270 lines
8.1 KiB
Go
270 lines
8.1 KiB
Go
|
package acme
|
||
|
|
||
|
import (
|
||
|
"crypto"
|
||
|
"crypto/rand"
|
||
|
"crypto/rsa"
|
||
|
"encoding/json"
|
||
|
"net"
|
||
|
"net/http"
|
||
|
"net/http/httptest"
|
||
|
"strings"
|
||
|
"testing"
|
||
|
"time"
|
||
|
)
|
||
|
|
||
|
func TestNewClient(t *testing.T) {
|
||
|
keyBits := 32 // small value keeps test fast
|
||
|
keyType := RSA2048
|
||
|
key, err := rsa.GenerateKey(rand.Reader, keyBits)
|
||
|
if err != nil {
|
||
|
t.Fatal("Could not generate test key:", err)
|
||
|
}
|
||
|
user := mockUser{
|
||
|
email: "test@test.com",
|
||
|
regres: new(RegistrationResource),
|
||
|
privatekey: key,
|
||
|
}
|
||
|
|
||
|
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
|
data, _ := json.Marshal(directory{NewAuthzURL: "http://test", NewCertURL: "http://test", NewRegURL: "http://test", RevokeCertURL: "http://test"})
|
||
|
w.Write(data)
|
||
|
}))
|
||
|
|
||
|
client, err := NewClient(ts.URL, user, keyType)
|
||
|
if err != nil {
|
||
|
t.Fatalf("Could not create client: %v", err)
|
||
|
}
|
||
|
|
||
|
if client.jws == nil {
|
||
|
t.Fatalf("Expected client.jws to not be nil")
|
||
|
}
|
||
|
if expected, actual := key, client.jws.privKey; actual != expected {
|
||
|
t.Errorf("Expected jws.privKey to be %p but was %p", expected, actual)
|
||
|
}
|
||
|
|
||
|
if client.keyType != keyType {
|
||
|
t.Errorf("Expected keyType to be %s but was %s", keyType, client.keyType)
|
||
|
}
|
||
|
|
||
|
if expected, actual := 2, len(client.solvers); actual != expected {
|
||
|
t.Fatalf("Expected %d solver(s), got %d", expected, actual)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func TestClientOptPort(t *testing.T) {
|
||
|
keyBits := 32 // small value keeps test fast
|
||
|
key, err := rsa.GenerateKey(rand.Reader, keyBits)
|
||
|
if err != nil {
|
||
|
t.Fatal("Could not generate test key:", err)
|
||
|
}
|
||
|
user := mockUser{
|
||
|
email: "test@test.com",
|
||
|
regres: new(RegistrationResource),
|
||
|
privatekey: key,
|
||
|
}
|
||
|
|
||
|
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
|
data, _ := json.Marshal(directory{NewAuthzURL: "http://test", NewCertURL: "http://test", NewRegURL: "http://test", RevokeCertURL: "http://test"})
|
||
|
w.Write(data)
|
||
|
}))
|
||
|
|
||
|
optPort := "1234"
|
||
|
optHost := ""
|
||
|
client, err := NewClient(ts.URL, user, RSA2048)
|
||
|
if err != nil {
|
||
|
t.Fatalf("Could not create client: %v", err)
|
||
|
}
|
||
|
client.SetHTTPAddress(net.JoinHostPort(optHost, optPort))
|
||
|
client.SetTLSAddress(net.JoinHostPort(optHost, optPort))
|
||
|
|
||
|
httpSolver, ok := client.solvers[HTTP01].(*httpChallenge)
|
||
|
if !ok {
|
||
|
t.Fatal("Expected http-01 solver to be httpChallenge type")
|
||
|
}
|
||
|
if httpSolver.jws != client.jws {
|
||
|
