Fix previous impl, add valid authz reuse fix and existing authz validation fix

rolandshoemaker · rolandshoemaker · commit dcd2b438f414 · 2018-01-09T19:53:48.000-08:00
diff --git a/core/interfaces.go b/core/interfaces.go
@@ -108,7 +108,7 @@ type PolicyAuthority interface {
 	WillingToIssue(domain AcmeIdentifier) error
 	WillingToIssueWildcard(domain AcmeIdentifier) error
 	ChallengesFor(domain AcmeIdentifier) (challenges []Challenge, validCombinations [][]int, err error)
-	ChallengeStillAllowed(authz *Authorization) bool
+	ChallengeTypeEnabled(t string) bool
 }
 
 // StorageGetter are the Boulder SA's read-only methods
diff --git a/csr/csr_test.go b/csr/csr_test.go
@@ -37,6 +37,9 @@ func (pa *mockPA) WillingToIssue(id core.AcmeIdentifier) error {
 func (pa *mockPA) WillingToIssueWildcard(id core.AcmeIdentifier) error {
 	return nil
 }
+func (pa *mockPA) ChallengeTypeEnabled(t string) bool {
+	return true
+}
 
 func TestVerifyCSR(t *testing.T) {
 	private, err := rsa.GenerateKey(rand.Reader, 2048)
diff --git a/mocks/mocks.go b/mocks/mocks.go
@@ -368,6 +368,13 @@ func (sa *StorageAuthority) GetValidAuthorizations(_ context.Context, regID int6
 						Type:  "dns",
 						Value: name,
 					},
+					Challenges: []core.Challenge{
+						{
+							Status: core.StatusValid,
+							ID:     23,
+							Type:   core.ChallengeTypeDNS01,
+						},
+					},
 				}
 			}
 		}
diff --git a/policy/pa.go b/policy/pa.go
@@ -454,13 +454,7 @@ func extractDomainIANASuffix(name string) (string, error) {
 	return suffix, nil
 }
 
-// AuthzStillValid checks if the challenge type that was used in a valid authorization
-// is still enabled
-func (pa *AuthorityImpl) ChallengeStillAllowed(authz *core.Authorization) bool {
-	for _, chall := range authz.Challenges {
-		if chall.Status == core.StatusValid {
-			return pa.enabledChallenges[chall.Type]
-		}
-	}
-	return false
+// ChallengeTypeEnabled returns whether the specified challenge type is enabled
+func (pa *AuthorityImpl) ChallengeTypeEnabled(t string) bool {
+	return pa.enabledChallenges[t]
 }
diff --git a/policy/pa_test.go b/policy/pa_test.go
@@ -461,13 +461,3 @@ func TestMalformedExactBlacklist(t *testing.T) {
 	test.AssertError(t, err, "Loaded invalid exact blacklist content without error")
 	test.AssertEquals(t, err.Error(), "Malformed exact blacklist entry, only one label: \"com\"")
 }
-
-func TestChallengeStillAllowed(t *testing.T) {
-	pa := paImpl(t)
-	pa.enabledChallenges[core.ChallengeTypeHTTP01] = false
-	test.Assert(t, !pa.ChallengeStillAllowed(&core.Authorization{}), "pa.ChallengeStillAllowed didn't fail with empty authorization")
-	test.Assert(t, !pa.ChallengeStillAllowed(&core.Authorization{Challenges: []core.Challenge{{Status: core.StatusPending}}}), "pa.ChallengeStillAllowed didn't fail with no valid challenges")
-	test.Assert(t, !pa.ChallengeStillAllowed(&core.Authorization{Challenges: []core.Challenge{{Status: core.StatusValid, Type: core.ChallengeTypeHTTP01}}}), "pa.ChallengeStillAllowed didn't fail with disabled challenge")
-
-	test.Assert(t, pa.ChallengeStillAllowed(&core.Authorization{Challenges: []core.Challenge{{Status: core.StatusValid, Type: core.ChallengeTypeTLSSNI01}}}), "pa.ChallengeStillAllowed failed with enabled challenge")
-}
diff --git a/ra/ra.go b/ra/ra.go
@@ -532,13 +532,14 @@ func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, reque
 				ra.log.Warning(fmt.Sprintf("%s: %s", outErr.Error(), existingAuthz.ID))
 				return core.Authorization{}, outErr
 			}
-
-			// The existing authorization must not expire within the next 24 hours for
-			// it to be OK for reuse
-			reuseCutOff := ra.clk.Now().Add(time.Hour * 24)
-			if populatedAuthz.Expires.After(reuseCutOff) {
-				ra.stats.Inc("ReusedValidAuthz", 1)
-				return populatedAuthz, nil
+			if ra.validChallengeStillGood(&populatedAuthz) {
+				// The existing authorization must not expire within the next 24 hours for
+				// it to be OK for reuse
+				reuseCutOff := ra.clk.Now().Add(time.Hour * 24)
+				if populatedAuthz.Expires.After(reuseCutOff) {
+					ra.stats.Inc("ReusedValidAuthz", 1)
+					return populatedAuthz, nil
+				}
 			}
 		}
 	}
@@ -721,7 +722,7 @@ func (ra *RegistrationAuthorityImpl) checkAuthorizationsCAA(
 			// Ensure that CAA is rechecked for this name
 			recheckNames = append(recheckNames, name)
 		}
-		if authz != nil && !ra.PA.ChallengeStillAllowed(authz) {
+		if authz != nil && !ra.validChallengeStillGood(authz) {
 			return berrors.UnauthorizedError("challenge used to validate authorization with ID %q no longer allowed", authz.ID)
 		}
 	}
@@ -1335,6 +1336,10 @@ func (ra *RegistrationAuthorityImpl) UpdateAuthorization(ctx context.Context, ba
 		// )
 	}
 
