Merge pull request #8 from maksimsavrilov/bugfix/msavrilov-MTID-375

Bugfix/msavrilov mtid 375

.codespell.ignore.txt

@@ -10,3 +10,4 @@ te
 uint
 vas
 ede
+vai

.github/workflows/boulder-ci.yml

@@ -36,7 +36,8 @@ jobs:
       matrix:
         # Add additional docker image tags here and all tests will be run with the additional image.
         BOULDER_TOOLS_TAG:
-          - go1.20.4_2023-05-02
+          - go1.20.6_2023-07-19
+          - go1.21rc2_2023-07-19
         # Tests command definitions. Use the entire "docker compose" command you want to run.
         tests:
           # Run ./test.sh --help for a description of each of the flags.
@@ -60,10 +61,10 @@ jobs:
           # container (used for service discovery).
           - "docker compose run --use-aliases netaccess ./test.sh --gomod-vendor"
 
-    # This sets the docker image tag for the boulder-tools repository to
-    # use in tests. It will be set appropriately for each tag in the list
-    # defined in the matrix.
     env:
+      # This sets the docker image tag for the boulder-tools repository to
+      # use in tests. It will be set appropriately for each tag in the list
+      # defined in the matrix.
       BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}
 
     # Sequence of tasks that will be executed as part of the job.
@@ -72,11 +73,16 @@ jobs:
       - uses: actions/checkout@v3
         with:
           persist-credentials: false
+
+      # TODO(#6998): Remove this step when the ubuntu-20.04 image has v2.20.0+.
+      # Install instructions copied from https://docs.docker.com/compose/install/linux/#install-the-plugin-manually
+      - name: Update docker compose plugin
+        run: mkdir -p ${DOCKER_CONFIG:-$HOME/.docker}/cli-plugins && curl -SL https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-linux-x86_64 -o ${DOCKER_CONFIG:-$HOME/.docker}/cli-plugins/docker-compose && chmod +x ${DOCKER_CONFIG:-$HOME/.docker}/cli-plugins/docker-compose
 
       - name: Docker Login
         # You may pin to the exact commit or the version.
         # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
         with:
           # Username used to log against the Docker registry
           username: ${{ secrets.DOCKER_USERNAME}}
@@ -95,10 +101,73 @@ jobs:
       - name: docker compose pull
         run: docker compose pull
 
+      # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on
+      # go1.21rc2 or higher. This experiment value is unknown in lower versions.
+      - if: startsWith(matrix.BOULDER_TOOLS_TAG, 'go1.21')
+        run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+
       # Run the test matrix. This will run
       - name: "Run Test: ${{ matrix.tests }}"
         run: ${{ matrix.tests }}
 
+  govulncheck:
+    runs-on: ubuntu-20.04
+    strategy:
+      # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true
+      fail-fast: false
+      matrix:
+        # Add additional docker image tags here and all tests will be run with the additional image.
+        BOULDER_TOOLS_TAG:
+          - go1.20.6_2023-07-19
+          - go1.21rc2_2023-07-19
+
+    env:
+      # This sets the docker image tag for the boulder-tools repository to
+      # use in tests. It will be set appropriately for each tag in the list
+      # defined in the matrix.
+      BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}
+
+    steps:
+      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Docker Login
+        # You may pin to the exact commit or the version.
+        # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
+        uses: docker/[email protected]
+        with:
+          # Username used to log against the Docker registry
+          username: ${{ secrets.DOCKER_USERNAME}}
+          # Password or personal access token used to log against the Docker registry
+          password: ${{ secrets.DOCKER_PASSWORD}}
+          # Log out from the Docker registry at the end of a job
+          logout: true
+        continue-on-error: true
+
+      # Print the env variable being used to pull the docker image. For
+      # informational use.
+      - name: Print BOULDER_TOOLS_TAG
+        run: echo "Using BOULDER_TOOLS_TAG ${BOULDER_TOOLS_TAG}"
+
+      # Pre-pull the docker containers before running the tests.
+      - name: docker compose pull netaccess
+        run: docker compose pull netaccess
+
+      # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on
+      # go1.21rc2 or higher. This experiment value is unknown in lower versions.
+      - if: startsWith(matrix.BOULDER_TOOLS_TAG, 'go1.21')
+        run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+
+      # Unset the GOFLAGS environment variable because, by default, it will be
+      # set to "GOFLAGS='-mod=vendor'" which all go subcommands will utilize. In
+      # this instance, we want to run a package that isn't vendored in our
+      # repository because 1) we don't need this package for CA operations and
+      # 2) we want the benefits of vulnerability checking.
+      - name: Run govulncheck
+        run: docker compose run -e GOFLAGS= netaccess go run golang.org/x/vuln/cmd/govulncheck@latest ./...
+
   # This is a utility build job to detect if the status of any of the
   # above jobs have failed and fail if so. It is needed so there can be
   # one static job name that can be used to determine success of the job
@@ -109,8 +178,10 @@ jobs:
     if: ${{ always() }}
     runs-on: ubuntu-latest
     name: Boulder CI Test Matrix
-    needs: b
+    needs:
+      - b
+      - govulncheck
     steps:
       - name: Check boulder ci test matrix status
-        if: ${{ needs.b.result != 'success' }}
+        if: ${{ needs.b.result != 'success' || needs.govulncheck.result != 'success' }}
         run: exit 1

