Skip to content

Commit 1d86023

Browse files
jshajsha
authored
sa: NewOrderAndAuthzs checks that nonzero authzs were provided (#8464)
Also document the relevant fields.
1 parent ac08b11 commit 1d86023

File tree

4 files changed

+131
-14
lines changed

4 files changed

+131
-14
lines changed

sa/proto/sa.pb.go

Lines changed: 16 additions & 11 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

sa/proto/sa.proto

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -213,6 +213,8 @@ message NewOrderRequest {
213213
google.protobuf.Timestamp expires = 5;
214214
reserved 3; // Previously dnsNames
215215
repeated core.Identifier identifiers = 9;
216+
// A list of already-existing authorization IDs that should be associated with
217+
// the new Order object. This is for authorization reuse.
216218
repeated int64 v2Authorizations = 4;
217219
string certificateProfileName = 7;
218220
// Replaces is the ARI certificate Id that this order replaces.
@@ -223,9 +225,7 @@ message NewOrderRequest {
223225

224226
}
225227

226-
// NewAuthzRequest starts with all the same fields as corepb.Authorization,
227-
// because it is replacing that type in NewOrderAndAuthzsRequest, and then
228-
// improves from there.
228+
// NewAuthzRequest represents a request to create an authorization.
229229
message NewAuthzRequest {
230230
// Next unused field number: 13
231231
reserved 1; // previously id
@@ -244,6 +244,11 @@ message NewAuthzRequest {
244244

245245
message NewOrderAndAuthzsRequest {
246246
NewOrderRequest newOrder = 1;
247+
// Authorizations to be newly created alongside the order, and associated with it.
248+
// These will be combined with any reused authorizations (newOrder.v2Authorizations)
249+
// to make the overall set of authorizations for the order. This field and
250+
// newOrder.v2Authorizations may both be present, or only one of the two may be
251+
// present, but they may not both be absent.
247252
repeated NewAuthzRequest newAuthzs = 2;
248253
}
249254

sa/sa.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -452,6 +452,9 @@ func (ssa *SQLStorageAuthority) NewOrderAndAuthzs(ctx context.Context, req *sapb
452452
if req.NewOrder == nil {
453453
return nil, errIncompleteRequest
454454
}
455+
if len(req.NewAuthzs) == 0 && len(req.NewOrder.V2Authorizations) == 0 {
456+
return nil, errIncompleteRequest
457+
}
455458

456459
for _, authz := range req.NewAuthzs {
457460
if authz.RegistrationID != req.NewOrder.RegistrationID {

sa/sa_test.go

Lines changed: 104 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1007,6 +1007,110 @@ func TestNewOrderAndAuthzs(t *testing.T) {
10071007
test.AssertDeepEquals(t, authzIDs, []int64{1, 2, 3, 4})
10081008
}
10091009

