From 117d8e0b5d5f01c538595146ec3fb816d5988176 Mon Sep 17 00:00:00 2001
From: AJ ONeal <coolaj86@gmail.com>
Date: Sun, 7 Apr 2019 17:23:31 -0600
Subject: [PATCH] v3.0.0: challenge strategy test suite for Greenlock v2.7+
 (and v3)

---
 README.md    |  8 +++----
 example.js   | 13 +++++++++--
 index.js     | 66 +++++++++++++++++++++++++++++-----------------------
 package.json | 27 +++++++++++++++++++++
 4 files changed, 79 insertions(+), 35 deletions(-)
 create mode 100644 package.json

diff --git a/README.md b/README.md
index 1f8a557..e63ea18 100644
--- a/README.md
+++ b/README.md
@@ -61,14 +61,14 @@ tester.test('http-01', 'example.com', {
     //   // dns-01 only, for testing / dubgging
     // , altname: '...'
     // , dnsHost: '...'
-    // , dnsAuthorization: '...' }
+    // , wildcard: false }
     // Note: query.identifier.value is different for http-01 than for dns-01
 
-    return API.get(...).then(function () {
+    return API.get(...).then(function (secret) {
       // http-01
-      return { identifier: { type: 'dns', value: 'example.com' }, keyAuthorization: 'xxxx.yyyy' };
+      return { keyAuthorization: secret };
       // dns-01
-      //return { identifier: { type: 'dns', value: 'example.com' }, dnsAuthorization: 'zzzz' };
+      //return { dnsAuthorization: secret };
     });
   }
 , remove: function (opts) {
diff --git a/example.js b/example.js
index b952987..309d01c 100644
--- a/example.js
+++ b/example.js
@@ -1,15 +1,24 @@
 'use strict';
 
-var tester = require('greenlock-challenge-test');
+//var tester = require('greenlock-challenge-test');
+var tester = require('./');
 
+var type = 'http-01';
 var challenger = require('greenlock-challenge-http').create({});
+//var type = 'dns-01';
 //var challenger = require('greenlock-challenge-dns').create({});
 //var challenger = require('./YOUR-CHALLENGE-STRATEGY').create({});
+//var type = 'YOUR-TYPE-01';
 
 // The dry-run tests can pass on, literally, 'example.com'
 // but the integration tests require that you have control over the domain
 var domain = 'example.com';
+//var domain = '*.example.com';
 
-tester.test('http-01', domain, challenger).then(function () {
+tester.test(type, domain, challenger).then(function () {
   console.info("PASS");
+}).catch(function (err) {
+  console.error("FAIL");
+  console.error(err);
+  process.exit(20);
 });
diff --git a/index.js b/index.js
index aad46cc..4736f2c 100644
--- a/index.js
+++ b/index.js
@@ -34,6 +34,7 @@ function promiseCheckAndCatch(obj, name) {
       throw new Error("'challenge.'" + name + "' should never return `undefined`. Please explicitly return null"
         + " (or fix the place where a value should have been returned but wasn't).");
     }
+    return result;
   }
 
