coolaj86/acme-challenge-test.js
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Update record test, use random prefix

Browse Source 
* Test multiple zone records (@, foo, *.foo)
* Use random _acme-challenge-xxxx
This commit is contained in:
AJ ONeal 2019-06-06 22:48:34 -06:00
parent e179188bc0
commit f2373a09de
4 changed files with 144 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
example.js
View File

@ -1,10 +1,10 @@
"use strict"; 'use strict';
//var tester = require('acme-challenge-test'); //var tester = require('acme-challenge-test');
var tester = require("./"); var tester = require('./');
var type = "http-01"; var type = 'http-01';
var challenger = require("acme-http-01-cli").create({}); var challenger = require('acme-http-01-cli').create({});
//var type = 'dns-01'; //var type = 'dns-01';
//var challenger = require('acme-dns-01-cli').create({}); //var challenger = require('acme-dns-01-cli').create({});
//var challenger = require('./YOUR-CHALLENGE-STRATEGY').create({}); //var challenger = require('./YOUR-CHALLENGE-STRATEGY').create({});
@ -12,16 +12,15 @@ var challenger = require("acme-http-01-cli").create({});
// The dry-run tests can pass on, literally, 'example.com' // The dry-run tests can pass on, literally, 'example.com'
// but the integration tests require that you have control over the domain // but the integration tests require that you have control over the domain
var domain = "example.com"; var zone = 'example.com';
//var domain = '*.example.com';
tester tester
.test(type, domain, challenger) .test(type, zone, challenger)
.then(function() { .then(function() {
console.info("PASS"); console.info('ALL PASSED');
}) })
.catch(function(err) { .catch(function(err) {
console.error("FAIL"); console.error('FAIL');
console.error(err); console.error(err);
process.exit(20); process.exit(20);
}); });