1010+
func TestNewOrderAndAuthzs_ReuseOnly(t *testing.T) {
1011+
sa, fc, cleanup := initSA(t)
1012+
defer cleanup()
1013+
1014+
reg := createWorkingRegistration(t, sa)
1015+
expires := fc.Now().Add(2 * time.Hour)
1016+
1017+
// Insert two pre-existing authorizations to reference
1018+
idA := createPendingAuthorization(t, sa, identifier.NewDNS("a.com"), sa.clk.Now().Add(time.Hour))
1019+
idB := createPendingAuthorization(t, sa, identifier.NewDNS("b.com"), sa.clk.Now().Add(time.Hour))
1020+
test.AssertEquals(t, idA, int64(1))
1021+
test.AssertEquals(t, idB, int64(2))
1022+
req := &sapb.NewOrderAndAuthzsRequest{
1023+
// Insert an order for four names, two of which already have authzs
1024+
NewOrder: &sapb.NewOrderRequest{
1025+
RegistrationID: reg.Id,
1026+
Expires: timestamppb.New(expires),
1027+
Identifiers: []*corepb.Identifier{
1028+
identifier.NewDNS("a.com").ToProto(),
1029+
identifier.NewDNS("b.com").ToProto(),
1030+
},
1031+
V2Authorizations: []int64{1, 2},
1032+
},
1033+
}
1034+
order, err := sa.NewOrderAndAuthzs(context.Background(), req)
1035+
if err != nil {
1036+
t.Fatal("sa.NewOrderAndAuthzs:", err)
1037+
}
1038+
if !reflect.DeepEqual(order.V2Authorizations, []int64{1, 2}) {
1039+
t.Errorf("sa.NewOrderAndAuthzs().V2Authorizations: want [1, 2], got %v", order.V2Authorizations)
1040+
}
1041+
}
1042+
1043+
func TestNewOrderAndAuthzs_CreateOnly(t *testing.T) {
1044+
sa, fc, cleanup := initSA(t)
1045+
defer cleanup()
1046+
1047+
reg := createWorkingRegistration(t, sa)
1048+
expires := fc.Now().Add(2 * time.Hour)
1049+
1050+
// Insert two pre-existing authorizations to reference
1051+
idA := createPendingAuthorization(t, sa, identifier.NewDNS("a.com"), sa.clk.Now().Add(time.Hour))
1052+
idB := createPendingAuthorization(t, sa, identifier.NewDNS("b.com"), sa.clk.Now().Add(time.Hour))
1053+
test.AssertEquals(t, idA, int64(1))
1054+
test.AssertEquals(t, idB, int64(2))
1055+
req := &sapb.NewOrderAndAuthzsRequest{
1056+
// Insert an order for four names, two of which already have authzs
1057+
NewOrder: &sapb.NewOrderRequest{
1058+
RegistrationID: reg.Id,
1059+
Expires: timestamppb.New(expires),
1060+
Identifiers: []*corepb.Identifier{
1061+
identifier.NewDNS("a.com").ToProto(),
1062+
identifier.NewDNS("b.com").ToProto(),
1063+
},
1064+
},
1065+
NewAuthzs: []*sapb.NewAuthzRequest{
1066+
{
1067+
Identifier: &corepb.Identifier{Type: "dns", Value: "a.com"},
1068+
RegistrationID: reg.Id,
1069+
Expires: timestamppb.New(expires),
1070+
ChallengeTypes: []string{string(core.ChallengeTypeDNS01)},
1071+
Token: core.NewToken(),
1072+
},
1073+
},
1074+
}
1075+
order, err := sa.NewOrderAndAuthzs(context.Background(), req)
1076+
if err != nil {
1077+
t.Fatal("sa.NewOrderAndAuthzs:", err)
1078+
}
1079+
if len(order.V2Authorizations) != 1 {
1080+
t.Fatalf("len(sa.NewOrderAndAuthzs().V2Authorizations): want 1, got %v", len(order.V2Authorizations))
1081+
}
1082+
gotAuthz, err := sa.GetAuthorization2(context.Background(), &sapb.AuthorizationID2{Id: order.V2Authorizations[0]})
1083+
if err != nil {
1084+
t.Fatalf("retrieving inserted authz: %s", err)
1085+
}
1086+
if gotAuthz.Identifier.Value != "a.com" {
1087+
t.Errorf("New order authz identifier = %v, want %v", gotAuthz.Identifier.Value, "a.com")
1088+
}
1089+
}
1090+
1091+
func TestNewOrderAndAuthzs_NoAuthzsError(t *testing.T) {
1092+
sa, fc, cleanup := initSA(t)
1093+
defer cleanup()
1094+
1095+
reg := createWorkingRegistration(t, sa)
1096+
expires := fc.Now().Add(2 * time.Hour)
1097+
1098+
// Insert two pre-existing authorizations to reference
1099+
req := &sapb.NewOrderAndAuthzsRequest{
1100+
// Insert an order for four names, two of which already have authzs
1101+
NewOrder: &sapb.NewOrderRequest{
1102+
RegistrationID: reg.Id,
1103+
Expires: timestamppb.New(expires),
1104+
Identifiers: nil,
1105+
},
1106+
NewAuthzs: nil,
1107+
}
1108+
_, err := sa.NewOrderAndAuthzs(context.Background(), req)
1109+
if err != errIncompleteRequest {
1110+
t.Errorf("sa.NewOrderAndAuthzs with no authzs: want %v, got %v", errIncompleteRequest, err)
1111+
}
1112+
}
1113+
10101114
// TestNewOrderAndAuthzs_NonNilInnerOrder verifies that a nil
10111115
// sapb.NewOrderAndAuthzsRequest NewOrder object returns an error.
10121116
func TestNewOrderAndAuthzs_NonNilInnerOrder(t *testing.T) {

0 commit comments

Comments
 (0)