+	if !ra.PA.ChallengeTypeEnabled(ch.Type) {
+		return core.Authorization{}, berrors.MalformedError("challenge type %q no longer allowed", ch.Type)
+	}
+
 	// When configured with `reuseValidAuthz` we can expect some clients to try
 	// and update a challenge for an authorization that is already valid. In this
 	// case we don't need to process the challenge update. It wouldn't be helpful,
@@ -1751,3 +1756,14 @@ func (ra *RegistrationAuthorityImpl) createPendingAuthz(ctx context.Context, reg
 	authz.Combinations = comboBytes
 	return authz, nil
 }
+
+// validChallengeStillGood checks whether the valid challenge in an authorization uses a type
+// which is still enabled
+func (ra *RegistrationAuthorityImpl) validChallengeStillGood(authz *core.Authorization) bool {
+	for _, chall := range authz.Challenges {
+		if chall.Status == core.StatusValid {
+			return ra.PA.ChallengeTypeEnabled(chall.Type)
+		}
+	}
+	return false
+}
diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -71,6 +71,7 @@ var (
 	SupportedChallenges = map[string]bool{
 		core.ChallengeTypeHTTP01:   true,
 		core.ChallengeTypeTLSSNI01: true,
+		core.ChallengeTypeDNS01:    true,
 	}
 
 	// These values we simulate from the client
@@ -622,6 +623,7 @@ func TestReuseValidAuthorization(t *testing.T) {
 	exp := ra.clk.Now().Add(365 * 24 * time.Hour)
 	finalAuthz.Expires = &exp
 	finalAuthz.Challenges[0].Status = "valid"
+	finalAuthz.Challenges[0].Type = core.ChallengeTypeHTTP01
 	finalAuthz.RegistrationID = Registration.ID
 	finalAuthz, err := sa.NewPendingAuthorization(ctx, finalAuthz)
 	test.AssertNotError(t, err, "Could not store test pending authorization")
@@ -668,6 +670,21 @@ func TestReuseValidAuthorization(t *testing.T) {
 	test.AssertNotError(t, err, "UpdateAuthorization on secondAuthz sni failed")
 	test.AssertEquals(t, finalAuthz.ID, secondAuthz.ID)
 	test.AssertEquals(t, secondAuthz.Status, core.StatusValid)
+
+	// Test that a valid authorization that used a challenge which has been disabled
+	// is not reused
+	pa, err := policy.New(map[string]bool{
+		core.ChallengeTypeHTTP01:   false,
+		core.ChallengeTypeTLSSNI01: true,
+		core.ChallengeTypeDNS01:    true,
+	})
+	test.AssertNotError(t, err, "Couldn't create PA")
+	err = pa.SetHostnamePolicyFile("../test/hostname-policy.json")
+	test.AssertNotError(t, err, "Couldn't set hostname policy")
+	ra.PA = pa
+	newAuthz, err := ra.NewAuthorization(ctx, AuthzRequest, Registration.ID)
+	test.AssertNotError(t, err, "NewAuthorization for secondAuthz failed")
+	test.Assert(t, finalAuthz.ID != newAuthz.ID, "NewAuthorization reused a valid authz with a disabled challenge type")
 }
 
 func TestReusePendingAuthorization(t *testing.T) {
@@ -902,7 +919,7 @@ func TestUpdateAuthorizationAlreadyValid(t *testing.T) {
 
 	response, err := makeResponse(finalAuthz.Challenges[ResponseIndex])
 	test.AssertNotError(t, err, "Unable to construct response to challenge")
-	finalAuthz.Challenges[ResponseIndex].Type = core.ChallengeTypeDNS01
+	finalAuthz.Challenges[ResponseIndex].Type = core.ChallengeTypeHTTP01
 	finalAuthz.Challenges[ResponseIndex].Status = core.StatusPending
 	va.RecordsReturn = []core.ValidationRecord{
 		{Hostname: "example.com"}}
@@ -2909,6 +2926,33 @@ func TestDisabledChallengeValidAuthz(t *testing.T) {
 	test.AssertNotError(t, err, "RA prevented use of an authorization which used an enabled challenge type")
 }
 
