Add basic support for new tables and types

aarongable · aarongable · commit 7bcc95ace3de · 2025-01-10T17:29:44.000-08:00
diff --git a/sa/database.go b/sa/database.go
@@ -287,6 +287,10 @@ func initTables(dbMap *borp.DbMap) {
 	dbMap.AddTableWithName(revokedCertModel{}, "revokedCertificates").SetKeys(true, "ID")
 	dbMap.AddTableWithName(replacementOrderModel{}, "replacementOrders").SetKeys(true, "ID")
 	dbMap.AddTableWithName(pausedModel{}, "paused")
+	dbMap.AddTableWithName(orders2Model{}, "orders2")
+	dbMap.AddTableWithName(authorizationsModel{}, "authorizations")
+	dbMap.AddTableWithName(validationsModel{}, "validations")
+	dbMap.AddTableWithName(authzReuseModel{}, "authzReuse")
 
 	// Read-only maps used for selecting subsets of columns.
 	dbMap.AddTableWithName(CertStatusMetadata{}, "certificateStatus")
diff --git a/sa/model.go b/sa/model.go
@@ -2,10 +2,12 @@ package sa
 
 import (
 	"context"
+	"crypto/rand"
 	"crypto/sha256"
 	"crypto/x509"
 	"database/sql"
 	"encoding/base64"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -59,6 +61,54 @@ func badJSONError(msg string, jsonData []byte, err error) error {
 	}
 }
 
+// newRandomID creates a 64-bit mostly-random number to be used as the unique ID
+// column in a table which no longer uses auto_increment IDs. It takes the
+// current time as an argument so that it can include the current "epoch" as the
+// first byte of the ID, for the sake of easily dropping old data.
+func newRandomID(now time.Time) (int64, error) {
+	idBytes := make([]byte, 8) // 8 bytes is 64 bits
+
+	// Read random bits into the lower 7 bytes of the id.
+	_, err := rand.Read(idBytes[1:])
+	if err != nil {
+		return 0, fmt.Errorf("while generating unique database id: %w", err)
+	}
+
+	// Epochs are arbitrarily chosen to be 90 day chunks counting from the start
+	// of 2024. This gives us 127 * 90 = ~31 years worth of epochs before we have
+	// to worry about a rollover.
+	epoch := uint8(now.Sub(time.Date(2024, 01, 01, 00, 00, 00, 00, time.UTC)) / (90 * 24 * time.Hour))
+	if epoch&0x80 != 0 {
+		// If the first bit is a 1, either the current date is before the epoch
+		// start date, or we've gone too far into the future. Error out before we
+		// accidentally generate a negative ID.
+		return 0, fmt.Errorf("invalid epoch: %d", epoch)
+	}
+	idBytes[0] = epoch
+
+	id := binary.BigEndian.Uint64(idBytes)
+	return int64(id), nil
+}
+
+// looksLikeRandomID returns true if the input ID looks like it might belong to
+// the new schema which uses epoch-prefixed random IDs instead of auto-increment
+// columns. This is only necessary during the migration period when we are
+// reading from both the old and new schemas simultaneously.
+func looksLikeRandomID(id int64, now time.Time) bool {
+	// Compute the current and previous epochs. If the input ID starts with one of
+	// those two epochs, it's one of ours. Otherwise, it came from somewhere
+	// unknown and we should ask the old schema about it just in case.
+	currEpoch := uint8(now.Sub(time.Date(2024, 01, 01, 00, 00, 00, 00, time.UTC)) / (90 * 24 * time.Hour))
+	prevEpoch := uint8(now.Add(-90*24*time.Hour).Sub(time.Date(2024, 01, 01, 00, 00, 00, 00, time.UTC)) / (90 * 24 * time.Hour))
+
+	buf := make([]byte, 8)
+	binary.BigEndian.PutUint64(buf, uint64(id))
+	if buf[0] == currEpoch || buf[0] == prevEpoch {
+		return true
+	}
+	return false
+}
+
 const regFields = "id, jwk, jwk_sha256, contact, agreement, createdAt, LockCol, status"
 
