integration: test for DisableAuthz2Orders. (letsencrypt#4390)

jsha · web-flow · commit b7250c1d431f · 2019-08-08T17:07:29.000-07:00
To make this work, I changed the twenty_days_ago setup to use
`config-next` when the main test phase is running `config`. That, in
turn, made the recheck_caa test fail, so I added a tweak to that.

I also moved the authzv2 migrations into `db`. Without that change,
the integration test would fail during the twenty_days_ago setup because
Boulder would attempt to create authzv2 objects but the table wouldn't
exist yet.
diff --git a/sa/_db/migrations/20190221140139_AddAuthz2.sql b/sa/_db/migrations/20190221140139_AddAuthz2.sql
diff --git a/sa/_db/migrations/20190524120239_AddAuthz2ExpiresIndex.sql b/sa/_db/migrations/20190524120239_AddAuthz2ExpiresIndex.sql
diff --git a/test/config/sa.json b/test/config/sa.json
@@ -24,6 +24,7 @@
       ]
     },
     "features": {
+      "DisableAuthz2Orders": true,
       "DeleteUnusedChallenges": true
     }
   },
diff --git a/test/integration-test.py b/test/integration-test.py
@@ -244,6 +244,8 @@ def main():
         config = default_config_dir
         if CONFIG_NEXT:
             config = "test/config"
+        else:
+            config = "test/config-next"
         now = datetime.datetime.utcnow()
 
         six_months_ago = now+datetime.timedelta(days=-30*6)
diff --git a/test/v1_integration.py b/test/v1_integration.py
@@ -449,6 +449,13 @@ def test_recheck_caa():
        was good. We'll set a new CAA record forbidding issuance; the CAA should
        recheck CAA and reject the request.
     """
+    # TODO(jsha): We can't do this test in non-CONFIG_NEXT mode
+    # because of authzv2. We do the twenty_days setup in CONFIG_NEXT
+    # mode (creating an authzv2), then restart Boulder with the authzv2
+    # flag disabled, which causes the authz to 404. Remove this check once
+    # authzv2 is live.
+    if not CONFIG_NEXT:
+        return
     if len(caa_recheck_authzs) == 0:
         raise Exception("CAA authzs not prepared for test_caa")
     domains = []
diff --git a/test/v2_integration.py b/test/v2_integration.py
@@ -936,6 +936,36 @@ def test_z1_reuse():
     if len(authz_uris) != 0:
         raise Exception("Failed to reuse all authzs. Remaining: %s" % authz_uris)
 
+z2_disable_client = None
+z2_disable_authz = None
+z2_disable_order = None
+@register_twenty_days_ago
+def z2_disable_setup():
+    global z2_disable_client
+    global z2_disable_authz
+    global z2_disable_order
+    z2_disable_client = chisel2.make_client()
+    z2_disable_order = chisel2.auth_and_issue([random_domain()])
+    z2_disable_authz = z2_disable_order.authorizations[0]
+
+def test_z2_disable():
+    """Test the DisableAuthz2Orders feature flag. Only runs when
+       that flag is set (that is, not in CONFIG_NEXT mode)."""
+    if CONFIG_NEXT:
+        return
+    response = requests.get(z2_disable_authz.uri)
+    if response.status_code != 404:
+        raise Exception("Expected authorization to be disabled. Got %s" %
+            response)
+    response = requests.get(z2_disable_order.uri)
+    if response.status_code != 404:
+        raise Exception("Expected order to be disabled. Got %s" %
+            response)
+    o = z2_disable_client.new_order(
+        chisel2.make_csr([z2_disable_authz.body.identifier.value]))
+    if o.authorizations[0].uri == z2_disable_authz.uri:
+        raise Exception("Expected authzv2 authorization not to be reused")
+
 def test_new_order_policy_errs():
     """
     Test that creating an order with policy blocked identifiers returns

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@`
`24`	`24`	`]`
`25`	`25`	`},`
`26`	`26`	`"features": {`
	`27`	`+ "DisableAuthz2Orders": true,`
`27`	`28`	`"DeleteUnusedChallenges": true`
`28`	`29`	`}`
`29`	`30`	`},`