Remove features checks from wfe2 (letsencrypt#2982)

Roland Bracewell Shoemaker · cpu · commit c560fa4fc5fc · 2017-08-16T10:53:47.000-04:00
diff --git a/core/util.go b/core/util.go
@@ -95,10 +95,18 @@ func (e BadNonceError) Error() string           { return string(e) }
 
 // Random stuff
 
+type randSource interface {
+	Read(p []byte) (n int, err error)
+}
+
+// RandReader is used so that it can be replaced in tests that require
+// deterministic output
+var RandReader randSource = rand.Reader
+
 // RandomString returns a randomly generated string of the requested length.
 func RandomString(byteLength int) string {
 	b := make([]byte, byteLength)
-	_, err := io.ReadFull(rand.Reader, b)
+	_, err := io.ReadFull(RandReader, b)
 	if err != nil {
 		panic(fmt.Sprintf("Error reading random bytes: %s", err))
 	}
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
@@ -19,7 +19,6 @@ import (
 	"golang.org/x/net/context"
 
 	"github.com/letsencrypt/boulder/core"
-	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -269,7 +268,7 @@ func (wfe *WebFrontEndImpl) relativeDirectory(request *http.Request, directory m
 	// the `BaseURL`. Otherwise, prefix each endpoint using the request protocol
 	// & host.
 	for k, v := range directory {
-		if features.Enabled(features.RandomDirectoryEntry) && v == randomDirKeyExplanationLink {
+		if v == randomDirKeyExplanationLink {
 			relativeDir[k] = v
 			continue
 		}
@@ -308,9 +307,7 @@ func (wfe *WebFrontEndImpl) Handler() http.Handler {
 	wfe.HandleFunc(m, termsPath, wfe.Terms, "GET")
 	wfe.HandleFunc(m, issuerPath, wfe.Issuer, "GET")
 	wfe.HandleFunc(m, buildIDPath, wfe.BuildID, "GET")
-	if features.Enabled(features.AllowKeyRollover) {
-		wfe.HandleFunc(m, rolloverPath, wfe.KeyRollover, "POST")
-	}
+	wfe.HandleFunc(m, rolloverPath, wfe.KeyRollover, "POST")
 	// We don't use our special HandleFunc for "/" because it matches everything,
 	// meaning we can wind up returning 405 when we mean to return 404. See
 	// https://github.com/letsencrypt/boulder/issues/717
@@ -376,26 +373,18 @@ func (wfe *WebFrontEndImpl) Directory(ctx context.Context, logEvent *requestEven
 		"revoke-cert": revokeCertPath,
 	}
 
-	// Versions of Certbot pre-0.6.0 (named LetsEncryptPythonClient at the time) break when they
-	// encounter a directory containing elements they don't expect so we gate
-	// adding new directory fields for clients matching this UA.
-	clientDirChangeIntolerant := strings.HasPrefix(request.UserAgent(), "LetsEncryptPythonClient")
-	if features.Enabled(features.AllowKeyRollover) && !clientDirChangeIntolerant {
-		directoryEndpoints["key-change"] = rolloverPath
-	}
-	if features.Enabled(features.RandomDirectoryEntry) && !clientDirChangeIntolerant {
-		// Add a random key to the directory in order to make sure that clients don't hardcode an
-		// expected set of keys. This ensures that we can properly extend the directory when we
-		// need to add a new endpoint or meta element.
-		directoryEndpoints[core.RandomString(8)] = randomDirKeyExplanationLink
-	}
-	if features.Enabled(features.DirectoryMeta) && !clientDirChangeIntolerant {
-		// ACME since draft-02 describes an optional "meta" directory entry. The
-		// meta entry may optionally contain a "terms-of-service" URI for the
-		// current ToS.
-		directoryEndpoints["meta"] = map[string]string{
-			"terms-of-service": wfe.SubscriberAgreementURL,
-		}
+	directoryEndpoints["key-change"] = rolloverPath
+
+	// Add a random key to the directory in order to make sure that clients don't hardcode an
+	// expected set of keys. This ensures that we can properly extend the directory when we
+	// need to add a new endpoint or meta element.
+	directoryEndpoints[core.RandomString(8)] = randomDirKeyExplanationLink
+
+	// ACME since draft-02 describes an optional "meta" directory entry. The
+	// meta entry may optionally contain a "terms-of-service" URI for the
+	// current ToS.
+	directoryEndpoints["meta"] = map[string]string{
+		"terms-of-service": wfe.SubscriberAgreementURL,
 	}
 
 	response.Header().Set("Content-Type", "application/json")
@@ -707,15 +696,10 @@ func (wfe *WebFrontEndImpl) NewCertificate(ctx context.Context, logEvent *reques
 
