Merge branch main into better-check-finalize

go.mod

@@ -24,7 +24,8 @@ require (
 	github.com/nxadm/tail v1.4.11
 	github.com/prometheus/client_golang v1.15.1
 	github.com/prometheus/client_model v0.4.0
-	github.com/redis/go-redis/v9 v9.4.0
+	github.com/redis/go-redis/extra/redisotel/v9 v9.5.3
+	github.com/redis/go-redis/v9 v9.5.3
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 	github.com/weppos/publicsuffix-go v0.30.3-0.20240510084413-5f1d03393b3d
 	github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c
@@ -78,6 +79,7 @@ require (
 	github.com/poy/onpar v1.1.2 // indirect
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/redis/go-redis/extra/rediscmd/v9 v9.5.3 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
 	go.opentelemetry.io/otel/metric v1.27.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.2.0 // indirect

go.sum

@@ -214,8 +214,12 @@ github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7z
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
 github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/redis/go-redis/v9 v9.4.0 h1:Yzoz33UZw9I/mFhx4MNrB6Fk+XHO1VukNcCa1+lwyKk=
-github.com/redis/go-redis/v9 v9.4.0/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
+github.com/redis/go-redis/extra/rediscmd/v9 v9.5.3 h1:1/BDligzCa40GTllkDnY3Y5DTHuKCONbB2JcRyIfl20=
+github.com/redis/go-redis/extra/rediscmd/v9 v9.5.3/go.mod h1:3dZmcLn3Qw6FLlWASn1g4y+YO9ycEFUOM+bhBmzLVKQ=
+github.com/redis/go-redis/extra/redisotel/v9 v9.5.3 h1:kuvuJL/+MZIEdvtb/kTBRiRgYaOmx1l+lYJyVdrRUOs=
+github.com/redis/go-redis/extra/redisotel/v9 v9.5.3/go.mod h1:7f/FMrf5RRRVHXgfk7CzSVzXHiWeuOQUu2bsVqWoa+g=
+github.com/redis/go-redis/v9 v9.5.3 h1:fOAp1/uJG+ZtcITgZOfYFmTKPE7n4Vclj1wZFgRciUU=
+github.com/redis/go-redis/v9 v9.5.3/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=

ra/ra.go

@@ -2633,7 +2633,7 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 
 	// Loop through each of the names missing authzs and create a new pending
 	// authorization for each.
-	var newAuthzs []*corepb.Authorization
+	var newAuthzs []*sapb.NewAuthzRequest
 	for _, name := range missingAuthzNames {
 		pb, err := ra.createPendingAuthz(newOrder.RegistrationID, identifier.ACMEIdentifier{
 			Type:  identifier.DNS,
@@ -2701,9 +2701,13 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 // createPendingAuthz checks that a name is allowed for issuance and creates the
 // necessary challenges for it and puts this and all of the relevant information
 // into a corepb.Authorization for transmission to the SA to be stored
-func (ra *RegistrationAuthorityImpl) createPendingAuthz(reg int64, identifier identifier.ACMEIdentifier) (*corepb.Authorization, error) {
-	authz := &corepb.Authorization{
-		Identifier:     identifier.Value,
+func (ra *RegistrationAuthorityImpl) createPendingAuthz(reg int64, identifier identifier.ACMEIdentifier) (*sapb.NewAuthzRequest, error) {
+	authz := &sapb.NewAuthzRequest{
+		IdentifierValue: identifier.Value,
+		Identifier: &sapb.Identifier{
+			Type:  string(identifier.Type),
+			Value: identifier.Value,
+		},
 		RegistrationID: reg,
 		Status:         string(core.StatusPending),
 		Expires:        timestamppb.New(ra.clk.Now().Add(ra.pendingAuthorizationLifetime).Truncate(time.Second)),
@@ -2718,6 +2722,8 @@ func (ra *RegistrationAuthorityImpl) createPendingAuthz(reg int64, identifier id
 		return nil, berrors.InternalServerError(err.Error())
 	}
 	// Check each challenge for sanity.
+	var token string
+	var challTypes []string
 	for _, challenge := range challenges {
 		err := challenge.CheckPending()
 		if err != nil {
@@ -2726,12 +2732,31 @@ func (ra *RegistrationAuthorityImpl) createPendingAuthz(reg int64, identifier id
 			err = berrors.InternalServerError("challenge didn't pass sanity check: %+v", challenge)
 			return nil, err
 		}
+
+		if token == "" {
+			token = challenge.Token
+		} else {
+			if challenge.Token != token {
+				return nil, berrors.InternalServerError("generated different tokens for challenges within the same authz")
+			}
+		}
+
+		if slices.Contains(challTypes, string(challenge.Type)) {
+			return nil, berrors.InternalServerError("generated multiple challenges of the same type within the same authz")
+		} else {
+			challTypes = append(challTypes, string(challenge.Type))
+		}
+
 		challPB, err := bgrpc.ChallengeToPB(challenge)
 		if err != nil {
 			return nil, err
 		}
 		authz.Challenges = append(authz.Challenges, challPB)
 	}
+
+	authz.Token = token
+	authz.ChallengeTypes = challTypes
+
 	return authz, nil
 }
 

ra/ra_test.go

@@ -72,40 +72,28 @@ import (
 func createPendingAuthorization(t *testing.T, sa sapb.StorageAuthorityClient, domain string, exp time.Time) *corepb.Authorization {
 	t.Helper()
 
