Merge 6afcc91 into 62db2d0

letsencrypt · Aug 8, 2019 · 39e5419 · 39e5419
2 parents 62db2d0 + 6afcc91
commit 39e5419
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 0 deletions.
diff --git a/...t/migrations/20190221140139_AddAuthz2.sql → ...b/migrations/20190221140139_AddAuthz2.sql b/...t/migrations/20190221140139_AddAuthz2.sql → ...b/migrations/20190221140139_AddAuthz2.sql
diff --git a/.../20190524120239_AddAuthz2ExpiresIndex.sql → .../20190524120239_AddAuthz2ExpiresIndex.sql b/.../20190524120239_AddAuthz2ExpiresIndex.sql → .../20190524120239_AddAuthz2ExpiresIndex.sql
diff --git a/test/config/sa.json b/test/config/sa.json
@@ -24,6 +24,7 @@
       ]
     },
     "features": {
+      "DisableAuthz2Orders": true,
       "DeleteUnusedChallenges": true
     }
   },

diff --git a/test/integration-test.py b/test/integration-test.py
@@ -244,6 +244,8 @@ def main():
         config = default_config_dir
         if CONFIG_NEXT:
             config = "test/config"
+        else:
+            config = "test/config-next"
         now = datetime.datetime.utcnow()
 
         six_months_ago = now+datetime.timedelta(days=-30*6)

diff --git a/test/v1_integration.py b/test/v1_integration.py
@@ -449,6 +449,13 @@ def test_recheck_caa():
        was good. We'll set a new CAA record forbidding issuance; the CAA should
        recheck CAA and reject the request.
     """
+    # TODO(jsha): We can't do this test in non-CONFIG_NEXT mode
+    # because of authzv2. We do the twenty_days setup in CONFIG_NEXT
+    # mode (creating an authzv2), then restart Boulder with the authzv2
+    # flag disabled, which causes the authz to 404. Remove this check once
+    # authzv2 is live.
+    if not CONFIG_NEXT:
+        return
     if len(caa_recheck_authzs) == 0:
         raise Exception("CAA authzs not prepared for test_caa")
     domains = []

diff --git a/test/v2_integration.py b/test/v2_integration.py
@@ -936,6 +936,36 @@ def test_z1_reuse():
     if len(authz_uris) != 0:
         raise Exception("Failed to reuse all authzs. Remaining: %s" % authz_uris)
 
+z2_disable_client = None
+z2_disable_authz = None
+z2_disable_order = None
+@register_twenty_days_ago
+def z2_disable_setup():
+    global z2_disable_client
+    global z2_disable_authz
+    global z2_disable_order
+    z2_disable_client = chisel2.make_client()
+    z2_disable_order = chisel2.auth_and_issue([random_domain()])
+    z2_disable_authz = z2_disable_order.authorizations[0]
+
+def test_z2_disable():
+    """Test the DisableAuthz2Orders feature flag. Only runs when
+       that flag is set (that is, not in CONFIG_NEXT mode)."""
+    if CONFIG_NEXT:
+        return
+    response = requests.get(z2_disable_authz.uri)
+    if response.status_code != 404:
+        raise Exception("Expected authorization to be disabled. Got %s" %
+            response)
+    response = requests.get(z2_disable_order.uri)
+    if response.status_code != 404:
+        raise Exception("Expected order to be disabled. Got %s" %
+            response)
+    o = z2_disable_client.new_order(
+        chisel2.make_csr([z2_disable_authz.body.identifier.value]))
+    if o.authorizations[0].uri == z2_disable_authz.uri:
+        raise Exception("Expected authzv2 authorization not to be reused")
+
 def test_new_order_policy_errs():
     """
     Test that creating an order with policy blocked identifiers returns