certificates/ca/acmeClient_test.go

1469 lines
36 KiB
Go

package ca
import (
"crypto/x509"
"encoding/base64"
"encoding/json"
"encoding/pem"
"io"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/pkg/errors"
"github.com/smallstep/assert"
"github.com/smallstep/certificates/acme"
acmeAPI "github.com/smallstep/certificates/acme/api"
"github.com/smallstep/certificates/api/render"
"go.step.sm/crypto/jose"
"go.step.sm/crypto/pemutil"
)
func TestNewACMEClient(t *testing.T) {
type test struct {
ops []ClientOption
r1, r2 interface{}
rc1, rc2 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
NewAccount: srv.URL + "/bar",
NewOrder: srv.URL + "/baz",
RevokeCert: srv.URL + "/zip",
KeyChange: srv.URL + "/blorp",
}
acc := acme.Account{
Contact: []string{"max", "mariano"},
Status: "valid",
OrdersURL: "orders-url",
}
tests := map[string]func(t *testing.T) test{
"fail/client-option-error": func(t *testing.T) test {
return test{
ops: []ClientOption{
func(o *clientOptions) error {
return errors.New("force")
},
},
err: errors.New("force"),
}
},
"fail/get-directory": func(t *testing.T) test {
return test{
ops: []ClientOption{WithTransport(http.DefaultTransport)},
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/bad-directory": func(t *testing.T) test {
return test{
ops: []ClientOption{WithTransport(http.DefaultTransport)},
r1: "foo",
rc1: 200,
err: errors.New("error reading http://127.0.0.1"),
}
},
"fail/error-post-newAccount": func(t *testing.T) test {
return test{
ops: []ClientOption{WithTransport(http.DefaultTransport)},
r1: dir,
rc1: 200,
r2: acme.NewError(acme.ErrorAccountDoesNotExistType, "account does not exist"),
rc2: 400,
err: errors.New("Account does not exist"),
}
},
"fail/error-bad-account": func(t *testing.T) test {
return test{
ops: []ClientOption{WithTransport(http.DefaultTransport)},
r1: dir,
rc1: 200,
r2: "foo",
rc2: 200,
err: errors.New("error reading http://127.0.0.1"),
}
},
"ok": func(t *testing.T) test {
return test{
ops: []ClientOption{WithTransport(http.DefaultTransport)},
r1: dir,
rc1: 200,
r2: acc,
rc2: 200,
}
},
}
accLocation := "linkitylink"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
switch {
case i == 0:
render.JSONStatus(w, tc.r1, tc.rc1)
i++
case i == 1:
w.Header().Set("Replay-Nonce", "abc123")
render.JSONStatus(w, []byte{}, 200)
i++
default:
w.Header().Set("Location", accLocation)
render.JSONStatus(w, tc.r2, tc.rc2)
}
})
if client, err := NewACMEClient(srv.URL, []string{"max", "mariano"}, tc.ops...); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
assert.Equals(t, *client.dir, dir)
assert.NotNil(t, client.Key)
assert.NotNil(t, client.acc)
assert.Equals(t, client.kid, accLocation)
}
}
})
}
}
func TestACMEClient_GetDirectory(t *testing.T) {
c := &ACMEClient{
dir: &acmeAPI.Directory{
NewNonce: "/foo",
NewAccount: "/bar",
NewOrder: "/baz",
RevokeCert: "/zip",
KeyChange: "/blorp",
},
}
dir, err := c.GetDirectory()
assert.FatalError(t, err)
assert.Equals(t, c.dir, dir)
}
func TestACMEClient_GetNonce(t *testing.T) {
type test struct {
r1 interface{}
rc1 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
}
tests := map[string]func(t *testing.T) test{
"fail/GET-nonce": func(t *testing.T) test {
return test{
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"ok": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
}
},
}
expectedNonce := "abc123"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
render.JSONStatus(w, tc.r1, tc.rc1)
})
if nonce, err := ac.GetNonce(); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
assert.Equals(t, expectedNonce, nonce)
}
}
})
}
}
func TestACMEClient_post(t *testing.T) {
type test struct {
payload []byte
Key *jose.JSONWebKey
ops []withHeaderOption
r1, r2 interface{}
rc1, rc2 int
jwkInJWS bool
client *ACMEClient
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
acc := acme.Account{
Contact: []string{"max", "mariano"},
Status: "valid",
OrdersURL: "orders-url",
}
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
