Allow forwarding of nonce-service Redeem RPCs from one service… (letsencrypt#4297)

rolandshoemaker · web-flow · commit 844ae26b650f · 2019-06-26T13:04:31.000-07:00
Fixes letsencrypt#4295.
diff --git a/cmd/nonce-service/main.go b/cmd/nonce-service/main.go
@@ -4,10 +4,13 @@ import (
 	"context"
 	"errors"
 	"flag"
+	"sync"
+	"time"
 
 	"github.com/letsencrypt/boulder/cmd"
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
+	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/nonce"
 	noncepb "github.com/letsencrypt/boulder/nonce/proto"
 )
@@ -17,18 +20,69 @@ type config struct {
 		cmd.ServiceConfig
 		Syslog  cmd.SyslogConfig
 		MaxUsed int
+
+		RemoteNonceServices []cmd.GRPCClientConfig
 	}
 }
 
 type nonceServer struct {
-	inner *nonce.NonceService
+	inner          *nonce.NonceService
+	remoteServices []noncepb.NonceServiceClient
+	log            blog.Logger
 }
 
-func (ns *nonceServer) Redeem(_ context.Context, msg *noncepb.NonceMessage) (*noncepb.ValidMessage, error) {
+func (ns *nonceServer) remoteRedeem(ctx context.Context, msg *noncepb.NonceMessage) bool {
+	deadline, ok := ctx.Deadline()
+	if !ok {
+		ns.log.Err("Context passed to remoteRedeem does not have a deadline")
+		return false
+	}
+	subCtx, cancel := context.WithDeadline(ctx, deadline.Add(-time.Millisecond*250))
+	defer cancel()
+	forwarded := true
+	msg.Forwarded = &forwarded
+	results := make(chan bool, len(ns.remoteServices))
+	wg := new(sync.WaitGroup)
+	for _, remote := range ns.remoteServices {
+		wg.Add(1)
+		go func(r noncepb.NonceServiceClient) {
+			defer wg.Done()
+			resp, err := r.Redeem(subCtx, msg)
+			if err != nil {
+				ns.log.Errf("remote Redeem call failed: %s", err)
+				return
+			}
+			results <- *resp.Valid
+		}(remote)
+	}
+	go func() {
+		wg.Wait()
+		close(results)
+	}()
+	for result := range results {
+		select {
+		case <-subCtx.Done():
+			return false
+		default:
+			if result {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (ns *nonceServer) Redeem(ctx context.Context, msg *noncepb.NonceMessage) (*noncepb.ValidMessage, error) {
 	if msg.Nonce == nil {
 		return nil, errors.New("Incomplete gRPC request message")
 	}
 	valid := ns.inner.Valid(*msg.Nonce)
+	// If the nonce was not valid, we have configured remote nonce services,
+	// and this Redeem message wasn't forwarded, then forward it to the
+	// remote services
+	if !valid && len(ns.remoteServices) > 0 && msg.Forwarded != nil && !*msg.Forwarded {
+		valid = ns.remoteRedeem(ctx, msg)
+	}
 	return &noncepb.ValidMessage{Valid: &valid}, nil
 }
 
@@ -41,13 +95,22 @@ func (ns *nonceServer) Nonce(_ context.Context, _ *corepb.Empty) (*noncepb.Nonce
 }
 
 func main() {
+	grpcAddr := flag.String("addr", "", "gRPC listen address override")
+	debugAddr := flag.String("debug-addr", "", "Debug server address override")
 	configFile := flag.String("config", "", "File path to the configuration file for this service")
 	flag.Parse()
 
 	var c config
 	err := cmd.ReadConfigFile(*configFile, &c)
 	cmd.FailOnError(err, "Reading JSON config file into config structure")
 
+	if *grpcAddr != "" {
+		c.NonceService.GRPC.Address = *grpcAddr
+	}
+	if *debugAddr != "" {
+		c.NonceService.DebugAddr = *debugAddr
+	}
+
 	scope, logger := cmd.StatsAndLogging(c.NonceService.Syslog, c.NonceService.DebugAddr)
 	defer logger.AuditPanic()
 	logger.Info(cmd.VersionString())
@@ -57,10 +120,22 @@ func main() {
 
 	tlsConfig, err := c.NonceService.TLS.Load()
 	cmd.FailOnError(err, "tlsConfig config")
+
+	nonceServer := &nonceServer{inner: ns, log: logger}
+	if len(c.NonceService.RemoteNonceServices) > 0 {
+		clientMetrics := bgrpc.NewClientMetrics(scope)
+		clk := cmd.Clock()
+		for _, remoteNonceConfig := range c.NonceService.RemoteNonceServices {
+			rnsConn, err := bgrpc.ClientSetup(&remoteNonceConfig, tlsConfig, clientMetrics, clk)
+			cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to Nonce service")
+			nonceServer.remoteServices = append(nonceServer.remoteServices, noncepb.NewNonceServiceClient(rnsConn))
+		}
+	}
+
 	serverMetrics := bgrpc.NewServerMetrics(scope)
 	grpcSrv, l, err := bgrpc.NewServer(c.NonceService.GRPC, tlsConfig, serverMetrics, cmd.Clock())
 	cmd.FailOnError(err, "Unable to setup nonce service gRPC server")
-	noncepb.RegisterNonceServiceServer(grpcSrv, &nonceServer{inner: ns})
+	noncepb.RegisterNonceServiceServer(grpcSrv, nonceServer)
 
