Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename RA RPC UpdateAuthorization to PerformValidation #3930

Closed
rolandshoemaker opened this issue Nov 12, 2018 · 1 comment
Closed

Rename RA RPC UpdateAuthorization to PerformValidation #3930

rolandshoemaker opened this issue Nov 12, 2018 · 1 comment
Assignees
@cpu
Milestone
Sprint 2018-11-27

Comments

@rolandshoemaker
Copy link
Contributor

The current name is rather misleading.
@rolandshoemaker rolandshoemaker changed the title Rename RA RPC UpdateAuthorization PreformValidation Rename RA RPC UpdateAuthorization to PreformValidation Nov 13, 2018
@jsha jsha changed the title Rename RA RPC UpdateAuthorization to PreformValidation Rename RA RPC UpdateAuthorization to PerformValidation Nov 13, 2018
@jsha
Copy link
Contributor

jsha commented Nov 13, 2018

Note: We may actually want to give PerformValidation a slightly different API, that doesn't include a keyAuthorization object. Then we can get rid of this comment and associated code:

boulder/ra/ra.go

Lines 1473 to 1482 in 465be64

// NOTE(@cpu): Historically challenge update required the client to send
// a JSON POST body that included a computed KeyAuthorization. The RA would
// check this provided authorization against its own computation of the key
// authorization and err if they did not match. New ACME specification does
// not require this - the client does not need to send the key authorization.
// To support this for ACMEv2 we only enforce the provided key authorization
// matches expected if the update included it.
if response.ProvidedKeyAuthorization != "" && expectedKeyAuthorization != response.ProvidedKeyAuthorization {
return core.Authorization{}, berrors.MalformedError("provided key authorization was incorrect")
}

@jsha jsha added this to the Sprint 2018-11-13 milestone Nov 13, 2018
@jsha jsha assigned cpu Nov 13, 2018
@cpu cpu mentioned this issue Nov 19, 2018
Merged
@cpu cpu closed this as completed in #3942 Nov 28, 2018
cpu added a commit that referenced this issue Nov 28, 2018
@cpu
RA: Add PerformValidation RPC to replace UpdateAuthorization. (#3942)
8f5de53 
The existing RA `UpdateAuthorization` RPC needs replacing for
two reasons:

1. The name isn't accurate - `PerformValidation` better captures
the purpose of the RPC.
2. The `core.Challenge` argument is superfluous since Key 
Authorizations are not sent in the initiation POST from the client 
anymore. The corresponding unmarshal and verification is now 
removed. Notably this means broken clients that were POSTing
the wrong thing and failing pre-validation will now likely fail 
post-validation.

To remove `UpdateAuthorization` the new `PerformValidation` 
RPC is added alongside the old one. WFE and WFE2 are 
updated to use the new RPC when the perform validation
feature flag is enabled. We can remove 
`UpdateAuthorization` and its associated wrappers once all 
WFE instances have been updated.

Resolves #3930
@cpu cpu mentioned this issue Jan 7, 2019
Merged
rolandshoemaker pushed a commit that referenced this issue Jan 8, 2019
@cpu
RA: Remove deprecated UpdateAuthorization RPC. (#3993)
b0f407d 
Staging and prod both deployed the PerformValidationRPC feature flag. All running WFE/WFE2 instances are using the more accurately named PerformValidation RPC and we can strip out the old UpdateAuthorization bits. The feature flag for PerformValidationRPC remains until we clean up the staging/prod configs.

Resolves #3947 and completes the last of #3930
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
Sprint 2018-11-27
Development

No branches or pull requests
3 participants
@jsha @cpu @rolandshoemaker