Fix FasterGetOrderForNames and add tests. (letsencrypt#4331)

jsha · Daniel McCarney · commit 74699486ec33 · 2019-07-11T13:43:42.000-04:00
This rolls forward letsencrypt#4326 after it was reverted in letsencrypt#4328. Resolves letsencrypt#4329 The older query didn't have a `LIMIT 1` so it was returning multiple results, but gorp's `SelectOne` was okay with multiple results when the selection was going into an `int64`. When I changed this to a `struct` in letsencrypt#4326, gorp started producing errors. For this bug to manifest, an account needs to create an order, then fail validation, twice in a row for a given domain name, then create an order once more for the same domain name - that third request will fail because there are multiple orders in the orderFqdnSets table for that domain. Note that the bug condition doesn't happen when an account does three successful issuances in a row, because finalizing an order (that is, issuing a certificate for it) deletes the row in orderFqdnSets. Failing an authorization does not delete the row in orderFqdnSets. I believe this was an intentional design decision because an authorization can participate in many orders, and those orders can have many other authorizations, so computing the updated state of all those orders would be expensive (remember, order state is not persisted in the DB but is calculated dynamically based on the authorizations it contains). This wasn't detected in integration tests because we don't have any tests that fail validation for the same domain multiple times. I filed an issue for an integration test that would have incidentally caught this: letsencrypt#4332. There's also a more specific test case in letsencrypt#4331.
diff --git a/features/featureflag_string.go b/features/featureflag_string.go
diff --git a/features/features.go b/features/features.go
@@ -57,6 +57,8 @@ const (
 	// MandatoryPOSTAsGET forbids legacy unauthenticated GET requests for ACME
 	// resources.
 	MandatoryPOSTAsGET
+	// Use an optimized query for GetOrderForNames.
+	FasterGetOrderForNames
 )
 
 // List of features and their default value, protected by fMu
@@ -82,6 +84,7 @@ var features = map[FeatureFlag]bool{
 	CheckRenewalFirst:        false,
 	MandatoryPOSTAsGET:       false,
 	DisableAuthz2Orders:      false,
+	FasterGetOrderForNames:   false,
 }
 
 var fMu = new(sync.RWMutex)
diff --git a/sa/sa.go b/sa/sa.go
@@ -1812,26 +1812,55 @@ func (ssa *SQLStorageAuthority) GetOrderForNames(
 	// Hash the names requested for lookup in the orderFqdnSets table
 	fqdnHash := hashNames(req.Names)
 
-	var orderID int64
-	err := ssa.dbMap.WithContext(ctx).SelectOne(&orderID, `
-	SELECT orderID
-	FROM orderFqdnSets
-	WHERE setHash = ?
-	AND registrationID = ?
-	AND expires > ?`,
-		fqdnHash, *req.AcctID, ssa.clk.Now())
-
-	// There isn't an unexpired order for the provided AcctID that has the
-	// fqdnHash requested.
+	// Find a possibly-suitable order. We don't include the account ID or order
+	// status in this query because there's no index that includes those, so
+	// including them could require the DB to scan extra rows.
+	// Instead, we select one unexpired order that matches the fqdnSet. If
+	// that order doesn't match the account ID or status we need, just return
+	// nothing. We use `ORDER BY expires ASC` because the index on
+	// (setHash, expires) is in ASC order. DESC would be slightly nicer from a
+	// user experience perspective but would be slow when there are many entries
+	// to sort.
+	// This approach works fine because in most cases there's only one account
+	// issuing for a given name. If there are other accounts issuing for the same
+	// name, it just means order reuse happens less often.
+	var result struct {
+		OrderID        int64
+		RegistrationID int64
+	}
+	var err error
+	if features.Enabled(features.FasterGetOrderForNames) {
+		err = ssa.dbMap.WithContext(ctx).SelectOne(&result, `
+					SELECT orderID, registrationID
+					FROM orderFqdnSets
+					WHERE setHash = ?
+					AND expires > ?
+					ORDER BY expires DESC
+					LIMIT 1`,
+			fqdnHash, ssa.clk.Now())
+	} else {
+		err = ssa.dbMap.WithContext(ctx).SelectOne(&result, `
+					SELECT orderID, registrationID
+					FROM orderFqdnSets
+					WHERE setHash = ?
+					AND registrationID = ?
+					AND expires > ?
+					LIMIT 1`,
+			fqdnHash, *req.AcctID, ssa.clk.Now())
+	}
+
 	if err == sql.ErrNoRows {
 		return nil, berrors.NotFoundError("no order matching request found")
 	} else if err != nil {
-		// An unexpected error occurred
 		return nil, err
 	}
 