239
index.js
View File

@ -75,121 +75,140 @@ function run(challenger, opts) {
// The first time we just check it against itself // The first time we just check it against itself
// this will cause the prompt to appear // this will cause the prompt to appear
return set(opts) return set(opts).then(function() {
.then(function() { // this will cause the final completion message to appear
// this will cause the final completion message to appear // _test is used by the manual cli reference implementations
// _test is used by the manual cli reference implementations var query = { type: ch.type, /*debug*/ status: ch.status, _test: true };
var query = { type: ch.type, /*debug*/ status: ch.status, _test: true }; if ('http-01' === ch.type) {
if ('http-01' === ch.type) { query.identifier = ch.identifier;
query.identifier = ch.identifier; query.token = ch.token;
query.token = ch.token; // For testing only
// For testing only query.url = ch.challengeUrl;
query.url = ch.challengeUrl; } else if ('dns-01' === ch.type) {
} else if ('dns-01' === ch.type) { query.identifier = { type: 'dns', value: ch.dnsHost };
query.identifier = { type: 'dns', value: ch.dnsHost }; // For testing only
// For testing only query.altname = ch.altname;
query.altname = ch.altname; // there should only be two possible TXT records per challenge domain:
// there should only be two possible TXT records per challenge domain: // one for the bare domain, and the other if and only if there's a wildcard
// one for the bare domain, and the other if and only if there's a wildcard query.wildcard = ch.wildcard;
query.wildcard = ch.wildcard; query.dnsAuthorization = ch.dnsAuthorization;
query.dnsAuthorization = ch.dnsAuthorization; } else {
} else { query = JSON.parse(JSON.stringify(ch));
query = JSON.parse(JSON.stringify(ch)); query.comment = 'unknown challenge type, supplying everything';
query.comment = 'unknown challenge type, supplying everything'; }
} return get({ challenge: query })
return get({ challenge: query }) .then(function(secret) {
.then(function(secret) { if ('string' === typeof secret) {
if ('string' === typeof secret) { console.info(
console.info( 'secret was passed as a string, which works historically, but should be an object instead:'
'secret was passed as a string, which works historically, but should be an object instead:' );
); console.info('{ "keyAuthorization": "' + secret + '" }');
console.info('{ "keyAuthorization": "' + secret + '" }'); console.info('or');
console.info('or'); // TODO this should be "keyAuthorizationDigest"
// TODO this should be "keyAuthorizationDigest" console.info('{ "dnsAuthorization": "' + secret + '" }');
console.info('{ "dnsAuthorization": "' + secret + '" }'); console.info(
console.info( 'This is to help keep acme / greenlock (and associated plugins) future-proof for new challenge types'
'This is to help keep acme / greenlock (and associated plugins) future-proof for new challenge types' );
}
// historically 'secret' has been a string, but I'd like it to transition to be an object.
// to make it backwards compatible in v2.7 to change it,
// so I'm not sure that we really need to.
if ('http-01' === ch.type) {
secret = secret.keyAuthorization || secret;
if (ch.keyAuthorization !== secret) {
throw new Error(
"http-01 challenge.get() returned '" +
secret +
"', which does not match the keyAuthorization" +
" saved with challenge.set(), which was '" +
ch.keyAuthorization +
"'"
); );
} }
// historically 'secret' has been a string, but I'd like it to transition to be an object. } else if ('dns-01' === ch.type) {
// to make it backwards compatible in v2.7 to change it, secret = secret.dnsAuthorization || secret;
// so I'm not sure that we really need to. if (ch.dnsAuthorization !== secret) {
if ('http-01' === ch.type) { throw new Error(
secret = secret.keyAuthorization || secret; "dns-01 challenge.get() returned '" +
if (ch.keyAuthorization !== secret) { secret +
throw new Error( "', which does not match the dnsAuthorization" +
"http-01 challenge.get() returned '" + " (keyAuthDigest) saved with challenge.set(), which was '" +
secret + ch.dnsAuthorization +
"', which does not match the keyAuthorization" + "'"
" saved with challenge.set(), which was '" + );
ch.keyAuthorization + }
"'" } else {
); if ('tls-alpn-01' === ch.type) {
} console.warn(
} else if ('dns-01' === ch.type) { "'tls-alpn-01' support is in development" +
secret = secret.dnsAuthorization || secret; " (or developed and we haven't update this yet). Please contact us."
if (ch.dnsAuthorization !== secret) { );
throw new Error(
"dns-01 challenge.get() returned '" +
secret +
"', which does not match the dnsAuthorization" +
" (keyAuthDigest) saved with challenge.set(), which was '" +
ch.dnsAuthorization +
"'"
);
}
} else { } else {
if ('tls-alpn-01' === ch.type) { console.warn(
console.warn( "We don't know how to test '" +
"'tls-alpn-01' support is in development" + ch.type +
" (or developed and we haven't update this yet). Please contact us." "'... are you sure that's a thing?"
); );
} else {
console.warn(
"We don't know how to test '" +
ch.type +
"'... are you sure that's a thing?"
);
}
secret = secret.keyAuthorization || secret;
if (ch.keyAuthorization !== secret) {
console.warn(
"The returned value doesn't match keyAuthorization",
ch.keyAuthorization,
secret
);
}
} }
}) secret = secret.keyAuthorization || secret;
.then(function() { if (ch.keyAuthorization !== secret) {
return remove(opts).then(function() { console.warn(
return get(opts).then(function(result) { "The returned value doesn't match keyAuthorization",
if (result) { ch.keyAuthorization,
throw new Error( secret
'challenge.remove() should have made it not possible for challenge.get() to return a value' );
); }
} }
if (null !== result) { })
throw new Error( .then(function() {
'challenge.get() should return null when the value is not set' return remove(opts).then(function() {
); return get(opts).then(function(result) {
} if (result) {
}); throw new Error(
'challenge.remove() should have made it not possible for challenge.get() to return a value'
);
}
if (null !== result) {
throw new Error(
'challenge.get() should return null when the value is not set'
);
}
}); });
}); });
}) });
.then(function() { });
console.info('All soft tests: PASS');
console.warn(
'Hard tests (actually checking http URLs and dns records) is implemented in acme-v2.'
);
console.warn(
"We'll copy them over here as well, but that's a TODO for next week."
);
});
} }
module.exports.test = function(type, altname, challenger) { module.exports.test = function(type, zone, challenger) {
var domains = [zone, 'foo.' + zone];
if ('dns-01' === type) {
domains.push('*.foo.' + zone);
}
function next() {
var domain = domains.shift();
if (!domain) {
return;
}
console.info("TEST '%s'", domain);
return testOne(type, domain, challenger).then(function() {
console.info("PASS '%s'", domain);
return next();
});
}
return next().then(function() {
console.info('All soft tests: PASS');
console.warn(
'Hard tests (actually checking http URLs and dns records) is implemented in acme-v2.'
);
console.warn(
"We'll copy them over here as well, but that's a TODO for next week."
);
});
};
function testOne(type, altname, challenger) {
var expires = new Date(Date.now() + 10 * 60 * 1000).toISOString(); var expires = new Date(Date.now() + 10 * 60 * 1000).toISOString();
var token = crypto.randomBytes(8).toString('hex'); var token = crypto.randomBytes(8).toString('hex');
var thumb = crypto.randomBytes(16).toString('hex'); var thumb = crypto.randomBytes(16).toString('hex');
@ -212,7 +231,7 @@ module.exports.test = function(type, altname, challenger) {
thumbprint: thumb, thumbprint: thumb,
keyAuthorization: keyAuth, keyAuthorization: keyAuth,
url: null, // completed below url: null, // completed below
dnsHost: '_acme-challenge.', // completed below dnsHost: '_acme-challenge-' + token.slice(0, 4) + '.', // completed below
dnsAuthorization: dnsAuth, dnsAuthorization: dnsAuth,
altname: altname, altname: altname,
_test: true // used by CLI referenced implementations _test: true // used by CLI referenced implementations
@ -227,4 +246,6 @@ module.exports.test = function(type, altname, challenger) {
challenge.dnsHost += altname; challenge.dnsHost += altname;
return run(challenger, { challenge: challenge }); return run(challenger, { challenge: challenge });
}; }
module.exports._test = testOne;

5
package-lock.json generated Normal file
View File

@ -0,0 +1,5 @@
{
"name": "acme-challenge-test",
"version": "3.0.4",
"lockfileVersion": 1
}

2
package.json
View File

@ -1,6 +1,6 @@
{ {
"name": "acme-challenge-test", "name": "acme-challenge-test",
"version": "3.0.4", "version": "3.0.5",
"description": "The base set of tests for all ACME challenge strategies. Any `acme-http-01-`, `acme-dns-01-`, `acme-challenge-`, or greenlock plugin should be able to pass these tests.", "description": "The base set of tests for all ACME challenge strategies. Any `acme-http-01-`, `acme-dns-01-`, `acme-challenge-`, or greenlock plugin should be able to pass these tests.",
"main": "index.js", "main": "index.js",
"homepage": "https://git.rootprojects.org/root/acme-challenge-test.js", "homepage": "https://git.rootprojects.org/root/acme-challenge-test.js",