Improve redis rate limit construction errors (#7525)

Change ratelimits.validateIdForName to call the appropriate validate
function based on the contents of the to-be-validated ID, rather than
falling back and potentially performing multiple validations.

Previously, if an ID like "12345:bad.domain" was passed into this
function, it would fail the first validateRegIdDomain validation due to
having a bad domain name (no TLD), fall back to the simpler
validateRegId function, and then fail that because it contains a colon.
This obscured the true reason for the failure. Changing this code to not
fall back means that the true reason for the id validation failure will
be exposed in the error message.

Author: aarongable

ratelimits/limit_test.go

@@ -56,83 +56,6 @@ func TestValidateLimit(t *testing.T) {
 	}
 }
 
-func TestValidateIdForName(t *testing.T) {
-	// 'enum:ipAddress'
-	// Valid IPv4 address.
-	err := validateIdForName(NewRegistrationsPerIPAddress, "10.0.0.1")
-	test.AssertNotError(t, err, "valid ipv4 address")
-
-	// 'enum:ipAddress'
-	// Valid IPv6 address.
-	err = validateIdForName(NewRegistrationsPerIPAddress, "2001:0db8:85a3:0000:0000:8a2e:0370:7334")
-	test.AssertNotError(t, err, "valid ipv6 address")
-
-	// 'enum:ipv6rangeCIDR'
-	// Valid IPv6 address range.
-	err = validateIdForName(NewRegistrationsPerIPv6Range, "2001:0db8:0000::/48")
-	test.AssertNotError(t, err, "should not error")
-
-	// 'enum:regId'
-	// Valid regId.
-	err = validateIdForName(NewOrdersPerAccount, "1234567890")
-	test.AssertNotError(t, err, "valid regId")
-
-	// 'enum:domain'
-	// Valid regId and domain.
-	err = validateIdForName(CertificatesPerDomain, "example.com")
-	test.AssertNotError(t, err, "valid regId and domain")
-
-	// 'enum:fqdnSet'
-	// Valid fqdnSet containing a single domain.
-	err = validateIdForName(CertificatesPerFQDNSet, "example.com")
-	test.AssertNotError(t, err, "valid regId and FQDN set containing a single domain")
-
-	// 'enum:fqdnSet'
-	// Valid fqdnSet containing multiple domains.
-	err = validateIdForName(CertificatesPerFQDNSet, "example.com,example.org")
-	test.AssertNotError(t, err, "valid regId and FQDN set containing multiple domains")
-
-	// Empty string.
-	err = validateIdForName(NewRegistrationsPerIPAddress, "")
-	test.AssertError(t, err, "Id is an empty string")
-
-	// One space.
-	err = validateIdForName(NewRegistrationsPerIPAddress, " ")
-	test.AssertError(t, err, "Id is a single space")
-
-	// Invalid IPv4 address.
-	err = validateIdForName(NewRegistrationsPerIPAddress, "10.0.0.9000")
-	test.AssertError(t, err, "invalid IPv4 address")
-
-	// Invalid IPv6 address.
-	err = validateIdForName(NewRegistrationsPerIPAddress, "2001:0db8:85a3:0000:0000:8a2e:0370:7334:9000")
-	test.AssertError(t, err, "invalid IPv6 address")
-
-	// Invalid IPv6 CIDR range.
-	err = validateIdForName(NewRegistrationsPerIPv6Range, "2001:0db8:0000::/128")
-	test.AssertError(t, err, "invalid IPv6 CIDR range")
-
-	// Invalid IPv6 CIDR.
-	err = validateIdForName(NewRegistrationsPerIPv6Range, "2001:0db8:0000::/48/48")
-	test.AssertError(t, err, "invalid IPv6 CIDR")
-
-	// IPv4 CIDR when we expect IPv6 CIDR range.
-	err = validateIdForName(NewRegistrationsPerIPv6Range, "10.0.0.0/16")
-	test.AssertError(t, err, "ipv4 cidr when we expect ipv6 cidr range")
-
-	// Invalid regId.
-	err = validateIdForName(NewOrdersPerAccount, "lol")
-	test.AssertError(t, err, "invalid regId")
-
-	// Invalid domain, malformed.
-	err = validateIdForName(CertificatesPerDomain, "example:.com")
-	test.AssertError(t, err, "valid regId with bad domain")
-
-	// Invalid domain, empty.
-	err = validateIdForName(CertificatesPerDomain, "")
-	test.AssertError(t, err, "valid regId with empty domain")
-}
-
 func TestLoadAndParseOverrideLimits(t *testing.T) {
 	// Load a single valid override limit with Id formatted as 'enum:RegId'.
 	l, err := loadAndParseOverrideLimits("testdata/working_override.yml")

ratelimits/names.go

@@ -212,22 +212,22 @@ func validateIdForName(name Name, id string) error {
 		return validateRegId(id)
 
 	case FailedAuthorizationsPerDomainPerAccount:
-		// 'enum:regId:domain' for transaction
-		err := validateRegIdDomain(id)
-		if err == nil {
-			return nil
+		if strings.Contains(id, ":") {
+			// 'enum:regId:domain' for transaction
+			return validateRegIdDomain(id)
+		} else {
+			// 'enum:regId' for overrides
+			return validateRegId(id)
 		}
-		// 'enum:regId' for overrides
-		return validateRegId(id)
 
 	case CertificatesPerDomainPerAccount:
-		// 'enum:regId:domain' for transaction
-		err := validateRegIdDomain(id)
-		if err == nil {
-			return nil
+		if strings.Contains(id, ":") {
+			// 'enum:regId:domain' for transaction
+			return validateRegIdDomain(id)
+		} else {
+			// 'enum:regId' for overrides
+			return validateRegId(id)
 		}
-		// 'enum:regId' for overrides
-		return validateRegId(id)
 
