From f2373a09ded2c709474645160b7e6da12941e821 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Thu, 6 Jun 2019 22:48:34 -0600 Subject: [PATCH] Update record test, use random prefix * Test multiple zone records (@, foo, *.foo) * Use random _acme-challenge-xxxx --- example.js | 17 ++-- index.js | 239 +++++++++++++++++++++++++--------------------- package-lock.json | 5 + package.json | 2 +- 4 files changed, 144 insertions(+), 119 deletions(-) create mode 100644 package-lock.json diff --git a/example.js b/example.js index 3c23ab1..912400f 100644 --- a/example.js +++ b/example.js @@ -1,10 +1,10 @@ -"use strict"; +'use strict'; //var tester = require('acme-challenge-test'); -var tester = require("./"); +var tester = require('./'); -var type = "http-01"; -var challenger = require("acme-http-01-cli").create({}); +var type = 'http-01'; +var challenger = require('acme-http-01-cli').create({}); //var type = 'dns-01'; //var challenger = require('acme-dns-01-cli').create({}); //var challenger = require('./YOUR-CHALLENGE-STRATEGY').create({}); @@ -12,16 +12,15 @@ var challenger = require("acme-http-01-cli").create({}); // The dry-run tests can pass on, literally, 'example.com' // but the integration tests require that you have control over the domain -var domain = "example.com"; -//var domain = '*.example.com'; +var zone = 'example.com'; tester - .test(type, domain, challenger) + .test(type, zone, challenger) .then(function() { - console.info("PASS"); + console.info('ALL PASSED'); }) .catch(function(err) { - console.error("FAIL"); + console.error('FAIL'); console.error(err); process.exit(20); }); diff --git a/index.js b/index.js index 51e9e68..0582083 100644 --- a/index.js +++ b/index.js @@ -75,121 +75,140 @@ function run(challenger, opts) { // The first time we just check it against itself // this will cause the prompt to appear - return set(opts) - .then(function() { - // this will cause the final completion message to appear - // _test is used by the manual cli reference implementations - var query = { type: ch.type, /*debug*/ status: ch.status, _test: true }; - if ('http-01' === ch.type) { - query.identifier = ch.identifier; - query.token = ch.token; - // For testing only - query.url = ch.challengeUrl; - } else if ('dns-01' === ch.type) { - query.identifier = { type: 'dns', value: ch.dnsHost }; - // For testing only - query.altname = ch.altname; - // there should only be two possible TXT records per challenge domain: - // one for the bare domain, and the other if and only if there's a wildcard - query.wildcard = ch.wildcard; - query.dnsAuthorization = ch.dnsAuthorization; - } else { - query = JSON.parse(JSON.stringify(ch)); - query.comment = 'unknown challenge type, supplying everything'; - } - return get({ challenge: query }) - .then(function(secret) { - if ('string' === typeof secret) { - console.info( - 'secret was passed as a string, which works historically, but should be an object instead:' - ); - console.info('{ "keyAuthorization": "' + secret + '" }'); - console.info('or'); - // TODO this should be "keyAuthorizationDigest" - console.info('{ "dnsAuthorization": "' + secret + '" }'); - console.info( - 'This is to help keep acme / greenlock (and associated plugins) future-proof for new challenge types' + return set(opts).then(function() { + // this will cause the final completion message to appear + // _test is used by the manual cli reference implementations + var query = { type: ch.type, /*debug*/ status: ch.status, _test: true }; + if ('http-01' === ch.type) { + query.identifier = ch.identifier; + query.token = ch.token; + // For testing only + query.url = ch.challengeUrl; + } else if ('dns-01' === ch.type) { + query.identifier = { type: 'dns', value: ch.dnsHost }; + // For testing only + query.altname = ch.altname; + // there should only be two possible TXT records per challenge domain: + // one for the bare domain, and the other if and only if there's a wildcard + query.wildcard = ch.wildcard; + query.dnsAuthorization = ch.dnsAuthorization; + } else { + query = JSON.parse(JSON.stringify(ch)); + query.comment = 'unknown challenge type, supplying everything'; + } + return get({ challenge: query }) + .then(function(secret) { + if ('string' === typeof secret) { + console.info( + 'secret was passed as a string, which works historically, but should be an object instead:' + ); + console.info('{ "keyAuthorization": "' + secret + '" }'); + console.info('or'); + // TODO this should be "keyAuthorizationDigest" + console.info('{ "dnsAuthorization": "' + secret + '" }'); + console.info( + 'This is to help keep acme / greenlock (and associated plugins) future-proof for new challenge types' + ); + } + // historically 'secret' has been a string, but I'd like it to transition to be an object. + // to make it backwards compatible in v2.7 to change it, + // so I'm not sure that we really need to. + if ('http-01' === ch.type) { + secret = secret.keyAuthorization || secret; + if (ch.keyAuthorization !== secret) { + throw new Error( + "http-01 challenge.get() returned '" + + secret + + "', which does not match the keyAuthorization" + + " saved with challenge.set(), which was '" + + ch.keyAuthorization + + "'" ); } - // historically 'secret' has been a string, but I'd like it to transition to be an object. - // to make it backwards compatible in v2.7 to change it, - // so I'm not sure that we really need to. - if ('http-01' === ch.type) { - secret = secret.keyAuthorization || secret; - if (ch.keyAuthorization !