Add a DNS problem type. (letsencrypt#3625)

jsha · cpu · commit 699c7e4c4448 · 2018-04-09T12:21:02.000-04:00
As specified in ACME. Also, include problem type in the stats. Fixes letsencrypt#3613.
diff --git a/probs/probs.go b/probs/probs.go
@@ -19,6 +19,7 @@ const (
 	RejectedIdentifierProblem  = ProblemType("rejectedIdentifier")
 	AccountDoesNotExistProblem = ProblemType("accountDoesNotExist")
 	CAAProblem                 = ProblemType("caa")
+	DNSProblem                 = ProblemType("dns")
 
 	V1ErrorNS = "urn:acme:error:"
 	V2ErrorNS = "urn:ietf:params:acme:error:"
@@ -244,3 +245,12 @@ func CAA(detail string) *ProblemDetails {
 		HTTPStatus: http.StatusForbidden,
 	}
 }
+
+// DNS returns a ProblemDetails representing a DNSProblem
+func DNS(detail string) *ProblemDetails {
+	return &ProblemDetails{
+		Type:       DNSProblem,
+		Detail:     detail,
+		HTTPStatus: http.StatusBadRequest,
+	}
+}
diff --git a/va/caa.go b/va/caa.go
@@ -42,7 +42,7 @@ func (va *ValidationAuthorityImpl) checkCAA(
 	identifier core.AcmeIdentifier) *probs.ProblemDetails {
 	present, valid, err := va.checkCAARecords(ctx, identifier)
 	if err != nil {
-		return probs.ConnectionFailure(err.Error())
+		return probs.DNS(err.Error())
 	}
 	va.log.AuditInfo(fmt.Sprintf(
 		"Checked CAA records for %s, [Present: %t, Valid for issuance: %t]",
diff --git a/va/caa_test.go b/va/caa_test.go
@@ -134,8 +134,8 @@ func TestCAATimeout(t *testing.T) {
 	va, _ := setup(nil, 0)
 	va.dnsClient = caaMockDNS{}
 	err := va.checkCAA(ctx, core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "caa-timeout.com"})
-	if err.Type != probs.ConnectionProblem {
-		t.Errorf("Expected timeout error type %s, got %s", probs.ConnectionProblem, err.Type)
+	if err.Type != probs.DNSProblem {
+		t.Errorf("Expected timeout error type %s, got %s", probs.DNSProblem, err.Type)
 	}
 	expected := "error"
 	if err.Detail != expected {
diff --git a/va/va.go b/va/va.go
@@ -70,7 +70,7 @@ func initMetrics(stats metrics.Scope) *vaMetrics {
 			Help:    "Time taken to validate a challenge",
 			Buckets: metrics.InternetFacingBuckets,
 		},
-		[]string{"type", "result"})
+		[]string{"type", "result", "problemType"})
 	stats.MustRegister(validationTime)
 	remoteValidationTime := prometheus.NewHistogramVec(
 		prometheus.HistogramOpts{
@@ -162,8 +162,7 @@ type verificationRequestEvent struct {
 func (va ValidationAuthorityImpl) getAddr(ctx context.Context, hostname string) (net.IP, []net.IP, *probs.ProblemDetails) {
 	addrs, err := va.dnsClient.LookupHost(ctx, hostname)
 	if err != nil {
-		va.log.Debug(fmt.Sprintf("%s DNS failure: %s", hostname, err))
-		problem := probs.ConnectionFailure(err.Error())
+		problem := probs.DNS(err.Error())
 		return net.IP{}, nil, problem
 	}
 
@@ -683,7 +682,7 @@ func (va *ValidationAuthorityImpl) validateDNS01(ctx context.Context, identifier
 	if err != nil {
 		va.log.Info(fmt.Sprintf("Failed to lookup TXT records for %s. err=[%#v] errStr=[%s]", identifier, err, err))
 
-		return nil, probs.ConnectionFailure(err.Error())
+		return nil, probs.DNS(err.Error())
 	}
 
 	// If there weren't any TXT records return a distinct error message to allow
@@ -872,7 +871,9 @@ func (va *ValidationAuthorityImpl) PerformValidation(ctx context.Context, domain
 		prob = probs.ServerInternal("Records for validation failed sanity check")
 	}
 