 	case CertificatesPerDomain:
 		// 'enum:domain'

ratelimits/names_test.go

@@ -1,6 +1,7 @@
 package ratelimits
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/letsencrypt/boulder/test"
@@ -27,3 +28,180 @@ func TestNameIsValid(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateIdForName(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		limit Name
+		desc  string
+		id    string
+		err   string
+	}{
+		{
+			limit: NewRegistrationsPerIPAddress,
+			desc:  "valid IPv4 address",
+			id:    "10.0.0.1",
+		},
+		{
+			limit: NewRegistrationsPerIPAddress,
+			desc:  "valid IPv6 address",
+			id:    "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
+		},
+		{
+			limit: NewRegistrationsPerIPAddress,
+			desc:  "empty string",
+			id:    "",
+			err:   "must be an IP address",
+		},
+		{
+			limit: NewRegistrationsPerIPAddress,
+			desc:  "one space",
+			id:    " ",
+			err:   "must be an IP address",
+		},
+		{
+			limit: NewRegistrationsPerIPAddress,
+			desc:  "invalid IPv4 address",
+			id:    "10.0.0.9000",
+			err:   "must be an IP address",
+		},
+		{
+			limit: NewRegistrationsPerIPAddress,
+			desc:  "invalid IPv6 address",
+			id:    "2001:0db8:85a3:0000:0000:8a2e:0370:7334:9000",
+			err:   "must be an IP address",
+		},
+		{
+			limit: NewRegistrationsPerIPv6Range,
+			desc:  "valid IPv6 address range",
+			id:    "2001:0db8:0000::/48",
+		},
+		{
+			limit: NewRegistrationsPerIPv6Range,
+			desc:  "invalid IPv6 CIDR range",
+			id:    "2001:0db8:0000::/128",
+			err:   "must be /48",
+		},
+		{
+			limit: NewRegistrationsPerIPv6Range,
+			desc:  "invalid IPv6 CIDR",
+			id:    "2001:0db8:0000::/48/48",
+			err:   "must be an IPv6 CIDR range",
+		},
+		{
+			limit: NewRegistrationsPerIPv6Range,
+			desc:  "IPv4 CIDR when we expect IPv6 CIDR range",
+			id:    "10.0.0.0/16",
+			err:   "must be /48",
+		},
+		{
+			limit: NewOrdersPerAccount,
+			desc:  "valid regId",
+			id:    "1234567890",
+		},
+		{
+			limit: NewOrdersPerAccount,
+			desc:  "invalid regId",
+			id:    "lol",
+			err:   "must be an ACME registration Id",
+		},
+		{
+			limit: FailedAuthorizationsPerDomainPerAccount,
+			desc:  "transaction: valid regId and domain",
+			id:    "12345:example.com",
+		},
+		{
+			limit: FailedAuthorizationsPerDomainPerAccount,
+			desc:  "transaction: invalid regId",
+			id:    "12ea5:example.com",
+			err:   "invalid regId",
+		},
+		{
+			limit: FailedAuthorizationsPerDomainPerAccount,
+			desc:  "transaction: invalid domain",
+			id:    "12345:examplecom",
+			err:   "name needs at least one dot",
+		},
+		{
+			limit: FailedAuthorizationsPerDomainPerAccount,
+			desc:  "override: valid regId",
+			id:    "12345",
+		},
+		{
+			limit: FailedAuthorizationsPerDomainPerAccount,
+			desc:  "override: invalid regId",
+			id:    "12ea5",
+			err:   "invalid regId",
+		},
+		{
+			limit: CertificatesPerDomainPerAccount,
+			desc:  "transaction: valid regId and domain",
+			id:    "12345:example.com",
+		},
+		{
+			limit: CertificatesPerDomainPerAccount,
+			desc:  "transaction: invalid regId",
+			id:    "12ea5:example.com",
+			err:   "invalid regId",
+		},
+		{
+			limit: CertificatesPerDomainPerAccount,
+			desc:  "transaction: invalid domain",
+			id:    "12345:examplecom",
+			err:   "name needs at least one dot",
+		},
+		{
+			limit: CertificatesPerDomainPerAccount,
+			desc:  "override: valid regId",
+			id:    "12345",
+		},
+		{
+			limit: CertificatesPerDomainPerAccount,
+			desc:  "override: invalid regId",
+			id:    "12ea5",
+			err:   "invalid regId",
+		},
+		{
+			limit: CertificatesPerDomain,
+			desc:  "valid domain",
+			id:    "example.com",
+		},
+		{
+			limit: CertificatesPerDomain,
+			desc:  "malformed domain",
+			id:    "example:.com",
+			err:   "name contains an invalid character",
+		},
+		{
+			limit: CertificatesPerDomain,
+			desc:  "empty domain",
+			id:    "",
+			err:   "name is empty",
+		},
+		{
+			limit: CertificatesPerFQDNSet,
+			desc:  "valid fqdnSet containing a single domain",
+			id:    "example.com",
+		},
+		{
+			limit: CertificatesPerFQDNSet,
+			desc:  "valid fqdnSet containing multiple domains",
+			id:    "example.com,example.org",
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(fmt.Sprintf("%s/%s", tc.limit, tc.desc), func(t *testing.T) {
+			t.Parallel()
+			err := validateIdForName(tc.limit, tc.id)
+			if tc.err != "" {
+				test.AssertError(t, err, "should have failed")
+				test.AssertContains(t, err.Error(), tc.err)
+			} else {
+				test.AssertNotError(t, err, "should have succeeded")
+			}
+		})
+	}
+}