}
tests := map[string]func(t *testing.T) test{
"fail/account-not-configured": func(t *testing.T) test {
return test{
client: &ACMEClient{},
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("acme client not configured with account"),
}
},
"fail/GET-nonce": func(t *testing.T) test {
return test{
client: ac,
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"ok/jwk": func(t *testing.T) test {
return test{
client: ac,
r1: []byte{},
rc1: 200,
r2: acc,
rc2: 200,
ops: []withHeaderOption{withJWK(ac)},
jwkInJWS: true,
}
},
"ok/kid": func(t *testing.T) test {
return test{
client: ac,
r1: []byte{},
rc1: 200,
r2: acc,
rc2: 200,
ops: []withHeaderOption{withKid(ac)},
}
},
}
expectedNonce := "abc123"
url := srv.URL + "/foo"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, url)
if tc.jwkInJWS {
assert.Equals(t, hdr.JSONWebKey.KeyID, ac.Key.KeyID)
} else {
assert.Equals(t, hdr.KeyID, ac.kid)
}
render.JSONStatus(w, tc.r2, tc.rc2)
})
if resp, err := tc.client.post(tc.payload, url, tc.ops...); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
var res acme.Account
assert.FatalError(t, readJSON(resp.Body, &res))
assert.Equals(t, res, acc)
}
}
})
}
}
func TestACMEClient_NewOrder(t *testing.T) {
type test struct {
ops []withHeaderOption
r1, r2 interface{}
rc1, rc2 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
NewOrder: srv.URL + "/bar",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
now := time.Now().UTC().Round(time.Second)
nor := acmeAPI.NewOrderRequest{
Identifiers: []acme.Identifier{
{Type: "dns", Value: "example.com"},
{Type: "dns", Value: "acme.example.com"},
},
NotBefore: now,
NotAfter: now.Add(time.Minute),
}
norb, err := json.Marshal(nor)
assert.FatalError(t, err)
ord := acme.Order{
Status: "valid",
ExpiresAt: now, // "soon"
FinalizeURL: "finalize-url",
}
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
}
tests := map[string]func(t *testing.T) test{
"fail/client-post": func(t *testing.T) test {
return test{
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/newOrder-error": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc2: 400,
ops: []withHeaderOption{withKid(ac)},
err: errors.New("The request message was malformed"),
}
},
"fail/bad-order": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: "foo",
rc2: 200,
ops: []withHeaderOption{withKid(ac)},
err: errors.New("error reading http://127.0.0.1"),
}
},
"ok": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: ord,
rc2: 200,
ops: []withHeaderOption{withKid(ac)},
}
},
}
expectedNonce := "abc123"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, dir.NewOrder)
assert.Equals(t, hdr.KeyID, ac.kid)
payload, err := jws.Verify(ac.Key.Public())
assert.FatalError(t, err)
assert.Equals(t, payload, norb)
render.JSONStatus(w, tc.r2, tc.rc2)
})
if res, err := ac.NewOrder(norb); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
assert.Equals(t, *res, ord)
}
}
})
}
}
func TestACMEClient_GetOrder(t *testing.T) {
type test struct {
r1, r2 interface{}
rc1, rc2 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
ord := acme.Order{
Status: "valid",
ExpiresAt: time.Now().UTC().Round(time.Second), // "soon"
FinalizeURL: "finalize-url",
}
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
}
tests := map[string]func(t *testing.T) test{
"fail/client-post": func(t *testing.T) test {
return test{
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/getOrder-error": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc2: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/bad-order": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: "foo",
rc2: 200,
err: errors.New("error reading http://127.0.0.1"),
}
},
"ok": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: ord,
rc2: 200,
}
},
}
expectedNonce := "abc123"
url := srv.URL + "/hullaballoo"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, url)
assert.Equals(t, hdr.KeyID, ac.kid)
payload, err := jws.Verify(ac.Key.Public())
assert.FatalError(t, err)
