Merge fede924 into b4e483d

letsencrypt · Mar 2, 2021 · 7d93305 · 7d93305
2 parents b4e483d + fede924
commit 7d93305
Show file tree

Hide file tree

Showing 10 changed files with 282 additions and 221 deletions.
diff --git a/ra/ra.go b/ra/ra.go
@@ -1519,11 +1519,16 @@ func (ra *RegistrationAuthorityImpl) recordValidation(ctx context.Context, authI
 	if err != nil {
 		return err
 	}
+	var validated int64
+	if challenge.Validated != nil {
+		validated = challenge.Validated.UTC().UnixNano()
+	}
 	err = ra.SA.FinalizeAuthorization2(ctx, &sapb.FinalizeAuthorizationRequest{
 		Id:                authzID,
 		Status:            string(challenge.Status),
 		Expires:           expires,
 		Attempted:         string(challenge.Type),
+		AttemptedAt:       validated,
 		ValidationRecords: vr.Records,
 		ValidationError:   vr.Problems,
 	})
@@ -1539,6 +1544,10 @@ func (ra *RegistrationAuthorityImpl) recordValidation(ctx context.Context, authI
 func (ra *RegistrationAuthorityImpl) PerformValidation(
 	ctx context.Context,
 	req *rapb.PerformValidationRequest) (*corepb.Authorization, error) {
+
+	// Clock for start of PerformValidation.
+	vStart := ra.clk.Now()
+
 	authz, err := bgrpc.PBToAuthz(req.Authz)
 	if err != nil {
 		return nil, err
@@ -1653,9 +1662,11 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
 
 		if prob != nil {
 			challenge.Status = core.StatusInvalid
+			challenge.Validated = &vStart
 			challenge.Error = prob
 		} else {
 			challenge.Status = core.StatusValid
+			challenge.Validated = &vStart
 		}
 		authz.Challenges[challIndex] = *challenge
 

diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -924,7 +924,7 @@ func TestPerformValidationAlreadyValid(t *testing.T) {
 }
 
 func TestPerformValidationSuccess(t *testing.T) {
-	va, sa, ra, _, cleanUp := initAuthorities(t)
+	va, sa, ra, fc, cleanUp := initAuthorities(t)
 	defer cleanUp()
 
 	// We know this is OK because of TestNewAuthorization
@@ -982,12 +982,16 @@ func TestPerformValidationSuccess(t *testing.T) {
 
 	// The DB authz's expiry should be equal to the current time plus the
 	// configured authorization lifetime
-	expectedExpires := ra.clk.Now().Add(ra.authorizationLifetime)
+	expectedExpires := fc.Now().Add(ra.authorizationLifetime)
 	test.AssertEquals(t, *dbAuthz.Expires, expectedExpires)
+
+	// Check that validated timestamp was recorded, stored, and retrieved
+	expectedValidated := fc.Now()
+	test.Assert(t, *dbAuthz.Challenges[challIdx].Validated == expectedValidated, "Validated timestamp incorrect or missing")
 }
 
 func TestPerformValidationVAError(t *testing.T) {
-	va, sa, ra, _, cleanUp := initAuthorities(t)
+	va, sa, ra, fc, cleanUp := initAuthorities(t)
 	defer cleanUp()
 
 	authz, err := ra.NewAuthorization(ctx, AuthzRequest, Registration.ID)
@@ -1032,6 +1036,10 @@ func TestPerformValidationVAError(t *testing.T) {
 	test.Assert(t, dbAuthz.Challenges[challIdx].Status == core.StatusInvalid, "challenge was not marked as invalid")
 	test.AssertContains(t, dbAuthz.Challenges[challIdx].Error.Error(), "Could not communicate with VA")
 	test.Assert(t, dbAuthz.Challenges[challIdx].ValidationRecord == nil, "challenge had a ValidationRecord")
+
+	// Check that validated timestamp was recorded, stored, and retrieved
+	expectedValidated := fc.Now()
+	test.Assert(t, *dbAuthz.Challenges[challIdx].Validated == expectedValidated, "Validated timestamp incorrect or missing")
 }
 
 func TestCertificateKeyNotEqualAccountKey(t *testing.T) {

diff --git a/sa/model.go b/sa/model.go
@@ -179,6 +179,7 @@ type challModel struct {
 	Token            string             `db:"token"`
 	KeyAuthorization string             `db:"keyAuthorization"`
 	ValidationRecord []byte             `db:"validationRecord"`
+	AttemptedAt      time.Time          `db:"attemptedAt"`
 
