Add profile filter to Get[Valid]Authorizations methods

letsencrypt · Feb 1, 2025 · 69bfacc · 69bfacc
1 parent b155102
commit 69bfacc
Showing 4 changed files with 676 additions and 645 deletions.
diff --git a/ra/ra.go b/ra/ra.go
@@ -2232,13 +2232,15 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 			RegistrationID: newOrder.RegistrationID,
 			ValidUntil:     timestamppb.New(authzExpiryCutoff),
 			DnsNames:       newOrder.DnsNames,
+			Profile:        req.CertificateProfileName,
 		}
 		existingAuthz, err = ra.SA.GetValidAuthorizations2(ctx, getAuthReq)
 	} else {
 		getAuthReq := &sapb.GetAuthorizationsRequest{
 			RegistrationID: newOrder.RegistrationID,
 			ValidUntil:     timestamppb.New(authzExpiryCutoff),
 			DnsNames:       newOrder.DnsNames,
+			Profile:        req.CertificateProfileName,
 		}
 		existingAuthz, err = ra.SA.GetAuthorizations2(ctx, getAuthReq)
 	}

diff --git a/sa/proto/sa.pb.go b/sa/proto/sa.pb.go
diff --git a/sa/proto/sa.proto b/sa/proto/sa.proto
@@ -108,11 +108,12 @@ message AuthorizationID {
 }
 
 message GetValidAuthorizationsRequest {
-  // Next unused field number: 5
+  // Next unused field number: 6
   int64 registrationID = 1;
   repeated string dnsNames = 2;
   reserved 3; // Previously nowNS
   google.protobuf.Timestamp validUntil = 4;
+  string profile = 5;
 }
 
 message Serial {
@@ -267,11 +268,12 @@ message FinalizeOrderRequest {
 }
 
 message GetAuthorizationsRequest {
-  // Next unused field number: 5
+  // Next unused field number: 6
   int64 registrationID = 1;
   repeated string dnsNames = 2;
   reserved 3; // Previously nowNS
   google.protobuf.Timestamp validUntil = 4;
+  string profile = 5;
 }
 
 message Authorizations {

diff --git a/sa/saro.go b/sa/saro.go
@@ -645,6 +645,10 @@ func (ssa *SQLStorageAuthorityRO) GetAuthorizations2(ctx context.Context, req *s
 
 	authzModelMap := make(map[string]authzModel, len(authzModels))
 	for _, am := range authzModels {
+		if req.Profile != "" && am.CertificateProfileName != &req.Profile {
+			// Don't return authzs whose profile doesn't match that requested.
+			continue
+		}
 		// If there is an existing authorization in the map, only replace it with
 		// one which has a "better" validation state (valid instead of pending).
 		existing, present := authzModelMap[am.IdentifierValue]
@@ -820,6 +824,10 @@ func (ssa *SQLStorageAuthorityRO) GetValidAuthorizations2(ctx context.Context, r
 
 	authzMap := make(map[string]authzModel, len(authzModels))
 	for _, am := range authzModels {
+		if req.Profile != "" && am.CertificateProfileName != &req.Profile {
+			// Don't return authzs whose profile doesn't match that requested.
+			continue
+		}
 		// If there is an existing authorization in the map only replace it with one
 		// which has a later expiry.
 		existing, present := authzMap[am.IdentifierValue]