From 6b1e390f6fa1f89ea7cb7497b80f37ccafe1a46c Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Thu, 30 Jan 2025 14:53:11 -0800 Subject: [PATCH] RA: Clean up deprecated validation configuration --- cmd/boulder-ra/main.go | 50 +++--------------------------------------- ra/ra.go | 16 +++++--------- test/config/ra.json | 16 +++++++++++--- 3 files changed, 21 insertions(+), 61 deletions(-) diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go index b16c05c4e27..038935507a6 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go @@ -4,7 +4,6 @@ import ( "context" "flag" "os" - "time" akamaipb "github.com/letsencrypt/boulder/akamai/proto" "github.com/letsencrypt/boulder/allowlist" @@ -81,37 +80,18 @@ type Config struct { // configurations. MaxNames int `validate:"required,min=1,max=100"` - // AuthorizationLifetimeDays defines how long authorizations will be - // considered valid for. Given a value of 300 days when used with a 90-day - // cert lifetime, this allows creation of certs that will cover a whole - // year, plus a grace period of a month. - // - // Deprecated: use ValidationProfiles.[profile].ValidAuthzLifetime instead. - // TODO(#7986): Remove this. - AuthorizationLifetimeDays int `validate:"omitempty,required_without=ValidationProfiles,min=1,max=397"` - - // PendingAuthorizationLifetimeDays defines how long authorizations may be in - // the pending state. If you can't respond to a challenge this quickly, then - // you need to request a new challenge. - // - // Deprecated: use ValidationProfiles.[profile].PendingAuthzLifetime instead. - // TODO(#7986): Remove this. - PendingAuthorizationLifetimeDays int `validate:"omitempty,required_without=ValidationProfiles,min=1,max=29"` - // ValidationProfiles is a map of validation profiles to their // respective issuance allow lists. If a profile is not included in this // mapping, it cannot be used by any account. If this field is left // empty, all profiles are open to all accounts. - // TODO(#7986): Make this field required. - ValidationProfiles map[string]ra.ValidationProfileConfig `validate:"omitempty"` + ValidationProfiles map[string]ra.ValidationProfileConfig `validate:"required"` // DefaultProfileName sets the profile to use if one wasn't provided by the // client in the new-order request. Must match a configured validation // profile or the RA will fail to start. Must match a certificate profile // configured in the CA or finalization will fail for orders using this // default. - // TODO(#7986): Make this field unconditionally required. - DefaultProfileName string `validate:"required_with=ValidationProfiles"` + DefaultProfileName string `validate:"required"` // MustStapleAllowList specifies the path to a YAML file containing a // list of account IDs permitted to request certificates with the OCSP @@ -123,13 +103,6 @@ type Config struct { // GoodKey is an embedded config stanza for the goodkey library. GoodKey goodkey.Config - // OrderLifetime is how far in the future an Order's expiration date should - // be set when it is first created. - // - // Deprecated: Use ValidationProfiles.[profile].OrderLifetime instead. - // TODO(#7986): Remove this. - OrderLifetime config.Duration `validate:"omitempty,required_without=ValidationProfiles"` - // FinalizeTimeout is how long the RA is willing to wait for the Order // finalization process to take. This config parameter only has an effect // if the AsyncFinalization feature flag is enabled. Any systems which @@ -266,25 +239,8 @@ func main() { ctp = ctpolicy.New(pubc, sctLogs, infoLogs, finalLogs, c.RA.CTLogs.Stagger.Duration, logger, scope) - // TODO(#7986): Remove this fallback, error out if no default is configured. - if c.RA.DefaultProfileName == "" { - c.RA.DefaultProfileName = ra.UnconfiguredDefaultProfileName - } - logger.Infof("Configured default profile name set to: %s", c.RA.DefaultProfileName) - - // TODO(#7986): Remove this fallback, error out if no profiles are configured. if len(c.RA.ValidationProfiles) == 0 { - c.RA.ValidationProfiles = map[string]ra.ValidationProfileConfig{ - c.RA.DefaultProfileName: { - PendingAuthzLifetime: config.Duration{ - Duration: time.Duration(c.RA.PendingAuthorizationLifetimeDays) * 24 * time.Hour}, - ValidAuthzLifetime: config.Duration{ - Duration: time.Duration(c.RA.AuthorizationLifetimeDays) * 24 * time.Hour}, - OrderLifetime: c.RA.OrderLifetime, - // Leave the allowlist empty, so all accounts have access to this - // default profile. - }, - } + cmd.Fail("At least one profile must be configured") } validationProfiles, err := ra.NewValidationProfiles(c.RA.DefaultProfileName, c.RA.ValidationProfiles) diff --git a/ra/ra.go b/ra/ra.go index e9f842777e7..7530a17f752 100644 --- a/ra/ra.go +++ b/ra/ra.go @@ -275,12 +275,6 @@ func NewRegistrationAuthorityImpl( return ra } -// UnconfiguredDefaultProfileName is a unique string which the RA can use to -// identify a profile, but also detect that no profiles were explicitly -// configured, and therefore should not be assumed to exist outside the RA. -// TODO(#7986): Remove this when the defaultProfileName config is required. -const UnconfiguredDefaultProfileName = "unconfiguredDefaultProfileName" - // ValidationProfileConfig is a config struct which can be used to create a // ValidationProfile. type ValidationProfileConfig struct { @@ -340,6 +334,10 @@ type validationProfiles struct { // configs and default name. It enforces that the given authorization lifetimes // are within the bounds mandated by the Baseline Requirements. func NewValidationProfiles(defaultName string, configs map[string]ValidationProfileConfig) (*validationProfiles, error) { + if defaultName == "" { + return nil, errors.New("default profile name must be configured") + } + profiles := make(map[string]*validationProfile, len(configs)) for name, config := range configs { @@ -1188,12 +1186,8 @@ func (ra *RegistrationAuthorityImpl) issueCertificateOuter( logEvent.PreviousCertificateIssued = timestamps.Timestamps[0].AsTime() } - // If the order didn't request a specific profile and we have a default - // configured, provide it to the CA so we can stop relying on the CA's - // configured default. - // TODO(#7309): Make this unconditional. profileName := order.CertificateProfileName - if profileName == "" && ra.profiles.defaultName != UnconfiguredDefaultProfileName { + if profileName == "" { profileName = ra.profiles.defaultName } diff --git a/test/config/ra.json b/test/config/ra.json index 7a5befadad8..23c277c6cea 100644 --- a/test/config/ra.json +++ b/test/config/ra.json @@ -29,12 +29,9 @@ "debugAddr": ":8002", "hostnamePolicyFile": "test/hostname-policy.yaml", "maxNames": 100, - "authorizationLifetimeDays": 30, - "pendingAuthorizationLifetimeDays": 7, "goodkey": { "fermatRounds": 100 }, - "orderLifetime": "168h", "issuerCerts": [ "test/certs/webpki/int-rsa-a.cert.pem", "test/certs/webpki/int-rsa-b.cert.pem", @@ -43,6 +40,19 @@ "test/certs/webpki/int-ecdsa-b.cert.pem", "test/certs/webpki/int-ecdsa-c.cert.pem" ], + "validationProfiles": { + "legacy": { + "pendingAuthzLifetime": "168h", + "validAuthzLifetime": "720h", + "orderLifetime": "168h" + }, + "modern": { + "pendingAuthzLifetime": "7h", + "validAuthzLifetime": "7h", + "orderLifetime": "7h" + } + }, + "defaultProfileName": "legacy", "tls": { "caCertFile": "test/certs/ipki/minica.pem", "certFile": "test/certs/ipki/ra.boulder/cert.pem",