Deprecate CAA AccountURI and ValidationMethods feature flags (#7000)

These flags are set to true in all environments.

Author: aarongable

cmd/boulder-va/main.go

@@ -36,7 +36,7 @@ type Config struct {
 
 		Features map[string]bool
 
-		AccountURIPrefixes []string
+		AccountURIPrefixes []string `validate:"min=1,dive,required,url"`
 	}
 
 	Syslog        cmd.SyslogConfig

features/features.go

@@ -17,12 +17,10 @@ const (
 	ROCSPStage6
 	ROCSPStage7
 	StoreLintingCertificateInsteadOfPrecertificate
-
-	//   Currently in-use features
-	// Check CAA and respect validationmethods parameter.
 	CAAValidationMethods
-	// Check CAA and respect accounturi parameter.
 	CAAAccountURI
+
+	//   Currently in-use features
 	// EnforceMultiVA causes the VA to block on remote VA PerformValidation
 	// requests in order to make a valid/invalid decision with the results.
 	EnforceMultiVA

test/config-next/va-remote-a.json

@@ -34,10 +34,7 @@
 				}
 			}
 		},
-		"features": {
-			"CAAValidationMethods": true,
-			"CAAAccountURI": true
-		},
+		"features": {},
 		"accountURIPrefixes": [
 			"http://boulder.service.consul:4000/acme/reg/",
 			"http://boulder.service.consul:4001/acme/acct/"

test/config-next/va-remote-b.json

@@ -34,10 +34,7 @@
 				}
 			}
 		},
-		"features": {
-			"CAAValidationMethods": true,
-			"CAAAccountURI": true
-		},
+		"features": {},
 		"accountURIPrefixes": [
 			"http://boulder.service.consul:4000/acme/reg/",
 			"http://boulder.service.consul:4001/acme/acct/"

test/config-next/va.json

@@ -40,8 +40,6 @@
 			}
 		},
 		"features": {
-			"CAAValidationMethods": true,
-			"CAAAccountURI": true,
 			"EnforceMultiVA": true,
 			"MultiVAFullResults": true
 		},

test/v2_integration.py

@@ -1491,11 +1491,6 @@ def test_caa_extensions():
     for policy in caa_records:
         challSrv.add_caa_issue(policy["domain"], policy["value"])
 
-    # TODO(@4a6f656c): Once the `CAAValidationMethods` feature flag is enabled by
-    # default, remove this early return.
-    if not CONFIG_NEXT:
-        return
-
     chisel2.expect_problem("urn:ietf:params:acme:error:caa",
         lambda: chisel2.auth_and_issue(["dns-01-only.good-caa-reserved.com"], chall_type="http-01"))
 

va/caa.go

@@ -11,7 +11,6 @@ import (
 	"github.com/letsencrypt/boulder/core"
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	berrors "github.com/letsencrypt/boulder/errors"
-	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/probs"
 	vapb "github.com/letsencrypt/boulder/va/proto"
@@ -284,15 +283,12 @@ func (va *ValidationAuthorityImpl) validateCAA(caaSet *caaResult, wildcard bool,
 			continue
 		}
 
-		if features.Enabled(features.CAAAccountURI) {
-			if !caaAccountURIMatches(parsedParams, va.accountURIPrefixes, params.accountURIID) {
-				continue
-			}
+		if !caaAccountURIMatches(parsedParams, va.accountURIPrefixes, params.accountURIID) {
+			continue
 		}
-		if features.Enabled(features.CAAValidationMethods) {
-			if !caaValidationMethodMatches(parsedParams, params.validationMethod) {
-				continue
-			}
+
+		if !caaValidationMethodMatches(parsedParams, params.validationMethod) {
+			continue
 		}
 
 		va.metrics.caaCounter.WithLabelValues("authorized").Inc()

va/caa_test.go

@@ -11,7 +11,6 @@ import (
 	"github.com/miekg/dns"
 
 	"github.com/letsencrypt/boulder/core"
-	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/probs"
 	"github.com/letsencrypt/boulder/test"
@@ -411,11 +410,9 @@ func TestCAAChecking(t *testing.T) {
 	params := &caaParams{accountURIID: accountURIID, validationMethod: method}
 
 	va, _ := setup(nil, 0, "", nil)
-	err := features.Set(map[string]bool{"CAAValidationMethods": true, "CAAAccountURI": true})
-	test.AssertNotError(t, err, "failed to enable features")
-
 	va.dnsClient = caaMockDNS{}
 	va.accountURIPrefixes = []string{"https://letsencrypt.org/acct/reg/"}
+
 	for _, caaTest := range testCases {
 		mockLog := va.log.(*blog.Mock)
 		mockLog.Clear()
@@ -433,49 +430,6 @@ func TestCAAChecking(t *testing.T) {
 			}
 		})
 	}
-
-	// Reset to disable CAAValidationMethods/CAAAccountURI.
-	features.Reset()
-
-	// present-dns-only.com should now be valid even with http-01
-	ident := identifier.DNSIdentifier("present-dns-only.com")
-	foundAt, valid, _, err := va.checkCAARecords(ctx, ident, params)
-	test.AssertNotError(t, err, "present-dns-only.com")
-	test.AssertEquals(t, foundAt, "present-dns-only.com")
-	test.Assert(t, valid, "Valid should be true")
-
-	// present-incorrect-accounturi.com should now be also be valid
-	ident = identifier.DNSIdentifier("present-incorrect-accounturi.com")
-	foundAt, valid, _, err = va.checkCAARecords(ctx, ident, params)
-	test.AssertNotError(t, err, "present-incorrect-accounturi.com")
-	test.AssertEquals(t, foundAt, "present-incorrect-accounturi.com")
-	test.Assert(t, valid, "Valid should be true")
-
-	// nil params should be valid, too
-	foundAt, valid, _, err = va.checkCAARecords(ctx, ident, nil)
-	test.AssertNotError(t, err, "present-incorrect-accounturi.com")
-	test.AssertEquals(t, foundAt, "present-incorrect-accounturi.com")
-	test.Assert(t, valid, "Valid should be true")
-
-	ident.Value = "servfail.com"
-	foundAt, valid, _, err = va.checkCAARecords(ctx, ident, nil)
-	test.AssertError(t, err, "servfail.com")
-	test.AssertEquals(t, foundAt, "")
-	test.Assert(t, !valid, "Valid should be false")
-
-	if _, _, _, err := va.checkCAARecords(ctx, ident, nil); err == nil {
-		t.Errorf("Should have returned error on CAA lookup, but did not: %s", ident.Value)
-	}
-
-	ident.Value = "servfail.present.com"
-	foundAt, valid, _, err = va.checkCAARecords(ctx, ident, nil)
-	test.AssertError(t, err, "servfail.present.com")
-	test.AssertEquals(t, foundAt, "")
-	test.Assert(t, !valid, "Valid should be false")
-
-	if _, _, _, err := va.checkCAARecords(ctx, ident, nil); err == nil {
-		t.Errorf("Should have returned error on CAA lookup, but did not: %s", ident.Value)
-	}
 }
 
 func TestCAALogging(t *testing.T) {

va/va.go

@@ -229,7 +229,7 @@ func NewValidationAuthorityImpl(
 	accountURIPrefixes []string,
 ) (*ValidationAuthorityImpl, error) {
 
-	if features.Enabled(features.CAAAccountURI) && len(accountURIPrefixes) == 0 {
+	if len(accountURIPrefixes) == 0 {
 		return nil, errors.New("no account URI prefixes configured")
 	}