forked from TrueCloudLab/lego
Merge pull request #127 from xenolf/tweaks
Add go vet to the CI checks, fix vet errors and set default HTTP timeout to 10 seconds.
This commit is contained in:
commit
f1a1e081c8
11 changed files with 54 additions and 39 deletions
|
@ -4,3 +4,11 @@ go:
|
||||||
- 1.4.3
|
- 1.4.3
|
||||||
- 1.5.3
|
- 1.5.3
|
||||||
- tip
|
- tip
|
||||||
|
|
||||||
|
install:
|
||||||
|
- go get -t ./...
|
||||||
|
- go get golang.org/x/tools/cmd/vet
|
||||||
|
|
||||||
|
script:
|
||||||
|
- go vet ./...
|
||||||
|
- go test -v ./...
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
package acme
|
package acme
|
||||||
|
|
||||||
|
// Challenge is a string that identifies a particular type and version of ACME challenge.
|
||||||
type Challenge string
|
type Challenge string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
|
|
@ -56,14 +56,22 @@ func GetOCSPForCert(bundle []byte) ([]byte, *ocsp.Response, error) {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// We only got one certificate, means we have no issuer certificate - get it.
|
// We expect the certificate slice to be ordered downwards the chain.
|
||||||
|
// SRV CRT -> CA. We need to pull the leaf and issuer certs out of it,
|
||||||
|
// which should always be the first two certificates. If there's no
|
||||||
|
// OCSP server listed in the leaf cert, there's nothing to do. And if
|
||||||
|
// we have only one certificate so far, we need to get the issuer cert.
|
||||||
|
issuedCert := certificates[0]
|
||||||
|
if len(issuedCert.OCSPServer) == 0 {
|
||||||
|
return nil, nil, errors.New("no OCSP server specified in cert")
|
||||||
|
}
|
||||||
if len(certificates) == 1 {
|
if len(certificates) == 1 {
|
||||||
// TODO: build fallback. If this fails, check the remaining array entries.
|
// TODO: build fallback. If this fails, check the remaining array entries.
|
||||||
if len(certificates[0].IssuingCertificateURL) == 0 {
|
if len(issuedCert.IssuingCertificateURL) == 0 {
|
||||||
return nil, nil, errors.New("no issuing certificate URL")
|
return nil, nil, errors.New("no issuing certificate URL")
|
||||||
}
|
}
|
||||||
|
|
||||||
resp, err := httpGet(certificates[0].IssuingCertificateURL[0])
|
resp, err := httpGet(issuedCert.IssuingCertificateURL[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
@ -83,17 +91,8 @@ func GetOCSPForCert(bundle []byte) ([]byte, *ocsp.Response, error) {
|
||||||
// We want it ordered right SRV CRT -> CA
|
// We want it ordered right SRV CRT -> CA
|
||||||
certificates = append(certificates, issuerCert)
|
certificates = append(certificates, issuerCert)
|
||||||
}
|
}
|
||||||
|
|
||||||
// We expect the certificate slice to be ordered downwards the chain.
|
|
||||||
// SRV CRT -> CA. We need to pull the cert and issuer cert out of it,
|
|
||||||
// which should always be the last two certificates.
|
|
||||||
issuedCert := certificates[0]
|
|
||||||
issuerCert := certificates[1]
|
issuerCert := certificates[1]
|
||||||
|
|
||||||
if len(issuedCert.OCSPServer) == 0 {
|
|
||||||
return nil, nil, errors.New("no OCSP server specified in cert")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Finally kick off the OCSP request.
|
// Finally kick off the OCSP request.
