|
|
|
@ -24,6 +24,7 @@ import (
|
|
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
|
|
|
|
"reflect"
|
|
|
|
|
"strconv"
|
|
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
@ -370,6 +371,47 @@ func TestChallenge_Validate(t *testing.T) {
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/http-01-insecure": func(t *testing.T) test {
|
|
|
|
|
t.Cleanup(func() {
|
|
|
|
|
InsecurePortHTTP01 = 0
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
ch := &Challenge{
|
|
|
|
|
ID: "chID",
|
|
|
|
|
Status: StatusPending,
|
|
|
|
|
Type: "http-01",
|
|
|
|
|
Token: "token",
|
|
|
|
|
Value: "zap.internal",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
InsecurePortHTTP01 = 8080
|
|
|
|
|
|
|
|
|
|
return test{
|
|
|
|
|
ch: ch,
|
|
|
|
|
vc: &mockClient{
|
|
|
|
|
get: func(url string) (*http.Response, error) {
|
|
|
|
|
return nil, errors.New("force")
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
db: &MockDB{
|
|
|
|
|
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
|
|
|
|
|
assert.Equals(t, updch.ID, ch.ID)
|
|
|
|
|
assert.Equals(t, updch.Token, ch.Token)
|
|
|
|
|
assert.Equals(t, updch.Type, ch.Type)
|
|
|
|
|
assert.Equals(t, updch.Status, ch.Status)
|
|
|
|
|
assert.Equals(t, updch.Value, ch.Value)
|
|
|
|
|
|
|
|
|
|
err := NewError(ErrorConnectionType, "error doing http GET for url http://zap.internal:8080/.well-known/acme-challenge/%s: force", ch.Token)
|
|
|
|
|
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
|
|
|
|
|
assert.Equals(t, updch.Error.Type, err.Type)
|
|
|
|
|
assert.Equals(t, updch.Error.Detail, err.Detail)
|
|
|
|
|
assert.Equals(t, updch.Error.Status, err.Status)
|
|
|
|
|
assert.Equals(t, updch.Error.Detail, err.Detail)
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"fail/dns-01": func(t *testing.T) test {
|
|
|
|
|
ch := &Challenge{
|
|
|
|
|
ID: "chID",
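Review bot: The mock `get` in the new "ok/http-01-insecure" case discards its `url` argument, so the only evidence that `InsecurePortHTTP01 = 8080` was honoured is the prefix match on the error text inside MockUpdateChallenge; asserting the requested URL in the mock pins it directly, e.g. `assert.Equals(t, url, "http://zap.internal:8080/.well-known/acme-challenge/token")` before returning the forced error. The `assert.Equals(t, updch.Error.Detail, err.Detail)` check also appears twice, once before and once after the Status check, and the second copy can be dropped. Since the case writes a package-level variable it cannot run under t.Parallel(); the t.Cleanup reset is the right shape, and a one-line comment next to the assignment saying the variable is shared test state would stop someone adding t.Parallel() later. TestChallenge_Validate starts before this hunk.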
|
|
|
|
@ -501,6 +543,72 @@ func TestChallenge_Validate(t *testing.T) {
|
|
|
|
|
srv, tlsDial := newTestTLSALPNServer(cert)
|
|
|
|
|
srv.Start()
|
|
|
|
|
|
|
|
|
|
return test{
|
|
|
|
|
ch: ch,
|
|
|
|
|
vc: &mockClient{
|
|
|
|
|
tlsDial: tlsDial,
|
|
|
|
|
},
|
|
|
|
|
db: &MockDB{
|
|
|
|
|
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
|
|
|
|
|
assert.Equals(t, updch.ID, ch.ID)
|
|
|
|
|
assert.Equals(t, updch.Token, ch.Token)
|
|
|
|
|
assert.Equals(t, updch.Status, ch.Status)
|
|
|
|
|
assert.Equals(t, updch.Type, ch.Type)
|
|
|
|
|
assert.Equals(t, updch.Value, ch.Value)
|
|
|
|
|
assert.Equals(t, updch.Error, nil)
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
srv: srv,
|
|
|
|
|
jwk: jwk,
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ok/tls-alpn-01-insecure": func(t *testing.T) test {
|
|
|
|
|
t.Cleanup(func() {
|
|
|
|
|
InsecurePortTLSALPN01 = 0
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
ch := &Challenge{
|
|
|
|
|
ID: "chID",
|
|
|
|
|
Token: "token",
|
|
|
|
|
Type: "tls-alpn-01",
|
|
|
|
|
Status: StatusPending,
|
|
|
|
|
Value: "zap.internal",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
expKeyAuth, err := KeyAuthorization(ch.Token, jwk)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
expKeyAuthHash := sha256.Sum256([]byte(expKeyAuth))
|
|
|
|
|
|
|
|
|
|
cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], false, true, ch.Value)
|
|
|
|
|
assert.FatalError(t, err)
|
|
|
|
|
|
|
|
|
|
l, err := net.Listen("tcp", "127.0.0.1:0")
|
|
|
|
|
if err != nil {
|
|
|
|
|
if l, err = net.Listen("tcp6", "[::1]:0"); err != nil {
|
|
|
|
|
t.Fatalf("failed to listen on a port: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
_, port, err := net.SplitHostPort(l.Addr().String())
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("failed to split host port: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Use an insecure port
|
|
|
|
|
InsecurePortTLSALPN01, err = strconv.Atoi(port)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("failed to convert port to int: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
srv, tlsDial := newTestTLSALPNServer(cert, func(srv *httptest.Server) {
|
|
|
|
|
srv.Listener.Close()
|
|
|
|
|
srv.Listener = l
|
|
|
|
|
})
|
|
|
|
|
srv.Start()
|
|
|
|
|
|
|
|
|
|
return test{
|
|
|
|
|
ch: ch,
|
|
|
|
|
vc: &mockClient{
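Review bot: The ephemeral listener `l` opened with `net.Listen("tcp", "127.0.0.1:0")` has no cleanup registered, so any `t.Fatalf` between that call and `srv.Start()` (the SplitHostPort and Atoi failure paths) leaks it; registering `t.Cleanup(func() { l.Close() })` immediately after the listen covers those paths, and a second Close after the server is shut down only yields an error that can be ignored. The `srv.Listener.Close()` call inside the option also drops its error; that is fine for the default httptest listener but deserves an explicit `_ =` or a short comment so it does not read as an oversight. The `tcp`/`tcp6` fallback appears to mirror httptest's own local-listener setup; if another test needs the same thing, a small `newLocalListener(t)` helper would avoid duplicating it. The enclosing test map and the mockClient literal continue outside the hunk.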
|
|
|
|
@ -1248,7 +1356,7 @@ func TestDNS01Validate(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
type tlsDialer func(network, addr string, config *tls.Config) (conn *tls.Conn, err error)
|
|
|
|
|
|
|
|
|
|
func newTestTLSALPNServer(validationCert *tls.Certificate) (*httptest.Server, tlsDialer) {
|
|
|
|
|
func newTestTLSALPNServer(validationCert *tls.Certificate, opts ...func(*httptest.Server)) (*httptest.Server, tlsDialer) {
|
|
|
|
|
srv := httptest.NewUnstartedServer(http.NewServeMux())
|
|
|
|
|
|
|
|
|
|
srv.Config.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){
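Review bot: newTestTLSALPNServer gains a variadic `opts` parameter without a doc comment, and the contract matters: from the following hunk each option runs against the unstarted server before its listener is wrapped by tls.NewListener, so an option may replace `srv.Listener` but is then responsible for closing the listener it discards (the insecure-port test does this by hand). A doc comment above the signature capturing that, e.g. `// newTestTLSALPNServer builds an unstarted TLS-ALPN-01 test server. Each opt runs on the raw server before its listener is wrapped in TLS, so an opt that replaces srv.Listener must close the original itself.`, would keep future callers from assuming the swap happens after the wrap. The function body continues past this hunk.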
|
|
|
|
@ -1273,6 +1381,11 @@ func newTestTLSALPNServer(validationCert *tls.Certificate) (*httptest.Server, tl
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Apply options
|
|
|
|
|
for _, fn := range opts {
|
|
|
|
|
fn(srv)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
srv.Listener = tls.NewListener(srv.Listener, srv.TLS)
|
|
|
|
|
//srv.Config.ErrorLog = log.New(ioutil.Discard, "", 0) // hush
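Review bot: The `// Apply options` comment restates the loop; the useful information is why the loop sits where it does: it must stay ahead of `srv.Listener = tls.NewListener(srv.Listener, srv.TLS)`, otherwise an option that swaps the listener would replace the TLS wrapper with a plain TCP listener and the ALPN validation would be served without TLS. Suggest `// Options run before the TLS wrap so they can swap the raw listener; keep this ordering.` in its place. newTestTLSALPNServer starts before this hunk.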
|
|
|
|
|
|
|
|
|
|