boulder

History

Daniel McCarney fa5c917665 RA: Don't lose CA error types when prefixing err msg. (#3633 ) Previously we updated the RA's issueCertificateInner function to prefix errors returned from the CA with meaningful information about which CA RPC caused the failure. Unfortunately by using fmt.Errorf to do this we're discarding the underlying error type. This can cause unexpected server internal errors downstream if (for e.g.) the CA rejects a CSR with a malformed error (see #3632). This PR updates the issueCertificateInner error message prefixing to maintain the error type if the underlying error is a berrors.BoulderError. A RA unit test with several mock CAs is added to test the prefixing occurs as expected without loss of error type. This PR also adds an integration test that ensures we reject a CSR with >100 names with a malformed error. This is not strictly related to this PR but since I wrote it while debugging the root issue I thought I'd include it. To allow this test to pass the pendingAuthorizationsPerAccount in test/rate-limit-policies.yml and associated tests had to be adjusted. Resolves #3632	2018-04-10 11:28:03 -07:00
..
rate-limits.go	Enforce new orders per acct per window rate limit. (#3501 )	2018-03-02 10:47:39 -08:00
rate-limits_test.go	RA: Don't lose CA error types when prefixing err msg. (#3633 )	2018-04-10 11:28:03 -07:00

Daniel McCarney fa5c917665 RA: Don't lose CA error types when prefixing err msg. (#3633 )

Previously we updated the RA's issueCertificateInner function to prefix errors returned from the CA with meaningful information about which CA RPC caused the failure. Unfortunately by using fmt.Errorf to do this we're discarding the underlying error type. This can cause unexpected server internal errors downstream if (for e.g.) the CA rejects a CSR with a malformed error (see #3632).

This PR updates the issueCertificateInner error message prefixing to maintain the error type if the underlying error is a berrors.BoulderError. A RA unit test with several mock CAs is added to test the prefixing occurs as expected without loss of error type.

This PR also adds an integration test that ensures we reject a CSR with >100 names with a malformed error. This is not strictly related to this PR but since I wrote it while debugging the root issue I thought I'd include it. To allow this test to pass the pendingAuthorizationsPerAccount in test/rate-limit-policies.yml and associated tests had to be adjusted.

Resolves #3632

2018-04-10 11:28:03 -07:00

rate-limits.go

Enforce new orders per acct per window rate limit. (#3501 )

2018-03-02 10:47:39 -08:00

rate-limits_test.go

RA: Don't lose CA error types when prefixing err msg. (#3633 )

2018-04-10 11:28:03 -07:00