string{"a.example.com", "b.example.com"},
V2Authorizations: []int64{authzIDA, authzIDB},
},
})
test.AssertNotError(t, err, "AddOrder failed")
@ -2488,13 +2346,15 @@ func TestGetOrderExpired(t *testing.T) {
fc.Add(time.Hour * 5)
reg := createWorkingRegistration(t, sa)
order, err := sa.NewOrder(context.Background(), &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: fc.Now().Add(-time.Hour).UnixNano(),
Names: []string{"example.com"},
V2Authorizations: []int64{666},
order, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
NewOrder: &sapb.NewOrderRequest{
RegistrationID: reg.Id,
Expires: fc.Now().Add(-time.Hour).UnixNano(),
Names: []string{"example.com"},
V2Authorizations: []int64{666},
},
})
test.AssertNotError(t, err, "NewOrder failed")
test.AssertNotError(t, err, "NewOrderAndAuthzs failed")
_, err = sa.GetOrder(context.Background(), &sapb.OrderRequest{
Id: order.Id,
})

8
test/inmem/sa/sa.go
View File

@ -41,10 +41,6 @@ func (sa SA) DeactivateRegistration(ctx context.Context, req *sapb.RegistrationI
return sa.Impl.DeactivateRegistration(ctx, req)
}
func (sa SA) NewAuthorizations2(ctx context.Context, req *sapb.AddPendingAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorization2IDs, error) {
return sa.Impl.NewAuthorizations2(ctx, req)
}
func (sa SA) GetAuthorization2(ctx context.Context, req *sapb.AuthorizationID2, _ ...grpc.CallOption) (*corepb.Authorization, error) {
return sa.Impl.GetAuthorization2(ctx, req)
}
@ -77,10 +73,6 @@ func (sa SA) FinalizeAuthorization2(ctx context.Context, req *sapb.FinalizeAutho
return sa.Impl.FinalizeAuthorization2(ctx, req)
}
func (sa SA) NewOrder(ctx context.Context, req *sapb.NewOrderRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
return sa.Impl.NewOrder(ctx, req)
}
func (sa SA) NewOrderAndAuthzs(ctx context.Context, req *sapb.NewOrderAndAuthzsRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
return sa.Impl.NewOrderAndAuthzs(ctx, req)
}