ra: Add IdentifierTypes to profiles (#8154)

jprenken · web-flow · commit 60033836dbf8 · 2025-05-16T13:57:02.000-07:00
Add `IdentifierTypes` to validation profiles' config, defaulting to DNS if not set. In `NewOrder`, check that the order's profile permits each identifier's type. Fixes #8137 Depends on #8173
diff --git a/ra/ra.go b/ra/ra.go
@@ -302,10 +302,12 @@ type ValidationProfileConfig struct {
 	// specified, the profile is open to all accounts. If the file
 	// exists but is empty, the profile is closed to all accounts.
 	AllowList string `validate:"omitempty"`
+	// IdentifierTypes is a list of identifier types that may be issued under
+	// this profile. If none are specified, it defaults to "dns".
+	IdentifierTypes []identifier.IdentifierType `validate:"omitempty,dive,oneof=dns ip"`
 }
 
-// validationProfile holds the order and authz lifetimes and allowlist for a
-// given validation profile.
+// validationProfile holds the attributes of a given validation profile.
 type validationProfile struct {
 	// pendingAuthzLifetime defines how far in the future an authorization's
 	// "expires" timestamp is set when it is first created, i.e. how much
@@ -327,6 +329,9 @@ type validationProfile struct {
 	// allowList holds the set of account IDs allowed to use this profile. If
 	// nil, the profile is open to all accounts (everyone is allowed).
 	allowList *allowlist.List[int64]
+	// identifierTypes is a list of identifier types that may be issued under
+	// this profile. If none are specified, it defaults to "dns".
+	identifierTypes []identifier.IdentifierType
 }
 
 // validationProfiles provides access to the set of configured profiles,
@@ -379,12 +384,22 @@ func NewValidationProfiles(defaultName string, configs map[string]*ValidationPro
 			}
 		}
 
+		identifierTypes := config.IdentifierTypes
+		// If this profile has no identifier types configured, default to DNS.
+		// This default is temporary, to improve deployability.
+		//
+		// TODO(#8184): Remove this default and use config.IdentifierTypes below.
+		if len(identifierTypes) == 0 {
+			identifierTypes = []identifier.IdentifierType{identifier.TypeDNS}
+		}
+
 		profiles[name] = &validationProfile{
 			pendingAuthzLifetime: config.PendingAuthzLifetime.Duration,
 			validAuthzLifetime:   config.ValidAuthzLifetime.Duration,
 			orderLifetime:        config.OrderLifetime.Duration,
 			maxNames:             config.MaxNames,
 			allowList:            allowList,
+			identifierTypes:      identifierTypes,
 		}
 	}
 
@@ -2338,7 +2353,14 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 			"Order cannot contain more than %d identifiers", profile.maxNames)
 	}
 
-	// Validate that our policy allows issuing for each of the names in the order
+	for _, ident := range idents {
+		if !slices.Contains(profile.identifierTypes, ident.Type) {
+			return nil, berrors.RejectedIdentifierError("Profile %q does not permit %s type identifiers", req.CertificateProfileName, ident.Type)
+		}
+	}
+
+	// Validate that our policy allows issuing for each of the identifiers in
+	// the order
 	err = ra.PA.WillingToIssue(idents)
 	if err != nil {
 		return nil, err
diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -10,6 +10,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"encoding/hex"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@@ -77,6 +78,27 @@ func randomDomain() string {
 	return fmt.Sprintf("%x.example.com", bytes[:])
 }
 
+// randomIPv6 creates a random IPv6 netip.Addr for testing. It uses a real IPv6
+// address range, not a test/documentation range.
+//
+// panics if crypto/rand.Rand.Read or netip.AddrFromSlice fails.
+func randomIPv6() netip.Addr {
+	var ipBytes [10]byte
+	_, err := rand.Read(ipBytes[:])
+	if err != nil {
+		panic(err)
+	}
+	ipPrefix, err := hex.DecodeString("2602080a600f")
+	if err != nil {
+		panic(err)
+	}
+	ip, ok := netip.AddrFromSlice(bytes.Join([][]byte{ipPrefix, ipBytes[:]}, nil))
+	if !ok {
+		panic("Couldn't parse random IP to netip.Addr")
+	}
+	return ip
+}
+
 func createPendingAuthorization(t *testing.T, sa sapb.StorageAuthorityClient, ident identifier.ACMEIdentifier, exp time.Time) *corepb.Authorization {
 	t.Helper()
 
@@ -354,6 +376,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
 			validAuthzLifetime:   300 * 24 * time.Hour,
 			orderLifetime:        7 * 24 * time.Hour,
 			maxNames:             100,
+			identifierTypes:      []identifier.IdentifierType{identifier.TypeDNS},
 		}},
 	}
 
