From c3f23f62d2c4128dbc1e3f4f80386432903a135c Mon Sep 17 00:00:00 2001
From: Seth Schoen <schoen@eff.org>
Date: Thu, 15 Nov 2012 21:34:00 -0800
Subject: [PATCH] put session into payment state after verifying dvsni if
 policy calls for a payment

---
 server-ca/chocolate.py            |  4 ++++
 server-ca/testchallenge-daemon.py | 18 ++++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/server-ca/chocolate.py b/server-ca/chocolate.py
index 980790815..111d22568 100755
--- a/server-ca/chocolate.py
+++ b/server-ca/chocolate.py
@@ -69,6 +69,7 @@ class session(object):
         #   yet been received;
         # * "makechallenge" where the CA is still coming up with challenges,
         # * "testchallenge" where the challenges have been issued,
+        # * "payment" where the recipient must pay for the certificate,
         # * "issue" where the CA is in the process of issuing the cert,
         # * "done" where the cert has been issued.
         #
@@ -346,6 +347,9 @@ class session(object):
                     pass
             self.send_challenges(m, r)
             return
+        if state == "payment":
+            # XXX TODO send a payment challenge including URL to complete payment
+            pass
         # If we're in done, tell the client about the successfully issued cert.
         if state == "done":
             self.send_cert(m, r)
diff --git a/server-ca/testchallenge-daemon.py b/server-ca/testchallenge-daemon.py
index 65d05fac1..a033b48db 100755
--- a/server-ca/testchallenge-daemon.py
+++ b/server-ca/testchallenge-daemon.py
@@ -5,6 +5,7 @@
 # challenges have been met, and to perform this test.
 
 import redis, time, sys, signal
+import policy
 from redis_lock import redis_lock
 from sni_challenge.verify import verify_challenge
 
@@ -83,15 +84,24 @@ def testchallenge(session):
              all_satisfied = False
     if all_satisfied:
         # Challenges all succeeded, so we should prepare to issue
-        # the requested cert.
+        # the requested cert or request a payment if applicable.
         # TODO: double-check that there were > 0 challenges,
         # so that we don't somehow mistakenly issue a cert in
         # response to an empty list of challenges (even though
         # the daemon that put this session on the queue should
         # also have implicitly guaranteed this).
-        if debug: print "\t** All challenges satisfied; request %s GRANTED" % short(session)
-        r.hset(session, "state", "issue")
-        r.lpush("pending-issue", session)
+        if policy.payment_required(session):
+            if debug: print "\t** All challenges satisfied; request %s NEEDS PAYMENT" % short(session)
+            r.hset(session, "state", "payment")
+            # According to current practice, there is no pending-payment
+            # queue because sessions can get out of payment state
+            # instantaneously as soon as the payment system sends a "payments"
+            # pubsub message to
+            # the payments daemon.
+        else:
+            if debug: print "\t** All challenges satisfied; request %s GRANTED" % short(session)
+            r.hset(session, "state", "issue")
+            r.lpush("pending-issue", session)
     else:
         # Some challenges were not verified.  In the current
         # design of this daemon, the client must contact