From c228681c9b6c8613137560debe46babde8e2af82 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Wed, 1 Jul 2026 17:20:23 -0700
Subject: [PATCH] Prevent parallel validation attempts
---
 errors/errors.go | 4 +
 features/features.go | 6 +
 ra/ra.go | 8 +
 sa/db/01-boulder_sa_next.sql | 2 +
 sa/proto/sa.pb.go | 337 +++++++++++++++++---------------
 sa/proto/sa.proto | 1 +
 sa/proto/sa_grpc.pb.go | 38 ++++
 sa/sa.go | 34 ++++
 sa/sa_test.go | 29 +++
 test/config-next/ra.json | 3 +-
 test/integration/authz_test.go | 70 +++++++
 11 files changed, 366 insertions(+), 166 deletions(-)
diff --git a/errors/errors.go b/errors/errors.go
index 14d5b7af873..3801cade0bc 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -326,6 +326,10 @@ func UnknownSerialError() error {
 return newf(UnknownSerial, "unknown serial")
 }
 
+func ConflictError(msg string, args ...any) error {
+ return newf(Conflict, msg, args...)
+}
+
 func InvalidProfileError(msg string, args ...any) error {
 return newf(InvalidProfile, msg, args...)
 }
diff --git a/features/features.go b/features/features.go
index 42dd6b7ebb0..0c69c9d1529 100644
--- a/features/features.go
+++ b/features/features.go
@@ -68,6 +68,12 @@ type Config struct {
 // during certificate issuance. This flag must be set to true in the
 // RA and VA services for full functionality.
 DNSPersist01Enabled bool
+
+ // SetAuthzProcessing controls whether the RA attempts to mark authorizations
+ // as "processing" before dispatching validation to the VA. This reduces
+ // unnecessary work due to parallel validations, but requires a database
+ // change to work.
+ SetAuthzProcessing bool
 }
 
 var fMu = new(sync.RWMutex)
diff --git a/ra/ra.go b/ra/ra.go
index e6a8651598b..0460225ff3a 100644
--- a/ra/ra.go
+++ b/ra/ra.go
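Review bot: The new `SetAuthzProcessing` comment in features/features.go says the flag "requires a database change to work" but does not name the change or say what happens if the flag is turned on first. Going by the other hunks in this patch, the change is the `beganProcessing` column on `authz2`, and the RA returns an error from PerformValidation whenever the SA call fails, so enabling the flag ahead of the migration would presumably fail every validation rather than just skip the optimisation. I would spell that out, e.g. `// Requires the authz2.beganProcessing column; do not enable before that migration is deployed.`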
@@ -1447,6 +1447,14 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
 return nil, berrors.MalformedError("cannot validate challenge: %s", cErr.Error())
 }
 
+ // Set the authorization to "processing", to prevent parallel attempts.
+ if features.Get().SetAuthzProcessing {
+ _, err = ra.SA.SetAuthzProcessing(ctx, &sapb.AuthorizationID2{Id: authz.ID})
+ if err != nil {
+ return nil, fmt.Errorf("failed to mark authz as processing: %w", err)
+ }
+ }
+
 // Dispatch to the VA for service
 ra.drainWG.Go(func() {
 ctx := context.WithoutCancel(ctx)
diff --git a/sa/db/01-boulder_sa_next.sql b/sa/db/01-boulder_sa_next.sql
index b981eb03cb0..934175e3d19 100644
--- a/sa/db/01-boulder_sa_next.sql
+++ b/sa/db/01-boulder_sa_next.sql
@@ -251,3 +251,5 @@ ALTER TABLE `revokedCertificates` ADD KEY `serial` (`serial`); ALTER TABLE `orders` ADD COLUMN `mtcLogID` varchar(255) DEFAULT NULL, ADD COLUMN `mtcSerialNumber` bigint(20) unsigned DEFAULT NULL; + +ALTER TABLE `authz2` ADD COLUMN `beganProcessing` tinyint(1) NOT NULL DEFAULT 0;
diff --git a/sa/proto/sa.pb.go b/sa/proto/sa.pb.go
index 3605e0e69e7..963586e16cc 100644
--- a/sa/proto/sa.pb.go
+++ b/sa/proto/sa.pb.go
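Review bot: Nothing in the ra/ra.go hunk releases the "processing" mark if the validation dispatched just below never records a result (an RA restart, or a panic inside the `ra.drainWG.Go` closure), so one lost attempt could leave the authorization refusing further challenge attempts until it expires. The SA side is not visible in this hunk, but the column added in this patch is a `tinyint(1)` flag rather than a timestamp, which suggests there is no lease timeout to fall back on. If that is intended, say so at the call site, e.g. `// Not cleared on failure: a lost validation leaves this authz unusable until it expires.`; otherwise the failure path needs to reset it. It is also worth confirming that the already-processing case still reaches the client as a conflict-type problem after the `%w` wrap, not as an internal server error. PerformValidation starts and ends outside the hunk.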
@@ -3757,7 +3757,7 @@ var file_sa_proto_rawDesc = string([]byte{ 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x30, 0x01, 0x32, 0xb4, 0x1a, 0x0a, 0x10, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x30, 0x01, 0x32, 0xfa, 0x1a, 0x0a, 0x10, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x37, 0x0a, 0x0d, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, 
@@ -3916,77 +3916,82 @@ var file_sa_proto_rawDesc = string([]byte{ 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x43, 0x0a, - 0x0d, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x18, - 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, 0x72, 0x72, 0x6f, - 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, - 0x22, 0x00, 0x12, 0x40, 0x0a, 0x12, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x50, 0x72, - 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x4f, 0x72, - 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, - 0x74, 0x79, 0x22, 0x00, 0x12, 0x4f, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x2e, - 0x73, 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x52, 0x0a, 0x18, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, - 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x12, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f, 0x6b, 
0x65, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x0d, 0x4c, 0x65, 0x61, - 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, - 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, - 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, - 0x00, 0x12, 0x45, 0x0a, 0x0e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, - 0x61, 0x72, 0x64, 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x43, - 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x44, 0x0a, + 0x12, 0x53, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, + 0x69, 0x6e, 0x67, 0x12, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x32, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, + 0x79, 0x22, 0x00, 0x12, 0x43, 0x0a, 0x0d, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, + 0x72, 0x72, 0x6f, 0x72, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, + 0x65, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x44, 0x0a, 0x10, 0x50, 0x61, 0x75, 0x73, - 0x65, 0x49, 
0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, 0x10, 0x2e, 0x73, - 0x61, 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, - 0x2e, 0x73, 0x61, 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, - 0x69, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x31, - 0x0a, 0x0e, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, - 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, - 0x00, 0x12, 0x5b, 0x0a, 0x14, 0x41, 0x64, 0x64, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, - 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x12, 0x1f, 0x2e, 0x73, 0x61, 0x2e, 0x41, - 0x64, 0x64, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, - 0x69, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x73, 0x61, 0x2e, - 0x41, 0x64, 0x64, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, - 0x72, 0x69, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x59, - 0x0a, 0x18, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, - 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x12, 0x23, 0x2e, 0x73, 0x61, 0x2e, - 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, - 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x17, 0x45, 0x6e, 0x61, - 0x62, 0x6c, 0x65, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, - 0x72, 0x69, 0x64, 0x65, 0x12, 0x22, 0x2e, 0x73, 
0x61, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, - 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, - 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, - 0x22, 0x00, 0x32, 0xe6, 0x01, 0x0a, 0x15, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x12, 0x3b, 0x0a, 0x0e, - 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x12, 0x19, - 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, - 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x49, - 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x0e, 0x55, 0x70, 0x64, - 0x61, 0x74, 0x65, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x12, 0x19, 0x2e, 0x73, 0x61, - 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, - 0x64, 0x65, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x53, 0x0a, 0x14, 0x41, 0x64, 0x64, 0x53, 0x65, 0x72, - 0x69, 0x61, 0x6c, 0x73, 0x54, 0x6f, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x12, 0x1f, - 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x54, 0x6f, + 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x40, 0x0a, 0x12, 0x53, 0x65, 0x74, 0x4f, + 0x72, 0x64, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x12, 0x10, + 0x2e, 0x73, 0x61, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x4f, 0x0a, 0x15, 
0x55, 0x70, + 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x4b, 0x65, 0x79, 0x12, 0x20, 0x2e, 0x73, 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, + 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x52, 0x0a, 0x18, 0x55, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x76, + 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, + 0x46, 0x0a, 0x0d, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, + 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, + 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x73, 0x61, 0x2e, + 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x45, 0x0a, 0x0e, 0x55, 0x70, 0x64, 0x61, 0x74, + 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x55, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x44, + 0x0a, 0x10, 0x50, 0x61, 0x75, 0x73, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, + 0x72, 0x73, 0x12, 0x10, 
0x2e, 0x73, 0x61, 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x49, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x00, 0x12, 0x31, 0x0a, 0x0e, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, + 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, + 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x5b, 0x0a, 0x14, 0x41, 0x64, 0x64, 0x52, 0x61, + 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x12, + 0x1f, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, + 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x20, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, + 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x00, 0x12, 0x59, 0x0a, 0x18, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, + 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, + 0x12, 0x23, 0x2e, 0x73, 0x61, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x61, 0x74, + 0x65, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, + 0x57, 0x0a, 0x17, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x61, 0x74, 0x65, 0x4c, 0x69, 0x6d, + 0x69, 0x74, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x12, 0x22, 0x2e, 0x73, 0x61, 0x2e, + 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x61, 0x74, 0x65, 
0x4c, 0x69, 0x6d, 0x69, 0x74, 0x4f, + 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x32, 0xe6, 0x01, 0x0a, 0x15, 0x53, 0x74, 0x6f, + 0x72, 0x61, 0x67, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x41, 0x64, 0x6d, + 0x69, 0x6e, 0x12, 0x3b, 0x0a, 0x0e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x63, 0x69, + 0x64, 0x65, 0x6e, 0x74, 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x28, 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, - 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x73, 0x61, - 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x22, 0x00, 0x12, + 0x3b, 0x0a, 0x0e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x63, + 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0c, 0x2e, 0x73, + 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x53, 0x0a, 0x14, + 0x41, 0x64, 0x64, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x54, 0x6f, 0x49, 0x6e, 0x63, 0x69, + 0x64, 0x65, 0x6e, 0x74, 0x12, 0x1f, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x53, 0x65, 0x72, + 0x69, 0x61, 0x6c, 0x73, 0x54, 0x6f, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, 0x65, + 0x71, 0x75, 
0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x28, + 0x01, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, + 0x64, 0x65, 0x72, 0x2f, 0x73, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, }) var ( 
@@ -4189,101 +4194,103 @@ var file_sa_proto_depIdxs = []int32{ 17, // 115: sa.StorageAuthority.NewOrderAndAuthzs:input_type -> sa.NewOrderAndAuthzsRequest 61, // 116: sa.StorageAuthority.NewRegistration:input_type -> core.Registration 25, // 117: sa.StorageAuthority.RevokeCertificate:input_type -> sa.RevokeCertificateRequest - 18, // 118: sa.StorageAuthority.SetOrderError:input_type -> sa.SetOrderErrorRequest - 14, // 119: sa.StorageAuthority.SetOrderProcessing:input_type -> sa.OrderRequest - 46, // 120: sa.StorageAuthority.UpdateRegistrationKey:input_type -> sa.UpdateRegistrationKeyRequest - 25, // 121: sa.StorageAuthority.UpdateRevokedCertificate:input_type -> sa.RevokeCertificateRequest - 40, // 122: sa.StorageAuthority.LeaseCRLShard:input_type -> sa.LeaseCRLShardRequest - 42, // 123: sa.StorageAuthority.UpdateCRLShard:input_type -> sa.UpdateCRLShardRequest - 44, // 124: sa.StorageAuthority.PauseIdentifiers:input_type -> sa.PauseRequest - 0, // 125: sa.StorageAuthority.UnpauseAccount:input_type -> sa.RegistrationID - 48, // 126: sa.StorageAuthority.AddRateLimitOverride:input_type -> sa.AddRateLimitOverrideRequest - 51, // 127: sa.StorageAuthority.DisableRateLimitOverride:input_type -> sa.DisableRateLimitOverrideRequest - 50, // 128: sa.StorageAuthority.EnableRateLimitOverride:input_type -> sa.EnableRateLimitOverrideRequest - 32, // 129: sa.StorageAuthorityAdmin.CreateIncident:input_type -> sa.CreateIncidentRequest - 33, // 130: sa.StorageAuthorityAdmin.UpdateIncident:input_type -> sa.UpdateIncidentRequest - 34, // 131: sa.StorageAuthorityAdmin.AddSerialsToIncident:input_type -> sa.AddSerialsToIncidentRequest - 11, // 132: sa.StorageAuthorityReadOnly.FQDNSetExists:output_type -> sa.Exists - 7, // 133: sa.StorageAuthorityReadOnly.FQDNSetTimestampsForWindow:output_type -> sa.Timestamps - 58, // 134: sa.StorageAuthorityReadOnly.GetAuthorization2:output_type -> core.Authorization - 62, // 135: sa.StorageAuthorityReadOnly.GetCertificate:output_type -> core.Certificate 
- 62, // 136: sa.StorageAuthorityReadOnly.GetLintPrecertificate:output_type -> core.Certificate - 63, // 137: sa.StorageAuthorityReadOnly.GetCertificateStatus:output_type -> core.CertificateStatus - 64, // 138: sa.StorageAuthorityReadOnly.GetOrder:output_type -> core.Order - 64, // 139: sa.StorageAuthorityReadOnly.GetOrderForNames:output_type -> core.Order - 61, // 140: sa.StorageAuthorityReadOnly.GetRegistration:output_type -> core.Registration - 61, // 141: sa.StorageAuthorityReadOnly.GetRegistrationByKey:output_type -> core.Registration - 39, // 142: sa.StorageAuthorityReadOnly.GetRevocationStatus:output_type -> sa.RevocationStatus - 65, // 143: sa.StorageAuthorityReadOnly.GetRevokedCertsByShard:output_type -> core.CRLEntry - 4, // 144: sa.StorageAuthorityReadOnly.GetSerialMetadata:output_type -> sa.SerialMetadata - 3, // 145: sa.StorageAuthorityReadOnly.GetSerialsByAccount:output_type -> sa.Serial - 3, // 146: sa.StorageAuthorityReadOnly.GetSerialsByKey:output_type -> sa.Serial - 23, // 147: sa.StorageAuthorityReadOnly.GetValidAuthorizations2:output_type -> sa.Authorizations - 23, // 148: sa.StorageAuthorityReadOnly.GetValidOrderAuthorizations2:output_type -> sa.Authorizations - 23, // 149: sa.StorageAuthorityReadOnly.GetOrderAuthorizations:output_type -> sa.Authorizations - 30, // 150: sa.StorageAuthorityReadOnly.IncidentsForSerial:output_type -> sa.Incidents - 11, // 151: sa.StorageAuthorityReadOnly.KeyBlocked:output_type -> sa.Exists - 30, // 152: sa.StorageAuthorityReadOnly.ListIncidents:output_type -> sa.Incidents - 11, // 153: sa.StorageAuthorityReadOnly.ReplacementOrderExists:output_type -> sa.Exists - 37, // 154: sa.StorageAuthorityReadOnly.SerialsForIncident:output_type -> sa.IncidentSerial - 43, // 155: sa.StorageAuthorityReadOnly.CheckIdentifiersPaused:output_type -> sa.Identifiers - 43, // 156: sa.StorageAuthorityReadOnly.GetPausedIdentifiers:output_type -> sa.Identifiers - 53, // 157: sa.StorageAuthorityReadOnly.GetRateLimitOverride:output_type -> 
sa.RateLimitOverrideResponse - 53, // 158: sa.StorageAuthorityReadOnly.GetEnabledRateLimitOverrides:output_type -> sa.RateLimitOverrideResponse - 11, // 159: sa.StorageAuthority.FQDNSetExists:output_type -> sa.Exists - 7, // 160: sa.StorageAuthority.FQDNSetTimestampsForWindow:output_type -> sa.Timestamps - 58, // 161: sa.StorageAuthority.GetAuthorization2:output_type -> core.Authorization - 62, // 162: sa.StorageAuthority.GetCertificate:output_type -> core.Certificate - 62, // 163: sa.StorageAuthority.GetLintPrecertificate:output_type -> core.Certificate - 63, // 164: sa.StorageAuthority.GetCertificateStatus:output_type -> core.CertificateStatus - 64, // 165: sa.StorageAuthority.GetOrder:output_type -> core.Order - 64, // 166: sa.StorageAuthority.GetOrderForNames:output_type -> core.Order - 61, // 167: sa.StorageAuthority.GetRegistration:output_type -> core.Registration - 61, // 168: sa.StorageAuthority.GetRegistrationByKey:output_type -> core.Registration - 39, // 169: sa.StorageAuthority.GetRevocationStatus:output_type -> sa.RevocationStatus - 65, // 170: sa.StorageAuthority.GetRevokedCertsByShard:output_type -> core.CRLEntry - 4, // 171: sa.StorageAuthority.GetSerialMetadata:output_type -> sa.SerialMetadata - 3, // 172: sa.StorageAuthority.GetSerialsByAccount:output_type -> sa.Serial - 3, // 173: sa.StorageAuthority.GetSerialsByKey:output_type -> sa.Serial - 23, // 174: sa.StorageAuthority.GetValidAuthorizations2:output_type -> sa.Authorizations - 23, // 175: sa.StorageAuthority.GetValidOrderAuthorizations2:output_type -> sa.Authorizations - 23, // 176: sa.StorageAuthority.GetOrderAuthorizations:output_type -> sa.Authorizations - 30, // 177: sa.StorageAuthority.IncidentsForSerial:output_type -> sa.Incidents - 11, // 178: sa.StorageAuthority.KeyBlocked:output_type -> sa.Exists - 30, // 179: sa.StorageAuthority.ListIncidents:output_type -> sa.Incidents - 11, // 180: sa.StorageAuthority.ReplacementOrderExists:output_type -> sa.Exists - 37, // 181: 
sa.StorageAuthority.SerialsForIncident:output_type -> sa.IncidentSerial - 43, // 182: sa.StorageAuthority.CheckIdentifiersPaused:output_type -> sa.Identifiers - 43, // 183: sa.StorageAuthority.GetPausedIdentifiers:output_type -> sa.Identifiers - 53, // 184: sa.StorageAuthority.GetRateLimitOverride:output_type -> sa.RateLimitOverrideResponse - 53, // 185: sa.StorageAuthority.GetEnabledRateLimitOverrides:output_type -> sa.RateLimitOverrideResponse - 60, // 186: sa.StorageAuthority.AddBlockedKey:output_type -> google.protobuf.Empty - 60, // 187: sa.StorageAuthority.AddCertificate:output_type -> google.protobuf.Empty - 60, // 188: sa.StorageAuthority.AddPrecertificate:output_type -> google.protobuf.Empty - 60, // 189: sa.StorageAuthority.AddSerial:output_type -> google.protobuf.Empty - 60, // 190: sa.StorageAuthority.DeactivateAuthorization2:output_type -> google.protobuf.Empty - 61, // 191: sa.StorageAuthority.DeactivateRegistration:output_type -> core.Registration - 60, // 192: sa.StorageAuthority.FinalizeAuthorization2:output_type -> google.protobuf.Empty - 60, // 193: sa.StorageAuthority.FinalizeOrder:output_type -> google.protobuf.Empty - 64, // 194: sa.StorageAuthority.NewOrderAndAuthzs:output_type -> core.Order - 61, // 195: sa.StorageAuthority.NewRegistration:output_type -> core.Registration - 60, // 196: sa.StorageAuthority.RevokeCertificate:output_type -> google.protobuf.Empty - 60, // 197: sa.StorageAuthority.SetOrderError:output_type -> google.protobuf.Empty - 60, // 198: sa.StorageAuthority.SetOrderProcessing:output_type -> google.protobuf.Empty - 61, // 199: sa.StorageAuthority.UpdateRegistrationKey:output_type -> core.Registration - 60, // 200: sa.StorageAuthority.UpdateRevokedCertificate:output_type -> google.protobuf.Empty - 41, // 201: sa.StorageAuthority.LeaseCRLShard:output_type -> sa.LeaseCRLShardResponse - 60, // 202: sa.StorageAuthority.UpdateCRLShard:output_type -> google.protobuf.Empty - 45, // 203: 
sa.StorageAuthority.PauseIdentifiers:output_type -> sa.PauseIdentifiersResponse - 6, // 204: sa.StorageAuthority.UnpauseAccount:output_type -> sa.Count - 49, // 205: sa.StorageAuthority.AddRateLimitOverride:output_type -> sa.AddRateLimitOverrideResponse - 60, // 206: sa.StorageAuthority.DisableRateLimitOverride:output_type -> google.protobuf.Empty - 60, // 207: sa.StorageAuthority.EnableRateLimitOverride:output_type -> google.protobuf.Empty - 29, // 208: sa.StorageAuthorityAdmin.CreateIncident:output_type -> sa.Incident - 29, // 209: sa.StorageAuthorityAdmin.UpdateIncident:output_type -> sa.Incident - 60, // 210: sa.StorageAuthorityAdmin.AddSerialsToIncident:output_type -> google.protobuf.Empty - 132, // [132:211] is the sub-list for method output_type - 53, // [53:132] is the sub-list for method input_type + 24, // 118: sa.StorageAuthority.SetAuthzProcessing:input_type -> sa.AuthorizationID2 + 18, // 119: sa.StorageAuthority.SetOrderError:input_type -> sa.SetOrderErrorRequest + 14, // 120: sa.StorageAuthority.SetOrderProcessing:input_type -> sa.OrderRequest + 46, // 121: sa.StorageAuthority.UpdateRegistrationKey:input_type -> sa.UpdateRegistrationKeyRequest + 25, // 122: sa.StorageAuthority.UpdateRevokedCertificate:input_type -> sa.RevokeCertificateRequest + 40, // 123: sa.StorageAuthority.LeaseCRLShard:input_type -> sa.LeaseCRLShardRequest + 42, // 124: sa.StorageAuthority.UpdateCRLShard:input_type -> sa.UpdateCRLShardRequest + 44, // 125: sa.StorageAuthority.PauseIdentifiers:input_type -> sa.PauseRequest + 0, // 126: sa.StorageAuthority.UnpauseAccount:input_type -> sa.RegistrationID + 48, // 127: sa.StorageAuthority.AddRateLimitOverride:input_type -> sa.AddRateLimitOverrideRequest + 51, // 128: sa.StorageAuthority.DisableRateLimitOverride:input_type -> sa.DisableRateLimitOverrideRequest + 50, // 129: sa.StorageAuthority.EnableRateLimitOverride:input_type -> sa.EnableRateLimitOverrideRequest + 32, // 130: sa.StorageAuthorityAdmin.CreateIncident:input_type -> 
sa.CreateIncidentRequest + 33, // 131: sa.StorageAuthorityAdmin.UpdateIncident:input_type -> sa.UpdateIncidentRequest + 34, // 132: sa.StorageAuthorityAdmin.AddSerialsToIncident:input_type -> sa.AddSerialsToIncidentRequest + 11, // 133: sa.StorageAuthorityReadOnly.FQDNSetExists:output_type -> sa.Exists + 7, // 134: sa.StorageAuthorityReadOnly.FQDNSetTimestampsForWindow:output_type -> sa.Timestamps + 58, // 135: sa.StorageAuthorityReadOnly.GetAuthorization2:output_type -> core.Authorization + 62, // 136: sa.StorageAuthorityReadOnly.GetCertificate:output_type -> core.Certificate + 62, // 137: sa.StorageAuthorityReadOnly.GetLintPrecertificate:output_type -> core.Certificate + 63, // 138: sa.StorageAuthorityReadOnly.GetCertificateStatus:output_type -> core.CertificateStatus + 64, // 139: sa.StorageAuthorityReadOnly.GetOrder:output_type -> core.Order + 64, // 140: sa.StorageAuthorityReadOnly.GetOrderForNames:output_type -> core.Order + 61, // 141: sa.StorageAuthorityReadOnly.GetRegistration:output_type -> core.Registration + 61, // 142: sa.StorageAuthorityReadOnly.GetRegistrationByKey:output_type -> core.Registration + 39, // 143: sa.StorageAuthorityReadOnly.GetRevocationStatus:output_type -> sa.RevocationStatus + 65, // 144: sa.StorageAuthorityReadOnly.GetRevokedCertsByShard:output_type -> core.CRLEntry + 4, // 145: sa.StorageAuthorityReadOnly.GetSerialMetadata:output_type -> sa.SerialMetadata + 3, // 146: sa.StorageAuthorityReadOnly.GetSerialsByAccount:output_type -> sa.Serial + 3, // 147: sa.StorageAuthorityReadOnly.GetSerialsByKey:output_type -> sa.Serial + 23, // 148: sa.StorageAuthorityReadOnly.GetValidAuthorizations2:output_type -> sa.Authorizations + 23, // 149: sa.StorageAuthorityReadOnly.GetValidOrderAuthorizations2:output_type -> sa.Authorizations + 23, // 150: sa.StorageAuthorityReadOnly.GetOrderAuthorizations:output_type -> sa.Authorizations + 30, // 151: sa.StorageAuthorityReadOnly.IncidentsForSerial:output_type -> sa.Incidents + 11, // 152: 
sa.StorageAuthorityReadOnly.KeyBlocked:output_type -> sa.Exists + 30, // 153: sa.StorageAuthorityReadOnly.ListIncidents:output_type -> sa.Incidents + 11, // 154: sa.StorageAuthorityReadOnly.ReplacementOrderExists:output_type -> sa.Exists + 37, // 155: sa.StorageAuthorityReadOnly.SerialsForIncident:output_type -> sa.IncidentSerial + 43, // 156: sa.StorageAuthorityReadOnly.CheckIdentifiersPaused:output_type -> sa.Identifiers + 43, // 157: sa.StorageAuthorityReadOnly.GetPausedIdentifiers:output_type -> sa.Identifiers + 53, // 158: sa.StorageAuthorityReadOnly.GetRateLimitOverride:output_type -> sa.RateLimitOverrideResponse + 53, // 159: sa.StorageAuthorityReadOnly.GetEnabledRateLimitOverrides:output_type -> sa.RateLimitOverrideResponse + 11, // 160: sa.StorageAuthority.FQDNSetExists:output_type -> sa.Exists + 7, // 161: sa.StorageAuthority.FQDNSetTimestampsForWindow:output_type -> sa.Timestamps + 58, // 162: sa.StorageAuthority.GetAuthorization2:output_type -> core.Authorization + 62, // 163: sa.StorageAuthority.GetCertificate:output_type -> core.Certificate + 62, // 164: sa.StorageAuthority.GetLintPrecertificate:output_type -> core.Certificate + 63, // 165: sa.StorageAuthority.GetCertificateStatus:output_type -> core.CertificateStatus + 64, // 166: sa.StorageAuthority.GetOrder:output_type -> core.Order + 64, // 167: sa.StorageAuthority.GetOrderForNames:output_type -> core.Order + 61, // 168: sa.StorageAuthority.GetRegistration:output_type -> core.Registration + 61, // 169: sa.StorageAuthority.GetRegistrationByKey:output_type -> core.Registration + 39, // 170: sa.StorageAuthority.GetRevocationStatus:output_type -> sa.RevocationStatus + 65, // 171: sa.StorageAuthority.GetRevokedCertsByShard:output_type -> core.CRLEntry + 4, // 172: sa.StorageAuthority.GetSerialMetadata:output_type -> sa.SerialMetadata + 3, // 173: sa.StorageAuthority.GetSerialsByAccount:output_type -> sa.Serial + 3, // 174: sa.StorageAuthority.GetSerialsByKey:output_type -> sa.Serial + 23, // 175: 
sa.StorageAuthority.GetValidAuthorizations2:output_type -> sa.Authorizations + 23, // 176: sa.StorageAuthority.GetValidOrderAuthorizations2:output_type -> sa.Authorizations + 23, // 177: sa.StorageAuthority.GetOrderAuthorizations:output_type -> sa.Authorizations + 30, // 178: sa.StorageAuthority.IncidentsForSerial:output_type -> sa.Incidents + 11, // 179: sa.StorageAuthority.KeyBlocked:output_type -> sa.Exists + 30, // 180: sa.StorageAuthority.ListIncidents:output_type -> sa.Incidents + 11, // 181: sa.StorageAuthority.ReplacementOrderExists:output_type -> sa.Exists + 37, // 182: sa.StorageAuthority.SerialsForIncident:output_type -> sa.IncidentSerial + 43, // 183: sa.StorageAuthority.CheckIdentifiersPaused:output_type -> sa.Identifiers + 43, // 184: sa.StorageAuthority.GetPausedIdentifiers:output_type -> sa.Identifiers + 53, // 185: sa.StorageAuthority.GetRateLimitOverride:output_type -> sa.RateLimitOverrideResponse + 53, // 186: sa.StorageAuthority.GetEnabledRateLimitOverrides:output_type -> sa.RateLimitOverrideResponse + 60, // 187: sa.StorageAuthority.AddBlockedKey:output_type -> google.protobuf.Empty + 60, // 188: sa.StorageAuthority.AddCertificate:output_type -> google.protobuf.Empty + 60, // 189: sa.StorageAuthority.AddPrecertificate:output_type -> google.protobuf.Empty + 60, // 190: sa.StorageAuthority.AddSerial:output_type -> google.protobuf.Empty + 60, // 191: sa.StorageAuthority.DeactivateAuthorization2:output_type -> google.protobuf.Empty + 61, // 192: sa.StorageAuthority.DeactivateRegistration:output_type -> core.Registration + 60, // 193: sa.StorageAuthority.FinalizeAuthorization2:output_type -> google.protobuf.Empty + 60, // 194: sa.StorageAuthority.FinalizeOrder:output_type -> google.protobuf.Empty + 64, // 195: sa.StorageAuthority.NewOrderAndAuthzs:output_type -> core.Order + 61, // 196: sa.StorageAuthority.NewRegistration:output_type -> core.Registration + 60, // 197: sa.StorageAuthority.RevokeCertificate:output_type -> google.protobuf.Empty + 60, 
// 198: sa.StorageAuthority.SetAuthzProcessing:output_type -> google.protobuf.Empty + 60, // 199: sa.StorageAuthority.SetOrderError:output_type -> google.protobuf.Empty + 60, // 200: sa.StorageAuthority.SetOrderProcessing:output_type -> google.protobuf.Empty + 61, // 201: sa.StorageAuthority.UpdateRegistrationKey:output_type -> core.Registration + 60, // 202: sa.StorageAuthority.UpdateRevokedCertificate:output_type -> google.protobuf.Empty + 41, // 203: sa.StorageAuthority.LeaseCRLShard:output_type -> sa.LeaseCRLShardResponse + 60, // 204: sa.StorageAuthority.UpdateCRLShard:output_type -> google.protobuf.Empty + 45, // 205: sa.StorageAuthority.PauseIdentifiers:output_type -> sa.PauseIdentifiersResponse + 6, // 206: sa.StorageAuthority.UnpauseAccount:output_type -> sa.Count + 49, // 207: sa.StorageAuthority.AddRateLimitOverride:output_type -> sa.AddRateLimitOverrideResponse + 60, // 208: sa.StorageAuthority.DisableRateLimitOverride:output_type -> google.protobuf.Empty + 60, // 209: sa.StorageAuthority.EnableRateLimitOverride:output_type -> google.protobuf.Empty + 29, // 210: sa.StorageAuthorityAdmin.CreateIncident:output_type -> sa.Incident + 29, // 211: sa.StorageAuthorityAdmin.UpdateIncident:output_type -> sa.Incident + 60, // 212: sa.StorageAuthorityAdmin.AddSerialsToIncident:output_type -> google.protobuf.Empty + 133, // [133:213] is the sub-list for method output_type + 53, // [53:133] is the sub-list for method input_type 53, // [53:53] is the sub-list for extension type_name 53, // [53:53] is the sub-list for extension extendee 0, // [0:53] is the sub-list for field type_name diff --git a/sa/proto/sa.proto b/sa/proto/sa.proto index 3122b98fb02..7d8104ef05e 100644 --- a/sa/proto/sa.proto +++ b/sa/proto/sa.proto 
@@ -82,6 +82,7 @@ service StorageAuthority { rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {} rpc NewRegistration(core.Registration) returns (core.Registration) {} rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {} + rpc SetAuthzProcessing(AuthorizationID2) returns (google.protobuf.Empty) {} rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {} rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {} rpc UpdateRegistrationKey(UpdateRegistrationKeyRequest) returns (core.Registration) {} diff --git a/sa/proto/sa_grpc.pb.go b/sa/proto/sa_grpc.pb.go index 65de98b16c1..da71fe8275d 100644 --- a/sa/proto/sa_grpc.pb.go +++ b/sa/proto/sa_grpc.pb.go @@ -1170,6 +1170,7 @@ const ( StorageAuthority_NewOrderAndAuthzs_FullMethodName = "/sa.StorageAuthority/NewOrderAndAuthzs" StorageAuthority_NewRegistration_FullMethodName = "/sa.StorageAuthority/NewRegistration" StorageAuthority_RevokeCertificate_FullMethodName = "/sa.StorageAuthority/RevokeCertificate" + StorageAuthority_SetAuthzProcessing_FullMethodName = "/sa.StorageAuthority/SetAuthzProcessing" StorageAuthority_SetOrderError_FullMethodName = "/sa.StorageAuthority/SetOrderError" StorageAuthority_SetOrderProcessing_FullMethodName = "/sa.StorageAuthority/SetOrderProcessing" StorageAuthority_UpdateRegistrationKey_FullMethodName = "/sa.StorageAuthority/UpdateRegistrationKey" 
@@ -1229,6 +1230,7 @@ type StorageAuthorityClient interface { NewOrderAndAuthzs(ctx context.Context, in *NewOrderAndAuthzsRequest, opts ...grpc.CallOption) (*proto.Order, error) NewRegistration(ctx context.Context, in *proto.Registration, opts ...grpc.CallOption) (*proto.Registration, error) RevokeCertificate(ctx context.Context, in *RevokeCertificateRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) + SetAuthzProcessing(ctx context.Context, in *AuthorizationID2, opts ...grpc.CallOption) (*emptypb.Empty, error) SetOrderError(ctx context.Context, in *SetOrderErrorRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) SetOrderProcessing(ctx context.Context, in *OrderRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) UpdateRegistrationKey(ctx context.Context, in *UpdateRegistrationKeyRequest, opts ...grpc.CallOption) (*proto.Registration, error) @@ -1675,6 +1677,16 @@ func (c *storageAuthorityClient) RevokeCertificate(ctx context.Context, in *Revo return out, nil } +func (c *storageAuthorityClient) SetAuthzProcessing(ctx context.Context, in *AuthorizationID2, opts ...grpc.CallOption) (*emptypb.Empty, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(emptypb.Empty) + err := c.cc.Invoke(ctx, StorageAuthority_SetAuthzProcessing_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *storageAuthorityClient) SetOrderError(ctx context.Context, in *SetOrderErrorRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(emptypb.Empty) 
@@ -1831,6 +1843,7 @@ type StorageAuthorityServer interface { NewOrderAndAuthzs(context.Context, *NewOrderAndAuthzsRequest) (*proto.Order, error) NewRegistration(context.Context, *proto.Registration) (*proto.Registration, error) RevokeCertificate(context.Context, *RevokeCertificateRequest) (*emptypb.Empty, error) + SetAuthzProcessing(context.Context, *AuthorizationID2) (*emptypb.Empty, error) SetOrderError(context.Context, *SetOrderErrorRequest) (*emptypb.Empty, error) SetOrderProcessing(context.Context, *OrderRequest) (*emptypb.Empty, error) UpdateRegistrationKey(context.Context, *UpdateRegistrationKeyRequest) (*proto.Registration, error) @@ -1966,6 +1979,9 @@ func (UnimplementedStorageAuthorityServer) NewRegistration(context.Context, *pro func (UnimplementedStorageAuthorityServer) RevokeCertificate(context.Context, *RevokeCertificateRequest) (*emptypb.Empty, error) { return nil, status.Errorf(codes.Unimplemented, "method RevokeCertificate not implemented") } +func (UnimplementedStorageAuthorityServer) SetAuthzProcessing(context.Context, *AuthorizationID2) (*emptypb.Empty, error) { + return nil, status.Errorf(codes.Unimplemented, "method SetAuthzProcessing not implemented") +} func (UnimplementedStorageAuthorityServer) SetOrderError(context.Context, *SetOrderErrorRequest) (*emptypb.Empty, error) { return nil, status.Errorf(codes.Unimplemented, "method SetOrderError not implemented") } 
@@ -2669,6 +2685,24 @@ func _StorageAuthority_RevokeCertificate_Handler(srv interface{}, ctx context.Co return interceptor(ctx, in, info, handler) } +func _StorageAuthority_SetAuthzProcessing_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(AuthorizationID2) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(StorageAuthorityServer).SetAuthzProcessing(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: StorageAuthority_SetAuthzProcessing_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(StorageAuthorityServer).SetAuthzProcessing(ctx, req.(*AuthorizationID2)) + } + return interceptor(ctx, in, info, handler) +} + func _StorageAuthority_SetOrderError_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(SetOrderErrorRequest) if err := dec(in); err != nil { @@ -3006,6 +3040,10 @@ var StorageAuthority_ServiceDesc = grpc.ServiceDesc{ MethodName: "RevokeCertificate", Handler: _StorageAuthority_RevokeCertificate_Handler, }, + { + MethodName: "SetAuthzProcessing", + Handler: _StorageAuthority_SetAuthzProcessing_Handler, + }, { MethodName: "SetOrderError", Handler: _StorageAuthority_SetOrderError_Handler, diff --git a/sa/sa.go b/sa/sa.go index f58ccd817bf..7540fb968be 100644 --- a/sa/sa.go +++ b/sa/sa.go 
@@ -597,6 +597,40 @@ func containsDuplicates(ids []int64) bool {
 return false
 }
+// SetAuthzProcessing sets the "beganProcessing" bool for an authorization.
+// This does not affect its public-facing status (unlike orders, authzs do not
+// have an RFC 8555 "processing" state), but does prevent further requests to
+// the challenge endpoint from kicking off parallel validation attempts.
+func (ssa *SQLStorageAuthority) SetAuthzProcessing(ctx context.Context, req *sapb.AuthorizationID2) (*emptypb.Empty, error) {
+ if req.Id == 0 {
+ return nil, errIncompleteRequest
+ }
+ _, overallError := db.WithTransaction(ctx, ssa.dbMap, func(tx db.Executor) (any, error) {
+ result, err := tx.ExecContext(ctx, `
+ UPDATE authz2
+ SET beganProcessing = ?
+ WHERE id = ?
+ AND beganProcessing = ?`,
+ true,
+ req.Id,
+ false)
+ if err != nil {
+ return nil, berrors.InternalServerError("error updating authz to beganProcessing status")
+ }
+
+ n, err := result.RowsAffected()
+ if err != nil || n == 0 {
+ return nil, berrors.ConflictError("Authorization is already being validated. This may indicate your client attempted the same challenge multiple times, possibly due to a client bug.")
+ }
+
+ return nil, nil
+ })
+ if overallError != nil {
+ return nil, overallError
+ }
+ return &emptypb.Empty{}, nil
+}
+
 // SetOrderProcessing updates an order from pending status to processing
 // status by updating the `beganProcessing` field of the corresponding
 // Order table row in the DB.
diff --git a/sa/sa_test.go b/sa/sa_test.go
index 3c19459ce1a..a64571d815a 100644
--- a/sa/sa_test.go
+++ b/sa/sa_test.go
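Review bot: In SetAuthzProcessing, the `if err != nil || n == 0` branch returns a conflict both when RowsAffected itself fails and when no row matched, so a driver error, or an ID with no authz2 row at all, reaches the caller as "already being validated". Checking the error on its own first, `if err != nil { return nil, berrors.InternalServerError("error checking result of authz update") }`, and leaving only `n == 0` for the conflict keeps internal failures from being presented as client misbehaviour. Whether a missing row should be a conflict or a not-found error depends on what the RA has checked before calling this, which the hunk does not show. The ExecContext failure path also drops the underlying `err`, so the cause of an internal error is lost unless it is logged elsewhere.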
@@ -1266,6 +1266,35 @@ func TestNewOrderAndAuthzs_Profile(t *testing.T) {
 }
 }
+func TestSetAuthzProcessing(t *testing.T) {
+ if os.Getenv("BOULDER_CONFIG_DIR") != "test/config-next" {
+ t.Skip("TestSetAuthzProcessing requires config-next")
+ }
+
+ sa, fc := initSA(t)
+
+ reg := createWorkingRegistration(t, sa)
+
+ // Add one valid authz
+ expires := fc.Now().Add(time.Hour)
+ authzID := createPendingAuthorization(t, sa, reg.Id, identifier.NewDNS("example.com"), expires)
+
+ // Set the authz to processing
+ _, err := sa.SetAuthzProcessing(t.Context(), &sapb.AuthorizationID2{Id: authzID})
+ if err != nil {
+ t.Fatalf("SetAuthzProcessing = %q, but want success", err)
+ }
+
+ // Try to set the same authz to be processing again. We should get an error.
+ _, err = sa.SetAuthzProcessing(context.Background(), &sapb.AuthorizationID2{Id: authzID})
+ if err == nil {
+ t.Fatal("SetAuthzProcessing again succeeded, but want error")
+ }
+ if !errors.Is(err, berrors.Conflict) {
+ t.Errorf("SetAuthzProcessing = %T, but want berrors.Conflict", err)
+ }
+}
+
 func TestSetOrderProcessing(t *testing.T) {
 sa, fc := initSA(t)
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
index 50813bf4713..7e584ec4530 100644
--- a/test/config-next/ra.json
+++ b/test/config-next/ra.json
@@ -186,7 +186,8 @@
 "CAARechecksFailOrder": true,
 "AutomaticallyPauseZombieClients": true,
 "DNSAccount01Enabled": true,
- "DNSPersist01Enabled": true
+ "DNSPersist01Enabled": true,
+ "SetAuthzProcessing": true
 }
 },
 "pa": {
diff --git a/test/integration/authz_test.go b/test/integration/authz_test.go
index 1520c9d95db..cee01a58fe3 100644
--- a/test/integration/authz_test.go
+++ b/test/integration/authz_test.go
@@ -3,6 +3,9 @@
 package integration
 import (
+ "os"
+ "strings"
+ "sync"
 "testing"
 "time"
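Review bot: TestSetAuthzProcessing exercises only the first-call and repeat-call paths, so the `req.Id == 0` guard and an ID with no matching row are left untested. An extra case such as `_, err = sa.SetAuthzProcessing(t.Context(), &sapb.AuthorizationID2{})` with an assertion that it errors would pin the guard. The final failure message formats with `%T`, which prints the Go type of the error rather than its content; `%q`, as in the earlier Fatalf, would say what was actually returned. The second call also passes `context.Background()` where the first uses `t.Context()`.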
@@ -54,3 +57,70 @@ func TestValidAuthzExpires(t *testing.T) {
 actualExpires, expectedExpiresMin, expectedExpiresMax)
 }
 }
+
+func TestParallelValidationConflict(t *testing.T) {
+ t.Parallel()
+
+ if os.Getenv("BOULDER_CONFIG_DIR") != "test/config-next" {
+ t.Skip("TestParallelValidationConflict requires config-next")
+ }
+
+ c, err := makeClient()
+ if err != nil {
+ t.Fatalf("making client: %s", err)
+ }
+
+ name := random_domain()
+ order, err := c.NewOrder(c.Account, []acme.Identifier{{Type: "dns", Value: name}})
+ if err != nil {
+ t.Fatalf("making order: %s", err)
+ }
+
+ authz, err := c.FetchAuthorization(c.Account, order.Authorizations[0])
+ if err != nil {
+ t.Fatalf("fetching authz: %s", err)
+ }
+
+ chall, ok := authz.ChallengeMap[acme.ChallengeTypeDNS01]
+ if !ok {
+ t.Fatalf("authz doesn't have dns-01 challenge")
+ }
+
+ // Setting up chall-test-srv to have an actual response isn't strictly
+ // necessary, but it makes the success/failure difference between the attempts
+ // below more obvious.
+ _, err = testSrvClient.AddDNS01Response(name, chall.KeyAuthorization)
+ if err != nil {
+ t.Fatalf("prepping chall-test-srv: %s", err)
+ }
+ t.Cleanup(func() {
+ testSrvClient.RemoveDNS01Response(chall.Token)
+ })
+
+ // Kick off two validations in parallel.
+ var wg sync.WaitGroup
+ errs := make([]error, 2)
+ for i := range 2 {
+ wg.Go(func() {
+ _, err := c.UpdateChallenge(c.Account, chall)
+ errs[i] = err
+ })
+ }
+ wg.Wait()
+
+ // Make sure we got one error and one success.
+ if errs[0] == nil && errs[1] == nil {
+ t.Error("parallel UpdateChallenge both succeeded, but want one failure")
+ } else if errs[0] != nil && errs[1] != nil {
+ t.Errorf("parallel UpdateChallenge both failed (%q and %q), but want one success", errs[0], errs[1])
+ }
+
+ // Make sure the one error is of type "conflict"
+ err = errs[0]
+ if err == nil {
+ err = errs[1]
+ }
+ if !strings.Contains(err.Error(), "urn:ietf:params:acme:error:conflict") {
+ t.Errorf("parallel UpdateChallenge = %q, but want 'conflict'", err)
+ }
+}
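Review bot: In TestParallelValidationConflict, the both-succeeded case is reported with `t.Error`, which does not stop the test, so execution reaches `err.Error()` with `err` still nil and panics instead of failing cleanly. Using `t.Fatal("parallel UpdateChallenge both succeeded, but want one failure")` in that branch avoids the nil dereference. The cleanup calls `testSrvClient.RemoveDNS01Response(chall.Token)` although the record was added under `name`. If the helper is keyed by host, as the Add call suggests, the record is never removed; its return value is ignored either way.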