Log the Perspective and RIR when present, do not require at this time.

letsencrypt · Oct 8, 2024 · d3e7ecf · d3e7ecf
1 parent dba1629
commit d3e7ecf
Show file tree

Hide file tree

Showing 8 changed files with 105 additions and 34 deletions.
diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
@@ -115,7 +115,9 @@ func main() {
 		scope,
 		clk,
 		logger,
-		c.VA.AccountURIPrefixes)
+		c.VA.AccountURIPrefixes,
+		va.PrimaryPerspective,
+		"")
 	cmd.FailOnError(err, "Unable to create VA server")
 
 	start, err := bgrpc.NewServer(c.VA.GRPC, logger).Add(

diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
@@ -20,25 +20,27 @@ type Config struct {
 	RVA struct {
 		vaConfig.Common
 
-		// Cluster specifies the cluster name that this RVA belongs to. The
-		// format is unrestricted, but it should uniquely identify a group of
-		// RVAs deployed in the same physical datacenter.
+		// Perspective uniquely identifies the Network Perspective used to
+		// perform the validation, as specified in BRs Section 5.4.1,
+		// Requirement 2.7 ("Multi-Perspective Issuance Corroboration attempts
+		// from each Network Perspective"). It should uniquely identify a group
+		// of RVAs deployed in the same datacenter.
 		//
-		// TODO(#7615): Make mandatory once referenced in audit logs. Update the
-		// comment above.
-		Cluster string `validate:"omitempty"`
+		// TODO(#7615): Make mandatory.
+		Perspective string `validate:"omitempty"`
 
 		// RIR indicates the Regional Internet Registry where this RVA is
-		// located. This will be used to to identify which RIR a given
-		// validation was performed from. Must be one of the following values:
+		// located. This field is used to identify the RIR region from which a
+		// given validation was performed, as specified in the "Phased
+		// Implementation Timeline" in BRs Section 3.2.2.9. It must be one of
+		// the following values:
 		//   - ARIN
 		//   - RIPE
 		//   - APNIC
 		//   - LACNIC
 		//   - AfriNIC
 		//
-		// TODO(#7615): Make mandatory once referenced in audit logs. Update the
-		// comment above.
+		// TODO(#7615): Make mandatory.
 		RIR string `validate:"omitempty,oneof=ARIN RIPE APNIC LACNIC AfriNIC"`
 
 		// SkipGRPCClientCertVerification, when disabled as it should typically
@@ -139,7 +141,9 @@ func main() {
 		scope,
 		clk,
 		logger,
-		c.RVA.AccountURIPrefixes)
+		c.RVA.AccountURIPrefixes,
+		c.RVA.Perspective,
+		c.RVA.RIR)
 	cmd.FailOnError(err, "Unable to create Remote-VA server")
 
 	start, err := bgrpc.NewServer(c.RVA.GRPC, logger).Add(

diff --git a/core/objects.go b/core/objects.go
@@ -129,6 +129,7 @@ type ValidationRecord struct {
 	Port              string   `json:"port,omitempty"`
 	AddressesResolved []net.IP `json:"addressesResolved,omitempty"`
 	AddressUsed       net.IP   `json:"addressUsed,omitempty"`
+
 	// AddressesTried contains a list of addresses tried before the `AddressUsed`.
 	// Presently this will only ever be one IP from `AddressesResolved` since the
 	// only retry is in the case of a v6 failure with one v4 fallback. E.g. if
@@ -144,10 +145,29 @@ type ValidationRecord struct {
 	//   ...
 	// }
 	AddressesTried []net.IP `json:"addressesTried,omitempty"`
+
 	// ResolverAddrs is the host:port of the DNS resolver(s) that fulfilled the
 	// lookup for AddressUsed. During recursive A and AAAA lookups, a record may
 	// instead look like A:host:port or AAAA:host:port
 	ResolverAddrs []string `json:"resolverAddrs,omitempty"`
+
+	// Perspective uniquely identifies the Network Perspective used to perform
+	// the validation, as specified in BRs Section 5.4.1, Requirement 2.7
+	// ("Multi-Perspective Issuance Corroboration attempts from each Network
+	// Perspective"). It should uniquely identify either the Primary Perspective
+	// (VA) or a group of RVAs deployed in the same datacenter.
+	Perspective string `json:"perspective,omitempty"`
+
+	// RIR indicates the Regional Internet Registry where this RVA is located.
+	// This field is used to identify the RIR region from which a given
+	// validation was performed, as specified in the "Phased Implementation
+	// Timeline" in BRs Section 3.2.2.9. It must be one of the following values:
+	//   - ARIN
+	//   - RIPE
+	//   - APNIC
+	//   - LACNIC
+	//   - AfriNIC
+	RIR string `json:"rir,omitempty"`
 }
 