 	// TODO(#1818): Remove, this field is unused, but is kept temporarily to avoid a database migration.
 	Validated bool `db:"validated"`
@@ -253,6 +254,7 @@ func modelToChallenge(cm *challModel) (core.Challenge, error) {
 		Status:                   cm.Status,
 		Token:                    cm.Token,
 		ProvidedKeyAuthorization: cm.KeyAuthorization,
+		Validated:                &cm.AttemptedAt,
 	}
 	if len(cm.Error) > 0 {
 		var problem probs.ProblemDetails
@@ -406,17 +408,18 @@ func statusUint(status core.AcmeStatus) uint8 {
 const authzFields = "id, identifierType, identifierValue, registrationID, status, expires, challenges, attempted, token, validationError, validationRecord"
 
 type authzModel struct {
-	ID               int64     `db:"id"`
-	IdentifierType   uint8     `db:"identifierType"`
-	IdentifierValue  string    `db:"identifierValue"`
-	RegistrationID   int64     `db:"registrationID"`
-	Status           uint8     `db:"status"`
-	Expires          time.Time `db:"expires"`
-	Challenges       uint8     `db:"challenges"`
-	Attempted        *uint8    `db:"attempted"`
-	Token            []byte    `db:"token"`
-	ValidationError  []byte    `db:"validationError"`
-	ValidationRecord []byte    `db:"validationRecord"`
+	ID               int64      `db:"id"`
+	IdentifierType   uint8      `db:"identifierType"`
+	IdentifierValue  string     `db:"identifierValue"`
+	RegistrationID   int64      `db:"registrationID"`
+	Status           uint8      `db:"status"`
+	Expires          time.Time  `db:"expires"`
+	Challenges       uint8      `db:"challenges"`
+	Attempted        *uint8     `db:"attempted"`
+	AttemptedAt      *time.Time `db:"attemptedAt"`
+	Token            []byte     `db:"token"`
+	ValidationError  []byte     `db:"validationError"`
+	ValidationRecord []byte     `db:"validationRecord"`
 }
 
 // hasMultipleNonPendingChallenges checks if a slice of challenges contains
@@ -477,6 +480,15 @@ func authzPBToModel(authz *corepb.Authorization) (*authzModel, error) {
 		if chall.Status == string(core.StatusValid) || chall.Status == string(core.StatusInvalid) {
 			attemptedType := challTypeToUint[chall.Type]
 			am.Attempted = &attemptedType
+
+			// If validated Unix timestamp is zero then keep the core.Challenge Validated object nil.
+			var validated *time.Time
+			if chall.Validated != 0 {
+				val := time.Unix(0, chall.Validated).UTC()
+				validated = &val
+			}
+			am.AttemptedAt = validated
+
 			// Marshal corepb.ValidationRecords to core.ValidationRecords so that we
 			// can marshal them to JSON.
 			records := make([]core.ValidationRecord, len(chall.Validationrecords))
@@ -588,6 +600,12 @@ func modelToAuthzPB(am authzModel) (*corepb.Authorization, error) {
 					if err := populateAttemptedFields(am, challenge); err != nil {
 						return nil, err
 					}
+					// Get the attemptedAt time and assign to the challenge validated time.
+					var validated int64
+					if am.AttemptedAt != nil {
+						validated = am.AttemptedAt.UTC().UnixNano()
+					}
+					challenge.Validated = validated
 					pb.Challenges = append(pb.Challenges, challenge)
 				}
 			} else {

diff --git a/sa/model_test.go b/sa/model_test.go
@@ -65,9 +65,10 @@ func TestAuthzModel(t *testing.T) {
 		Expires:        1234,
 		Challenges: []*corepb.Challenge{
 			{
-				Type:   string(core.ChallengeTypeHTTP01),
-				Status: string(core.StatusValid),
-				Token:  "MTIz",
+				Type:      string(core.ChallengeTypeHTTP01),
+				Status:    string(core.StatusValid),
+				Token:     "MTIz",
+				Validated: 1234,
 				Validationrecords: []*corepb.ValidationRecord{
 					{
 						Hostname:          "hostname",