feat: Add core definitions for dns-account-01#8140
feat: Add core definitions for dns-account-01#8140aarongable merged 8 commits intoletsencrypt:mainfrom
Conversation
sheurich
force-pushed
the
feat-dns-account-01-core
branch
2 times, most recently
from
bd2501a to
217b809
Compare
sheurich
changed the title
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
217b809 to
e8b0275
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
e8b0275 to
5b582d2
Compare
aarongable
left a comment
aarongable
left a comment
There was a problem hiding this comment.
Generally looks good. A few comments but nothing big or structural in the code itself.
That said, I do have one big/overarching comment:
I think it's an antipattern to introduce a feature flag but not immediately turn that feature flag on in the config-next integration tests configuration files. It means that we're not actually testing that flag in a meaningful way, and we could easily miss that step in a later PR (e.g. I don't see the flag being enabled in #8149 either).
But in this case, turning on the feature flag would immediately cause things to blow up, because the SA doesn't know how to convert a dns-account-01 challenge into a database entry.
This suggests to me that we're going about things in slightly the wrong order. In my opinion, the correct order to land these changes would be:
- core definitions
- SA/database support and WFE/rendering support, neither of which needs to be gated behind a flag
- PA, VA, and RA support, plus the feature flag, and new integration tests
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
5b582d2 to
a813c3a
Compare
sheurich
changed the title
|
Thanks @aarongable. I made the suggested changes and split the feature-flag + PA changes to a future PR. |
It seems that no changes are required for WFE rendering. Given that the SA changes are minor (limited to updating the challenge type map), it makes sense to bundle the first two items into this PR. By including the necessary SA changes here, the remaining items—PA, VA, RA support, feature flag implementation, and integration tests—can be moved to #8149. |
sheurich
force-pushed
the
feat-dns-account-01-core
branch
4 times, most recently
from
7e79102 to
70d50ce
Compare
aarongable
requested review from
a team and
beautifulentropy
and removed request for
a team
sheurich
force-pushed
the
feat-dns-account-01-core
branch
2 times, most recently
from
c00aeee to
afc4313
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
2 times, most recently
from
4aafca3 to
afd88db
Compare
|
@aarongable everything is up-to-date and ready for a final review. |
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
afd88db to
69ae9c0
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
69ae9c0 to
e8ee04a
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
e8ee04a to
1c345a9
Compare
|
@aarongable Thanks for the detailed review! I've addressed all the feedback from your reviews: ✅ All Review Comments Resolved:
✅ Architectural Changes Implemented:
The PA, VA, RA support + feature flags are in the follow-up PR #8149. ✅ Dependency Update: This should be ready for final approval! 🚀 |
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
d65b13d to
135b84a
Compare
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
135b84a to
32de32b
Compare
- Add `ChallengeTypeDNSAccount01` constant, `IsValid` update, and `RecordsSane` logic in `core/objects.go` - Add `DNSAccountChallenge01` function and handling in `core/challenges.go` - Add tests for the new challenge type in `core/core_test.go` and `core/objects_test.go` Implements core components for draft-ietf-acme-dns-account-label-00
- Add dns-account-01 challenge type to challTypeToUint map - Add dns-account-01 challenge type to uintToChallType map
…tions2 Extends the existing TestGetValidAuthorizations2 function to verify that authorizations with dns-account-01 challenges can be properly stored in and retrieved from the database.
sheurich
force-pushed
the
feat-dns-account-01-core
branch
from
32de32b to
6726be6
Compare
|
This needs to be rebased to incorporate recent changes, but we believe it's otherwise complete. Any chance y'all can look it over this week? We should be able to work on the rebase Wednesday 07-23. |
aarongable
left a comment
aarongable
left a comment
There was a problem hiding this comment.
LGTM with one formatting nit
empty line between stanzas Co-authored-by: Aaron Gable <aaron@aarongable.com>
|
FYI, you don't have to push a merge commit just because the UI says "this branch is out of date". It'll clean that up on its own when we land the PR. We only require a merge commit when there are actual merge conflicts. |
This pull request introduces support for the `dns-account-01` challenge type as specified in draft-ietf-acme-dns-account-label-01 (https://datatracker.ietf.org/doc/draft-ietf-acme-dns-account-label/01/), building upon PR #8140 which introduced the core type definitions. Core Implementation: - The policy engine in `policy/pa.go` is updated to offer the `dns-account-01` challenge for both standard and wildcard domains. - The main validation authority logic in `va/va.go` is updated to recognize `dns-account-01` challenges and route them to the correct validation routine, passing the necessary account information. - The core validation logic for `dns-account-01` is implemented in `va/dns.go`, which calculates the account-specific DNS label and verifies the corresponding TXT record. Configuration: - The `PAConfig` is updated to recognize `dns-account-01` as a valid challenge type which can be enabled in the PA config. - A new `DNSAccount01Enabled` feature flag is introduced in `features/features.go`. If this flag is not set, then the PA will not offer the new challenge type, and the VA will refuse to validate this challenge type. Testing: - A new suite of integration tests (`test/integration/dns_account_01_test.go`) has been added to cover various scenarios, including successful validation, incorrect TXT records, and wildcard domains. - The PA unit tests have been expanded to cover cases where the `dns-account-01` feature is both enabled and disabled. - The VA unit tests now include `va/dns_account_test.go`, specifically targeting the `dns-account-01` validation logic. - The mock DNS client (`bdns/mocks.go`) has been updated to simulate various `dns-account-01` responses. - The challenge test server client (`test/chall-test-srv-client/client.go`) now includes methods for adding and removing `dns-account-01` challenge responses. These changes provide a complete implementation of the `dns-account-01` challenge, including the necessary logic, configuration, and comprehensive testing to ensure its correctness and reliability.
4 participants
Summary
This PR introduces the foundational components required to support the
dns-account-01challenge type, as specified in draft-ietf-acme-dns-account-label-00.Updated Scope (per review feedback): This PR now focuses only on core definitions and SA support. PA/VA/RA logic moved to PR #8149.
Changes
Core Definitions & Logic:
core/objects.go: AddedChallengeTypeDNSAccount01constant and updated validation methodscore/challenges.go: AddedDNSAccountChallenge01constructor and factory supportStorage Authority (SA) Support:
sa/model.go: Addeddns-account-01to challenge type mappingsTesting:
core/*_test.go: Basic definition and validation testssa/sa_test.go: Database round-trip tests fordns-account-01challengesDependencies:
github.com/eggsampler/acme/v3to release versionv3.6.2Next Steps: PR #8149 will add the PA/VA/RA validation logic and feature flags.