VA: Make performRemoteValidation more generic (#7847)

- Make performRemoteValidation a more generic function that returns a new remoteResult interface - Modify the return value of IsCAAValid and PerformValidation to satisfy the remoteResult interface - Include compile time checks and tests that pass an arbitrary operation
letsencrypt · Nov 27, 2024 · 27a7714 · 27a7714
1 parent ded2e5e
commit 27a7714
Show file tree

Hide file tree

Showing 9 changed files with 215 additions and 100 deletions.
diff --git a/grpc/pb-marshalling.go b/grpc/pb-marshalling.go
@@ -188,13 +188,13 @@ func ValidationResultToPB(records []core.ValidationRecord, prob *probs.ProblemDe
 			return nil, err
 		}
 	}
-	marshalledProbs, err := ProblemDetailsToPB(prob)
+	marshalledProb, err := ProblemDetailsToPB(prob)
 	if err != nil {
 		return nil, err
 	}
 	return &vapb.ValidationResult{
 		Records:     recordAry,
-		Problems:    marshalledProbs,
+		Problem:     marshalledProb,
 		Perspective: perspective,
 		Rir:         rir,
 	}, nil
@@ -212,7 +212,7 @@ func pbToValidationResult(in *vapb.ValidationResult) ([]core.ValidationRecord, *
 			return nil, nil, err
 		}
 	}
-	prob, err := PBToProblemDetails(in.Problems)
+	prob, err := PBToProblemDetails(in.Problem)
 	if err != nil {
 		return nil, nil, err
 	}

diff --git a/ra/ra.go b/ra/ra.go
@@ -1762,7 +1762,7 @@ func (ra *RegistrationAuthorityImpl) recordValidation(ctx context.Context, authI
 		Attempted:         string(challenge.Type),
 		AttemptedAt:       validated,
 		ValidationRecords: vr.Records,
-		ValidationError:   vr.Problems,
+		ValidationError:   vr.Problem,
 	})
 	return err
 }
@@ -1929,8 +1929,8 @@ func (ra *RegistrationAuthorityImpl) PerformValidation(
 			prob = probs.ServerInternal("Could not communicate with VA")
 			ra.log.AuditErrf("Could not communicate with VA: %s", err)
 		} else {
-			if res.Problems != nil {
-				prob, err = bgrpc.PBToProblemDetails(res.Problems)
+			if res.Problem != nil {
+				prob, err = bgrpc.PBToProblemDetails(res.Problem)
 				if err != nil {
 					prob = probs.ServerInternal("Could not communicate with VA")
 					ra.log.AuditErrf("Could not communicate with VA: %s", err)

diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -728,7 +728,7 @@ func TestPerformValidationAlreadyValid(t *testing.T) {
 				Url:         "http://example.com/",
 			},
 		},
-		Problems: nil,
+		Problem: nil,
 	}
 
 	// A subsequent call to perform validation should return nil due
@@ -758,7 +758,7 @@ func TestPerformValidationSuccess(t *testing.T) {
 				ResolverAddrs: []string{"rebound"},
 			},
 		},
-		Problems: nil,
+		Problem: nil,
 	}
 
 	now := fc.Now()
@@ -901,7 +901,7 @@ func TestPerformValidation_FailedValidationsTriggerPauseIdentifiersRatelimit(t *
 				ResolverAddrs: []string{"rebound"},
 			},
 		},
-		Problems: &corepb.ProblemDetails{
+		Problem: &corepb.ProblemDetails{
 			Detail: fmt.Sprintf("CAA invalid for %s", domain),
 		},
 	}
@@ -954,7 +954,7 @@ func TestPerformValidation_FailedValidationsTriggerPauseIdentifiersRatelimit(t *
 				ResolverAddrs: []string{"rebound"},
 			},
 		},
-		Problems: &corepb.ProblemDetails{
+		Problem: &corepb.ProblemDetails{
 			Detail: fmt.Sprintf("CAA invalid for %s", domain),
 		},
 	}
@@ -1034,7 +1034,7 @@ func TestPerformValidation_FailedThenSuccessfulValidationResetsPauseIdentifiersR
 				ResolverAddrs: []string{"rebound"},
 			},
 		},
-		Problems: &corepb.ProblemDetails{
+		Problem: &corepb.ProblemDetails{
 			Detail: fmt.Sprintf("CAA invalid for %s", domain),
 		},
 	}
@@ -1092,7 +1092,7 @@ func TestPerformValidation_FailedThenSuccessfulValidationResetsPauseIdentifiersR
 				ResolverAddrs: []string{"rebound"},
 			},
 		},
-		Problems: nil,
+		Problem: nil,
 	}
 
 	challIdx = dnsChallIdx(t, authzPB.Challenges)

diff --git a/test/v2_integration.py b/test/v2_integration.py
@@ -1083,8 +1083,8 @@ def test_http_multiva_threshold_fail():
         raise(Exception("no HTTP-01 challenge in failed authz"))
     if httpChall.error.typ != "urn:ietf:params:acme:error:unauthorized":
         raise(Exception("expected unauthorized prob, found {0}".format(httpChall.error.typ)))
-    if not httpChall.error.detail.startswith("During secondary domain validation: "):
-        raise(Exception("expected 'During secondary domain validation' problem detail, found {0}".format(httpChall.error.detail)))
+    if not httpChall.error.detail.startswith("During secondary validation: "):
+        raise(Exception("expected 'During secondary validation' problem detail, found {0}".format(httpChall.error.detail)))
 
 class FakeH2ServerHandler(socketserver.BaseRequestHandler):
     """

diff --git a/va/dns_test.go b/va/dns_test.go
@@ -25,8 +25,8 @@ func TestDNSValidationEmpty(t *testing.T) {
 	// metrics checked below are incremented.
 	req := createValidationRequest("empty-txts.com", core.ChallengeTypeDNS01)
 	res, _ := va.PerformValidation(context.Background(), req)
-	test.AssertEquals(t, res.Problems.ProblemType, "unauthorized")
-	test.AssertEquals(t, res.Problems.Detail, "No TXT record found at _acme-challenge.empty-txts.com")
+	test.AssertEquals(t, res.Problem.ProblemType, "unauthorized")
+	test.AssertEquals(t, res.Problem.Detail, "No TXT record found at _acme-challenge.empty-txts.com")
 
 	test.AssertMetricWithLabelsEquals(t, va.metrics.validationLatency, prometheus.Labels{
 		"operation":      opChallAndCAA,

diff --git a/va/proto/va.pb.go b/va/proto/va.pb.go
diff --git a/va/proto/va.proto b/va/proto/va.proto
@@ -23,6 +23,8 @@ message IsCAAValidRequest {
 // If CAA is valid for the requested domain, the problem will be empty
 message IsCAAValidResponse {
   core.ProblemDetails problem = 1;
+  string perspective = 3;
+  string rir = 4;
 }
 
 message PerformValidationRequest {
@@ -39,7 +41,7 @@ message AuthzMeta {
 
 message ValidationResult {
   repeated core.ValidationRecord records = 1;
-  core.ProblemDetails problems = 2;
+  core.ProblemDetails problem = 2;
   string perspective = 3;
   string rir = 4;
 }