-	authz := core.Authorization{
-		Identifier:     identifier.DNSIdentifier(domain),
-		RegistrationID: Registration.Id,
-		Status:         "pending",
-		Expires:        &exp,
-		Challenges: []core.Challenge{
-			{
-				Token:  core.NewToken(),
-				Type:   core.ChallengeTypeHTTP01,
-				Status: core.StatusPending,
-			},
-			{
-				Token:  core.NewToken(),
-				Type:   core.ChallengeTypeDNS01,
-				Status: core.StatusPending,
+	res, err := sa.NewOrderAndAuthzs(
+		context.Background(),
+		&sapb.NewOrderAndAuthzsRequest{
+			NewOrder: &sapb.NewOrderRequest{
+				RegistrationID: Registration.Id,
+				Expires:        timestamppb.New(exp),
+				Names:          []string{domain},
 			},
-			{
-				Token:  core.NewToken(),
-				Type:   core.ChallengeTypeTLSALPN01,
-				Status: core.StatusPending,
+			NewAuthzs: []*sapb.NewAuthzRequest{
+				{
+					Identifier:     &sapb.Identifier{Type: string(core.ChallengeTypeDNS01), Value: domain},
+					RegistrationID: Registration.Id,
+					Expires:        timestamppb.New(exp),
+					ChallengeTypes: []string{
+						string(core.ChallengeTypeHTTP01),
+						string(core.ChallengeTypeDNS01),
+						string(core.ChallengeTypeTLSALPN01)},
+					Token: core.NewToken(),
+				},
 			},
 		},
-	}
-	authzPB, err := bgrpc.AuthzToPB(authz)
-	test.AssertNotError(t, err, "AuthzToPB failed")
-
-	res, err := sa.NewOrderAndAuthzs(context.Background(), &sapb.NewOrderAndAuthzsRequest{
-		NewOrder: &sapb.NewOrderRequest{
-			RegistrationID: Registration.Id,
-			Expires:        timestamppb.New(exp),
-			Names:          []string{domain},
-		},
-		NewAuthzs: []*corepb.Authorization{authzPB},
-	})
+	)
 	test.AssertNotError(t, err, "sa.NewOrderAndAuthzs failed")
 
 	return getAuthorization(t, fmt.Sprint(res.V2Authorizations[0]), sa)

redis/config.go

@@ -3,11 +3,13 @@ package redis
 import (
 	"fmt"
 
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/redis/go-redis/extra/redisotel/v9"
+	"github.com/redis/go-redis/v9"
+
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/config"
 	blog "github.com/letsencrypt/boulder/log"
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/redis/go-redis/v9"
 )
 
 // Config contains the configuration needed to act as a Redis client.
@@ -163,6 +165,11 @@ func NewRingFromConfig(c Config, stats prometheus.Registerer, log blog.Logger) (
 		lookup.start()
 	}
 
+	err = redisotel.InstrumentTracing(inner)
+	if err != nil {
+		return nil, err
+	}
+
 	return &Ring{
 		Ring:   inner,
 		lookup: lookup,

sa/model.go

@@ -682,6 +682,46 @@ func hasMultipleNonPendingChallenges(challenges []*corepb.Challenge) bool {
 	return false
 }
 
+// newAuthzReqToModel converts an sapb.NewAuthzRequest to the authzModel storage
+// representation. It hardcodes the status to "pending" because it should be
+// impossible to create an authz in any other state.
+func newAuthzReqToModel(authz *sapb.NewAuthzRequest) (*authzModel, error) {
+	if authz.Token == "" && len(authz.ChallengeTypes) == 0 {
+		// This is actually a corepb.Authorization, sent to us by a not-yet-updated
+		// RA. Use the old code-path instead.
+		// TODO(#5913): Remove this fallback.
+		return authzPBToModel(&corepb.Authorization{
+			Id:             authz.Id,
+			Identifier:     authz.IdentifierValue,
+			RegistrationID: authz.RegistrationID,
+			Status:         string(core.StatusPending),
+			Expires:        authz.Expires,
+			Challenges:     authz.Challenges,
+		})
+	}
+
+	am := &authzModel{
+		IdentifierType:  identifierTypeToUint[authz.Identifier.Type],
+		IdentifierValue: authz.Identifier.Value,
+		RegistrationID:  authz.RegistrationID,
+		Status:          statusToUint[core.StatusPending],
+		Expires:         authz.Expires.AsTime(),
+	}
+
+	for _, challType := range authz.ChallengeTypes {
+		// Set the challenge type bit in the bitmap
+		am.Challenges |= 1 << challTypeToUint[challType]
+	}
+
+	token, err := base64.RawURLEncoding.DecodeString(authz.Token)
+	if err != nil {
+		return nil, err
+	}
+	am.Token = token
+
+	return am, nil
+}
+
 // authzPBToModel converts a protobuf authorization representation to the
 // authzModel storage representation.
 func authzPBToModel(authz *corepb.Authorization) (*authzModel, error) {