.github/workflows/release.yml

@@ -15,7 +15,8 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - "1.20.4"
+          - "1.20.6"
+          - "1.21rc2"
     runs-on: ubuntu-20.04
     permissions:
       contents: write
@@ -24,6 +25,11 @@ jobs:
         with:
           persist-credentials: false
 
+      # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on
+      # go1.21rc2 or higher. This experiment value is unknown in lower versions.
+      - if: startsWith(matrix.GO_VERSION, '1.21')
+        run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+
       - name: Build .deb
         id: build
         env:

.github/workflows/try-release.yml

@@ -15,13 +15,19 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - "1.20.4"
+          - "1.20.6"
+          - "1.21rc2"
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v3
         with:
           persist-credentials: false
 
+      # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on
+      # go1.21rc2 or higher. This experiment value is unknown in lower versions.
+      - if: startsWith(matrix.GO_VERSION, '1.21')
+        run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+
       - name: Build .deb
         id: build
         env:

bdns/servers.go

@@ -105,9 +105,6 @@ type dynamicProvider struct {
 	// a hostname it will be resolved via the system DNS. If the port is left
 	// unspecified it will default to '53'. If this field is left unspecified
 	// the system DNS will be used for resolution of DNS backends.
-	//
-	// TODO(#6868): Make this field required once 'dnsResolver' is removed from
-	// the boulder-va JSON config in favor of 'dnsProvider'.
 	dnsAuthority string
 	// service is the service name to look up SRV records for within the domain.
 	// If this field is left unspecified 'dns' will be used as the service name.
@@ -189,19 +186,15 @@ func StartDynamicProvider(c *cmd.DNSProvider, refresh time.Duration) (*dynamicPr
 		service = "dns"
 	}
 
-	// TODO(#6868): Make dnsAuthority required once 'dnsResolver' is removed
-	// from the boulder-va JSON config in favor of 'dnsProvider'.
-	dnsAuthority := c.DNSAuthority
-	if dnsAuthority != "" {
-		host, port, err := ParseTarget(dnsAuthority, "53")
-		if err != nil {
-			return nil, err
-		}
-		dnsAuthority = net.JoinHostPort(host, port)
-		err = validateServerAddress(dnsAuthority)
-		if err != nil {
-			return nil, err
-		}
+	host, port, err := ParseTarget(c.DNSAuthority, "53")
+	if err != nil {
+		return nil, err
+	}
+
+	dnsAuthority := net.JoinHostPort(host, port)
+	err = validateServerAddress(dnsAuthority)
+	if err != nil {
+		return nil, err
 	}
 
 	dp := dynamicProvider{
@@ -222,7 +215,7 @@ func StartDynamicProvider(c *cmd.DNSProvider, refresh time.Duration) (*dynamicPr
 
 	// Update once immediately, so we can know whether that was successful, then
 	// kick off the long-running update goroutine.
-	err := dp.update()
+	err = dp.update()
 	if err != nil {
 		return nil, fmt.Errorf("failed to start dynamic provider: %w", err)
 	}
@@ -261,17 +254,12 @@ func (dp *dynamicProvider) update() error {
 	ctx, cancel := context.WithTimeout(context.Background(), dp.refresh/2)
 	defer cancel()
 