 // ClearEmail removes the provided email address from one specified registration. If
@@ -1409,3 +1459,47 @@ type pausedModel struct {
 	PausedAt       time.Time  `db:"pausedAt"`
 	UnpausedAt     *time.Time `db:"unpausedAt"`
 }
+
+// orders2Model represents a row in the "orders2" table.
+type orders2Model struct {
+	ID                int64
+	RegistrationID    int64
+	Created           time.Time
+	Expires           time.Time
+	AuthorizationIDs  []int64 // Actually a JSON list of ints
+	Profile           string
+	BeganProcessing   bool
+	Error             []byte
+	CertificateSerial string
+}
+
+// authorizationsModel represents a row in the "authorizations" table.
+type authorizationsModel struct {
+	ID              int64
+	RegistrationID  int64
+	IdentifierType  uint8
+	IdentifierValue string
+	Created         time.Time
+	Expires         time.Time
+	Profile         string
+	Challenges      uint8
+	Token           []byte
+	Status          uint8
+	ValidationIDs   []int64 // Actually a JSON list of ints
+}
+
+// validationsModel represents a row in the "validations" table.
+type validationsModel struct {
+	ID          int64
+	Challenge   uint8
+	AttemptedAt time.Time
+	Status      uint8
+	Record      []byte
+}
+
+// authzReuseModel represents a row in the "authzReuse" table.
+type authzReuseModel struct {
+	ID      int64 `db:"accountID_identifier"`
+	AuthzID int64
+	Expires time.Time
+}
diff --git a/sa/model_test.go b/sa/model_test.go
@@ -8,6 +8,7 @@ import (
 	"crypto/x509/pkix"
 	"database/sql"
 	"encoding/base64"
+	"encoding/binary"
 	"fmt"
 	"math/big"
 	"os"
@@ -27,6 +28,59 @@ import (
 	"github.com/letsencrypt/boulder/test"
 )
 
+func TestNewRandomID(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name         string
+		date         time.Time
+		expectPrefix uint8
+		expectError  string
+	}{
+		{
+			name:        "in the past",
+			date:        time.Date(2023, 01, 01, 00, 00, 00, 00, time.UTC),
+			expectError: "invalid epoch",
+		},
+		{
+			name:         "first epoch",
+			date:         time.Date(2024, 05, 01, 00, 00, 00, 00, time.UTC),
+			expectPrefix: 1,
+		},
+		{
+			name:         "last epoch",
+			date:         time.Date(2055, 07, 01, 00, 00, 00, 00, time.UTC),
+			expectPrefix: 127,
+		},
+		{
+			name:        "far future",
+			date:        time.Date(2056, 01, 01, 00, 00, 00, 00, time.UTC),
+			expectError: "invalid epoch",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			fc := clock.NewFake()
+			fc.Set(tc.date)
+			id, err := newRandomID(fc.Now())
+
+			if tc.expectPrefix != 0 {
+				test.AssertNotError(t, err, "expected success")
+				buf := make([]byte, 8)
+				binary.BigEndian.PutUint64(buf, uint64(id))
+				test.AssertEquals(t, buf[0], tc.expectPrefix)
+			}
+
+			if tc.expectError != "" {
+				test.AssertError(t, err, "expected error")
+				test.AssertContains(t, err.Error(), tc.expectError)
+			}
+		})
+	}
+}
+
 func TestRegistrationModelToPb(t *testing.T) {
 	badCases := []struct {
 		name  string
diff --git a/sa/type-converter.go b/sa/type-converter.go
@@ -20,7 +20,7 @@ type BoulderTypeConverter struct{}
 // ToDb converts a Boulder object to one suitable for the DB representation.
 func (tc BoulderTypeConverter) ToDb(val interface{}) (interface{}, error) {
 	switch t := val.(type) {
-	case identifier.ACMEIdentifier, []core.Challenge, []string, [][]int:
+	case identifier.ACMEIdentifier, []core.Challenge, []string, [][]int, []int64:
 		jsonBytes, err := json.Marshal(t)
 		if err != nil {
 			return nil, err
@@ -56,7 +56,7 @@ func (tc BoulderTypeConverter) ToDb(val interface{}) (interface{}, error) {
 // FromDb converts a DB representation back into a Boulder object.
 func (tc BoulderTypeConverter) FromDb(target interface{}) (borp.CustomScanner, bool) {
 	switch target.(type) {
-	case *identifier.ACMEIdentifier, *[]core.Challenge, *[]string, *[][]int:
+	case *identifier.ACMEIdentifier, *[]core.Challenge, *[]string, *[][]int, *[]int64:
 		binder := func(holder, target interface{}) error {
 			s, ok := holder.(*string)
 			if !ok {