== secret) { - throw new Error( - "http-01 challenge.get() returned '" + - secret + - "', which does not match the keyAuthorization" + - " saved with challenge.set(), which was '" + - ch.keyAuthorization + - "'" - ); - } - } else if ('dns-01' === ch.type) { - secret = secret.dnsAuthorization || secret; - if (ch.dnsAuthorization !== secret) { - throw new Error( - "dns-01 challenge.get() returned '" + - secret + - "', which does not match the dnsAuthorization" + - " (keyAuthDigest) saved with challenge.set(), which was '" + - ch.dnsAuthorization + - "'" - ); - } + } else if ('dns-01' === ch.type) { + secret = secret.dnsAuthorization || secret; + if (ch.dnsAuthorization !== secret) { + throw new Error( + "dns-01 challenge.get() returned '" + + secret + + "', which does not match the dnsAuthorization" + + " (keyAuthDigest) saved with challenge.set(), which was '" + + ch.dnsAuthorization + + "'" + ); + } + } else { + if ('tls-alpn-01' === ch.type) { + console.warn( + "'tls-alpn-01' support is in development" + + " (or developed and we haven't update this yet). Please contact us." + ); } else { - if ('tls-alpn-01' === ch.type) { - console.warn( - "'tls-alpn-01' support is in development" + - " (or developed and we haven't update this yet). Please contact us." - ); - } else { - console.warn( - "We don't know how to test '" + - ch.type + - "'... are you sure that's a thing?" - ); - } - secret = secret.keyAuthorization || secret; - if (ch.keyAuthorization !== secret) { - console.warn( - "The returned value doesn't match keyAuthorization", - ch.keyAuthorization, - secret - ); - } + console.warn( + "We don't know how to test '" + + ch.type + + "'... are you sure that's a thing?" + ); } - }) - .then(function() { - return remove(opts).then(function() { - return get(opts).then(function(result) { - if (result) { - throw new Error( - 'challenge.remove() should have made it not possible for challenge.get() to return a value' - ); - } - if (null !== result) { - throw new Error( - 'challenge.get() should return null when the value is not set' - ); - } - }); + secret = secret.keyAuthorization || secret; + if (ch.keyAuthorization !== secret) { + console.warn( + "The returned value doesn't match keyAuthorization", + ch.keyAuthorization, + secret + ); + } + } + }) + .then(function() { + return remove(opts).then(function() { + return get(opts).then(function(result) { + if (result) { + throw new Error( + 'challenge.remove() should have made it not possible for challenge.get() to return a value' + ); + } + if (null !== result) { + throw new Error( + 'challenge.get() should return null when the value is not set' + ); + } }); }); - }) - .then(function() { - console.info('All soft tests: PASS'); - console.warn( - 'Hard tests (actually checking http URLs and dns records) is implemented in acme-v2.' - ); - console.warn( - "We'll copy them over here as well, but that's a TODO for next week." - ); - }); + }); + }); } -module.exports.test = function(type, altname, challenger) { +module.exports.test = function(type, zone, challenger) { + var domains = [zone, 'foo.' + zone]; + if ('dns-01' === type) { + domains.push('*.foo.' + zone); + } + + function next() { + var domain = domains.shift(); + if (!domain) { + return; + } + console.info("TEST '%s'", domain); + return testOne(type, domain, challenger).then(function() { + console.info("PASS '%s'", domain); + return next(); + }); + } + + return next().then(function() { + console.info('All soft tests: PASS'); + console.warn( + 'Hard tests (actually checking http URLs and dns records) is implemented in acme-v2.' + ); + console.warn( + "We'll copy them over here as well, but that's a TODO for next week." + ); + }); +}; + +function testOne(type, altname, challenger) { var expires = new Date(Date.now() + 10 * 60 * 1000).toISOString(); var token = crypto.randomBytes(8).toString('hex'); var thumb = crypto.randomBytes(16).toString('hex'); @@ -212,7 +231,7 @@ module.exports.test = function(type, altname, challenger) { thumbprint: thumb, keyAuthorization: keyAuth, url: null, // completed below - dnsHost: '_acme-challenge.', // completed below + dnsHost: '_acme-challenge-' + token.slice(0, 4) + '.', // completed below dnsAuthorization: dnsAuth, altname: altname, _test: true // used by CLI referenced implementations @@ -227,4 +246,6 @@ module.exports.test = function(type, altname, challenger) { challenge.dnsHost += altname; return run(challenger, { challenge: challenge }); -}; +} + +module.exports._test = testOne; diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..c93547c --- /dev/null +++ b/package-lock.json @@ -0,0 +1,5 @@ +{ + "name": "acme-challenge-test", + "version": "3.0.4", + "lockfileVersion": 1 +} diff --git a/package.json b/package.json index 6e5ffe9..ff4ba9a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "acme-challenge-test", - "version": "3.0.4", + "version": "3.0.5", "description": "The base set of tests for all ACME challenge strategies. Any `acme-http-01-`, `acme-dns-01-`, `acme-challenge-`, or greenlock plugin should be able to pass these tests.", "main": "index.js", "homepage": "https://git.rootprojects.org/root/acme-challenge-test.js",