-	// If dnsAuthority is specified, setup a custom resolver to use it
-	// otherwise use a default system resolver.
-	resolver := net.DefaultResolver
-	if dp.dnsAuthority != "" {
-		resolver = &net.Resolver{
-			PreferGo: true,
-			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
-				d := &net.Dialer{}
-				return d.DialContext(ctx, network, dp.dnsAuthority)
-			},
-		}
+	resolver := &net.Resolver{
+		PreferGo: true,
+		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
+			d := &net.Dialer{}
+			return d.DialContext(ctx, network, dp.dnsAuthority)
+		},
 	}
 
 	// RFC 2782 formatted SRV record being queried e.g. "_service._proto.name."

ca/ca.go

@@ -220,43 +220,14 @@ func (ca *certificateAuthorityImpl) IssuePrecertificate(ctx context.Context, iss
 		return nil, err
 	}
 
-	precertDER, issuer, err := ca.issuePrecertificateInner(ctx, issueReq, serialBigInt, validity)
+	precertDER, _, err := ca.issuePrecertificateInner(ctx, issueReq, serialBigInt, validity)
 	if err != nil {
 		return nil, err
 	}
-	issuerNameID := issuer.Cert.NameID()
 
-	req := &sapb.AddCertificateRequest{
-		Der:          precertDER,
-		RegID:        regID,
-		Issued:       nowNanos,
-		IssuerNameID: int64(issuerNameID),
-	}
-
-	if features.Enabled(features.StoreLintingCertificateInsteadOfPrecertificate) {
-		_, err = ca.sa.SetCertificateStatusReady(ctx, &sapb.Serial{Serial: serialHex})
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		_, err = ca.sa.AddPrecertificate(ctx, req)
-		if err != nil {
-			ca.orphanCount.With(prometheus.Labels{"type": "precert"}).Inc()
-			err = berrors.InternalServerError(err.Error())
-			// Note: This log line is parsed by cmd/orphan-finder. If you make any
-			// changes here, you should make sure they are reflected in orphan-finder.
-			ca.log.AuditErrf("Failed RPC to store at SA, orphaning precertificate: serial=[%s], cert=[%s], issuerID=[%d], regID=[%d], orderID=[%d], err=[%v]",
-				serialHex, hex.EncodeToString(precertDER), issuerNameID, issueReq.RegistrationID, issueReq.OrderID, err)
-			if ca.orphanQueue != nil {
-				ca.queueOrphan(&orphanedCert{
-					DER:      precertDER,
-					RegID:    regID,
-					Precert:  true,
-					IssuerID: int64(issuerNameID),
-				})
-			}
-			return nil, err
-		}
+	_, err = ca.sa.SetCertificateStatusReady(ctx, &sapb.Serial{Serial: serialHex})
+	if err != nil {
+		return nil, err
 	}
 
 	return &capb.IssuePrecertificateResponse{
@@ -460,18 +431,16 @@ func (ca *certificateAuthorityImpl) issuePrecertificateInner(ctx context.Context
 		return nil, nil, berrors.InternalServerError("failed to prepare precertificate signing: %s", err)
 	}
 
-	if features.Enabled(features.StoreLintingCertificateInsteadOfPrecertificate) {
-		nowNanos := ca.clk.Now().UnixNano()
-		_, err = ca.sa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
-			Der:          lintCertBytes,
-			RegID:        issueReq.RegistrationID,
-			Issued:       nowNanos,
-			IssuerNameID: int64(issuer.Cert.NameID()),
-			OcspNotReady: true,
-		})
-		if err != nil {
-			return nil, nil, err
-		}
+	nowNanos := ca.clk.Now().UnixNano()
+	_, err = ca.sa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
+		Der:          lintCertBytes,
+		RegID:        issueReq.RegistrationID,
+		Issued:       nowNanos,
+		IssuerNameID: int64(issuer.Cert.NameID()),
+		OcspNotReady: true,
+	})
+	if err != nil {
+		return nil, nil, err
 	}
 
 	certDER, err := issuer.Issue(issuanceToken)
@@ -551,7 +520,7 @@ func (ca *certificateAuthorityImpl) OrphanIntegrationLoop() {
 	}
 }
 
-// integrateOrpan removes an orphan from the queue and adds it to the database. The
+// integrateOrphan removes an orphan from the queue and adds it to the database. The
 // item isn't dequeued until it is actually added to the database to prevent items from
 // being lost if the CA is restarted between the item being dequeued and being added to
 // the database. It calculates the issuance time by subtracting the backdate period from