+	var problemType string
 	if prob != nil {
+		problemType = string(prob.Type)
 		challenge.Status = core.StatusInvalid
 		challenge.Error = prob
 		logEvent.Error = prob.Error()
@@ -896,8 +897,9 @@ func (va *ValidationAuthorityImpl) PerformValidation(ctx context.Context, domain
 	logEvent.Challenge = challenge
 
 	va.metrics.validationTime.With(prometheus.Labels{
-		"type":   string(challenge.Type),
-		"result": string(challenge.Status),
+		"type":        string(challenge.Type),
+		"result":      string(challenge.Status),
+		"problemType": problemType,
 	}).Observe(time.Since(vStart).Seconds())
 
 	va.log.AuditObject("Validation result", logEvent)
diff --git a/va/va_test.go b/va/va_test.go
@@ -772,8 +772,9 @@ func TestPerformValidationInvalid(t *testing.T) {
 	test.Assert(t, prob != nil, "validation succeeded")
 
 	samples := test.CountHistogramSamples(va.metrics.validationTime.With(prometheus.Labels{
-		"type":   "dns-01",
-		"result": "invalid",
+		"type":        "dns-01",
+		"result":      "invalid",
+		"problemType": "unauthorized",
 	}))
 	if samples != 1 {
 		t.Errorf("Wrong number of samples for invalid validation. Expected 1, got %d", samples)
@@ -792,8 +793,9 @@ func TestDNSValidationEmpty(t *testing.T) {
 	test.AssertEquals(t, prob.Error(), "unauthorized :: No TXT record found at _acme-challenge.empty-txts.com")
 
 	samples := test.CountHistogramSamples(va.metrics.validationTime.With(prometheus.Labels{
-		"type":   "dns-01",
-		"result": "invalid",
+		"type":        "dns-01",
+		"result":      "invalid",
+		"problemType": "unauthorized",
 	}))
 	if samples != 1 {
 		t.Errorf("Wrong number of samples for invalid validation. Expected 1, got %d", samples)
@@ -856,8 +858,9 @@ func TestPerformValidationValid(t *testing.T) {
 	test.Assert(t, prob == nil, fmt.Sprintf("validation failed: %#v", prob))
 
 	samples := test.CountHistogramSamples(va.metrics.validationTime.With(prometheus.Labels{
-		"type":   "dns-01",
-		"result": "valid",
+		"type":        "dns-01",
+		"result":      "valid",
+		"problemType": "",
 	}))
 	if samples != 1 {
 		t.Errorf("Wrong number of samples for successful validation. Expected 1, got %d", samples)
@@ -885,8 +888,9 @@ func TestPerformValidationWildcard(t *testing.T) {
 	test.Assert(t, prob == nil, fmt.Sprintf("validation failed: %#v", prob))
 
 	samples := test.CountHistogramSamples(va.metrics.validationTime.With(prometheus.Labels{
-		"type":   "dns-01",
-		"result": "valid",
+		"type":        "dns-01",
+		"result":      "valid",
+		"problemType": "",
 	}))
 	if samples != 1 {
 		t.Errorf("Wrong number of samples for successful validation. Expected 1, got %d", samples)
@@ -971,7 +975,7 @@ func TestDNSValidationServFail(t *testing.T) {
 
 	_, prob := va.validateChallenge(ctx, dnsi("servfail.com"), chalDNS)
 
-	test.AssertEquals(t, prob.Type, probs.ConnectionProblem)
+	test.AssertEquals(t, prob.Type, probs.DNSProblem)
 }
 
 func TestDNSValidationNoServer(t *testing.T) {
@@ -987,7 +991,7 @@ func TestDNSValidationNoServer(t *testing.T) {
 
 	_, prob := va.validateChallenge(ctx, dnsi("localhost"), chalDNS)
 
-	test.AssertEquals(t, prob.Type, probs.ConnectionProblem)
+	test.AssertEquals(t, prob.Type, probs.DNSProblem)
 }
 
 func TestDNSValidationOK(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ func (va *ValidationAuthorityImpl) checkCAA(`
`42`	`42`	`identifier core.AcmeIdentifier) *probs.ProblemDetails {`
`43`	`43`	`present, valid, err := va.checkCAARecords(ctx, identifier)`
`44`	`44`	`if err != nil {`
`45`		`- return probs.ConnectionFailure(err.Error())`
	`45`	`+ return probs.DNS(err.Error())`
`46`	`46`	`}`
`47`	`47`	`va.log.AuditInfo(fmt.Sprintf(`
`48`	`48`	`"Checked CAA records for %s, [Present: %t, Valid for issuance: %t]",`