From df19fd9e58e39ed25c08684e58be9e9b28326b9b Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Tue, 25 Jun 2019 10:50:58 -0700 Subject: [PATCH] Integration test for v1 authz reuse when v2 flag is enabled (#4288) When NewAuthorizationSchema is enabled, we still want v1 authzs to be reusable in new orders. This tests that that code is implemented correctly. Updates #4241 --- test/integration-test.py | 9 ++++++++- test/startservers.py | 40 ++++++++++++++++++++-------------------- test/v2_integration.py | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+), 21 deletions(-) diff --git a/test/integration-test.py b/test/integration-test.py index ee011093c..973ba6b93 100644 --- a/test/integration-test.py +++ b/test/integration-test.py @@ -161,8 +161,15 @@ def main(): caa_client = None if not args.skip_setup: now = datetime.datetime.utcnow() + + # In CONFIG_NEXT mode, use the basic, non-next config for setup. + # This lets us test the transition to authz2. + config = default_config_dir + if CONFIG_NEXT: + config = "test/config" + now = datetime.datetime.utcnow() twenty_days_ago = now+datetime.timedelta(days=-20) - if not startservers.start(race_detection=True, fakeclock=fakeclock(twenty_days_ago)): + if not startservers.start(race_detection=True, fakeclock=fakeclock(twenty_days_ago), config_dir=config): raise Exception("startservers failed (mocking twenty days ago)") v1_integration.caa_client = caa_client = chisel.make_client() setup_twenty_days_ago() diff --git a/test/startservers.py b/test/startservers.py index a61b9f917..e7998f8b6 100644 --- a/test/startservers.py +++ b/test/startservers.py @@ -43,7 +43,7 @@ def run(cmd, race_detection, fakeclock): p.cmd = cmd return p -def start(race_detection, fakeclock=None): +def start(race_detection, fakeclock=None, config_dir=default_config_dir): """Return True if everything builds and starts. Give up and return False if anything fails to build, or dies at 
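Review bot: The added `now = datetime.datetime.utcnow()` duplicates the unchanged assignment that sits just above the new comment block in `main()`, so `now` is computed twice before `twenty_days_ago` is derived; one of the two can be dropped. The selection itself can be written in one line as `config = "test/config" if CONFIG_NEXT else default_config_dir`. The comment says the basic config is used "for setup", but only the twenty-days-ago `startservers.start` call is visible here; `main()` continues outside the hunk, so whether any other setup phase also needs `config_dir=config` should be confirmed.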
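Review bot: The docstring of `start()` is not updated for the new `config_dir` parameter, although every service command line now depends on it. I would add one line such as `config_dir: directory the per-service JSON configs are read from (defaults to default_config_dir).` The default is bound once, when `startservers` is imported, so a later reassignment of `default_config_dir` would not be picked up; that is probably intended but worth stating. The body of `start()` continues outside this hunk.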
@@ -63,33 +63,33 @@ def start(race_detection, fakeclock=None): # before any services that intend to send it RPCs. On shutdown they will be # killed in reverse order. progs = [] - if default_config_dir.startswith("test/config-next"): + if config_dir.startswith("test/config-next"): # Run the two 'remote' VAs progs.extend([ - [8011, './bin/boulder-remoteva --config %s' % os.path.join(default_config_dir, "va-remote-a.json")], - [8012, './bin/boulder-remoteva --config %s' % os.path.join(default_config_dir, "va-remote-b.json")], + [8011, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-a.json")], + [8012, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-b.json")], ]) progs.extend([ [53, './bin/sd-test-srv --listen :53'], # Service discovery DNS server - [8003, './bin/boulder-sa --config %s --addr sa1.boulder:9095 --debug-addr :8003' % os.path.join(default_config_dir, "sa.json")], - [8103, './bin/boulder-sa --config %s --addr sa2.boulder:9095 --debug-addr :8103' % os.path.join(default_config_dir, "sa.json")], + [8003, './bin/boulder-sa --config %s --addr sa1.boulder:9095 --debug-addr :8003' % os.path.join(config_dir, "sa.json")], + [8103, './bin/boulder-sa --config %s --addr sa2.boulder:9095 --debug-addr :8103' % os.path.join(config_dir, "sa.json")], [4500, './bin/ct-test-srv --config test/ct-test-srv/ct-test-srv.json'], - [8009, './bin/boulder-publisher --config %s --addr publisher1.boulder:9091 --debug-addr :8009' % os.path.join(default_config_dir, "publisher.json")], - [8109, './bin/boulder-publisher --config %s --addr publisher2.boulder:9091 --debug-addr :8109' % os.path.join(default_config_dir, "publisher.json")], + [8009, './bin/boulder-publisher --config %s --addr publisher1.boulder:9091 --debug-addr :8009' % os.path.join(config_dir, "publisher.json")], + [8109, './bin/boulder-publisher --config %s --addr publisher2.boulder:9091 --debug-addr :8109' % os.path.join(config_dir, "publisher.json")], [9380, 
'./bin/mail-test-srv --closeFirst 5 --cert test/mail-test-srv/localhost/cert.pem --key test/mail-test-srv/localhost/key.pem'], - [8005, './bin/ocsp-responder --config %s' % os.path.join(default_config_dir, "ocsp-responder.json")], - [8004, './bin/boulder-va --config %s --addr va1.boulder:9092 --debug-addr :8004' % os.path.join(default_config_dir, "va.json")], - [8104, './bin/boulder-va --config %s --addr va2.boulder:9092 --debug-addr :8104' % os.path.join(default_config_dir, "va.json")], - [8001, './bin/boulder-ca --config %s --ca-addr ca1.boulder:9093 --ocsp-addr ca1.boulder:9096 --debug-addr :8001' % os.path.join(default_config_dir, "ca-a.json")], - [8101, './bin/boulder-ca --config %s --ca-addr ca2.boulder:9093 --ocsp-addr ca2.boulder:9096 --debug-addr :8101' % os.path.join(default_config_dir, "ca-b.json")], + [8005, './bin/ocsp-responder --config %s' % os.path.join(config_dir, "ocsp-responder.json")], + [8004, './bin/boulder-va --config %s --addr va1.boulder:9092 --debug-addr :8004' % os.path.join(config_dir, "va.json")], + [8104, './bin/boulder-va --config %s --addr va2.boulder:9092 --debug-addr :8104' % os.path.join(config_dir, "va.json")], + [8001, './bin/boulder-ca --config %s --ca-addr ca1.boulder:9093 --ocsp-addr ca1.boulder:9096 --debug-addr :8001' % os.path.join(config_dir, "ca-a.json")], + [8101, './bin/boulder-ca --config %s --ca-addr ca2.boulder:9093 --ocsp-addr ca2.boulder:9096 --debug-addr :8101' % os.path.join(config_dir, "ca-b.json")], [6789, './bin/akamai-test-srv --listen localhost:6789 --secret its-a-secret'], - [9666, './bin/akamai-purger --config %s' % os.path.join(default_config_dir, "akamai-purger.json")], - [8006, './bin/ocsp-updater --config %s' % os.path.join(default_config_dir, "ocsp-updater.json")], - [8002, './bin/boulder-ra --config %s --addr ra1.boulder:9094 --debug-addr :8002' % os.path.join(default_config_dir, "ra.json")], - [8102, './bin/boulder-ra --config %s --addr ra2.boulder:9094 --debug-addr :8102' % 
os.path.join(default_config_dir, "ra.json")], - [8111, './bin/nonce-service --config %s' % os.path.join(default_config_dir, "nonce.json")], - [4431, './bin/boulder-wfe2 --config %s' % os.path.join(default_config_dir, "wfe2.json")], - [4000, './bin/boulder-wfe --config %s' % os.path.join(default_config_dir, "wfe.json")], + [9666, './bin/akamai-purger --config %s' % os.path.join(config_dir, "akamai-purger.json")], + [8006, './bin/ocsp-updater --config %s' % os.path.join(config_dir, "ocsp-updater.json")], + [8002, './bin/boulder-ra --config %s --addr ra1.boulder:9094 --debug-addr :8002' % os.path.join(config_dir, "ra.json")], + [8102, './bin/boulder-ra --config %s --addr ra2.boulder:9094 --debug-addr :8102' % os.path.join(config_dir, "ra.json")], + [8111, './bin/nonce-service --config %s' % os.path.join(config_dir, "nonce.json")], + [4431, './bin/boulder-wfe2 --config %s' % os.path.join(config_dir, "wfe2.json")], + [4000, './bin/boulder-wfe --config %s' % os.path.join(config_dir, "wfe.json")], ]) for (port, prog) in progs: try: diff --git a/test/v2_integration.py b/test/v2_integration.py index c3013e6c0..b81d83d95 100644 --- a/test/v2_integration.py +++ b/test/v2_integration.py 
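Review bot: `config_dir.startswith("test/config-next")` now tests a caller-supplied argument, so an equivalent spelling such as `./test/config-next` or an absolute path would start the stack without the two remote VAs and without any error. Normalising before the comparison, `if os.path.normpath(config_dir).startswith("test/config-next"):`, covers the relative spellings; an absolute path would still have to be passed in its relative form. The rest of the hunk is a mechanical substitution of `config_dir` for `default_config_dir`, and the loop over `progs` continues outside it.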
@@ -875,6 +875,39 @@ def test_http2_http01_challenge(): server.server_close() thread.join() +z1_reuse_client = None +z1_reuse_authzs = [] +@register_twenty_days_ago +def z1_reuse_setup(): + """Runs during "setup_twenty_days_ago" phase.""" + global z1_reuse_client + global z1_reuse_authzs + z1_reuse_client = chisel2.make_client() + order = chisel2.auth_and_issue([random_domain(), random_domain()], client=z1_reuse_client) + for a in order.authorizations: + z1_reuse_authzs.append(a) + +def test_z1_reuse(): + """Test that authzv1's get reused alongside authzv2's once the + NewAuthorizationSchema flag is turned on. + This relies on the fact that when CONFIG_NEXT is true, the n_days_ago + setup phases get run with `test/config` rather than `test/config-next`. + """ + if not CONFIG_NEXT: + return + reuse_domains = [] + authz_uris = set() + for a in z1_reuse_authzs: + authz_uris.add(a.uri) + reuse_domains.append(a.body.identifier.value) + new_domains = [random_domain(), random_domain()] + order = chisel2.auth_and_issue(reuse_domains + new_domains, client=z1_reuse_client) + for a in order.authorizations: + if a.uri in authz_uris: + authz_uris.remove(a.uri) + if len(authz_uris) != 0: + raise Exception("Failed to reuse all authzs. Remaining: %s" % authz_uris) + def test_new_order_policy_errs(): """ Test that creating an order with policy blocked identifiers returns
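Review bot: `test_z1_reuse` passes without checking anything when `z1_reuse_authzs` is empty, because `authz_uris` then starts empty and the final length check cannot fail. That is the state whenever `z1_reuse_setup` did not run or its order carried no authorizations (the `skip_setup` branch in `integration-test.py` looks like one such case), and `z1_reuse_client` is still `None` then, so a regression in v1 authz reuse would go unnoticed. A guard right after the `CONFIG_NEXT` check makes the gap visible: `if not z1_reuse_authzs: raise Exception("z1_reuse_setup did not run; nothing to check for reuse")`. As a style point, `global z1_reuse_authzs` is unnecessary since the list is only mutated, and the removal loop can be written `authz_uris -= {a.uri for a in order.authorizations}`.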