letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Integration test for v1 authz reuse when v2 flag is enabled (#4288) 

When NewAuthorizationSchema is enabled, we still want v1 authzs to be reusable in
new orders. This tests that that code is implemented correctly.

Updates #4241
This commit is contained in:
Jacob Hoffman-Andrews 2019-06-25 10:50:58 -07:00 committed by GitHub
parent 2a7437af83
commit df19fd9e58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 61 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
test/integration-test.py
View File

@ -161,8 +161,15 @@ def main():
caa_client = None
if not args.skip_setup:
now = datetime.datetime.utcnow()
# In CONFIG_NEXT mode, use the basic, non-next config for setup.
# This lets us test the transition to authz2.
config = default_config_dir
if CONFIG_NEXT:
config = "test/config"
now = datetime.datetime.utcnow()
twenty_days_ago = now+datetime.timedelta(days=-20)
if not startservers.start(race_detection=True, fakeclock=fakeclock(twenty_days_ago)):
if not startservers.start(race_detection=True, fakeclock=fakeclock(twenty_days_ago), config_dir=config):
raise Exception("startservers failed (mocking twenty days ago)")
v1_integration.caa_client = caa_client = chisel.make_client()
setup_twenty_days_ago()

40
test/startservers.py
View File

@ -43,7 +43,7 @@ def run(cmd, race_detection, fakeclock):
p.cmd = cmd
return p
def start(race_detection, fakeclock=None):
def start(race_detection, fakeclock=None, config_dir=default_config_dir):
"""Return True if everything builds and starts.
Give up and return False if anything fails to build, or dies at
@ -63,33 +63,33 @@ def start(race_detection, fakeclock=None):
# before any services that intend to send it RPCs. On shutdown they will be
# killed in reverse order.
progs = []
if default_config_dir.startswith("test/config-next"):
if config_dir.startswith("test/config-next"):
# Run the two 'remote' VAs
progs.extend([
[8011, './bin/boulder-remoteva --config %s' % os.path.join(default_config_dir, "va-remote-a.json")],
[8012, './bin/boulder-remoteva --config %s' % os.path.join(default_config_dir, "va-remote-b.json")],
[8011, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-a.json")],
[8012, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-b.json")],
])
progs.extend([
[53, './bin/sd-test-srv --listen :53'], # Service discovery DNS server
[8003, './bin/boulder-sa --config %s --addr sa1.boulder:9095 --debug-addr :8003' % os.path.join(default_config_dir, "sa.json")],
[8103, './bin/boulder-sa --config %s --addr sa2.boulder:9095 --debug-addr :8103' % os.path.join(default_config_dir, "sa.json")],
[8003, './bin/boulder-sa --config %s --addr sa1.boulder:9095 --debug-addr :8003' % os.path.join(config_dir, "sa.json")],
[8103, './bin/boulder-sa --config %s --addr sa2.boulder:9095 --debug-addr :8103' % os.path.join(config_dir, "sa.json")],
[4500, './bin/ct-test-srv --config test/ct-test-srv/ct-test-srv.json'],
[8009, './bin/boulder-publisher --config %s --addr publisher1.boulder:9091 --debug-addr :8009' % os.path.join(default_config_dir, "publisher.json")],
[8109, './bin/boulder-publisher --config %s --addr publisher2.boulder:9091 --debug-addr :8109' % os.path.join(default_config_dir, "publisher.json")],
[8009, './bin/boulder-publisher --config %s --addr publisher1.boulder:9091 --debug-addr :8009' % os.path.join(config_dir, "publisher.json")],
[8109, './bin/boulder-publisher --config %s --addr publisher2.boulder:9091 --debug-addr :8109' % os.path.join(config_dir, "publisher.json")],
[9380, './bin/mail-test-srv --closeFirst 5 --cert test/mail-test-srv/localhost/cert.pem --key test/mail-test-srv/localhost/key.pem'],
[8005, './bin/ocsp-responder --config %s' % os.path.join(default_config_dir, "ocsp-responder.json")],
[8004, './bin/boulder-va --config %s --addr va1.boulder:9092 --debug-addr :8004' % os.path.join(default_config_dir, "va.json")],
[8104, './bin/boulder-va --config %s --addr va2.boulder:9092 --debug-addr :8104' % os.path.join(default_config_dir, "va.json")],
[8001, './bin/boulder-ca --config %s --ca-addr ca1.boulder:9093 --ocsp-addr ca1.boulder:9096 --debug-addr :8001' % os.path.join(default_config_dir, "ca-a.json")],
[8101, './bin/boulder-ca --config %s --ca-addr ca2.boulder:9093 --ocsp-addr ca2.boulder:9096 --debug-addr :8101' % os.path.join(default_config_dir, "ca-b.json")],
[8005, './bin/ocsp-responder --config %s' % os.path.join(config_dir, "ocsp-responder.json")],
[8004, './bin/boulder-va --config %s --addr va1.boulder:9092 --debug-addr :8004' % os.path.join(config_dir, "va.json")],
[8104, './bin/boulder-va --config %s --addr va2.boulder:9092 --debug-addr :8104' % os.path.join(config_dir, "va.json")],
[8001, './bin/boulder-ca --config %s --ca-addr ca1.boulder:9093 --ocsp-addr ca1.boulder:9096 --debug-addr :8001' % os.path.join(config_dir, "ca-a.json")],
[8101, './bin/boulder-ca --config %s --ca-addr ca2.boulder:9093 --ocsp-addr ca2.boulder:9096 --debug-addr :8101' % os.path.join(config_dir, "ca-b.json")],
[6789, './bin/akamai-test-srv --listen localhost:6789 --secret its-a-secret'],
[9666, './bin/akamai-purger --config %s' % os.path.join(default_config_dir, "akamai-purger.json")],
[8006, './bin/ocsp-updater --config %s' % os.path.join(default_config_dir, "ocsp-updater.json")],
[8002, './bin/boulder-ra --config %s --addr ra1.boulder:9094 --debug-addr :8002' % os.path.join(default_config_dir, "ra.json")],
[8102, './bin/boulder-ra --config %s --addr ra2.boulder:9094 --debug-addr :8102' % os.path.join(default_config_dir, "ra.json")],
[8111, './bin/nonce-service --config %s' % os.path.join(default_config_dir, "nonce.json")],
[4431, './bin/boulder-wfe2 --config %s' % os.path.join(default_config_dir, "wfe2.json")],
[4000, './bin/boulder-wfe --config %s' % os.path.join(default_config_dir, "wfe.json")],
[9666, './bin/akamai-purger --config %s' % os.path.join(config_dir, "akamai-purger.json")],
[8006, './bin/ocsp-updater --config %s' % os.path.join(config_dir, "ocsp-updater.json")],
[8002, './bin/boulder-ra --config %s --addr ra1.boulder:9094 --debug-addr :8002' % os.path.join(config_dir, "ra.json")],
[8102, './bin/boulder-ra --config %s --addr ra2.boulder:9094 --debug-addr :8102' % os.path.join(config_dir, "ra.json")],
[8111, './bin/nonce-service --config %s' % os.path.join(config_dir, "nonce.json")],
[4431, './bin/boulder-wfe2 --config %s' % os.path.join(config_dir, "wfe2.json")],
[4000, './bin/boulder-wfe --config %s' % os.path.join(config_dir, "wfe.json")],
])
for (port, prog) in progs:
try:

