Fix race condition during ACME order finalization

base/acme/src/main/java/org/dogtagpki/acme/server/ACMEChallengeProcessor.java

@@ -118,8 +118,6 @@ public void finalizeValidAuthorization() throws Exception {
         Date expirationTime = engine.getPolicy().getValidAuthorizationExpirationTime(currentTime);
         authorization.setExpirationTime(expirationTime);
 
-        engine.updateAuthorization(account, authorization);
-
         logger.info("Updating pending orders");
 
         Collection<ACMEOrder> orders =
@@ -129,6 +127,10 @@ public void finalizeValidAuthorization() throws Exception {
             boolean allAuthorizationsValid = true;
 
             for (String orderAuthzID : order.getAuthzIDs()) {
+                if (orderAuthzID.equals(authzID)) {
+                    // We're about to set it to valid, so treat it as such
+                    continue;
+                }
 
                 ACMEAuthorization authz = engine.getAuthorization(account, orderAuthzID);
                 if (authz.getStatus().equals("valid")) continue;
@@ -147,6 +149,13 @@ public void finalizeValidAuthorization() throws Exception {
 
             engine.updateOrder(account, order);
         }
+
+        // We defer the LDAP update until AFTER any order transitions
+        // occur.  This avoids a race condition where clients that eagerly
+        // proceed to finalization when all Authorizations are "valid"
+        // experience finalization failure, because the __Order__ has not yet
+        // transition to "ready".
+        engine.updateAuthorization(account, authorization);
     }
 
     public void finalizeInvalidAuthorization(ACMEError err) throws Exception {

base/acme/src/main/java/org/dogtagpki/acme/server/ACMEFinalizeOrderService.java

@@ -12,13 +12,15 @@
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.ResponseBuilder;
 import javax.ws.rs.core.UriInfo;
 
 import org.dogtagpki.acme.ACMEAccount;
+import org.dogtagpki.acme.ACMEError;
 import org.dogtagpki.acme.ACMEHeader;
 import org.dogtagpki.acme.ACMENonce;
 import org.dogtagpki.acme.ACMEOrder;
@@ -66,8 +68,25 @@ public Response handlePOST(@PathParam("id") String orderID, JWS jws) throws Exce
         ACMEOrder order = engine.getOrder(account, orderID);
 
         if (!order.getStatus().equals("ready")) {
-            // TODO: generate proper exception
-            throw new Exception("Order not ready: " + orderID);
+
+            // RFC 8555 Section 7.4: Applying for Certificate Issuance
+            //
+            // A request to finalize an order will result in error if the order is
+            // not in the "ready" state.  In such cases, the server MUST return a
+            // 403 (Forbidden) error with a problem document of type
+            // "orderNotReady".  The client should then send a POST-as-GET request
+            // to the order resource to obtain its current state.  The status of the
+            // order will indicate what action the client should take (see below).
+
+            ResponseBuilder builder = Response.status(Response.Status.FORBIDDEN);
+            builder.type("application/problem+json");
+
+            ACMEError error = new ACMEError();
+            error.setType("urn:ietf:params:acme:error:orderNotReady");
+            error.setDetail("Order not ready: " + orderID);
+            builder.entity(error);
+
+            throw new WebApplicationException(builder.build());
         }
 
         order.setStatus("processing");