Add Identifiers to Authorization & Order structs #7961
Add `identifier` fields, which will soon replace the `dnsName` fields, to:
- `corepb.Authorization`
- `corepb.Order`
- `rapb.NewOrderRequest`
- `sapb.CountFQDNSetsRequest`
- `sapb.CountInvalidAuthorizationsRequest`
- `sapb.FQDNSetExistsRequest`
- `sapb.GetAuthorizationsRequest`
- `sapb.GetOrderForNamesRequest`
- `sapb.GetValidAuthorizationsRequest`
- `sapb.NewOrderRequest`

Populate these `identifier` fields in every function that creates instances of these structs.

Preferentially use these `identifier` fields in every function that uses these structs - but when crossing component boundaries, don't assume they'll be present, for deployability's sake.

Part of #7311
…within structs only
`SliceFromProto` is neatly designed in that it does double duty as both a conversion function and a defaulting function, but the number of places it's called with the first or second arg nil suggests that mixing up those roles is actually having a negative effect.
I think we should split up the defaulting function from the type conversion functions, so it's clear at the call site which behavior we're using a function for.
Also: you and I had talked on video the other day about the neat property that proto objects all have named accessor functions. At the time I wasn't sure if it made sense to take advantage of that property, but looking at this PR I think it would be quite useful. We have a bunch of different objects that all have `Identifiers` and `DnsNames` (and thus `.GetIdentifiers()` and `.GetDnsNames()`). And we want the same logic for all of them: if you got `Identifiers`, use it verbatim and ignore `DnsNames`; otherwise convert `DnsNames` and use that.
It would look something like this (untested):
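```go
// HasIdentifiers is satisfied by any proto message that carries both the
// new Identifiers field and the legacy DnsNames field.
type HasIdentifiers interface {
	// Returns a slice of pointers, matching generated proto accessors and
	// the return type of ProtoToProtoDefaulted below.
	GetIdentifiers() []*corepb.Identifier
	GetDnsNames() []string
}

// ProtoToProtoDefaulted returns Identifiers verbatim if any are present;
// otherwise it converts DnsNames into "dns" identifiers.
func ProtoToProtoDefaulted(input HasIdentifiers) []*corepb.Identifier {
	if len(input.GetIdentifiers()) > 0 {
		return input.GetIdentifiers()
	}
	return ToProto(DNSNames(input.GetDnsNames()))
}

// DNSNames returns a list of ACMEIdentifier of type "dns".
func DNSNames(input []string) []ACMEIdentifier {
	var out []ACMEIdentifier
	for _, in := range input {
		out = append(out, NewDNS(in))
	}
	return out
}

// ToProto turns a list of ACMEIdentifier into a list of *corepb.Identifier.
func ToProto(input []ACMEIdentifier) []*corepb.Identifier {
	var out []*corepb.Identifier
	for _, in := range input {
		out = append(out, in.AsProto())
	}
	return out
}
```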
I think there's also a place for another function:
```go
// AllDNS returns a list of DNS names from the input, if the input contains only DNS identifiers. Otherwise it returns an error.
func AllDNS(input []ACMEIdentifier) ([]string, error)
```
This would facilitate updating some of the places where we're still assuming DNS, and ensuring that we return an error if that assumption fails.
In terms of looking for split points where smaller PRs could land on their own, it looks like the changes to `policy/pa.go` and their call sites (`WillingToIssue`, `WellFormedDomainNames`) are nicely independent. Also, the new `FromCert()` (and updating all the call sites that need it) is a nicely independent piece of code.
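An added illustration of the two ideas in the review comment above, not code from the PR or from Boulder: defaulting through the named accessors, then a fail-closed `AllDNS` that returns no names at all if any identifier is not DNS. `ACMEIdentifier`, `orderRequest` and `Defaulted` here are self-contained stand-ins whose fields are assumptions, and the sample values are constructed.

```go
package main

import "fmt"

// ACMEIdentifier is a stand-in type; its fields are assumptions, not Boulder's.
type ACMEIdentifier struct{ Type, Value string }

// hasIdentifiers mirrors the accessor pair from the review, on the stand-in type.
type hasIdentifiers interface {
	GetIdentifiers() []ACMEIdentifier
	GetDnsNames() []string
}

// orderRequest is a hypothetical message carrying both the old and new fields.
type orderRequest struct {
	Identifiers []ACMEIdentifier
	DnsNames    []string
}
func (r orderRequest) GetIdentifiers() []ACMEIdentifier { return r.Identifiers }
func (r orderRequest) GetDnsNames() []string            { return r.DnsNames }

// Defaulted uses Identifiers verbatim when present, else converts DnsNames.
func Defaulted(in hasIdentifiers) []ACMEIdentifier {
	if ids := in.GetIdentifiers(); len(ids) > 0 {
		return ids
	}
	var out []ACMEIdentifier
	for _, name := range in.GetDnsNames() {
		out = append(out, ACMEIdentifier{Type: "dns", Value: name})
	}
	return out
}

// AllDNS returns the names only when every identifier is of type "dns".
func AllDNS(input []ACMEIdentifier) ([]string, error) {
	names := make([]string, 0, len(input))
	for _, id := range input {
		if id.Type != "dns" {
			return nil, fmt.Errorf("non-DNS identifier: %s %q", id.Type, id.Value)
		}
		names = append(names, id.Value)
	}
	return names, nil
}

func main() {
	// Constructed sample: a sender that only populates the legacy DnsNames.
	fmt.Println(AllDNS(Defaulted(orderRequest{DnsNames: []string{"a.example"}})))
}
```

Returning `nil` names together with the error keeps a DNS-only caller from acting on a partial list when a non-DNS identifier shows up.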
Add `identifier` fields, which will soon replace the `dnsName` fields, to:
- `corepb.Authorization`
- `corepb.Order`
- `rapb.NewOrderRequest`
- `sapb.CountFQDNSetsRequest`
- `sapb.CountInvalidAuthorizationsRequest`
- `sapb.FQDNSetExistsRequest`
- `sapb.GetAuthorizationsRequest`
- `sapb.GetOrderForNamesRequest`
- `sapb.GetValidAuthorizationsRequest`
- `sapb.NewOrderRequest`

Populate these `identifier` fields in every function that creates instances of these structs.

Use these `identifier` fields instead of `dnsName` fields (at least preferentially) in every function that uses these structs. When crossing component boundaries, don't assume they'll be present, for deployability's sake.

Deployability note: Mismatched `cert-checker` and `sa` versions will be incompatible because of a type change in the arguments to `sa.SelectAuthzsMatchingIssuance`.

Part of #7311