+	if result.RegistrationID != *req.AcctID {
+		return nil, berrors.NotFoundError("no order matching request found")
+	}
+
 	// Get the order
-	order, err := ssa.GetOrder(ctx, &sapb.OrderRequest{Id: &orderID, UseV2Authorizations: req.UseV2Authorizations})
+	order, err := ssa.GetOrder(ctx, &sapb.OrderRequest{Id: &result.OrderID, UseV2Authorizations: req.UseV2Authorizations})
 	if err != nil {
 		return nil, err
 	}
diff --git a/sa/sa_test.go b/sa/sa_test.go
@@ -1979,6 +1979,51 @@ func TestCountOrders(t *testing.T) {
 	test.AssertEquals(t, count, 0)
 }
 
+func TestFasterGetOrderForNames(t *testing.T) {
+	sa, fc, cleanUp := initSA(t)
+	defer cleanUp()
+
+	domain := "example.com"
+	expires := fc.Now().Add(time.Hour)
+
+	reg, err := sa.NewRegistration(ctx, core.Registration{
+		Key:       satest.GoodJWK(),
+		InitialIP: net.ParseIP("42.42.42.42"),
+	})
+	test.AssertNotError(t, err, "Couldn't create test registration")
+
+	authz, err := sa.NewPendingAuthorization(ctx, core.Authorization{
+		Identifier:     identifier.DNSIdentifier(domain),
+		RegistrationID: reg.ID,
+		Status:         core.StatusPending,
+		Expires:        &expires,
+	})
+	test.AssertNotError(t, err, "creating authorization")
+
+	expiresNano := expires.UnixNano()
+	_, err = sa.NewOrder(ctx, &corepb.Order{
+		RegistrationID: &reg.ID,
+		Expires:        &expiresNano,
+		Authorizations: []string{authz.ID},
+		Names:          []string{domain},
+	})
+	test.AssertNotError(t, err, "sa.NewOrder failed")
+
+	_, err = sa.NewOrder(ctx, &corepb.Order{
+		RegistrationID: &reg.ID,
+		Expires:        &expiresNano,
+		Authorizations: []string{authz.ID},
+		Names:          []string{domain},
+	})
+	test.AssertNotError(t, err, "sa.NewOrder failed")
+
+	_, err = sa.GetOrderForNames(ctx, &sapb.GetOrderForNamesRequest{
+		AcctID: &reg.ID,
+		Names:  []string{domain},
+	})
+	test.AssertNotError(t, err, "sa.GetOrderForNames failed")
+}
+
 func TestGetOrderForNames(t *testing.T) {
 	sa, fc, cleanUp := initSA(t)
 	defer cleanUp()
diff --git a/test/config-next/sa.json b/test/config-next/sa.json
@@ -24,6 +24,7 @@
       ]
     },
     "features": {
+      "FasterGetOrderForNames": true
     }
   },
 
diff --git a/test/v2_integration.py b/test/v2_integration.py
@@ -104,6 +104,26 @@ def test_http_challenge_broken_redirect():
 
     challSrv.remove_http_redirect(challengePath)
 
+def test_fail_thrice():
+    """
+    Fail a challenge for the same domain, with the same account, three times in
+    a row. This tests a fix for
+    https://github.com/letsencrypt/boulder/issues/4329. We expect to get
+    ValidationErrors, but no 500s.
+    """
+    domain = "failthrice." + random_domain()
+    csr_pem = chisel2.make_csr([domain])
+    client = chisel2.make_client()
+    for _ in range(3):
+        order = client.new_order(csr_pem)
+        chall = order.authorizations[0].body.challenges[0]
+        client.answer_challenge(chall, chall.response(client.net.key))
+        try:
+            client.poll_and_finalize(order)
+        except errors.ValidationError as e:
+            pass
+
+
 def test_http_challenge_loop_redirect():
     client = chisel2.make_client()
 

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,8 @@ const (`
`57`	`57`	`// MandatoryPOSTAsGET forbids legacy unauthenticated GET requests for ACME`
`58`	`58`	`// resources.`
`59`	`59`	`MandatoryPOSTAsGET`
	`60`	`+ // Use an optimized query for GetOrderForNames.`
	`61`	`+ FasterGetOrderForNames`
`60`	`62`	`)`
`61`	`63`
`62`	`64`	`// List of features and their default value, protected by fMu`
`@@ -82,6 +84,7 @@ var features = map[FeatureFlag]bool{`
`82`	`84`	`CheckRenewalFirst: false,`
`83`	`85`	`MandatoryPOSTAsGET: false,`
`84`	`86`	`DisableAuthz2Orders: false,`
	`87`	`+ FasterGetOrderForNames: false,`
`85`	`88`	`}`
`86`	`89`
`87`	`90`	`var fMu = new(sync.RWMutex)`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@`
`24`	`24`	`]`
`25`	`25`	`},`
`26`	`26`	`"features": {`
	`27`	`+ "FasterGetOrderForNames": true`
`27`	`28`	`}`
`28`	`29`	`},`
`29`	`30`