   return function (opts) {
@@ -62,7 +63,8 @@ function run(challenger, opts) {
   // this will cause the prompt to appear
   return set(opts).then(function () {
     // this will cause the final completion message to appear
-    var query = { type: ch.type };
+    // _test is used by the manual cli reference implementations
+    var query = { type: ch.type, /*debug*/ status: ch.status, _test: true };
     if ('http-01' === ch.type) {
       query.identifier = ch.identifier;
       query.token = ch.token;
@@ -72,38 +74,48 @@ function run(challenger, opts) {
       query.identifier = { type: 'dns', value: ch.dnsHost };
       // For testing only
       query.altname = ch.altname;
-      query.dnsAuthorization = ch.dnsAuthorization;
+      // there should only be two possible TXT records per challenge domain:
+      // one for the bare domain, and the other if and only if there's a wildcard
+      query.wildcard = ch.wildcard;
     } else {
       query = JSON.parse(JSON.stringify(ch));
       query.comment = "unknown challenge type, supplying everything";
     }
-    return get({ challenge: query }).then(function (result) {
+    return get({ challenge: query }).then(function (secret) {
+      if ('string' === typeof secret) {
+        console.info("secret was passed as a string, which works historically, but should be an object instead:");
+        console.info('{ "keyAuthorization": "' + secret + '" }');
+        console.info("or");
+        // TODO this should be "keyAuthorizationDigest"
+        console.info('{ "dnsAuthorization": "' + secret + '" }');
+        console.info("This is to help keep greenlock (and associated plugins) future-proof for new challenge types");
+      }
+      // historically 'secret' has been a string, but I'd like it to transition to be an object.
+      // to make it backwards compatible in v2.7 to change it,
+      // so I'm not sure that we really need to.
       if ('http-01' === ch.type) {
-        if (ch.keyAuthorization !== result.keyAuthorization
-          // cross-checking on purpose
-          || (ch.altname !== result.identifier.value || ch.identifier.value !== result.altname)
-        ) {
-          throw new Error("challenge.get() for http-01 should return the same altname, identifier.value,"
-            + " and keyAuthorization as were saved with challenge.set()");
+        secret = secret.keyAuthorization || secret;
+        if (ch.keyAuthorization !== secret) {
+          throw new Error("http-01 challenge.get() returned '" + secret + "', which does not match the keyAuthorization"
+            + " saved with challenge.set(), which was '" + ch.keyAuthorization + "'");
         }
       } else if ('dns-01' === ch.type) {
-        if (ch.dnsAuthorization !== result.dnsAuthorization
-          || ch.identifier.value !== result.identifier.value
-        ) {
-          throw new Error("challenge.get() for dns-01 should return the same identifier.value,"
-            + " and dnsAuthorization as were saved with challenge.set()");
+        secret = secret.dnsAuthorization || secret;
+        if (ch.dnsAuthorization !== secret) {
+          throw new Error("dns-01 challenge.get() returned '" + secret + "', which does not match the dnsAuthorization"
+            + " (keyAuthDigest) saved with challenge.set(), which was '" + ch.dnsAuthorization + "'");
         }
       } else {
-        if (ch.identifier.value !== result.identifier.value) {
-          throw new Error("challenge.get() should always return the same identifier.value,"
-            + " and dnsAuthorization as were saved with challenge.set()");
-        }
         if ('tls-alpn-01' === ch.type) {
           console.warn("'tls-alpn-01' support is in development"
             + " (or developed and we haven't update this yet). Please contact us.");
         } else {
           console.warn("We don't know how to test '" + ch.type + "'... are you sure that's a thing?");
         }
+        secret = secret.keyAuthorization || secret;
+        if (ch.keyAuthorization !== secret) {
+          console.warn("The returned value doesn't match keyAuthorization", ch.keyAuthorization, secret);
+        }
       }
     }).then(function () {
       return remove(opts).then(function () {
@@ -126,16 +138,17 @@ function run(challenger, opts) {
 
 module.exports.test = function (type, altname, challenger) {
   var expires = new Date(Date.now() + (10*60*1000)).toISOString();
-  var token = crypto.randomBytes('8').toString('hex');
-  var thumb = crypto.randomBytes('16').toString('hex');
-  var keyAuth = token + '.' + crypto.randomBytes('16').toString('hex');
+  var token = crypto.randomBytes(8).toString('hex');
+  var thumb = crypto.randomBytes(16).toString('hex');
+  var keyAuth = token + '.' + crypto.randomBytes(16).toString('hex');
   var dnsAuth = crypto.createHash('sha256').update(keyAuth).digest('base64')
-    .replace(/\+/, '-').replace(/\//, '_').replace(/=/, '');
+    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
 
   var challenge = {
     type: type
   , identifier: { type: 'dns', value: null }  // completed below
   , wildcard: false                           // completed below
+  , status: 'pending'
   , expires: expires
   , token: token
   , thumbprint: thumb
@@ -144,6 +157,7 @@ module.exports.test = function (type, altname, challenger) {
   , dnsHost: '_acme-challenge.'               // completed below
   , dnsAuthorization: dnsAuth
   , altname: altname
+  , _test: true                               // used by CLI referenced implementations
   };
   if ('*.' === altname.slice(0, 2)) {
     challenge.wildcard = true;
@@ -153,11 +167,5 @@ module.exports.test = function (type, altname, challenger) {
   challenge.url = 'http://' + altname + '/.well-known/acme-challenge/' + challenge.token;
   challenge.dnsHost += altname;
 
-  run(challenger, { challenge: challenge }).then(function () {
-    console.info("PASS");
-  }).catch(function (err) {
-    console.error("FAIL");
-    console.error(err);
-    process.exit(20);
-  });
+  return run(challenger, { challenge: challenge });
 };
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..3d48e9a
--- /dev/null
+++ b/package.json
@@ -0,0 +1,27 @@
+{
+  "name": "greenlock-challenge-test",
+  "version": "3.0.0",
+  "description": "The base set of tests for all ACME challenge strategies. Any `greenlock-challenge-` plugin should be able to pass these tests.",
+  "main": "index.js",
+  "dependencies": {},
+  "devDependencies": {},
+  "scripts": {
+    "test": "node example.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://git.coolaj86.com/coolaj86/greenlock-challenge-test.js.git"
+  },
+  "keywords": [
+    "Let's Encrypt",
+    "ACME",
+    "http-01",
+    "dns-01",
+    "challenge",
+    "plugin",
+    "module",
+    "strategy"
+  ],
+  "author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
+  "license": "MPL-2.0"
+}