Use a map and set defaults

2015-11-07 12:39:57 -05:00 · 2015-11-07 12:39:57 -05:00 · f61183e144
parent 1f8b60979b
commit f61183e144
9 changed files with 90 additions and 50 deletions
--- a/cmd/boulder-ca/main.go
+++ b/cmd/boulder-ca/main.go
@ -36,7 +36,7 @@ func main() {

 		paDbMap, err := sa.NewDbMap(c.PA.DBConnect)
 		cmd.FailOnError(err, "Couldn't connect to policy database")
-		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist, c.PA.SupportedChallenges())
+		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist, c.PA.Challenges)
 		cmd.FailOnError(err, "Couldn't create PA")

 		cai, err := ca.NewCertificateAuthorityImpl(c.CA, clock.Default(), stats, c.Common.IssuerCert)
--- a/cmd/boulder-ra/main.go
+++ b/cmd/boulder-ra/main.go
@ -40,7 +40,7 @@ func main() {

 		paDbMap, err := sa.NewDbMap(c.PA.DBConnect)
 		cmd.FailOnError(err, "Couldn't connect to policy database")
-		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist, c.PA.SupportedChallenges())
+		pa, err := policy.NewPolicyAuthorityImpl(paDbMap, c.PA.EnforcePolicyWhitelist, c.PA.Challenges)
 		cmd.FailOnError(err, "Couldn't create PA")

 		rateLimitPolicies, err := cmd.LoadRateLimitPolicies(c.RA.RateLimitPoliciesFilename)
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@ -250,7 +250,7 @@ func main() {
 		paDbMap, err := sa.NewDbMap(c.PA.DBConnect)
 		cmd.FailOnError(err, "Could not connect to policy database")

-		checker := newChecker(saDbMap, paDbMap, clock.Default(), c.PA.EnforcePolicyWhitelist, c.PA.SupportedChallenges())
+		checker := newChecker(saDbMap, paDbMap, clock.Default(), c.PA.EnforcePolicyWhitelist, c.PA.Challenges)
 		auditlogger.Info("# Getting certificates issued in the last 90 days")

 		// Since we grab certificates in batches we don't want this to block, when it
--- a/cmd/shell.go
+++ b/cmd/shell.go
@ -265,36 +265,42 @@ type CAConfig struct {
 type PAConfig struct {
 	DBConnect              string
 	EnforcePolicyWhitelist bool
-
-	EnableSimpleHTTP bool // TODO(#894) Remove this line
-	EnableDVSNI      bool // TODO(#894) Remove this line
-	EnableHTTP01     bool
-	EnableTLSSNI01   bool
-	EnableDNS01      bool
+	Challenges             map[string]bool
 }

-// SupportedChallenges returns the set of challenges supported by the
-// configuration, as a map[string]bool.
-func (pa PAConfig) SupportedChallenges() map[string]bool {
-	challenges := map[string]bool{}
-
-	if pa.EnableSimpleHTTP {
-		challenges[core.ChallengeTypeSimpleHTTP] = true
-	}
-	if pa.EnableDVSNI {
-		challenges[core.ChallengeTypeDVSNI] = true
-	}
-	if pa.EnableHTTP01 {
-		challenges[core.ChallengeTypeHTTP01] = true
-	}
-	if pa.EnableTLSSNI01 {
-		challenges[core.ChallengeTypeTLSSNI01] = true
-	}
-	if pa.EnableDNS01 {
-		challenges[core.ChallengeTypeDNS01] = true
+// UnmarshalJSON is really actually vanilla, but with some validity checks and
+// default setting added
+func (pc *PAConfig) UnmarshalJSON(b []byte) error {
+	raw := struct {
+		DBConnect              string
+		EnforcePolicyWhitelist bool
+		Challenges             map[string]bool
+	}{}
+	err := json.Unmarshal(b, &raw)
+	if err != nil {
+		return err
 	}