t.Error("Expected http-01 to have same jws as client")
|
||
|
}
|
||
|
if got := httpSolver.provider.(*HTTPProviderServer).port; got != optPort {
|
||
|
t.Errorf("Expected http-01 to have port %s but was %s", optPort, got)
|
||
|
}
|
||
|
if got := httpSolver.provider.(*HTTPProviderServer).iface; got != optHost {
|
||
|
t.Errorf("Expected http-01 to have iface %s but was %s", optHost, got)
|
||
|
}
|
||
|
|
||
|
httpsSolver, ok := client.solvers[TLSSNI01].(*tlsSNIChallenge)
|
||
|
if !ok {
|
||
|
t.Fatal("Expected tls-sni-01 solver to be httpChallenge type")
|
||
|
}
|
||
|
if httpsSolver.jws != client.jws {
|
||
|
t.Error("Expected tls-sni-01 to have same jws as client")
|
||
|
}
|
||
|
if got := httpsSolver.provider.(*TLSProviderServer).port; got != optPort {
|
||
|
t.Errorf("Expected tls-sni-01 to have port %s but was %s", optPort, got)
|
||
|
}
|
||
|
if got := httpsSolver.provider.(*TLSProviderServer).iface; got != optHost {
|
||
|
t.Errorf("Expected tls-sni-01 to have port %s but was %s", optHost, got)
|
||
|
}
|
||
|
|
||
|
// test setting different host
|
||
|
optHost = "127.0.0.1"
|
||
|
client.SetHTTPAddress(net.JoinHostPort(optHost, optPort))
|
||
|
client.SetTLSAddress(net.JoinHostPort(optHost, optPort))
|
||
|
|
||
|
if got := httpSolver.provider.(*HTTPProviderServer).iface; got != optHost {
|
||
|
t.Errorf("Expected http-01 to have iface %s but was %s", optHost, got)
|
||
|
}
|
||
|
if got := httpsSolver.provider.(*TLSProviderServer).port; got != optPort {
|
||
|
t.Errorf("Expected tls-sni-01 to have port %s but was %s", optPort, got)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func TestNotHoldingLockWhileMakingHTTPRequests(t *testing.T) {
|
||
|
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
|
time.Sleep(250 * time.Millisecond)
|
||
|
w.Header().Add("Replay-Nonce", "12345")
|
||
|
w.Header().Add("Retry-After", "0")
|
||
|
writeJSONResponse(w, &challenge{Type: "http-01", Status: "Valid", URI: "http://example.com/", Token: "token"})
|
||
|
}))
|
||
|
defer ts.Close()
|
||
|
|
||
|
privKey, _ := rsa.GenerateKey(rand.Reader, 512)
|
||
|
j := &jws{privKey: privKey, directoryURL: ts.URL}
|
||
|
ch := make(chan bool)
|
||
|
resultCh := make(chan bool)
|
||
|
go func() {
|
||
|
j.Nonce()
|
||
|
ch <- true
|
||
|
}()
|
||
|
go func() {
|
||
|
j.Nonce()
|
||
|
ch <- true
|
||
|
}()
|
||
|
go func() {
|
||
|
<-ch
|
||
|
<-ch
|
||
|
resultCh <- true
|
||
|
}()
|
||
|
select {
|
||
|
case <-resultCh:
|
||
|
case <-time.After(400 * time.Millisecond):
|
||
|
t.Fatal("JWS is probably holding a lock while making HTTP request")
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func TestValidate(t *testing.T) {
|
||
|
var statuses []string
|
||
|
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
|
// Minimal stub ACME server for validation.
