From ec8ff0bcedc34c1c0457da7f60b067abef54896e Mon Sep 17 00:00:00 2001
From: Oleksandr Kovalchuk <anxolerd@outlook.com>
Date: Fri, 20 Dec 2019 22:54:41 +0200
Subject: [PATCH] Add testcase which ensures we pass correct domain to
 lookupTxt

Make sure we do not pass domains with asterisk (wildcard) in the middle,
like _acme-challenge.*.example.com to lookupTxt function, but preprocess
domain and remove leading wildcard so we lookup for
_acme-challenge.example.com.
---
 acme/challenge_test.go | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/acme/challenge_test.go b/acme/challenge_test.go
index 6291803d..720321e5 100644
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@@ -930,6 +930,47 @@ func TestDNS01Validate(t *testing.T) {
 				res: ch,
 			}
 		},
+		"ok/lookup-txt-wildcard": func(t *testing.T) test {
+			ch, err := newDNSCh()
+			assert.FatalError(t, err)
+			_ch, ok := ch.(*dns01Challenge)
+			assert.Fatal(t, ok)
+			_ch.baseChallenge.Value = "*.zap.internal"
+
+			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+			assert.FatalError(t, err)
+
+			expKeyAuth, err := KeyAuthorization(ch.getToken(), jwk)
+			assert.FatalError(t, err)
+			h := sha256.Sum256([]byte(expKeyAuth))
+			expected := base64.RawURLEncoding.EncodeToString(h[:])
+
+			baseClone := ch.clone()
+			baseClone.Status = StatusValid
+			baseClone.Error = nil
+			newCh := &dns01Challenge{baseClone}
+
+			return test{
+				ch:  ch,
+				res: newCh,
+				vo: validateOptions{
+					lookupTxt: func(url string) ([]string, error) {
+						assert.Equals(t, url, "_acme-challenge.zap.internal")
+						return []string{"foo", expected}, nil
+					},
+				},
+				jwk: jwk,
+				db: &db.MockNoSQLDB{
+					MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+						dnsCh, err := unmarshalChallenge(newval)
+						assert.FatalError(t, err)
+						assert.Equals(t, dnsCh.getStatus(), StatusValid)
+						baseClone.Validated = dnsCh.getValidated()
+						return nil, true, nil
+					},
+				},
+			}
+		},
 		"fail/key-authorization-gen-error": func(t *testing.T) test {
 			ch, err := newDNSCh()
 			assert.FatalError(t, err)