33
test/v2_integration.py
View File

@ -875,6 +875,39 @@ def test_http2_http01_challenge():
server.server_close()
thread.join()
z1_reuse_client = None
z1_reuse_authzs = []
@register_twenty_days_ago
def z1_reuse_setup():
"""Runs during "setup_twenty_days_ago" phase."""
global z1_reuse_client
global z1_reuse_authzs
z1_reuse_client = chisel2.make_client()
order = chisel2.auth_and_issue([random_domain(), random_domain()], client=z1_reuse_client)
for a in order.authorizations:
z1_reuse_authzs.append(a)
def test_z1_reuse():
"""Test that authzv1's get reused alongside authzv2's once the
NewAuthorizationSchema flag is turned on.
This relies on the fact that when CONFIG_NEXT is true, the n_days_ago
setup phases get run with `test/config` rather than `test/config-next`.
"""
if not CONFIG_NEXT:
return
reuse_domains = []
authz_uris = set()
for a in z1_reuse_authzs:
authz_uris.add(a.uri)
reuse_domains.append(a.body.identifier.value)
new_domains = [random_domain(), random_domain()]
order = chisel2.auth_and_issue(reuse_domains + new_domains, client=z1_reuse_client)
for a in order.authorizations:
if a.uri in authz_uris:
authz_uris.remove(a.uri)
if len(authz_uris) != 0:
raise Exception("Failed to reuse all authzs. Remaining: %s" % authz_uris)
def test_new_order_policy_errs():
"""
Test that creating an order with policy blocked identifiers returns