sfe: Implement self-service frontend for account pausing/unpausing #7500
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pgporada
changed the title
beautifulentropy
changed the title
pgporada
force-pushed
the
self-service-frontend
branch
from
771cf9d
to
6700d16
Compare
|
@pgporada, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values. |
|
The |
pgporada
force-pushed
the
self-service-frontend
branch
from
6700d16
to
076940a
Compare
pgporada
force-pushed
the
self-service-frontend
branch
from
076940a
to
0680b46
Compare
beautifulentropy
requested changes
Jun 13, 2024
beautifulentropy
requested changes
Jun 18, 2024
pgporada
force-pushed
the
self-service-frontend
branch
from
28b4e34
to
b5fbe6b
Compare
pgporada
dismissed
jsha’s stale review
Comments have been addressed, please re-review this.
beautifulentropy
previously requested changes
Jul 8, 2024
aarongable
reviewed
Jul 9, 2024
pgporada
added a commit
that referenced
this pull request
Jul 9, 2024
Originating from a comment [here](#7500 (comment)), I've inlined the `setupWFE(..)` function into `main()`.
pgporada
dismissed
beautifulentropy’s stale review
All comments have been addressed.
aarongable
approved these changes
Jul 9, 2024
beautifulentropy
approved these changes
Jul 10, 2024
pgporada
added a commit
that referenced
this pull request
Jul 12, 2024
Improve the SFE route handler by using go1.22 [HandleFunc](https://go.dev/blog/routing-enhancements) "VERB /path" and removing manual HTTP method acceptance code. Addresses comments from the original SFE PR [here](#7500 (review)). Fixes #7584 Fixes #7499
aarongable
pushed a commit
that referenced
this pull request
Jul 16, 2024
Add SFE as an RPC client of SARO and RA in `test/config`. #7500 added same in `test/config-next`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds a new boulder component named
sfeaka the Self-service FrontEnd which is dedicated to non-ACME related Subscriber functions. This change implements one such function which is a web interface and handlers for account unpausing.When paused, an ACME client receives a log line URL with a JWT parameter from the WFE. For the observant Subscriber, manually clicking the link opens their web browser and displays a page with a pre-filled HTML form. Upon clicking the form button, the SFE sends an HTTP POST back to itself and either validates the JWT and issues an RA gRPC request to unpause the account, or returns an HTML error page.
The SFE and WFE should share a 32 byte seed value e.g. the output of
openssl rand -hex 16which will be used as a go-jose symmetric signer using the HS256 algorithm. The SFE will check various RFC 7519 claims on the JWT such as theiss,aud,nbf,exp,iat, and a customapiVersionclaim.The SFE should not yet be relied upon or deployed to staging/production environments. It is very much a work in progress, but this change is big enough as-is.
Related to #7406
Part of #7499