Commit Graph

14 Commits

Author SHA1 Message Date
Aaron Gable 61b484c13b
Update to math/rand/v2 (#7657)
Replace all of Boulder's usage of the Go stdlib "math/rand" package with
the newer "math/rand/v2" package which first became available in go1.22.
This package has an improved API and faster performance across the
board.

See https://go.dev/blog/randv2 and https://go.dev/blog/chacha8rand for
details.
2024-08-12 09:17:09 -07:00
Jacob Hoffman-Andrews c9e9918b80
ocsp-responder(redis): sample logs at configured rate (#7102)
In #6478, we stopped passing through Redis errors to the top-level
Responder object, preferring instead to live-sign. As part of that
change, we logged the Redis errors so they wouldn't disappear. However,
the sample rate for those errors was hard coded to 1-in-1000, instead of
following the LogSampleRate configured in the JSON.

This adds a field to redisSource for logSampleRate, and passes it
through from the JSON config in ocsp-responder/main.go.

Part of #7091
2023-10-02 17:02:24 -07:00
Aaron Gable aae7fb3551
Use go1.21's context.WithoutCancel (#7073)
This new standard library method returns a context with all of the
original metadata (e.g. tracing spans) still attached, but which will
not be canceled by any cancel funcs, deadlines, or timeouts set on the
parent context. We do this manually in a few places to prevent client
cancellations (usually disconnects) from disrupting our work, so this
just makes that code slightly simpler.

Fixes https://github.com/letsencrypt/boulder/issues/5506
2023-09-11 09:01:50 -07:00
Phil Porada 439517543b
CI: Run staticcheck standalone (#7055)
Run staticcheck as a standalone binary rather than as a library via
golangci-lint. From the golangci-lint help out,
> staticcheck (megacheck): It's a set of rules from staticcheck. It's
not the same thing as the staticcheck binary. The author of staticcheck
doesn't support or approve the use of staticcheck as a library inside
golangci-lint.

We decided to disable ST1000 which warns about incorrect or missing
package comments.

For SA4011, I chose to change the semantics[1] of the for loop rather
than ignoring the SA4011 lint for that line.

Fixes https://github.com/letsencrypt/boulder/issues/6988

1. https://go.dev/ref/spec#Continue_statements
2023-08-31 21:09:40 -07:00
Matthew McPherrin 8427245675
OTel Integration test using jaeger (#6842)
This adds Jaeger's all-in-one dev container (with no persistent storage)
to boulder's dev docker-compose. It configures config-next/ to send all
traces there.

A new integration test creates an account and issues a cert, then
verifies the trace contains some set of expected spans.

This test found that async finalize broke spans, so I fixed that and a
few related spots where we make a new context.
2023-05-05 10:41:29 -04:00
Matthew McPherrin e1ed1a2ac2
Remove beeline tracing (#6733)
Remove tracing using Beeline from Boulder. The only remnant left behind
is the deprecated configuration, to ensure deployability.

We had previously planned to swap in OpenTelemetry in a single PR, but
that adds significant churn in a single change, so we're doing this as
multiple steps that will each be significantly easier to reason about
and review.

Part of #6361
2023-03-14 15:14:27 -07:00
Jacob Hoffman-Andrews c23e59ba59
wfe2: don't pass through client-initiated cancellation (#6608)
And clean up the code and tests that were used for cancellation
pass-through.

Fixes #6603
2023-01-26 17:26:15 -08:00
Jacob Hoffman-Andrews b86113e208
rocsp: when Redis lookup fails, live sign (#6478)
Fixes #6455
2022-11-02 10:45:38 -07:00
Jacob Hoffman-Andrews 797f3c7217
responder: return InternalError for expired responses (#6377)
This was masking a bug, because the integration test for OCSP responses
for expired certificates was looking for the "unauthorized" OCSP
response status. Which we were returning, even though our HTTP-level
response code was 533.
2022-09-14 11:24:46 -07:00
Jacob Hoffman-Andrews 8a9caabb5b
ocsp/responder: add sampled logging of errors (#6351)
The allows us to emit errors from the ocsp-responder but not
flood our logs in case of outages.

Fixes #6340
2022-09-02 17:17:32 -07:00
Aaron Gable 9c197e1f43
Use io and os instead of deprecated ioutil (#6286)
The iotuil package has been deprecated since go1.16; the various
functions it provided now exist in the os and io packages. Replace all
instances of ioutil with either io or os, as appropriate.
2022-08-10 13:30:17 -07:00
Nina b8b3605404
ocsp-responder: handle expired ocsp responses (#6183)
Return 533 if we would otherwise serve an expired response.

Closes #6175
2022-06-29 17:58:33 -07:00
Aaron Gable 8cb01a0c34
Enable additional linters (#6106)
These new linters are almost all part of golangci-lint's collection
of default linters, that would all be running if we weren't setting
`disable-all: true`. By adding them, we now have parity with the
default configuration, as well as the additional linters we like.

Adds the following linters:
* unconvert
* deadcode
* structcheck
* typecheck
* varcheck
* wastedassign
2022-05-11 13:58:58 -07:00
Aaron Gable 0a22f83c0b
Major OCSP refactor (#5863)
Completely refactor the way we organize our code related to OCSP.

- Move it all into one `//ocsp/` package, rather than having multiple
  top-level packages.
- Merge the OCSP updater's config sub-package with its parent
  (since it isn't necessary to break it out to avoid cyclic imports).
- Remove all `Source` logic from ocsp-responder's `main.go`, because
  it was difficult to mentally trace the control flow there.
- Replace that logic with a set of composable `Source`s in the
  `//ocsp/responder/` package, each of which is good at just one thing.
- Update the way the filters work to make sure that the request's
  `IssuerKeyHash` and the response's `ResponderName` can both
  be derived from the same issuer certificate, ensuring that the req and
  resp are correctly matched.
- Split the metrics into a separate metric for each `Source`, so we can
  tell what all of them are doing, not just aggregate behavior.
- Split the tests into individual files for each `Source`, and update them
  for the new public interfaces.
2022-02-04 12:01:34 -08:00