-	return challenges
+	// Set a default list of challenges if non are provided
+	if len(raw.Challenges) == 0 {
+		raw.Challenges = map[string]bool{}
+		raw.Challenges[core.ChallengeTypeSimpleHTTP] = true
+		raw.Challenges[core.ChallengeTypeDVSNI] = true
+		raw.Challenges[core.ChallengeTypeHTTP01] = true
+		raw.Challenges[core.ChallengeTypeTLSSNI01] = true
+	}
+
+	// Check that the entries in the challenges map are valid
+	for name := range raw.Challenges {
+		if !core.ValidChallenge(name) {
+			return fmt.Errorf("Invalid challenge in PA config: %s", name)
+		}
+	}
+
+	pc.DBConnect = raw.DBConnect
+	pc.EnforcePolicyWhitelist = raw.EnforcePolicyWhitelist
+	pc.Challenges = raw.Challenges
+	return nil
 }

 // KeyConfig should contain either a File path to a PEM-format private key,
--- a/core/core_test.go
+++ b/core/core_test.go
@ -15,6 +15,7 @@ import (
 	"time"

 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
+	"github.com/letsencrypt/boulder/test"
 )

 // challenges.go
@ -56,6 +57,15 @@ func TestChallenges(t *testing.T) {
 	if !dns01.IsSane(false) {
 		t.Errorf("New dns-01 challenge is not sane: %v", dns01)
 	}
+
+	// TODO(#894): Remove these lines
+	test.Assert(t, ValidChallenge(ChallengeTypeSimpleHTTP), "Refused valid challenge")
+	test.Assert(t, ValidChallenge(ChallengeTypeDVSNI), "Refused valid challenge")
+
+	test.Assert(t, ValidChallenge(ChallengeTypeHTTP01), "Refused valid challenge")
+	test.Assert(t, ValidChallenge(ChallengeTypeTLSSNI01), "Refused valid challenge")
+	test.Assert(t, ValidChallenge(ChallengeTypeDNS01), "Refused valid challenge")
+	test.Assert(t, !ValidChallenge("nonsense-71"), "Accepted invalid challenge")
 }

 // objects.go
--- a/core/objects.go
+++ b/core/objects.go
@ -97,6 +97,27 @@ const (
 	ChallengeTypeDNS01      = "dns-01"
 )

+// ValidChallenge tests whether the provided string names a known challenge
+func ValidChallenge(name string) bool {
+	switch name {
+	// TODO(#894): Delete these lines
+	case ChallengeTypeSimpleHTTP:
+		fallthrough
+	case ChallengeTypeDVSNI:
+		fallthrough
+
+	case ChallengeTypeHTTP01:
+		fallthrough
+	case ChallengeTypeTLSSNI01:
+		fallthrough
+	case ChallengeTypeDNS01:
+		return true
+
+	default:
+		return false
+	}
+}
+
 // TLSSNISuffix is appended to pseudo-domain names in DVSNI challenges
 const TLSSNISuffix = "acme.invalid"

--- a/policy/policy-authority.go
+++ b/policy/policy-authority.go
@ -23,8 +23,8 @@ type PolicyAuthorityImpl struct {
 	log *blog.AuditLogger
 	DB  *PolicyAuthorityDatabaseImpl

-	EnforceWhitelist    bool
-	supportedChallenges map[string]bool
+	EnforceWhitelist  bool
+	enabledChallenges map[string]bool
 }

 // NewPolicyAuthorityImpl constructs a Policy Authority.
@ -37,11 +37,12 @@ func NewPolicyAuthorityImpl(dbMap *gorp.DbMap, enforceWhitelist bool, challengeT
 	if err != nil {
 		return nil, err
 	}
+
 	pa := PolicyAuthorityImpl{
-		log:                 logger,
-		DB:                  padb,
-		EnforceWhitelist:    enforceWhitelist,
-		supportedChallenges: challengeTypes,
+		log:               logger,
+		DB:                padb,
+		EnforceWhitelist:  enforceWhitelist,
+		enabledChallenges: challengeTypes,
 	}

 	return &pa, nil
@ -210,24 +211,24 @@ func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, acco
 	combinations = [][]int{}