 	// TODO Content negotiation
 	response.Header().Add("Location", certURL)
-	if features.Enabled(features.UseAIAIssuerURL) {
-		if err = wfe.addIssuingCertificateURLs(response, parsedCertificate.IssuingCertificateURL); err != nil {
-			logEvent.AddError("unable to parse IssuingCertificateURL: %s", err)
-			wfe.sendError(response, logEvent, probs.ServerInternal("unable to parse IssuingCertificateURL"), err)
-			return
-		}
-	} else {
-		relativeIssuerPath := wfe.relativeEndpoint(request, issuerPath)
-		response.Header().Add("Link", link(relativeIssuerPath, "up"))
+	if err = wfe.addIssuingCertificateURLs(response, parsedCertificate.IssuingCertificateURL); err != nil {
+		logEvent.AddError("unable to parse IssuingCertificateURL: %s", err)
+		wfe.sendError(response, logEvent, probs.ServerInternal("unable to parse IssuingCertificateURL"), err)
+		return
 	}
 	response.Header().Set("Content-Type", "application/pkix-cert")
 	response.WriteHeader(http.StatusCreated)
@@ -953,7 +937,7 @@ func (wfe *WebFrontEndImpl) Registration(
 	// If a user tries to send both a deactivation request and an update to their
 	// contacts or subscriber agreement URL the deactivation will take place and
 	// return before an update would be performed.
-	if features.Enabled(features.AllowAccountDeactivation) && (update.Status != "" && update.Status != currReg.Status) {
+	if update.Status != "" && update.Status != currReg.Status {
 		if update.Status != core.StatusDeactivated {
 			wfe.sendError(response, logEvent, probs.Malformed("Invalid value provided for status field"), nil)
 			return
@@ -1127,22 +1111,18 @@ func (wfe *WebFrontEndImpl) Certificate(ctx context.Context, logEvent *requestEv
 
 	// TODO Content negotiation
 	response.Header().Set("Content-Type", "application/pkix-cert")
-	if features.Enabled(features.UseAIAIssuerURL) {
-		parsedCertificate, err := x509.ParseCertificate([]byte(cert.DER))
-		if err != nil {
-			logEvent.AddError("unable to parse certificate: %s", err)
-			wfe.sendError(response, logEvent, probs.ServerInternal("Unable to parse certificate"), err)
-			return
-		}
-		if err = wfe.addIssuingCertificateURLs(response, parsedCertificate.IssuingCertificateURL); err != nil {
-			logEvent.AddError("unable to parse IssuingCertificateURL: %s", err)
-			wfe.sendError(response, logEvent, probs.ServerInternal("unable to parse IssuingCertificateURL"), err)
-			return
-		}
-	} else {
-		relativeIssuerPath := wfe.relativeEndpoint(request, issuerPath)
-		response.Header().Add("Link", link(relativeIssuerPath, "up"))
+	parsedCertificate, err := x509.ParseCertificate([]byte(cert.DER))
+	if err != nil {
+		logEvent.AddError("unable to parse certificate: %s", err)
+		wfe.sendError(response, logEvent, probs.ServerInternal("Unable to parse certificate"), err)
+		return
 	}
+	if err = wfe.addIssuingCertificateURLs(response, parsedCertificate.IssuingCertificateURL); err != nil {
+		logEvent.AddError("unable to parse IssuingCertificateURL: %s", err)
+		wfe.sendError(response, logEvent, probs.ServerInternal("unable to parse IssuingCertificateURL"), err)
+		return
+	}
+
 	response.WriteHeader(http.StatusOK)
 	if _, err = response.Write(cert.DER); err != nil {
 		logEvent.AddError(err.Error())
diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
