RVA: Recheck CAA records #7221

Merged
merged 25 commits into from
Jan 25, 2024
Changes from 22 commits
25 commits
e77d6e9
RVAs now recheck CAA records
pgporada Dec 15, 2023
bb7742b
Fix comment
pgporada Dec 16, 2023
fdac51f
Fix tests
pgporada Dec 16, 2023
2f01ef8
Move caaRecheckTime metric
pgporada Dec 16, 2023
280afb7
Musical test fixing
pgporada Dec 19, 2023
d6bc007
Only test CAA rechecking when using MultiVAFullResults to avoid test …
pgporada Jan 2, 2024
ffc0ead
Instantiate like variables on the same line
pgporada Jan 2, 2024
18ca500
Use type conversion
pgporada Jan 3, 2024
482dcff
Addressing comments
pgporada Jan 8, 2024
29acfad
broken
pgporada Jan 9, 2024
d6a5b61
Keep on addressing comments
pgporada Jan 12, 2024
408266e
Keep addressing comments
pgporada Jan 12, 2024
00b06d0
Finish addressing comments
pgporada Jan 16, 2024
1736f25
Merge branch 'main' into rva-caa-recheck-hooray
pgporada Jan 16, 2024
c4672b9
Move prospective failure counters
pgporada Jan 16, 2024
00d3b29
Revert some error logging changes
pgporada Jan 16, 2024
f5f2588
Update va/caa.go
pgporada Jan 19, 2024
cf64c7f
Use a supported formatting verb
pgporada Jan 22, 2024
f1091ad
processRemoteCAAResults only sends to the results channel
pgporada Jan 22, 2024
123064e
processRemoteCAAResults only needs to receive from the remoteResultsChan
pgporada Jan 22, 2024
6ef6935
Use a supported formatting verb
pgporada Jan 22, 2024
2d1a467
Move firstProb check
pgporada Jan 22, 2024
c24dd54
Address comments
pgporada Jan 24, 2024
3700cd8
Fix nil pointer dereference in a metric counter
pgporada Jan 25, 2024
4ddf7c1
Remove type from CAACheckTime metrics
pgporada Jan 25, 2024
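--- a/cmd/boulder-va/main.go
+++ b/cmd/boulder-va/main.go
@@ -125,8 +125,11 @@ func main() {
 remotes = append(
 remotes,
 va.RemoteVA{
-VAClient: vapb.NewVAClient(vaConn),
-Address: rva.ServerAddress,
+RemoteClients: va.RemoteClients{
+VAClient: vapb.NewVAClient(vaConn),
+CAAClient: vapb.NewCAAClient(vaConn),
+},
+Address: rva.ServerAddress,
 },
 )
 }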
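Review bot: `CAAClient` is built on the same `vaConn` as `VAClient`, so during a rolling deploy a remote VA that does not yet serve the CAA gRPC service will presumably answer every recheck with Unimplemented, and nothing in this hunk says whether that counts as a failed recheck under EnforceMultiCAA or is skipped. For a CA the safe behaviour is to fail closed, and a comment at the wiring point would make the intent visible to whoever sequences the rollout. I would add above the `RemoteClients:` line: `// Both clients multiplex over vaConn; a remote VA that does not yet serve the CAA service will presumably fail rechecks with Unimplemented — confirm how va/caa.go treats that under EnforceMultiCAA.` The enclosing `main` starts and ends outside the hunk.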
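--- a/features/features.go
+++ b/features/features.go
@@ -87,6 +87,15 @@ type Config struct {
 
 // DOH enables DNS-over-HTTPS queries for validation
 DOH bool
+
+// EnforceMultiCAA causes the VA to block on remote VA CAA recheck requests
+// in order to make a valid/invalid decision with the results.
+EnforceMultiCAA bool
+
+// MultiCAAFullResults will cause the main VA to wait for all of the remote
+// VA CAA recheck results, not just the threshold required to make a
+// decision.
+MultiCAAFullResults bool
 }
 
 var fMu = new(sync.RWMutex)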
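Review bot: The comment on `EnforceMultiCAA` describes only the enforcing state; from this hunk a reader cannot tell what happens to remote CAA recheck results when the flag is false, nor whether `MultiCAAFullResults` has any effect on its own. Since these two flags decide whether a CAA mismatch observed by a remote VA blocks issuance, that gap matters to whoever operates the config. I would extend the first comment with `// When false, remote recheck results do not affect the decision (presumably logged/metered only — confirm against va/caa.go).` and add one sentence to `MultiCAAFullResults` stating whether it applies independently of EnforceMultiCAA. The `Config` struct starts outside the hunk.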
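--- a/ra/ra.go
+++ b/ra/ra.go
@@ -878,7 +878,7 @@ func (ra *RegistrationAuthorityImpl) checkAuthorizationsCAA(
 return nil
 }
 
-// recheckCAA accepts a list of of names that need to have their CAA records
+// recheckCAA accepts a list of names that need to have their CAA records
 // rechecked because their associated authorizations are sufficiently old and
 // performs the CAA checks required for each. If any of the rechecks fail an
 // error is returned.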
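--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@@ -157,14 +157,14 @@ func numAuthorizations(o *corepb.Order) int {
 }
 
 type DummyValidationAuthority struct {
-request chan *vapb.PerformValidationRequest
-ResultError error
-ResultReturn *vapb.ValidationResult
+performValidationRequest chan *vapb.PerformValidationRequest
+PerformValidationRequestResultError error
+PerformValidationRequestResultReturn *vapb.ValidationResult
 }
 
 func (dva *DummyValidationAuthority) PerformValidation(ctx context.Context, req *vapb.PerformValidationRequest, _ ...grpc.CallOption) (*vapb.ValidationResult, error) {
-dva.request <- req
-return dva.ResultReturn, dva.ResultError
+dva.performValidationRequest <- req
+return dva.PerformValidationRequestResultReturn, dva.PerformValidationRequestResultError
 }
 
 var (
@@ -323,7 +323,9 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
 
 saDBCleanUp := test.ResetBoulderTestDatabase(t)
 
-va := &DummyValidationAuthority{request: make(chan *vapb.PerformValidationRequest, 1)}
+va := &DummyValidationAuthority{
+performValidationRequest: make(chan *vapb.PerformValidationRequest, 1),
+}
 
 pa, err := policy.New(map[core.AcmeChallenge]bool{
 core.ChallengeTypeHTTP01: true,
@@ -818,7 +820,7 @@ func TestPerformValidationAlreadyValid(t *testing.T) {
 authzPB, err := bgrpc.AuthzToPB(authz)
 test.AssertNotError(t, err, "bgrpc.AuthzToPB failed")
 
-va.ResultReturn = &vapb.ValidationResult{
+va.PerformValidationRequestResultReturn = &vapb.ValidationResult{
 Records: []*corepb.ValidationRecord{
 {
 AddressUsed: []byte("192.168.0.1"),
@@ -847,7 +849,7 @@ func TestPerformValidationSuccess(t *testing.T) {
 // We know this is OK because of TestNewAuthorization
 authzPB := createPendingAuthorization(t, sa, Identifier, fc.Now().Add(12*time.Hour))
 
-va.ResultReturn = &vapb.ValidationResult{
+va.PerformValidationRequestResultReturn = &vapb.ValidationResult{
 Records: []*corepb.ValidationRecord{
 {
 AddressUsed: []byte("192.168.0.1"),
@@ -869,7 +871,7 @@ func TestPerformValidationSuccess(t *testing.T) {
 
 var vaRequest *vapb.PerformValidationRequest
 select {
-case r := <-va.request:
+case r := <-va.performValidationRequest:
 vaRequest = r
 case <-time.After(time.Second):
 t.Fatal("Timed out waiting for DummyValidationAuthority.PerformValidation to complete")
@@ -908,7 +910,7 @@ func TestPerformValidationVAError(t *testing.T) {
 
 authzPB := createPendingAuthorization(t, sa, Identifier, fc.Now().Add(12*time.Hour))
 
-va.ResultError = fmt.Errorf("Something went wrong")
+va.PerformValidationRequestResultError = fmt.Errorf("Something went wrong")
 
 challIdx := dnsChallIdx(t, authzPB.Challenges)
 authzPB, err := ra.PerformValidation(ctx, &rapb.PerformValidationRequest{
@@ -920,7 +922,7 @@ func TestPerformValidationVAError(t *testing.T) {
 
 var vaRequest *vapb.PerformValidationRequest
 select {
-case r := <-va.request:
+case r := <-va.performValidationRequest:
 vaRequest = r
 case <-time.After(time.Second):
 t.Fatal("Timed out waiting for DummyValidationAuthority.PerformValidation to complete")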
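--- a/test/config-next/va.json
+++ b/test/config-next/va.json
@@ -41,6 +41,8 @@
 "EnforceMultiVA": true,
 "MultiVAFullResults": true,
 "CAAAfterValidation": true,
+"EnforceMultiCAA": true,
+"MultiCAAFullResults": true,
 "DOH": true
 },
 "remoteVAs": [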