Integration test for v1 authz reuse when v2 flag is enabled (#4288)
When NewAuthorizationSchema is enabled, we still want v1 authzs to be reusable in new orders. This tests that the reuse code path is implemented correctly. Updates #4241
parent
2a7437af83
commit
df19fd9e58
|
|
@ -161,8 +161,15 @@ def main():
|
||||||
caa_client = None
|
caa_client = None
|
||||||
if not args.skip_setup:
|
if not args.skip_setup:
|
||||||
now = datetime.datetime.utcnow()
|
now = datetime.datetime.utcnow()
|
||||||
|
|
||||||
|
# In CONFIG_NEXT mode, use the basic, non-next config for setup.
|
||||||
|
# This lets us test the transition to authz2.
|
||||||
|
config = default_config_dir
|
||||||
|
if CONFIG_NEXT:
|
||||||
|
config = "test/config"
|
||||||
|
now = datetime.datetime.utcnow()
|
||||||
twenty_days_ago = now+datetime.timedelta(days=-20)
|
twenty_days_ago = now+datetime.timedelta(days=-20)
|
||||||
if not startservers.start(race_detection=True, fakeclock=fakeclock(twenty_days_ago)):
|
if not startservers.start(race_detection=True, fakeclock=fakeclock(twenty_days_ago), config_dir=config):
|
||||||
raise Exception("startservers failed (mocking twenty days ago)")
|
raise Exception("startservers failed (mocking twenty days ago)")
|
||||||
v1_integration.caa_client = caa_client = chisel.make_client()
|
v1_integration.caa_client = caa_client = chisel.make_client()
|
||||||
setup_twenty_days_ago()
|
setup_twenty_days_ago()
|
||||||
|
|
|
||||||
|
|
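Review bot: The added `now = datetime.datetime.utcnow()` directly before `twenty_days_ago = …` repeats the assignment three lines earlier that the hunk keeps as context, so the clock is sampled twice and nothing depends on the second value; drop the added copy, or move the original down so the sample sits next to its use. The comment above the new `config` block explains that setup uses the non-next config, but nothing in the hunk says the stack is restarted with `default_config_dir` afterwards — if that happens outside the hunk, a pointer such as `# Servers are restarted with default_config_dir once the setup phases finish.` would save the next reader the search. `main()` continues beyond the hunk.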
@ -43,7 +43,7 @@ def run(cmd, race_detection, fakeclock):
|
||||||
p.cmd = cmd
|
p.cmd = cmd
|
||||||
return p
|
return p
|
||||||
|
|
||||||
def start(race_detection, fakeclock=None):
|
def start(race_detection, fakeclock=None, config_dir=default_config_dir):
|
||||||
"""Return True if everything builds and starts.
|
"""Return True if everything builds and starts.
|
||||||
|
|
||||||
Give up and return False if anything fails to build, or dies at
|
Give up and return False if anything fails to build, or dies at
|
||||||
|
|
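Review bot: The new `config_dir` parameter on `start()` is not mentioned in the docstring that begins on the next line, so callers have to read the body to learn that it is the directory whose JSON files are passed to every service; add a line such as `config_dir: directory holding the per-service JSON configs (default: default_config_dir).` to the docstring. The docstring and the function body continue outside the hunk.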
@ -63,33 +63,33 @@ def start(race_detection, fakeclock=None):
|
||||||
# before any services that intend to send it RPCs. On shutdown they will be
|
# before any services that intend to send it RPCs. On shutdown they will be
|
||||||
# killed in reverse order.
|
# killed in reverse order.
|
||||||
progs = []
|
progs = []
|
||||||
if default_config_dir.startswith("test/config-next"):
|
if config_dir.startswith("test/config-next"):
|
||||||
# Run the two 'remote' VAs
|
# Run the two 'remote' VAs
|
||||||
progs.extend([
|
progs.extend([
|
||||||
[8011, './bin/boulder-remoteva --config %s' % os.path.join(default_config_dir, "va-remote-a.json")],
|
[8011, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-a.json")],
|
||||||
[8012, './bin/boulder-remoteva --config %s' % os.path.join(default_config_dir, "va-remote-b.json")],
|
[8012, './bin/boulder-remoteva --config %s' % os.path.join(config_dir, "va-remote-b.json")],
|
||||||
])
|
])
|
||||||
progs.extend([
|
progs.extend([
|
||||||
[53, './bin/sd-test-srv --listen :53'], # Service discovery DNS server
|
[53, './bin/sd-test-srv --listen :53'], # Service discovery DNS server
|
||||||
[8003, './bin/boulder-sa --config %s --addr sa1.boulder:9095 --debug-addr :8003' % os.path.join(default_config_dir, "sa.json")],
|
[8003, './bin/boulder-sa --config %s --addr sa1.boulder:9095 --debug-addr :8003' % os.path.join(config_dir, "sa.json")],
|
||||||
[8103, './bin/boulder-sa --config %s --addr sa2.boulder:9095 --debug-addr :8103' % os.path.join(default_config_dir, "sa.json")],
|
[8103, './bin/boulder-sa --config %s --addr sa2.boulder:9095 --debug-addr :8103' % os.path.join(config_dir, "sa.json")],
|
||||||
[4500, './bin/ct-test-srv --config test/ct-test-srv/ct-test-srv.json'],
|
[4500, './bin/ct-test-srv --config test/ct-test-srv/ct-test-srv.json'],
|
||||||
[8009, './bin/boulder-publisher --config %s --addr publisher1.boulder:9091 --debug-addr :8009' % os.path.join(default_config_dir, "publisher.json")],
|
[8009, './bin/boulder-publisher --config %s --addr publisher1.boulder:9091 --debug-addr :8009' % os.path.join(config_dir, "publisher.json")],
|
||||||
[8109, './bin/boulder-publisher --config %s --addr publisher2.boulder:9091 --debug-addr :8109' % os.path.join(default_config_dir, "publisher.json")],
|
[8109, './bin/boulder-publisher --config %s --addr publisher2.boulder:9091 --debug-addr :8109' % os.path.join(config_dir, "publisher.json")],
|
||||||
[9380, './bin/mail-test-srv --closeFirst 5 --cert test/mail-test-srv/localhost/cert.pem --key test/mail-test-srv/localhost/key.pem'],
|
[9380, './bin/mail-test-srv --closeFirst 5 --cert test/mail-test-srv/localhost/cert.pem --key test/mail-test-srv/localhost/key.pem'],
|
||||||
[8005, './bin/ocsp-responder --config %s' % os.path.join(default_config_dir, "ocsp-responder.json")],
|
[8005, './bin/ocsp-responder --config %s' % os.path.join(config_dir, "ocsp-responder.json")],
|
||||||
[8004, './bin/boulder-va --config %s --addr va1.boulder:9092 --debug-addr :8004' % os.path.join(default_config_dir, "va.json")],
|
[8004, './bin/boulder-va --config %s --addr va1.boulder:9092 --debug-addr :8004' % os.path.join(config_dir, "va.json")],
|
||||||
[8104, './bin/boulder-va --config %s --addr va2.boulder:9092 --debug-addr :8104' % os.path.join(default_config_dir, "va.json")],
|
[8104, './bin/boulder-va --config %s --addr va2.boulder:9092 --debug-addr :8104' % os.path.join(config_dir, "va.json")],
|
||||||
[8001, './bin/boulder-ca --config %s --ca-addr ca1.boulder:9093 --ocsp-addr ca1.boulder:9096 --debug-addr :8001' % os.path.join(default_config_dir, "ca-a.json")],
|
[8001, './bin/boulder-ca --config %s --ca-addr ca1.boulder:9093 --ocsp-addr ca1.boulder:9096 --debug-addr :8001' % os.path.join(config_dir, "ca-a.json")],
|
||||||
[8101, './bin/boulder-ca --config %s --ca-addr ca2.boulder:9093 --ocsp-addr ca2.boulder:9096 --debug-addr :8101' % os.path.join(default_config_dir, "ca-b.json")],
|
[8101, './bin/boulder-ca --config %s --ca-addr ca2.boulder:9093 --ocsp-addr ca2.boulder:9096 --debug-addr :8101' % os.path.join(config_dir, "ca-b.json")],
|
||||||
[6789, './bin/akamai-test-srv --listen localhost:6789 --secret its-a-secret'],
|
[6789, './bin/akamai-test-srv --listen localhost:6789 --secret its-a-secret'],
|
||||||
[9666, './bin/akamai-purger --config %s' % os.path.join(default_config_dir, "akamai-purger.json")],
|
[9666, './bin/akamai-purger --config %s' % os.path.join(config_dir, "akamai-purger.json")],
|
||||||
[8006, './bin/ocsp-updater --config %s' % os.path.join(default_config_dir, "ocsp-updater.json")],
|
[8006, './bin/ocsp-updater --config %s' % os.path.join(config_dir, "ocsp-updater.json")],
|
||||||
[8002, './bin/boulder-ra --config %s --addr ra1.boulder:9094 --debug-addr :8002' % os.path.join(default_config_dir, "ra.json")],
|
[8002, './bin/boulder-ra --config %s --addr ra1.boulder:9094 --debug-addr :8002' % os.path.join(config_dir, "ra.json")],
|
||||||
[8102, './bin/boulder-ra --config %s --addr ra2.boulder:9094 --debug-addr :8102' % os.path.join(default_config_dir, "ra.json")],
|
[8102, './bin/boulder-ra --config %s --addr ra2.boulder:9094 --debug-addr :8102' % os.path.join(config_dir, "ra.json")],
|
||||||
[8111, './bin/nonce-service --config %s' % os.path.join(default_config_dir, "nonce.json")],
|
[8111, './bin/nonce-service --config %s' % os.path.join(config_dir, "nonce.json")],
|
||||||
[4431, './bin/boulder-wfe2 --config %s' % os.path.join(default_config_dir, "wfe2.json")],
|
[4431, './bin/boulder-wfe2 --config %s' % os.path.join(config_dir, "wfe2.json")],
|
||||||
[4000, './bin/boulder-wfe --config %s' % os.path.join(default_config_dir, "wfe.json")],
|
[4000, './bin/boulder-wfe --config %s' % os.path.join(config_dir, "wfe.json")],
|
||||||
])
|
])
|
||||||
for (port, prog) in progs:
|
for (port, prog) in progs:
|
||||||
try:
|
try:
|
||||||
|
|
|
||||||
|
|
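Review bot: `config_dir.startswith("test/config-next")` now decides whether the two remote VAs are launched based on the literal spelling of a path supplied by the caller; `default_config_dir` presumably always had that spelling, but a caller passing a normalized or absolute form (`./test/config-next`, an absolute path) would silently skip the remote VAs while every other service still reads its config from that directory. Comparing the normalized basename, `os.path.basename(os.path.normpath(config_dir)) == "config-next"`, is robust to both spellings. Separately, `config_dir` is interpolated into the command strings handed to `run()`; whether those go through a shell is not visible here, and the value comes from test code, but a short comment stating that `config_dir` is trusted would make the assumption explicit. The `start()` body continues outside the hunk.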
@ -875,6 +875,39 @@ def test_http2_http01_challenge():
|
||||||
server.server_close()
|
server.server_close()
|
||||||
thread.join()
|
thread.join()
|
||||||
|
|
||||||
|
z1_reuse_client = None
|
||||||
|
z1_reuse_authzs = []
|
||||||
|
@register_twenty_days_ago
|
||||||
|
def z1_reuse_setup():
|
||||||
|
"""Runs during "setup_twenty_days_ago" phase."""
|
||||||
|
global z1_reuse_client
|
||||||
|
global z1_reuse_authzs
|
||||||
|
z1_reuse_client = chisel2.make_client()
|
||||||
|
order = chisel2.auth_and_issue([random_domain(), random_domain()], client=z1_reuse_client)
|
||||||
|
for a in order.authorizations:
|
||||||
|
z1_reuse_authzs.append(a)
|
||||||
|
|
||||||
|
def test_z1_reuse():
|
||||||
|
"""Test that authzv1's get reused alongside authzv2's once the
|
||||||
|
NewAuthorizationSchema flag is turned on.
|
||||||
|
This relies on the fact that when CONFIG_NEXT is true, the n_days_ago
|
||||||
|
setup phases get run with `test/config` rather than `test/config-next`.
|
||||||
|
"""
|
||||||
|
if not CONFIG_NEXT:
|
||||||
|
return
|
||||||
|
reuse_domains = []
|
||||||
|
authz_uris = set()
|
||||||
|
for a in z1_reuse_authzs:
|
||||||
|
authz_uris.add(a.uri)
|
||||||
|
reuse_domains.append(a.body.identifier.value)
|
||||||
|
new_domains = [random_domain(), random_domain()]
|
||||||
|
order = chisel2.auth_and_issue(reuse_domains + new_domains, client=z1_reuse_client)
|
||||||
|
for a in order.authorizations:
|
||||||
|
if a.uri in authz_uris:
|
||||||
|
authz_uris.remove(a.uri)
|
||||||
|
if len(authz_uris) != 0:
|
||||||
|
raise Exception("Failed to reuse all authzs. Remaining: %s" % authz_uris)
|
||||||
|
|
||||||
def test_new_order_policy_errs():
|
def test_new_order_policy_errs():
|
||||||
"""
|
"""
|
||||||
Test that creating an order with policy blocked identifiers returns
|
Test that creating an order with policy blocked identifiers returns
|
||||||
|
|
|
||||||
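Review bot: `test_z1_reuse` passes vacuously when `z1_reuse_authzs` is empty — `authz_uris` stays empty, the order is placed for `new_domains` only, and the final length check never fires; hunk 1 shows `setup_twenty_days_ago()` runs only when `args.skip_setup` is false, so a run with setup skipped would report success without exercising reuse at all. A guard after the `CONFIG_NEXT` early return, `if not z1_reuse_authzs: raise Exception("z1_reuse_setup did not record any authzs")`, turns that into a failure. The test also never confirms that the two `new_domains` received fresh authorizations; assuming one authorization per identifier, `if len(order.authorizations) != len(reuse_domains) + len(new_domains): raise Exception("unexpected authz count")` would pin that. As a style point, the remove-loop plus `len(authz_uris) != 0` collapses to one set difference, `remaining = authz_uris - {a.uri for a in order.authorizations}`, with the raise keyed on `remaining`.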