 	// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
-	if pa.supportedChallenges[core.ChallengeTypeSimpleHTTP] {
+	if pa.enabledChallenges[core.ChallengeTypeSimpleHTTP] {
 		challenges = append(challenges, core.SimpleHTTPChallenge(accountKey))
 	}

 	// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
-	if pa.supportedChallenges[core.ChallengeTypeDVSNI] {
+	if pa.enabledChallenges[core.ChallengeTypeDVSNI] {
 		challenges = append(challenges, core.DvsniChallenge(accountKey))
 	}

-	if pa.supportedChallenges[core.ChallengeTypeHTTP01] {
+	if pa.enabledChallenges[core.ChallengeTypeHTTP01] {
 		challenges = append(challenges, core.HTTPChallenge01(accountKey))
 	}

-	if pa.supportedChallenges[core.ChallengeTypeTLSSNI01] {
+	if pa.enabledChallenges[core.ChallengeTypeTLSSNI01] {
 		challenges = append(challenges, core.TLSSNIChallenge01(accountKey))
 	}

-	if pa.supportedChallenges[core.ChallengeTypeDNS01] {
+	if pa.enabledChallenges[core.ChallengeTypeDNS01] {
 		challenges = append(challenges, core.DNSChallenge01(accountKey))
 	}

--- a/policy/policy-authority_test.go
+++ b/policy/policy-authority_test.go
@ -21,7 +21,7 @@ import (

 var log = mocks.UseMockLog()

-var supportedChallenges = map[string]bool{
+var enabledChallenges = map[string]bool{
 	core.ChallengeTypeSimpleHTTP: true,
 	core.ChallengeTypeDVSNI:      true,
 	core.ChallengeTypeHTTP01:     true,
@ -31,7 +31,7 @@ var supportedChallenges = map[string]bool{

 func paImpl(t *testing.T) (*PolicyAuthorityImpl, func()) {
 	dbMap, cleanUp := paDBMap(t)
-	pa, err := NewPolicyAuthorityImpl(dbMap, false, supportedChallenges)
+	pa, err := NewPolicyAuthorityImpl(dbMap, false, enabledChallenges)
 	if err != nil {
 		cleanUp()
 		t.Fatalf("Couldn't create policy implementation: %s", err)
@ -215,10 +215,10 @@ func TestChallengesFor(t *testing.T) {
 		t.Errorf("Error generating challenges: %v", err)
 	}

-	test.Assert(t, len(challenges) == len(supportedChallenges), "Wrong number of challenges returned")
-	test.Assert(t, len(combinations) == len(supportedChallenges), "Wrong number of combinations returned")
+	test.Assert(t, len(challenges) == len(enabledChallenges), "Wrong number of challenges returned")
+	test.Assert(t, len(combinations) == len(enabledChallenges), "Wrong number of combinations returned")
 	for i, challenge := range challenges {
-		test.Assert(t, supportedChallenges[challenge.Type], "Unsupported challenge returned")
+		test.Assert(t, enabledChallenges[challenge.Type], "Unsupported challenge returned")
 		test.AssertEquals(t, len(combinations[i]), 1)
 		test.AssertEquals(t, combinations[i][0], i)
 	}
--- a/test/boulder-config.json
+++ b/test/boulder-config.json
@ -117,11 +117,13 @@

  "pa": {
    "dbConnect": "mysql+tcp://policy@localhost:3306/boulder_policy_integration",
-    "enableSimpleHTTP": true,
-    "enableDVSNI": true,
-    "enableHTTP01": true,
-    "enableTLSSNI01": true,
-    "enableDNS01": true
+    "challenges": {
+      "simpleHttp": true,
+      "dvsni": true,
+      "http-01": true,
+      "tls-sni-01": true,
+      "dns-01": true
+    }
  },

  "ra": {