|
||
|
w.Header().Add("Replay-Nonce", "12345")
|
||
|
w.Header().Add("Retry-After", "0")
|
||
|
switch r.Method {
|
||
|
case "HEAD":
|
||
|
case "POST":
|
||
|
st := statuses[0]
|
||
|
statuses = statuses[1:]
|
||
|
writeJSONResponse(w, &challenge{Type: "http-01", Status: st, URI: "http://example.com/", Token: "token"})
|
||
|
|
||
|
case "GET":
|
||
|
st := statuses[0]
|
||
|
statuses = statuses[1:]
|
||
|
writeJSONResponse(w, &challenge{Type: "http-01", Status: st, URI: "http://example.com/", Token: "token"})
|
||
|
|
||
|
default:
|
||
|
http.Error(w, r.Method, http.StatusMethodNotAllowed)
|
||
|
}
|
||
|
}))
|
||
|
defer ts.Close()
|
||
|
|
||
|
privKey, _ := rsa.GenerateKey(rand.Reader, 512)
|
||
|
j := &jws{privKey: privKey, directoryURL: ts.URL}
|
||
|
|
||
|
tsts := []struct {
|
||
|
name string
|
||
|
statuses []string
|
||
|
want string
|
||
|
}{
|
||
|
{"POST-unexpected", []string{"weird"}, "unexpected"},
|
||
|
{"POST-valid", []string{"valid"}, ""},
|
||
|
{"POST-invalid", []string{"invalid"}, "Error Detail"},
|
||
|
{"GET-unexpected", []string{"pending", "weird"}, "unexpected"},
|
||
|
{"GET-valid", []string{"pending", "valid"}, ""},
|
||
|
{"GET-invalid", []string{"pending", "invalid"}, "Error Detail"},
|
||
|
}
|
||
|
|
||
|
for _, tst := range tsts {
|
||
|
statuses = tst.statuses
|
||
|
if err := validate(j, "example.com", ts.URL, challenge{Type: "http-01", Token: "token"}); err == nil && tst.want != "" {
|
||
|
t.Errorf("[%s] validate: got error %v, want something with %q", tst.name, err, tst.want)
|
||
|
} else if err != nil && !strings.Contains(err.Error(), tst.want) {
|
||
|
t.Errorf("[%s] validate: got error %v, want something with %q", tst.name, err, tst.want)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func TestGetChallenges(t *testing.T) {
|
||
|
var ts *httptest.Server
|
||
|
ts = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||
|
switch r.Method {
|
||
|
case "GET", "HEAD":
|
||
|
w.Header().Add("Replay-Nonce", "12345")
|
||
|
w.Header().Add("Retry-After", "0")
|
||
|
writeJSONResponse(w, directory{NewAuthzURL: ts.URL, NewCertURL: ts.URL, NewRegURL: ts.URL, RevokeCertURL: ts.URL})
|
||
|
case "POST":
|
||
|
writeJSONResponse(w, authorization{})
|
||
|
}
|
||
|
}))
|
||
|
defer ts.Close()
|
||
|
|
||
|
keyBits := 512 // small value keeps test fast
|
||
|
keyType := RSA2048
|
||
|
key, err := rsa.GenerateKey(rand.Reader, keyBits)
|
||
|
if err != nil {
|
||
|
t.Fatal("Could not generate test key:", err)
|
||
|
}
|
||
|
user := mockUser{
|
||
|
email: "test@test.com",
|
||
|
regres: &RegistrationResource{NewAuthzURL: ts.URL},
|
||
|
privatekey: key,
|
||
|
}
|
||
|
|
||
|
client, err := NewClient(ts.URL, user, keyType)
|
||
|
if err != nil {
|
||
|
t.Fatalf("Could not create client: %v", err)
|
||
|
}
|
||
|
|
||
|
_, failures := client.getChallenges([]string{"example.com"})
|
||
|
if failures["example.com"] == nil {
|
||
|
t.Fatal("Expecting \"Server did not provide next link to proceed\" error, got nil")
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// writeJSONResponse marshals the body as JSON and writes it to the response.
|
||
|
func writeJSONResponse(w http.ResponseWriter, body interface{}) {
|
||
|
bs, err := json.Marshal(body)
|
||
|
if err != nil {
|
||
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
w.Header().Set("Content-Type", "application/json")
|
||
|
if _, err := w.Write(bs); err != nil {
|
||
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// stubValidate is like validate, except it does nothing.
|
||
|
func stubValidate(j *jws, domain, uri string, chlng challenge) error {
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
type mockUser struct {
|
||
|
email string
|
||
|
regres *RegistrationResource
|
||
|
privatekey *rsa.PrivateKey
|
||
|
}
|
||
|
|
||
|
func (u mockUser) GetEmail() string { return u.email }
|
||
|
func (u mockUser) GetRegistration() *RegistrationResource { return u.regres }
|
||
|
func (u mockUser) GetPrivateKey() crypto.PrivateKey { return u.privatekey }
|