Make orders with deact authz invalid (#4687)

Fixes #4685.
letsencrypt · Feb 27, 2020 · 542cb6d · 542cb6d
1 parent 4184dc3
commit 542cb6d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 12 deletions.
diff --git a/sa/sa.go b/sa/sa.go
@@ -1128,7 +1128,7 @@ func (ssa *SQLStorageAuthority) GetOrder(ctx context.Context, req *sapb.OrderReq
 //   * If the order has an error, the order is invalid
 //   * If any of the order's authorizations are invalid, the order is invalid.
 //   * If any of the order's authorizations are expired, the order is invalid.
-//   * If any of the order's authorizations are deactivated, the order is deactivated.
+//   * If any of the order's authorizations are deactivated, the order is invalid.
 //   * If any of the order's authorizations are pending, the order is pending.
 //   * If all of the order's authorizations are valid, and there is
 //     a certificate serial, the order is valid.
@@ -1207,18 +1207,13 @@ func (ssa *SQLStorageAuthority) statusForOrder(ctx context.Context, order *corep
 		}
 	}
 
-	// An order is invalid if **any** of its authzs are invalid
-	if invalidAuthzs > 0 {
+	// An order is invalid if **any** of its authzs are invalid, deactivated,
+	// or expired, see https://tools.ietf.org/html/rfc8555#section-7.1.6
+	if invalidAuthzs > 0 ||
+		expiredAuthzs > 0 ||
+		deactivatedAuthzs > 0 {
 		return string(core.StatusInvalid), nil
 	}
-	// An order is invalid if **any** of its authzs are expired
-	if expiredAuthzs > 0 {
-		return string(core.StatusInvalid), nil
-	}
-	// An order is deactivated if **any** of its authzs are deactivated
-	if deactivatedAuthzs > 0 {
-		return string(core.StatusDeactivated), nil
-	}
 	// An order is pending if **any** of its authzs are pending
 	if pendingAuthzs > 0 {
 		return string(core.StatusPending), nil

diff --git a/sa/sa_test.go b/sa/sa_test.go
@@ -1460,7 +1460,7 @@ func TestStatusForOrder(t *testing.T) {
 			Name:             "Order with a deactivated authz",
 			OrderNames:       []string{"pending.your.order.is.up", "deactivated.your.order.is.up", "valid.your.order.is.up"},
 			AuthorizationIDs: []int64{pendingID, deactivatedID, validID},
-			ExpectedStatus:   string(core.StatusDeactivated),
+			ExpectedStatus:   string(core.StatusInvalid),
 		},
 		{
 			Name:             "Order with a pending authz",