assert.Equals(t, len(payload), 0)
render.JSONStatus(w, tc.r2, tc.rc2)
})
if res, err := ac.GetOrder(url); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
assert.Equals(t, *res, ord)
}
}
})
}
}
func TestACMEClient_GetAuthz(t *testing.T) {
type test struct {
r1, r2 interface{}
rc1, rc2 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
az := acme.Authorization{
Status: "valid",
ExpiresAt: time.Now().UTC().Round(time.Second),
Identifier: acme.Identifier{Type: "dns", Value: "example.com"},
}
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
}
tests := map[string]func(t *testing.T) test{
"fail/client-post": func(t *testing.T) test {
return test{
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/getChallenge-error": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc2: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/bad-challenge": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: "foo",
rc2: 200,
err: errors.New("error reading http://127.0.0.1"),
}
},
"ok": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: az,
rc2: 200,
}
},
}
expectedNonce := "abc123"
url := srv.URL + "/hullaballoo"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, url)
assert.Equals(t, hdr.KeyID, ac.kid)
payload, err := jws.Verify(ac.Key.Public())
assert.FatalError(t, err)
assert.Equals(t, len(payload), 0)
render.JSONStatus(w, tc.r2, tc.rc2)
})
if res, err := ac.GetAuthz(url); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
assert.Equals(t, *res, az)
}
}
})
}
}
func TestACMEClient_GetChallenge(t *testing.T) {
type test struct {
r1, r2 interface{}
rc1, rc2 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
ch := acme.Challenge{
Type: "http-01",
Status: "valid",
Token: "foo",
}
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
}
tests := map[string]func(t *testing.T) test{
"fail/client-post": func(t *testing.T) test {
return test{
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/getChallenge-error": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc2: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/bad-challenge": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: "foo",
rc2: 200,
err: errors.New("error reading http://127.0.0.1"),
}
},
"ok": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: ch,
rc2: 200,
}
},
}
expectedNonce := "abc123"
url := srv.URL + "/hullaballoo"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, url)
assert.Equals(t, hdr.KeyID, ac.kid)
payload, err := jws.Verify(ac.Key.Public())
assert.FatalError(t, err)
assert.Equals(t, len(payload), 0)
render.JSONStatus(w, tc.r2, tc.rc2)
})
if res, err := ac.GetChallenge(url); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
assert.Equals(t, *res, ch)
}
}
})
}
}
func TestACMEClient_ValidateChallenge(t *testing.T) {
type test struct {
r1, r2 interface{}
rc1, rc2 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
ch := acme.Challenge{
Type: "http-01",
Status: "valid",
Token: "foo",
}
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
}
tests := map[string]func(t *testing.T) test{
"fail/client-post": func(t *testing.T) test {
return test{
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/getChallenge-error": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc2: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/bad-challenge": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: "foo",
rc2: 200,
err: errors.New("error reading http://127.0.0.1"),
}
},
"ok": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: ch,
rc2: 200,
}
},
}
expectedNonce := "abc123"
url := srv.URL + "/hullaballoo"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, url)
assert.Equals(t, hdr.KeyID, ac.kid)
payload, err := jws.Verify(ac.Key.Public())
assert.FatalError(t, err)
assert.Equals(t, payload, []byte("{}"))
render.JSONStatus(w, tc.r2, tc.rc2)
})
if err := ac.ValidateChallenge(url); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
}
})
}
}
func TestACMEClient_ValidateWithPayload(t *testing.T) {
key, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
t.Log(req.RequestURI)
w.Header().Set("Replay-Nonce", "nonce")
switch req.RequestURI {
case "/nonce":
render.JSONStatus(w, []byte{}, 200)
return
case "/fail-nonce":
render.JSONStatus(w, acme.NewError(acme.ErrorMalformedType, "malformed request"), 400)
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, "nonce")
_, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, hdr.KeyID, "kid")
payload, err := jws.Verify(key.Public())
assert.FatalError(t, err)
assert.Equals(t, payload, []byte("the-payload"))
switch req.RequestURI {
case "/ok":
render.JSONStatus(w, acme.Challenge{
Type: "device-attestation-01",
Status: "valid",
Token: "foo",
}, 200)
case "/fail":
render.JSONStatus(w, acme.NewError(acme.ErrorMalformedType, "malformed request"), 400)
}
}))
defer srv.Close()
type fields struct {
client *http.Client
dirLoc string
dir *acmeAPI.Directory
acc *acme.Account
Key *jose.JSONWebKey
kid string
}
type args struct {
url string
payload []byte
}
tests := []struct {
name string
fields fields
args args
wantErr bool
}{
{"ok", fields{srv.Client(), srv.URL, &acmeAPI.Directory{
NewNonce: srv.URL + "/nonce",
}, nil, key, "kid"}, args{srv.URL + "/ok", []byte("the-payload")}, false},
{"fail nonce", fields{srv.Client(), srv.URL, &acmeAPI.Directory{
NewNonce: srv.URL + "/fail-nonce",
}, nil, key, "kid"}, args{srv.URL + "/ok", []byte("the-payload")}, true},
{"fail payload", fields{srv.Client(), srv.URL, &acmeAPI.Directory{
NewNonce: srv.URL + "/nonce",
}, nil, key, "kid"}, args{srv.URL + "/fail", []byte("the-payload")}, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := &ACMEClient{
client: tt.fields.client,
dirLoc: tt.fields.dirLoc,
dir: tt.fields.dir,
acc: tt.fields.acc,
Key: tt.fields.Key,
kid: tt.fields.kid,
}
if err := c.ValidateWithPayload(tt.args.url, tt.args.payload); (err != nil) != tt.wantErr {
t.Errorf("ACMEClient.ValidateWithPayload() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestACMEClient_FinalizeOrder(t *testing.T) {
type test struct {
r1, r2 interface{}
rc1, rc2 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
ord := acme.Order{
Status: "valid",
ExpiresAt: time.Now(), // "soon"
FinalizeURL: "finalize-url",
CertificateURL: "cert-url",
}
_csr, err := pemutil.Read("../authority/testdata/certs/foo.csr")
assert.FatalError(t, err)
csr, ok := _csr.(*x509.CertificateRequest)
assert.Fatal(t, ok)
fr := acmeAPI.FinalizeRequest{CSR: base64.RawURLEncoding.EncodeToString(csr.Raw)}
frb, err := json.Marshal(fr)
assert.FatalError(t, err)
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
}
tests := map[string]func(t *testing.T) test{
"fail/client-post": func(t *testing.T) test {
return test{
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/finalizeOrder-error": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc2: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/bad-order": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: "foo",
rc2: 200,
err: errors.New("error reading http://127.0.0.1"),
}
},
"ok": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: ord,
rc2: 200,
}
},
}
expectedNonce := "abc123"
url := srv.URL + "/hullaballoo"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, url)
assert.Equals(t, hdr.KeyID, ac.kid)
payload, err := jws.Verify(ac.Key.Public())
assert.FatalError(t, err)
assert.Equals(t, payload, frb)
render.JSONStatus(w, tc.r2, tc.rc2)
})
if err := ac.FinalizeOrder(url, csr); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
}
})
}
}
func TestACMEClient_GetAccountOrders(t *testing.T) {
type test struct {
r1, r2 interface{}
rc1, rc2 int
err error
client *ACMEClient
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
orders := []string{"foo", "bar", "baz"}
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
acc: &acme.Account{
Contact: []string{"max", "mariano"},
Status: "valid",
OrdersURL: srv.URL + "/orders-url",
},
}
tests := map[string]func(t *testing.T) test{