|
||||||
ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)
|
ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -15,7 +15,7 @@ import (
|
||||||
|
|
||||||
type preCheckDNSFunc func(fqdn, value string) (bool, error)
|
type preCheckDNSFunc func(fqdn, value string) (bool, error)
|
||||||
|
|
||||||
var preCheckDNS preCheckDNSFunc = checkDnsPropagation
|
var preCheckDNS preCheckDNSFunc = checkDNSPropagation
|
||||||
|
|
||||||
var recursiveNameserver = "google-public-dns-a.google.com"
|
var recursiveNameserver = "google-public-dns-a.google.com"
|
||||||
|
|
||||||
|
@ -75,8 +75,8 @@ func (s *dnsChallenge) Solve(chlng challenge, domain string) error {
|
||||||
return s.validate(s.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth})
|
return s.validate(s.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth})
|
||||||
}
|
}
|
||||||
|
|
||||||
// checkDnsPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
|
// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
|
||||||
func checkDnsPropagation(fqdn, value string) (bool, error) {
|
func checkDNSPropagation(fqdn, value string) (bool, error) {
|
||||||
// Initial attempt to resolve at the recursive NS
|
// Initial attempt to resolve at the recursive NS
|
||||||
r, err := dnsQuery(fqdn, dns.TypeTXT, recursiveNameserver, true)
|
r, err := dnsQuery(fqdn, dns.TypeTXT, recursiveNameserver, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -27,7 +27,7 @@ func NewDNSProviderCloudFlare(cloudflareEmail, cloudflareKey string) (*DNSProvid
|
||||||
}
|
}
|
||||||
|
|
||||||
c := &DNSProviderCloudFlare{
|
c := &DNSProviderCloudFlare{
|
||||||
client: cloudflare.New(&cloudflare.Options{cloudflareEmail, cloudflareKey}),
|
client: cloudflare.New(&cloudflare.Options{Email: cloudflareEmail, Key: cloudflareKey}),
|
||||||
ctx: context.Background(),
|
ctx: context.Background(),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -16,16 +16,16 @@ type DNSProviderDNSimple struct {
|
||||||
// NewDNSProviderDNSimple returns a DNSProviderDNSimple instance with a configured dnsimple client.
|
// NewDNSProviderDNSimple returns a DNSProviderDNSimple instance with a configured dnsimple client.
|
||||||
// Authentication is either done using the passed credentials or - when empty - using the environment
|
// Authentication is either done using the passed credentials or - when empty - using the environment
|
||||||
// variables DNSIMPLE_EMAIL and DNSIMPLE_API_KEY.
|
// variables DNSIMPLE_EMAIL and DNSIMPLE_API_KEY.
|
||||||
func NewDNSProviderDNSimple(dnsimpleEmail, dnsimpleApiKey string) (*DNSProviderDNSimple, error) {
|
func NewDNSProviderDNSimple(dnsimpleEmail, dnsimpleAPIKey string) (*DNSProviderDNSimple, error) {
|
||||||
if dnsimpleEmail == "" || dnsimpleApiKey == "" {
|
if dnsimpleEmail == "" || dnsimpleAPIKey == "" {
|
||||||
dnsimpleEmail, dnsimpleApiKey = dnsimpleEnvAuth()
|
dnsimpleEmail, dnsimpleAPIKey = dnsimpleEnvAuth()
|
||||||
if dnsimpleEmail == "" || dnsimpleApiKey == "" {
|
if dnsimpleEmail == "" || dnsimpleAPIKey == "" {
|
||||||
return nil, fmt.Errorf("DNSimple credentials missing")
|
return nil, fmt.Errorf("DNSimple credentials missing")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
c := &DNSProviderDNSimple{
|
c := &DNSProviderDNSimple{
|
||||||
client: dnsimple.NewClient(dnsimpleApiKey, dnsimpleEmail),
|
client: dnsimple.NewClient(dnsimpleAPIKey, dnsimpleEmail),
|
||||||
}
|
}
|
||||||
|
|
||||||
return c, nil
|
return c, nil
|
||||||
|
|
|
@ -32,13 +32,14 @@ func NewDNSProviderRoute53(awsAccessKey, awsSecretKey, awsRegionName string) (*D
|
||||||
// - uses AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY and optionally AWS_SECURITY_TOKEN, if provided
|
// - uses AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY and optionally AWS_SECURITY_TOKEN, if provided
|
||||||
// - uses EC2 instance metadata credentials (http://169.254.169.254/latest/meta-data/…), if available
|
// - uses EC2 instance metadata credentials (http://169.254.169.254/latest/meta-data/…), if available
|
||||||
// ...and otherwise returns an error
|
// ...and otherwise returns an error
|
||||||
if auth, err := aws.GetAuth(awsAccessKey, awsSecretKey); err != nil {
|
auth, err := aws.GetAuth(awsAccessKey, awsSecretKey)
|
||||||
