Add certificatesPerName rate limit to integration test (letsencrypt#1940)

benileo · rolandshoemaker · commit 67fd6ef67ce8 · 2016-06-17T16:10:05.000-07:00
This PR, covers the code path where the certificatesPerName rate limit is exceeded. Additionally, a node package (cli) was upgraded as the spinner was preventing the redirection of I/O. See this commit: node-js-libs/cli@ff064fe. Fixes letsencrypt#1614 letsencrypt#1940
diff --git a/ratelimit/rate-limits_test.go b/ratelimit/rate-limits_test.go
@@ -84,6 +84,7 @@ func TestLoadPolicies(t *testing.T) {
 	test.AssertEquals(t, certsPerName.Threshold, 2)
 	test.AssertDeepEquals(t, certsPerName.Overrides, map[string]int{
 		"ratelimit.me":          1,
+		"lim.it":                0,
 		"le.wtf":                10000,
 		"le1.wtf":               10000,
 		"le2.wtf":               10000,
diff --git a/test/integration-test.py b/test/integration-test.py
@@ -265,6 +265,29 @@ def expect(target_time, num):
     expect(now, 0)
     expect(after_grace_period, 1)
 
+def run_certificates_per_name_test():
+    try:
+        # This command will return a non zero error code. In order
+        # to avoid a CalledProcessException we use Popen.
+        handle = subprocess.Popen(
+            '''node test.js --email %s --domains %s''' % ('test@lim.it', 'lim.it'),
+            shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        handle.wait()
+        out, err = handle.communicate()
+    except subprocess.CalledProcessError as e:
+        print("\nFailure while running certificates per name test %s" % e)
+        die(ExitStatus.PythonFailure)
+
+    expected = [
+        "urn:acme:error:rateLimited",
+        "Error creating new cert :: Too many certificates already issued for: lim.it",
+        "429"
+    ]
+    for s in expected:
+        if s not in out:
+            print("\nCertificates per name test: expected %s not present in output" % s)
+            die(ExitStatus.Error)
+
 @atexit.register
 def cleanup():
     import shutil
@@ -328,6 +351,8 @@ def main():
 
         run_expired_authz_purger_test()
 
+        run_certificates_per_name_test()
+
     # Simulate a disconnection from RabbitMQ to make sure reconnects work.
     startservers.bounce_forward()
 
diff --git a/test/js/package.json b/test/js/package.json
@@ -4,7 +4,7 @@
   "repository": "https://github.com/letsencrypt/boulder",
   "version": "0.0.1",
   "dependencies": {
-    "cli": "^0.6.5",
+    "cli": "^0.7.1",
     "colors": "^1.1.0",
     "inquirer": "^0.8.2",
     "node-forge": "^0.6.21",
diff --git a/test/rate-limit-policies-b.yml b/test/rate-limit-policies-b.yml
@@ -7,6 +7,7 @@ certificatesPerName:
   threshold: 99
   overrides:
     ratelimit.me: 1
+    lim.it: 0
     # Hostnames used by the letsencrypt client integration test.
     le.wtf: 9999
     le1.wtf: 9999
diff --git a/test/rate-limit-policies.yml b/test/rate-limit-policies.yml
@@ -7,6 +7,7 @@ certificatesPerName:
   threshold: 2
   overrides:
     ratelimit.me: 1
+    lim.it: 0
     # Hostnames used by the letsencrypt client integration test.
     le.wtf: 10000
     le1.wtf: 10000
diff --git a/wfe/wfe.go b/wfe/wfe.go
@@ -808,7 +808,7 @@ func (wfe *WebFrontEndImpl) NewCertificate(ctx context.Context, logEvent *reques
 	// TODO IMPORTANT: The RA trusts the WFE to provide the correct key. If the
 	// WFE is compromised, *and* the attacker knows the public key of an account
 	// authorized for target site, they could cause issuance for that site by
-	// lying to the RA. We should probably pass a copy of the whole rquest to the
+	// lying to the RA. We should probably pass a copy of the whole request to the
 	// RA for secondary validation.
 	cert, err := wfe.RA.NewCertificate(ctx, certificateRequest, reg.ID)
 	if err != nil {