@@ -1801,12 +1824,14 @@ func TestNewOrder_ValidationProfiles(t *testing.T) {
 				validAuthzLifetime:   1 * 24 * time.Hour,
 				orderLifetime:        1 * 24 * time.Hour,
 				maxNames:             10,
+				identifierTypes:      []identifier.IdentifierType{identifier.TypeDNS},
 			},
 			"two": {
 				pendingAuthzLifetime: 2 * 24 * time.Hour,
 				validAuthzLifetime:   2 * 24 * time.Hour,
 				orderLifetime:        2 * 24 * time.Hour,
 				maxNames:             10,
+				identifierTypes:      []identifier.IdentifierType{identifier.TypeDNS},
 			},
 		},
 	}
@@ -1900,6 +1925,7 @@ func TestNewOrder_ProfileSelectionAllowList(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			tc.profile.maxNames = 1
+			tc.profile.identifierTypes = []identifier.IdentifierType{identifier.TypeDNS}
 			ra.profiles.byName = map[string]*validationProfile{
 				"test": &tc.profile,
 			}
@@ -1921,6 +1947,83 @@ func TestNewOrder_ProfileSelectionAllowList(t *testing.T) {
 	}
 }
 
+func TestNewOrder_ProfileIdentifierTypes(t *testing.T) {
+	_, _, ra, _, _, cleanUp := initAuthorities(t)
+	defer cleanUp()
+
+	testCases := []struct {
+		name       string
+		identTypes []identifier.IdentifierType
+		idents     []*corepb.Identifier
+		expectErr  string
+	}{
+		{
+			name:       "Permit DNS, provide DNS names",
+			identTypes: []identifier.IdentifierType{identifier.TypeDNS},
+			idents:     []*corepb.Identifier{identifier.NewDNS(randomDomain()).ToProto(), identifier.NewDNS(randomDomain()).ToProto()},
+		},
+		{
+			name:       "Permit IP, provide IPs",
+			identTypes: []identifier.IdentifierType{identifier.TypeIP},
+			idents:     []*corepb.Identifier{identifier.NewIP(randomIPv6()).ToProto(), identifier.NewIP(randomIPv6()).ToProto()},
+		},
+		{
+			name:       "Permit DNS & IP, provide DNS & IP",
+			identTypes: []identifier.IdentifierType{identifier.TypeDNS, identifier.TypeIP},
+			idents:     []*corepb.Identifier{identifier.NewIP(randomIPv6()).ToProto(), identifier.NewDNS(randomDomain()).ToProto()},
+		},
+		{
+			name:       "Permit DNS, provide IP",
+			identTypes: []identifier.IdentifierType{identifier.TypeDNS},
+			idents:     []*corepb.Identifier{identifier.NewIP(randomIPv6()).ToProto()},
+			expectErr:  "Profile \"test\" does not permit ip type identifiers",
+		},
+		{
+			name:       "Permit DNS, provide DNS & IP",
+			identTypes: []identifier.IdentifierType{identifier.TypeDNS},
+			idents:     []*corepb.Identifier{identifier.NewDNS(randomDomain()).ToProto(), identifier.NewIP(randomIPv6()).ToProto()},
+			expectErr:  "Profile \"test\" does not permit ip type identifiers",
+		},
+		{
+			name:       "Permit IP, provide DNS",
+			identTypes: []identifier.IdentifierType{identifier.TypeIP},
+			idents:     []*corepb.Identifier{identifier.NewDNS(randomDomain()).ToProto()},
+			expectErr:  "Profile \"test\" does not permit dns type identifiers",
+		},
+		{
+			name:       "Permit IP, provide DNS & IP",
+			identTypes: []identifier.IdentifierType{identifier.TypeIP},
+			idents:     []*corepb.Identifier{identifier.NewIP(randomIPv6()).ToProto(), identifier.NewDNS(randomDomain()).ToProto()},
+			expectErr:  "Profile \"test\" does not permit dns type identifiers",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var profile validationProfile
+			profile.maxNames = 2
+			profile.identifierTypes = tc.identTypes
+			ra.profiles.byName = map[string]*validationProfile{
+				"test": &profile,
+			}
+
+			orderReq := &rapb.NewOrderRequest{
+				RegistrationID:         Registration.Id,
+				Identifiers:            tc.idents,
+				CertificateProfileName: "test",
+			}
+			_, err := ra.NewOrder(context.Background(), orderReq)
+
+			if tc.expectErr != "" {
+				test.AssertErrorIs(t, err, berrors.RejectedIdentifier)
+				test.AssertContains(t, err.Error(), tc.expectErr)
+			} else {
+				test.AssertNotError(t, err, "NewOrder failed")
+			}
+		})
+	}
+}
+
 // mockSAWithAuthzs has a GetAuthorizations2 method that returns the protobuf
 // version of its authzs struct member. It also has a fake GetOrderForNames
 // which always fails, and a fake NewOrderAndAuthzs which always succeeds, to
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -41,19 +41,29 @@
 				"pendingAuthzLifetime": "168h",
 				"validAuthzLifetime": "720h",
 				"orderLifetime": "168h",
-				"maxNames": 100
+				"maxNames": 100,
+				"identifierTypes": [
+					"dns"
+				]
 			},
 			"modern": {
 				"pendingAuthzLifetime": "7h",
 				"validAuthzLifetime": "7h",
 				"orderLifetime": "7h",
-				"maxNames": 10
+				"maxNames": 10,
+				"identifierTypes": [
+					"dns"
+				]
 			},
 			"shortlived": {
 				"pendingAuthzLifetime": "7h",
 				"validAuthzLifetime": "7h",
 				"orderLifetime": "7h",
-				"maxNames": 10
+				"maxNames": 10,
+				"identifierTypes": [
+					"dns",
+					"ip"
+				]
 			}
 		},
 		"defaultProfileName": "legacy",