"fail/account-not-configured": func(t *testing.T) test {
return test{
client: &ACMEClient{},
err: errors.New("acme client not configured with account"),
}
},
"fail/client-post": func(t *testing.T) test {
return test{
client: ac,
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/getAccountOrders-error": func(t *testing.T) test {
return test{
client: ac,
r1: []byte{},
rc1: 200,
r2: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc2: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/bad-accountOrders": func(t *testing.T) test {
return test{
client: ac,
r1: []byte{},
rc1: 200,
r2: "foo",
rc2: 200,
err: errors.New("error reading http://127.0.0.1"),
}
},
"ok": func(t *testing.T) test {
return test{
client: ac,
r1: []byte{},
rc1: 200,
r2: orders,
rc2: 200,
}
},
}
expectedNonce := "abc123"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, ac.acc.OrdersURL)
assert.Equals(t, hdr.KeyID, ac.kid)
payload, err := jws.Verify(ac.Key.Public())
assert.FatalError(t, err)
assert.Equals(t, len(payload), 0)
render.JSONStatus(w, tc.r2, tc.rc2)
})
if res, err := tc.client.GetAccountOrders(); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
assert.Equals(t, res, orders)
}
}
})
}
}
func TestACMEClient_GetCertificate(t *testing.T) {
type test struct {
r1, r2 interface{}
certBytes []byte
rc1, rc2 int
err error
}
srv := httptest.NewServer(nil)
defer srv.Close()
dir := acmeAPI.Directory{
NewNonce: srv.URL + "/foo",
}
// Retrieve transport from options.
o := new(clientOptions)
assert.FatalError(t, o.apply([]ClientOption{WithTransport(http.DefaultTransport)}))
tr, err := o.getTransport(srv.URL)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
leaf, err := pemutil.ReadCertificate("../authority/testdata/certs/foo.crt")
assert.FatalError(t, err)
leafb := pem.EncodeToMemory(&pem.Block{
Type: "Certificate",
Bytes: leaf.Raw,
})
//nolint:gocritic
certBytes := append(leafb, leafb...)
certBytes = append(certBytes, leafb...)
ac := &ACMEClient{
client: &http.Client{
Transport: tr,
},
dirLoc: srv.URL,
dir: &dir,
Key: jwk,
kid: "foobar",
acc: &acme.Account{
Contact: []string{"max", "mariano"},
Status: "valid",
OrdersURL: srv.URL + "/orders-url",
},
}
tests := map[string]func(t *testing.T) test{
"fail/client-post": func(t *testing.T) test {
return test{
r1: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc1: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/getAccountOrders-error": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: acme.NewError(acme.ErrorMalformedType, "malformed request"),
rc2: 400,
err: errors.New("The request message was malformed"),
}
},
"fail/bad-certificate": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
r2: "foo",
rc2: 200,
err: errors.New("failed to parse any certificates from response"),
}
},
"ok": func(t *testing.T) test {
return test{
r1: []byte{},
rc1: 200,
certBytes: certBytes,
}
},
}
expectedNonce := "abc123"
url := srv.URL + "/cert/foo"
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
i := 0
srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header
w.Header().Set("Replay-Nonce", expectedNonce)
if i == 0 {
render.JSONStatus(w, tc.r1, tc.rc1)
i++
return
}
// validate jws request protected headers and body
body, err := io.ReadAll(req.Body)
assert.FatalError(t, err)
jws, err := jose.ParseJWS(string(body))
assert.FatalError(t, err)
hdr := jws.Signatures[0].Protected
assert.Equals(t, hdr.Nonce, expectedNonce)
jwsURL, ok := hdr.ExtraHeaders["url"].(string)
assert.Fatal(t, ok)
assert.Equals(t, jwsURL, url)
assert.Equals(t, hdr.KeyID, ac.kid)
payload, err := jws.Verify(ac.Key.Public())
assert.FatalError(t, err)
assert.Equals(t, len(payload), 0)
if tc.certBytes != nil {
w.Write(tc.certBytes)
} else {
render.JSONStatus(w, tc.r2, tc.rc2)
}
})
if crt, chain, err := ac.GetCertificate(url); err != nil {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
}
} else {
if assert.Nil(t, tc.err) {
assert.Equals(t, crt, leaf)
assert.Equals(t, chain, []*x509.Certificate{leaf, leaf})
}
}
})
}
}