 	go cmd.CatchSignals(logger, grpcSrv.GracefulStop)
 
diff --git a/cmd/nonce-service/main_test.go b/cmd/nonce-service/main_test.go
@@ -0,0 +1,118 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	corepb "github.com/letsencrypt/boulder/core/proto"
+	blog "github.com/letsencrypt/boulder/log"
+	"github.com/letsencrypt/boulder/metrics"
+	"github.com/letsencrypt/boulder/nonce"
+	noncepb "github.com/letsencrypt/boulder/nonce/proto"
+	"github.com/letsencrypt/boulder/test"
+	"google.golang.org/grpc"
+)
+
+type workingRemote struct{ resp bool }
+
+func (wr *workingRemote) Redeem(ctx context.Context, in *noncepb.NonceMessage, opts ...grpc.CallOption) (*noncepb.ValidMessage, error) {
+	return &noncepb.ValidMessage{
+		Valid: &wr.resp,
+	}, nil
+}
+
+func (wr *workingRemote) Nonce(ctx context.Context, in *corepb.Empty, opts ...grpc.CallOption) (*noncepb.NonceMessage, error) {
+	return nil, nil
+}
+
+type sleepingRemote struct{}
+
+func (sr *sleepingRemote) Redeem(ctx context.Context, in *noncepb.NonceMessage, opts ...grpc.CallOption) (*noncepb.ValidMessage, error) {
+	time.Sleep(time.Millisecond * 50)
+	valid := true
+	return &noncepb.ValidMessage{
+		Valid: &valid,
+	}, nil
+}
+
+func (sr *sleepingRemote) Nonce(ctx context.Context, in *corepb.Empty, opts ...grpc.CallOption) (*noncepb.NonceMessage, error) {
+	return nil, nil
+}
+
+type brokenRemote struct{}
+
+func (br *brokenRemote) Redeem(ctx context.Context, in *noncepb.NonceMessage, opts ...grpc.CallOption) (*noncepb.ValidMessage, error) {
+	return nil, errors.New("BROKE!")
+}
+
+func (br *brokenRemote) Nonce(ctx context.Context, in *corepb.Empty, opts ...grpc.CallOption) (*noncepb.NonceMessage, error) {
+	return nil, nil
+}
+
+func TestRemoteRedeem(t *testing.T) {
+	l := blog.NewMock()
+
+	innerNs, err := nonce.NewNonceService(metrics.NewNoopScope(), 1)
+	test.AssertNotError(t, err, "NewNonceService failed")
+	ns := nonceServer{log: l, inner: innerNs}
+
+	// Working remote returning valid nonce message
+	ns.remoteServices = []noncepb.NonceServiceClient{
+		&workingRemote{resp: false},
+		&workingRemote{resp: true},
+	}
+	nonce := "asd"
+	forwarded := false
+	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(time.Hour))
+	resp, err := ns.Redeem(ctx, &noncepb.NonceMessage{Nonce: &nonce, Forwarded: &forwarded})
+	cancel()
+	test.AssertNotError(t, err, "Redeem failed")
+	test.Assert(t, *resp.Valid, "Redeem returned the wrong response")
+
+	// Working remotes returning invalid nonce message
+	ns.remoteServices = []noncepb.NonceServiceClient{
+		&workingRemote{resp: false},
+		&workingRemote{resp: false},
+	}
+	ctx, cancel = context.WithDeadline(context.Background(), time.Now().Add(time.Hour))
+	resp, err = ns.Redeem(ctx, &noncepb.NonceMessage{Nonce: &nonce, Forwarded: &forwarded})
+	cancel()
+	test.AssertNotError(t, err, "Redeem failed")
+	test.Assert(t, !*resp.Valid, "Redeem returned the wrong response")
+
+	// Sleeping remotes returns valid nonce message, but after 50ms, Redeem should return false
+	ns.remoteServices = []noncepb.NonceServiceClient{
+		&sleepingRemote{},
+		&sleepingRemote{},
+	}
+	ctx, cancel = context.WithDeadline(context.Background(), time.Now().Add(time.Millisecond))
+	resp, err = ns.Redeem(ctx, &noncepb.NonceMessage{Nonce: &nonce, Forwarded: &forwarded})
+	cancel()
+	test.AssertNotError(t, err, "Redeem failed")
+	test.Assert(t, !*resp.Valid, "Redeem returned the wrong response")
+
+	// Already forwarded message, Redeem should return false
+	ns.remoteServices = []noncepb.NonceServiceClient{
+		&workingRemote{resp: true},
+		&workingRemote{resp: true},
+	}
+	forwarded = true
+	ctx, cancel = context.WithDeadline(context.Background(), time.Now().Add(time.Hour))
+	resp, err = ns.Redeem(ctx, &noncepb.NonceMessage{Nonce: &nonce, Forwarded: &forwarded})
+	cancel()
+	test.AssertNotError(t, err, "Redeem failed")
+	test.Assert(t, !*resp.Valid, "Redeem returned the wrong response")
+
+	// Broken remotes, Redeem should return false
+	ns.remoteServices = []noncepb.NonceServiceClient{
+		&brokenRemote{},
+		&brokenRemote{},
+	}
+	ctx, cancel = context.WithDeadline(context.Background(), time.Now().Add(time.Millisecond))
+	resp, err = ns.Redeem(ctx, &noncepb.NonceMessage{Nonce: &nonce, Forwarded: &forwarded})
+	cancel()
+	test.AssertNotError(t, err, "Redeem failed")
+	test.Assert(t, !*resp.Valid, "Redeem returned the wrong response")
+}
diff --git a/nonce/proto/nonce.pb.go b/nonce/proto/nonce.pb.go
diff --git a/nonce/proto/nonce.proto b/nonce/proto/nonce.proto
@@ -12,6 +12,7 @@ service NonceService {
 