 // Challenge is an aggregate of all data needed for any challenges.

diff --git a/test/config-next/remoteva-b.json b/test/config-next/remoteva-b.json
@@ -38,7 +38,7 @@
 			"http://boulder.service.consul:4001/acme/acct/"
 		],
 		"cluster": "development",
-		"rir": "ARIN"
+		"rir": "RIPE"
 	},
 	"syslog": {
 		"stdoutlevel": 4,

diff --git a/va/proto/va.pb.go b/va/proto/va.pb.go
diff --git a/va/proto/va.proto b/va/proto/va.proto
@@ -40,4 +40,6 @@ message AuthzMeta {
 message ValidationResult {
   repeated core.ValidationRecord records = 1;
   core.ProblemDetails problems = 2;
+  string cluster = 3;
+  string rir = 4;
 }
diff --git a/va/va.go b/va/va.go
@@ -31,6 +31,8 @@ import (
 	vapb "github.com/letsencrypt/boulder/va/proto"
 )
 
+const PrimaryPerspective = "Primary"
+
 var (
 	// badTLSHeader contains the string 'HTTP /' which is returned when
 	// we try to talk TLS to a server that only talks HTTP
@@ -256,6 +258,8 @@ type ValidationAuthorityImpl struct {
 	maxRemoteFailures  int
 	accountURIPrefixes []string
 	singleDialTimeout  time.Duration
+	perspective        string
+	rir                string
 
 	metrics *vaMetrics
 }
@@ -274,6 +278,8 @@ func NewValidationAuthorityImpl(
 	clk clock.Clock,
 	logger blog.Logger,
 	accountURIPrefixes []string,
+	perspective string,
+	rir string,
 ) (*ValidationAuthorityImpl, error) {
 
 	if len(accountURIPrefixes) == 0 {
@@ -300,6 +306,8 @@ func NewValidationAuthorityImpl(
 		// used for the DialContext operations that take place during an
 		// HTTP-01 challenge validation.
 		singleDialTimeout: 10 * time.Second,
+		perspective:       perspective,
+		rir:               rir,
 	}
 
 	return va, nil
@@ -314,6 +322,8 @@ type verificationRequestEvent struct {
 	ValidationLatency float64
 	Error             string `json:",omitempty"`
 	InternalError     string `json:",omitempty"`
+	Perspective       string `json:",omitempty"`
+	RIR               string `json:",omitempty"`
 }
 
 // ipError is an error type used to pass though the IP address of the remote
@@ -708,6 +718,18 @@ func (va *ValidationAuthorityImpl) PerformValidation(ctx context.Context, req *v
 		return bgrpc.ValidationResultToPB(records, filterProblemDetails(prob))
 	}
 
+	if va.perspective != PrimaryPerspective {
+		// This validation was performed by a remote VA. According to the
+		// requirements in section 5.4.1 (2) vii of the BRs we need to log the
+		// perspective used. Additionally, we'll log the RIR where this RVA is
+		// located.
+		//
+		// TODO(#7615): Make these fields mandatory for non-Primary
+		// perspectives.
+		logEvent.Perspective = va.perspective
+		logEvent.RIR = va.rir
+	}
+
 	// Do remote validation. We do this after local validation is complete to
 	// avoid wasting work when validation will fail anyway. This only returns a
 	// singular problem, because the remote VAs have already audit-logged their

diff --git a/va/va_test.go b/va/va_test.go
@@ -123,6 +123,8 @@ func setup(srv *httptest.Server, maxRemoteFailures int, userAgent string, remote
 		fc,
 		logger,
 		accountURIPrefixes,
+		PrimaryPerspective,
+		"",
 	)
 
 	if mockDNSClientOverride != nil {