feat: Add core definitions for dns-account-01 #8140
Conversation
sheurich
force-pushed
the
feat-dns-account-01-core
branch
2 times, most recently
from
bd2501a to
217b809
Compare
sheurich
changed the title
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
217b809 to
e8b0275
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
e8b0275 to
5b582d2
Compare
There was a problem hiding this comment.
Generally looks good. A few comments but nothing big or structural in the code itself.
That said, I do have one big/overarching comment:
I think it's an antipattern to introduce a feature flag but not immediately turn that feature flag on in the config-next integration tests configuration files. It means that we're not actually testing that flag in a meaningful way, and we could easily miss that step in a later PR (e.g. I don't see the flag being enabled in #8149 either).
But in this case, turning on the feature flag would immediately cause things to blow up, because the SA doesn't know how to convert a dns-account-01 challenge into a database entry.
This suggests to me that we're going about things in slightly the wrong order. In my opinion, the correct order to land these changes would be:
- core definitions
- SA/database support and WFE/rendering support, neither of which needs to be gated behind a flag
- PA, VA, and RA support, plus the feature flag, and new integration tests
core/objects.go
Outdated
| @@ -238,6 +239,16 @@ func (ch Challenge) RecordsSane() bool { | |||
| return false | |||
| } | |||
| return true | |||
| case ChallengeTypeDNSAccount01: | |||
There was a problem hiding this comment.
Rather than duplicating code in this block, I'd suggest simply changing line 232 to say
case ChallengeTypeDNS01, ChallengeTypeDNSAccount01:
policy/pa.go
Outdated
| @@ -535,16 +536,28 @@ func (pa *AuthorityImpl) ChallengeTypesFor(ident identifier.ACMEIdentifier) ([]c | |||
| // stating that ACME HTTP-01 and TLS-ALPN-01 are not suitable for validating | |||
| // Wildcard Domains. | |||
| if ident.Type == identifier.TypeDNS && strings.HasPrefix(ident.Value, "*.") { | |||
| return []core.AcmeChallenge{core.ChallengeTypeDNS01}, nil | |||
| challenges := []core.AcmeChallenge{core.ChallengeTypeDNS01} | |||
There was a problem hiding this comment.
The comment above this block also needs to be updated to mention dns-account-01.
features/features.go
Outdated
| @@ -89,6 +89,11 @@ type Config struct { | |||
| // StoreARIReplacesInOrders causes the SA to store and retrieve the optional | |||
| // ARI replaces field in the orders table. | |||
| StoreARIReplacesInOrders bool | |||
|
|
|||
| // DNSAccount01Enabled enables or disables support for the dns-account-01 | |||
There was a problem hiding this comment.
This comment should indicate which services respect this flag (i.e. which services it needs to be set in to be fully successful -- don't want to enable it on the RA but not the VA and end up in a broken state).
| @@ -7,7 +7,7 @@ require ( | |||
| github.com/aws/aws-sdk-go-v2/config v1.27.43 | |||
| github.com/aws/aws-sdk-go-v2/service/s3 v1.65.3 | |||
| github.com/aws/smithy-go v1.22.0 | |||
| github.com/eggsampler/acme/v3 v3.6.2-0.20250208073118-0466a0230941 | |||
| github.com/eggsampler/acme/v3 v3.6.2 | |||
There was a problem hiding this comment.
While I appreciate this bump to an actually-released version, it doesn't seem to actually affect any of our vendored code. That suggests to me that it isn't actually necessary for the rest of this PR to work, and I think it should be separated out.
If you update this PR to be only the core definitions (i.e. separate the PA + feature code into a later PR, as I suggest in the top-level comment) then I think including this here will be fine.
policy/pa_test.go
Outdated
| @@ -401,6 +402,9 @@ func TestChallengeTypesFor(t *testing.T) { | |||
| t.Parallel() | |||
| pa := paImpl(t) | |||
|
|
|||
| features.Set(features.Config{DNSAccount01Enabled: true}) | |||
There was a problem hiding this comment.
Ideally this test would run with this flag both enabled and disabled, to prove that the flag works correctly.
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
5b582d2 to
a813c3a
Compare
sheurich
changed the title
|
Thanks @aarongable. I made the suggested changes and split the feature-flag + PA changes to a future PR. |
It seems that no changes are required for WFE rendering. Given that the SA changes are minor (limited to updating the challenge type map), it makes sense to bundle the first two items into this PR. By including the necessary SA changes here, the remaining items—PA, VA, RA support, feature flag implementation, and integration tests—can be moved to #8149. |
sheurich
force-pushed
the
feat-dns-account-01-core
branch
4 times, most recently
from
7e79102 to
70d50ce
Compare
sa/model.go
Outdated
There was a problem hiding this comment.
The changes to this file should be accompanied by changes to either model_test.go or sa_test.go showing that we can successfully round-trip a dns-account-01 challenge into and back out of the database. This should probably be in the form of something similar to the existing TestGetAuthorization2 test, but with the test setup creating an authz with the new dns-account-01 challenge set.
aarongable
requested review from
a team and
beautifulentropy
and removed request for
a team
sheurich
force-pushed
the
feat-dns-account-01-core
branch
2 times, most recently
from
c00aeee to
afc4313
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
2 times, most recently
from
4aafca3 to
afd88db
Compare
|
@aarongable everything is up-to-date and ready for a final review. |
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
afd88db to
69ae9c0
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
69ae9c0 to
e8ee04a
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
e8ee04a to
1c345a9
Compare
|
@aarongable Thanks for the detailed review! I've addressed all the feedback from your reviews: ✅ All Review Comments Resolved:
✅ Architectural Changes Implemented:
The PA, VA, RA support + feature flags are in the follow-up PR #8149. ✅ Dependency Update: This should be ready for final approval! 🚀 |
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
d65b13d to
135b84a
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
135b84a to
32de32b
Compare
- Add `ChallengeTypeDNSAccount01` constant, `IsValid` update, and `RecordsSane` logic in `core/objects.go` - Add `DNSAccountChallenge01` function and handling in `core/challenges.go` - Add tests for the new challenge type in `core/core_test.go` and `core/objects_test.go` Implements core components for draft-ietf-acme-dns-account-label-00
- Add dns-account-01 challenge type to challTypeToUint map - Add dns-account-01 challenge type to uintToChallType map
…tions2 Extends the existing TestGetValidAuthorizations2 function to verify that authorizations with dns-account-01 challenges can be properly stored in and retrieved from the database.
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
32de32b to
6726be6
Compare
Summary
This PR introduces the foundational components required to support the
dns-account-01challenge type, as specified in draft-ietf-acme-dns-account-label-00.Updated Scope (per review feedback): This PR now focuses only on core definitions and SA support. PA/VA/RA logic moved to PR #8149.
Changes
Core Definitions & Logic:
core/objects.go: AddedChallengeTypeDNSAccount01constant and updated validation methodscore/challenges.go: AddedDNSAccountChallenge01constructor and factory supportStorage Authority (SA) Support:
sa/model.go: Addeddns-account-01to challenge type mappingsTesting:
core/*_test.go: Basic definition and validation testssa/sa_test.go: Database round-trip tests fordns-account-01challengesDependencies:
github.com/eggsampler/acme/v3to release versionv3.6.2Next Steps: PR #8149 will add the PA/VA/RA validation logic and feature flags.