+func TestValidChallengeStillGood(t *testing.T) {
+	_, _, ra, _, cleanUp := initAuthorities(t)
+	defer cleanUp()
+	pa, err := policy.New(map[string]bool{
+		core.ChallengeTypeTLSSNI01: true,
+	})
+	test.AssertNotError(t, err, "Couldn't create PA")
+	ra.PA = pa
+
+	test.Assert(t, !ra.validChallengeStillGood(&core.Authorization{}), "ra.validChallengeStillGood didn't fail with empty authorization")
+	test.Assert(t, !ra.validChallengeStillGood(&core.Authorization{Challenges: []core.Challenge{{Status: core.StatusPending}}}), "ra.validChallengeStillGood didn't fail with no valid challenges")
+	test.Assert(t, !ra.validChallengeStillGood(&core.Authorization{Challenges: []core.Challenge{{Status: core.StatusValid, Type: core.ChallengeTypeHTTP01}}}), "ra.validChallengeStillGood didn't fail with disabled challenge")
+
+	test.Assert(t, ra.validChallengeStillGood(&core.Authorization{Challenges: []core.Challenge{{Status: core.StatusValid, Type: core.ChallengeTypeTLSSNI01}}}), "ra.validChallengeStillGood failed with enabled challenge")
+}
+
+func TestUpdateAuthorizationBadChallengeType(t *testing.T) {
+	_, _, ra, _, cleanUp := initAuthorities(t)
+	defer cleanUp()
+	pa, err := policy.New(map[string]bool{})
+	test.AssertNotError(t, err, "Couldn't create PA")
+	ra.PA = pa
+
+	_, err = ra.UpdateAuthorization(context.Background(), core.Authorization{}, 0, core.Challenge{})
+	test.AssertError(t, err, "ra.UpdateAuthorization allowed a update to a authorization")
+}
+
 var CAkeyPEM = `
 -----BEGIN RSA PRIVATE KEY-----
 MIIJKQIBAAKCAgEAqmM0dEf/J9MCk2ItzevL0dKJ84lVUtf/vQ7AXFi492vFXc3b
diff --git a/wfe/wfe_test.go b/wfe/wfe_test.go
@@ -280,6 +280,10 @@ func (pa *mockPA) WillingToIssueWildcard(id core.AcmeIdentifier) error {
 	return nil
 }
 
+func (pa *mockPA) ChallengeTypeEnabled(string) bool {
+	return true
+}
+
 func makeBody(s string) io.ReadCloser {
 	return ioutil.NopCloser(strings.NewReader(s))
 }

Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,7 @@ type PolicyAuthority interface {`
`108`	`108`	`WillingToIssue(domain AcmeIdentifier) error`
`109`	`109`	`WillingToIssueWildcard(domain AcmeIdentifier) error`
`110`	`110`	`ChallengesFor(domain AcmeIdentifier) (challenges []Challenge, validCombinations [][]int, err error)`
`111`		`- ChallengeStillAllowed(authz *Authorization) bool`
	`111`	`+ ChallengeTypeEnabled(t string) bool`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`// StorageGetter are the Boulder SA's read-only methods`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,9 @@ func (pa *mockPA) WillingToIssue(id core.AcmeIdentifier) error {`
`37`	`37`	`func (pa *mockPA) WillingToIssueWildcard(id core.AcmeIdentifier) error {`
`38`	`38`	`return nil`
`39`	`39`	`}`
	`40`	`+func (pa *mockPA) ChallengeTypeEnabled(t string) bool {`
	`41`	`+ return true`
	`42`	`+}`
`40`	`43`
`41`	`44`	`func TestVerifyCSR(t *testing.T) {`
`42`	`45`	`private, err := rsa.GenerateKey(rand.Reader, 2048)`
Original file line number	Diff line number	Diff line change
`@@ -368,6 +368,13 @@ func (sa *StorageAuthority) GetValidAuthorizations(_ context.Context, regID int6`
`368`	`368`	`Type: "dns",`
`369`	`369`	`Value: name,`
`370`	`370`	`},`
	`371`	`+ Challenges: []core.Challenge{`
	`372`	`+ {`
	`373`	`+ Status: core.StatusValid,`
	`374`	`+ ID: 23,`
	`375`	`+ Type: core.ChallengeTypeDNS01,`
	`376`	`+ },`
	`377`	`+ },`
`371`	`378`	`}`
`372`	`379`	`}`
`373`	`380`	`}`
Original file line number	Diff line number	Diff line change
`@@ -280,6 +280,10 @@ func (pa *mockPA) WillingToIssueWildcard(id core.AcmeIdentifier) error {`
`280`	`280`	`return nil`
`281`	`281`	`}`
`282`	`282`
	`283`	`+func (pa *mockPA) ChallengeTypeEnabled(string) bool {`
	`284`	`+ return true`
	`285`	`+}`
	`286`	`+`
`283`	`287`	`func makeBody(s string) io.ReadCloser {`
`284`	`288`	`return ioutil.NopCloser(strings.NewReader(s))`
`285`	`289`	`}`