 message NonceMessage {
 	optional string nonce = 1;
+	optional bool forwarded = 2;
 }
 
 message ValidMessage {
diff --git a/test/config-next/nonce.json b/test/config-next/nonce.json
@@ -8,13 +8,24 @@
         "grpc": {
             "address": ":9101",
             "clientNames": [
-                "wfe.boulder"
+                "wfe.boulder",
+                "nonce.boulder"
             ]
         },
         "tls": {
             "caCertFile": "test/grpc-creds/minica.pem",
             "certFile": "test/grpc-creds/nonce.boulder/cert.pem",
             "keyFile": "test/grpc-creds/nonce.boulder/key.pem"
-        }
+        },
+        "remoteNonceServices": [
+            {
+                "serverAddress": "nonce.boulder:9102",
+                "timeout": "15s"
+            },
+            {
+                "serverAddress": "nonce.boulder:9101",
+                "timeout": "15s"
+            }
+        ]
     }
 }
diff --git a/test/grpc-creds/generate.sh b/test/grpc-creds/generate.sh
@@ -10,7 +10,7 @@ command -v minica >/dev/null 2>&1 || {
 }
 
 for HOSTNAME in admin-revoker.boulder expiration-mailer.boulder \
-  ocsp-updater.boulder orphan-finder.boulder wfe.boulder akamai-purger.boulder ; do
+  ocsp-updater.boulder orphan-finder.boulder wfe.boulder akamai-purger.boulder nonce.boulder ; do
   minica -domains ${HOSTNAME}
 done
 
diff --git a/test/startservers.py b/test/startservers.py
@@ -88,6 +88,7 @@ def start(race_detection, fakeclock=None, config_dir=default_config_dir):
         [8002, './bin/boulder-ra --config %s --addr ra1.boulder:9094 --debug-addr :8002' % os.path.join(config_dir, "ra.json")],
         [8102, './bin/boulder-ra --config %s --addr ra2.boulder:9094 --debug-addr :8102' % os.path.join(config_dir, "ra.json")],
         [8111, './bin/nonce-service --config %s' % os.path.join(config_dir, "nonce.json")],
+        [8112, './bin/nonce-service --config %s --addr nonce.boulder:9102 --debug-addr :8112' % os.path.join(config_dir, "nonce.json")],
         [4431, './bin/boulder-wfe2 --config %s' % os.path.join(config_dir, "wfe2.json")],
         [4000, './bin/boulder-wfe --config %s' % os.path.join(config_dir, "wfe.json")],
     ])

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ service NonceService {`
`12`	`12`
`13`	`13`	`message NonceMessage {`
`14`	`14`	`optional string nonce = 1;`
	`15`	`+ optional bool forwarded = 2;`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`message ValidMessage {`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ command -v minica >/dev/null 2>&1 \|\| {`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`for HOSTNAME in admin-revoker.boulder expiration-mailer.boulder \`
`13`		`- ocsp-updater.boulder orphan-finder.boulder wfe.boulder akamai-purger.boulder ; do`
	`13`	`+ ocsp-updater.boulder orphan-finder.boulder wfe.boulder akamai-purger.boulder nonce.boulder ; do`
`14`	`14`	`minica -domains ${HOSTNAME}`
`15`	`15`	`done`
`16`	`16`