Skip to content

Remove all string ID fields for Authzs.#8828

Open
ezekiel wants to merge 5 commits into
mainfrom
ezekiel/unify-authzid-type-stage2
Open

Remove all string ID fields for Authzs.#8828
ezekiel wants to merge 5 commits into
mainfrom
ezekiel/unify-authzid-type-stage2

Conversation

@ezekiel

@ezekiel ezekiel commented Jun 30, 2026

Copy link
Copy Markdown
Member

This is Stage 2 for #8722

@ezekiel ezekiel marked this pull request as ready for review June 30, 2026 17:31
@ezekiel ezekiel requested a review from a team as a code owner June 30, 2026 17:31
@ezekiel ezekiel requested a review from beautifulentropy June 30, 2026 17:31
@ezekiel ezekiel changed the title Remove all string IDs fields for Authzs. Remove all string ID fields for Authzs. Jun 30, 2026
Comment thread sa/model.go Outdated
Comment thread grpc/pb-marshalling.go Outdated
@ezekiel ezekiel requested a review from aarongable July 1, 2026 19:30
Comment thread wfe2/wfe.go

// Ensure gRPC response is complete.
if core.IsAnyNilOrZero(authzPB.Id, authzPB.Identifier, authzPB.Status, authzPB.Expires) {
if core.IsAnyNilOrZero(authzPB.IdInt, authzPB.Identifier, authzPB.Status, authzPB.Expires) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at #8754, stage 1 modified all the SA/RA methods to prefer the int64 Id, but the WFE's gRPC response core.IsAnyNilOrZero() checks still required the string Id to be non-empty. This is the case in three places:

  • wfe2/wfe.go:1198 (Challenge)
  • wfe2/wfe.go:1397 (postChallenge)
  • wfe2/wfe.go:1618 (Authorization)

The problem I'm foreseeing is that during the rollout of stage 2, every stage 1 WFE will answer every authz and challenge request with 500 "Problem getting authorization" as soon as the SA/RA behind it has been updated.

We should probably ship another PR, call it stage 1.5, that swaps authzPB.Id for authzPB.IdInt in these three checks. Deploy that and then land the rest of this PR as stage 2.

outAuthz3, err = PBToAuthz(pbAuthz3)
test.AssertNotError(t, err, "PBToAuthz with only int IDInt failed")
test.AssertDeepEquals(t, inAuthz, outAuthz3)
}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a test that sets IdInt = 0 on a PB and asserts PBToAuthz() returns ErrMissingParameters.

Comment thread ra/ra_test.go
Comment on lines 858 to 863
dbAuthzPBIdChecks.IdInt = authzID
_, err = ra.DeactivateAuthorization(ctx, dbAuthzPBIdChecks)
test.AssertNotError(t, err, "Could not deactivate authorization")
deact, err = sa.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: authzID})
test.AssertNotError(t, err, "Could not get deactivated authorization with ID "+dbAuthzPBIdChecks.Id)
test.AssertNotError(t, err, "Could not get deactivated authorization by ID")
test.AssertEquals(t, deact.Status, string(core.StatusDeactivated))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this block essentially duplicates the coverage of the block above it.

Comment thread va/proto/va.proto Outdated
Comment thread sa/model_test.go Outdated
Comment thread sa/model_test.go

// Manipulate authzPB to test marshalling between corepb.Authorization and
// the SA authz model
// TODO(#8722): clean up these tests when authz IDs are int-only

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a test that sets IdInt = 0 and asserts authzPBToModel() returns an error that contains "authorization is missing an ID value".

Comment thread va/va_test.go
test.AssertContains(t, err.Error(), "duplicate remote VA perspective \"dadaist\"")
}

// TODO(#8722): Remove this whole function when Authz IDs are int-only

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a test that sends a DoDCV() request with Authz.IdInt = 0 and ensures that it errors. Also, we should do the same for DoCAA() in caa_test.go.

ezekiel and others added 2 commits July 2, 2026 08:41
Co-authored-by: Samantha Frank <hello@entropy.cat>
Co-authored-by: Samantha Frank <hello@entropy.cat>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants