
va: Check for RIR and Perspective mismatches at runtime when they're …
…provided (#7841)

- Ensure the Perspective and RIR reported by each remoteVA in the
*vapb.ValidationResult returned by VA.PerformValidation match the
expected local configuration when that configuration is present.
- Correct "AfriNIC" to "AFRINIC", everywhere.

Part of #7819
beautifulentropy committed Dec 6, 2024
1 parent 5cd629c commit 4316c7c
Showing 3 changed files with 16 additions and 5 deletions.
6 changes: 5 additions & 1 deletion cmd/boulder-va/main.go
Expand Up @@ -30,6 +30,8 @@ type RemoteVAGRPCClientConfig struct {
// Requirement 2.7 ("Multi-Perspective Issuance Corroboration attempts
// from each Network Perspective"). It should uniquely identify a group
// of RVAs deployed in the same datacenter.
//
// TODO(#7615): Make mandatory.
Perspective string `validate:"required"`

// RIR indicates the Regional Internet Registry where this RVA is
Expand All @@ -42,7 +44,9 @@ type RemoteVAGRPCClientConfig struct {
// - APNIC
// - LACNIC
// - AFRINIC
RIR string `validate:"required,oneof=ARIN RIPE APNIC LACNIC AFRINIC"`
//
// TODO(#7615): Make mandatory.
RIR string `validate:"omitempty,oneof=ARIN RIPE APNIC LACNIC AFRINIC"`
}

type Config struct {
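Review bot: The `Perspective` field of `RemoteVAGRPCClientConfig` still carries `validate:"required"` even though the comment added directly above it says `TODO(#7615): Make mandatory.`, while `RIR` in the same struct is relaxed to `omitempty,oneof=...`. Either relax the tag to `validate:"omitempty"` so both fields follow the transitional "check only when provided" rule, or drop the TODO on `Perspective` because the field is already mandatory here. The `!= ""` guards this commit adds in va/va.go suggest an empty perspective was meant to be accepted, so the first option looks like the intent. The struct begins above the first hunk.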
8 changes: 6 additions & 2 deletions cmd/remoteva/main.go
Expand Up @@ -25,7 +25,9 @@ type Config struct {
// Requirement 2.7 ("Multi-Perspective Issuance Corroboration attempts
// from each Network Perspective"). It should uniquely identify a group
// of RVAs deployed in the same datacenter.
Perspective string `validate:"required"`
//
// TODO(#7615): Make mandatory.
Perspective string `omitempty:"omitempty"`

// RIR indicates the Regional Internet Registry where this RVA is
// located. This field is used to identify the RIR region from which a
Expand All @@ -37,7 +39,9 @@ type Config struct {
// - APNIC
// - LACNIC
// - AFRINIC
RIR string `validate:"required,oneof=ARIN RIPE APNIC LACNIC AFRINIC"`
//
// TODO(#7615): Make mandatory.
RIR string `validate:"omitempty,oneof=ARIN RIPE APNIC LACNIC AFRINIC"`

// SkipGRPCClientCertVerification, when disabled as it should typically
// be, will cause the remoteva server (which receives gRPCs from a
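Review bot: The new `Perspective` line in `Config` uses the struct tag key `omitempty` (`omitempty:"omitempty"`) instead of `validate`, which is the key on the `RIR` field just below it. A validator that reads the `validate` key will presumably find no rule on this field at all, so it is optional only by accident; the tag should read `validate:"omitempty"`. The typo is also easy to miss when #7615 makes the field mandatory again. At that point a remote VA could still start without a perspective, and the runtime mismatch check in va/va.go would be skipped for it.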
7 changes: 5 additions & 2 deletions va/va.go
Expand Up @@ -242,7 +242,8 @@ func NewValidationAuthorityImpl(

for i, va1 := range remoteVAs {
for j, va2 := range remoteVAs {
if i != j && va1.Perspective == va2.Perspective {
// TODO(#7615): Remove the != "" check once perspective is required.
if i != j && va1.Perspective == va2.Perspective && va1.Perspective != "" {
return nil, fmt.Errorf("duplicate remote VA perspective %q", va1.Perspective)
}
}
Expand Down Expand Up @@ -508,7 +509,9 @@ func (va *ValidationAuthorityImpl) performRemoteOperation(ctx context.Context, o
responses <- &response{rva.Address, rva.Perspective, rva.RIR, res, err}
return
}
if res.GetPerspective() != rva.Perspective || res.GetRir() != rva.RIR {
// TODO(#7615): Remove the != "" checks once perspective and rir are required.
if (rva.Perspective != "" && res.GetPerspective() != "" && res.GetPerspective() != rva.Perspective) ||
(rva.RIR != "" && res.GetRir() != "" && res.GetRir() != rva.RIR) {
err = fmt.Errorf(
"Expected perspective %q (%q) but got reply from %q (%q) - misconfiguration likely", rva.Perspective, rva.RIR, res.GetPerspective(), res.GetRir(),
)
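Review bot: The mismatch check in `performRemoteOperation` now fails open: when `rva.Perspective` or `rva.RIR` is configured locally but the remote reply carries an empty value, the `res.GetPerspective() != ""` and `res.GetRir() != ""` guards skip the comparison and the response is accepted. That is reasonable during the transition, but a reply from an RVA that reports no identity then looks the same as a correctly matched one, so it would be worth recording that case with a log line or counter, or at least stating it next to the TODO, e.g. `// An empty value reported by the RVA skips this check; see #7615.` Separately, in `NewValidationAuthorityImpl` any number of remote VAs with an empty perspective now pass the duplicate check, so uniqueness is only enforced among those that set one. Both functions continue outside the hunks shown.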