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
} else {
|
}
|
||||||
|
|
||||||
client := route53.New(auth, region)
|
client := route53.New(auth, region)
|
||||||
return &DNSProviderRoute53{client: client}, nil
|
return &DNSProviderRoute53{client: client}, nil
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// Present creates a TXT record using the specified parameters
|
// Present creates a TXT record using the specified parameters
|
||||||
func (r *DNSProviderRoute53) Present(domain, token, keyAuth string) error {
|
func (r *DNSProviderRoute53) Present(domain, token, keyAuth string) error {
|
||||||
|
@ -60,7 +61,7 @@ func (r *DNSProviderRoute53) changeRecord(action, fqdn, value string, ttl int) e
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
recordSet := newTXTRecordSet(fqdn, value, ttl)
|
recordSet := newTXTRecordSet(fqdn, value, ttl)
|
||||||
update := route53.Change{action, recordSet}
|
update := route53.Change{Action: action, Record: recordSet}
|
||||||
changes := []route53.Change{update}
|
changes := []route53.Change{update}
|
||||||
req := route53.ChangeResourceRecordSetsRequest{Comment: "Created by Lego", Changes: changes}
|
req := route53.ChangeResourceRecordSetsRequest{Comment: "Created by Lego", Changes: changes}
|
||||||
resp, err := r.client.ChangeResourceRecordSets(hostedZoneID, &req)
|
resp, err := r.client.ChangeResourceRecordSets(hostedZoneID, &req)
|
||||||
|
|
|
@ -65,9 +65,9 @@ var GetChangeAnswer = `<?xml version="1.0" encoding="UTF-8"?>
|
||||||
</GetChangeResponse>`
|
</GetChangeResponse>`
|
||||||
|
|
||||||
var serverResponseMap = testutil.ResponseMap{
|
var serverResponseMap = testutil.ResponseMap{
|
||||||
"/2013-04-01/hostedzone/": testutil.Response{200, nil, ListHostedZonesAnswer},
|
"/2013-04-01/hostedzone/": testutil.Response{Status: 200, Headers: nil, Body: ListHostedZonesAnswer},
|
||||||
"/2013-04-01/hostedzone/Z2K123214213123/rrset": testutil.Response{200, nil, ChangeResourceRecordSetsAnswer},
|
"/2013-04-01/hostedzone/Z2K123214213123/rrset": testutil.Response{Status: 200, Headers: nil, Body: ChangeResourceRecordSetsAnswer},
|
||||||
"/2013-04-01/change/asdf": testutil.Response{200, nil, GetChangeAnswer},
|
"/2013-04-01/change/asdf": testutil.Response{Status: 200, Headers: nil, Body: GetChangeAnswer},
|
||||||
}
|
}
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
|
@ -92,7 +92,7 @@ func makeRoute53TestServer() *testutil.HTTPServer {
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeRoute53Provider(server *testutil.HTTPServer) *DNSProviderRoute53 {
|
func makeRoute53Provider(server *testutil.HTTPServer) *DNSProviderRoute53 {
|
||||||
auth := aws.Auth{"abc", "123", ""}
|
auth := aws.Auth{AccessKey: "abc", SecretKey: "123", Token: ""}
|
||||||
client := route53.NewWithClient(auth, aws.Region{Route53Endpoint: server.URL}, testutil.DefaultClient)
|
client := route53.NewWithClient(auth, aws.Region{Route53Endpoint: server.URL}, testutil.DefaultClient)
|
||||||
return &DNSProviderRoute53{client: client}
|
return &DNSProviderRoute53{client: client}
|
||||||
}
|
}
|
||||||
|
|
|
@ -141,7 +141,7 @@ func TestCheckAuthoritativeNss(t *testing.T) {
|
||||||
for _, tt := range checkAuthoritativeNssTests {
|
for _, tt := range checkAuthoritativeNssTests {
|
||||||
ok, _ := checkAuthoritativeNss(tt.fqdn, tt.value, tt.ns)
|
ok, _ := checkAuthoritativeNss(tt.fqdn, tt.value, tt.ns)
|
||||||
if ok != tt.ok {
|
if ok != tt.ok {
|
||||||
t.Errorf("#%s: got %t; want %t", tt.fqdn, tt.ok)
|
t.Errorf("%s: got %t; want %t", tt.fqdn, tt.ok, tt.ok)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -174,7 +174,7 @@ func TestWaitForTimeout(t *testing.T) {
|
||||||
t.Fatal("timeout exceeded")
|
t.Fatal("timeout exceeded")
|
||||||
case err := <-c:
|
case err := <-c:
|
||||||
if err == nil {
|
if err == nil {
|
||||||
t.Errorf("expected timeout error; got <nil>", err)
|
t.Errorf("expected timeout error; got %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
10
acme/http.go
10
acme/http.go
|
@ -8,11 +8,15 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
"runtime"
|
"runtime"
|
||||||
"strings"
|
"strings"
|
||||||
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
// UserAgent (if non-empty) will be tacked onto the User-Agent string in requests.
|
// UserAgent (if non-empty) will be tacked onto the User-Agent string in requests.
|
||||||
var UserAgent string
|
var UserAgent string
|
||||||
|
|
||||||
|
// defaultClient is an HTTP client with a reasonable timeout value.
|
||||||
|
var defaultClient = http.Client{Timeout: 10 * time.Second}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// defaultGoUserAgent is the Go HTTP package user agent string. Too
|
// defaultGoUserAgent is the Go HTTP package user agent string. Too
|
||||||
// bad it isn't exported. If it changes, we should update it here, too.
|
// bad it isn't exported. If it changes, we should update it here, too.
|
||||||
|
@ -32,7 +36,7 @@ func httpHead(url string) (resp *http.Response, err error) {
|
||||||
|
|
||||||
req.Header.Set("User-Agent", userAgent())
|
req.Header.Set("User-Agent", userAgent())
|
||||||
|
|
||||||
resp, err = http.DefaultClient.Do(req)
|
resp, err = defaultClient.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return resp, err
|
return resp, err
|
||||||
}
|
}
|
||||||
|
@ -50,7 +54,7 @@ func httpPost(url string, bodyType string, body io.Reader) (resp *http.Response,
|
||||||
req.Header.Set("Content-Type", bodyType)
|
req.Header.Set("Content-Type", bodyType)
|
||||||
req.Header.Set("User-Agent", userAgent())
|
req.Header.Set("User-Agent", userAgent())
|
||||||
|
|
||||||
return http.DefaultClient.Do(req)
|
return defaultClient.Do(req)
|
||||||
}
|
}
|
||||||
|
|
||||||
// httpGet performs a GET request with a proper User-Agent string.
|
// httpGet performs a GET request with a proper User-Agent string.
|
||||||
|
@ -62,7 +66,7 @@ func httpGet(url string) (resp *http.Response, err error) {
|
||||||
}
|
}
|
||||||
req.Header.Set("User-Agent", userAgent())
|
req.Header.Set("User-Agent", userAgent())
|
||||||
|
|
||||||
return http.DefaultClient.Do(req)
|
return defaultClient.Do(req)
|
||||||
}
|
}
|
||||||
|
|
||||||
// getJSON performs an HTTP GET request and parses the response body
|
// getJSON performs an HTTP GET request and parses the response body
|
||||||
|
|
|
@ -25,6 +25,7 @@ func (c *Configuration) RsaBits() int {
|
||||||
return c.context.GlobalInt("rsa-key-size")
|
return c.context.GlobalInt("rsa-key-size")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ExcludedSolvers is a list of solvers that are to be excluded.
|
||||||
func (c *Configuration) ExcludedSolvers() (cc []acme.Challenge) {
|
func (c *Configuration) ExcludedSolvers() (cc []acme.Challenge) {
|
||||||
for _, s := range c.context.GlobalStringSlice("exclude") {
|
for _, s := range c.context.GlobalStringSlice("exclude") {
|
||||||
cc = append(cc, acme.Challenge(s))
|
cc = append(cc, acme.Challenge(s))
|
||||||
|
@ -39,6 +40,7 @@ func (c *Configuration) ServerPath() string {
|
||||||
return strings.Replace(srvStr, "/", string(os.PathSeparator), -1)
|
return strings.Replace(srvStr, "/", string(os.PathSeparator), -1)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CertPath gets the path for certificates.
|
||||||
func (c *Configuration) CertPath() string {
|
func (c *Configuration) CertPath() string {
|
||||||
return path.Join(c.context.GlobalString("path"), "certificates")
|
return path.Join(c.context.GlobalString("path"), "certificates")
|
||||||
}
|
}
|
||||||
|
@ -54,7 +56,7 @@ func (c *Configuration) AccountPath(acc string) string {
|
||||||
return path.Join(c.AccountsPath(), acc)
|
return path.Join(c.AccountsPath(), acc)
|
||||||
}
|
}
|
||||||
|
|
||||||
// AccountPath returns the OS dependent path to the keys of a particular account
|
// AccountKeysPath returns the OS dependent path to the keys of a particular account
|
||||||
func (c *Configuration) AccountKeysPath(acc string) string {
|
func (c *Configuration) AccountKeysPath(acc string) string {
|
||||||
return path.Join(c.AccountPath(acc), "keys")
|
return path.Join(c.AccountPath(acc), "keys")
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue