potyarkin/lego
1
0
Fork 0
forked from TrueCloudLab/lego
Code Pull requests Activity

Merge pull request #127 from xenolf/tweaks

Browse source 
Add go vet to the CI checks, fix vet errors and set default HTTP timeout to 10 seconds.
This commit is contained in:
xenolf 2016-02-15 00:02:11 +01:00
commit f1a1e081c8
11 changed files with 54 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
.travis.yml
View file

@ -4,3 +4,11 @@ go:
- 1.4.3 - 1.4.3
- 1.5.3 - 1.5.3
- tip - tip
install:
- go get -t ./...
- go get golang.org/x/tools/cmd/vet
script:
- go vet ./...
- go test -v ./...

1
acme/challenges.go
View file

@ -1,5 +1,6 @@
package acme package acme
// Challenge is a string that identifies a particular type and version of ACME challenge.
type Challenge string type Challenge string
const ( const (

23
acme/crypto.go
View file

@ -56,14 +56,22 @@ func GetOCSPForCert(bundle []byte) ([]byte, *ocsp.Response, error) {
return nil, nil, err return nil, nil, err
} }
// We only got one certificate, means we have no issuer certificate - get it. // We expect the certificate slice to be ordered downwards the chain.
// SRV CRT -> CA. We need to pull the leaf and issuer certs out of it,
// which should always be the first two certificates. If there's no
// OCSP server listed in the leaf cert, there's nothing to do. And if
// we have only one certificate so far, we need to get the issuer cert.
issuedCert := certificates[0]
if len(issuedCert.OCSPServer) == 0 {
return nil, nil, errors.New("no OCSP server specified in cert")
}
if len(certificates) == 1 { if len(certificates) == 1 {
// TODO: build fallback. If this fails, check the remaining array entries. // TODO: build fallback. If this fails, check the remaining array entries.
if len(certificates[0].IssuingCertificateURL) == 0 { if len(issuedCert.IssuingCertificateURL) == 0 {
return nil, nil, errors.New("no issuing certificate URL") return nil, nil, errors.New("no issuing certificate URL")
} }
resp, err := httpGet(certificates[0].IssuingCertificateURL[0]) resp, err := httpGet(issuedCert.IssuingCertificateURL[0])
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
@ -83,17 +91,8 @@ func GetOCSPForCert(bundle []byte) ([]byte, *ocsp.Response, error) {
// We want it ordered right SRV CRT -> CA // We want it ordered right SRV CRT -> CA
certificates = append(certificates, issuerCert) certificates = append(certificates, issuerCert)
} }
// We expect the certificate slice to be ordered downwards the chain.
// SRV CRT -> CA. We need to pull the cert and issuer cert out of it,
// which should always be the last two certificates.
issuedCert := certificates[0]
issuerCert := certificates[1] issuerCert := certificates[1]
if len(issuedCert.OCSPServer) == 0 {
return nil, nil, errors.New("no OCSP server specified in cert")
}
// Finally kick off the OCSP request. // Finally kick off the OCSP request.
ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil) ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)
if err != nil { if err != nil {

6
acme/dns_challenge.go
View file

@ -15,7 +15,7 @@ import (
type preCheckDNSFunc func(fqdn, value string) (bool, error) type preCheckDNSFunc func(fqdn, value string) (bool, error)
var preCheckDNS preCheckDNSFunc = checkDnsPropagation var preCheckDNS preCheckDNSFunc = checkDNSPropagation
var recursiveNameserver = "google-public-dns-a.google.com" var recursiveNameserver = "google-public-dns-a.google.com"
@ -75,8 +75,8 @@ func (s *dnsChallenge) Solve(chlng challenge, domain string) error {
return s.validate(s.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth}) return s.validate(s.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth})
} }
// checkDnsPropagation checks if the expected TXT record has been propagated to all authoritative nameservers. // checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
func checkDnsPropagation(fqdn, value string) (bool, error) { func checkDNSPropagation(fqdn, value string) (bool, error) {
// Initial attempt to resolve at the recursive NS // Initial attempt to resolve at the recursive NS
r, err := dnsQuery(fqdn, dns.TypeTXT, recursiveNameserver, true) r, err := dnsQuery(fqdn, dns.TypeTXT, recursiveNameserver, true)
if err != nil { if err != nil {

2
acme/dns_challenge_cloudflare.go
View file

@ -27,7 +27,7 @@ func NewDNSProviderCloudFlare(cloudflareEmail, cloudflareKey string) (*DNSProvid
} }
c := &DNSProviderCloudFlare{ c := &DNSProviderCloudFlare{
client: cloudflare.New(&cloudflare.Options{cloudflareEmail, cloudflareKey}), client: cloudflare.New(&cloudflare.Options{Email: cloudflareEmail, Key: cloudflareKey}),
ctx: context.Background(), ctx: context.Background(),
} }

10
acme/dns_challenge_dnsimple.go
View file

@ -16,16 +16,16 @@ type DNSProviderDNSimple struct {
// NewDNSProviderDNSimple returns a DNSProviderDNSimple instance with a configured dnsimple client. // NewDNSProviderDNSimple returns a DNSProviderDNSimple instance with a configured dnsimple client.
// Authentication is either done using the passed credentials or - when empty - using the environment // Authentication is either done using the passed credentials or - when empty - using the environment
// variables DNSIMPLE_EMAIL and DNSIMPLE_API_KEY. // variables DNSIMPLE_EMAIL and DNSIMPLE_API_KEY.
func NewDNSProviderDNSimple(dnsimpleEmail, dnsimpleApiKey string) (*DNSProviderDNSimple, error) { func NewDNSProviderDNSimple(dnsimpleEmail, dnsimpleAPIKey string) (*DNSProviderDNSimple, error) {
if dnsimpleEmail == "" || dnsimpleApiKey == "" { if dnsimpleEmail == "" || dnsimpleAPIKey == "" {
dnsimpleEmail, dnsimpleApiKey = dnsimpleEnvAuth() dnsimpleEmail, dnsimpleAPIKey = dnsimpleEnvAuth()
if dnsimpleEmail == "" || dnsimpleApiKey == "" { if dnsimpleEmail == "" || dnsimpleAPIKey == "" {
return nil, fmt.Errorf("DNSimple credentials missing") return nil, fmt.Errorf("DNSimple credentials missing")
} }
} }
c := &DNSProviderDNSimple{ c := &DNSProviderDNSimple{
client: dnsimple.NewClient(dnsimpleApiKey, dnsimpleEmail), client: dnsimple.NewClient(dnsimpleAPIKey, dnsimpleEmail),
} }
return c, nil return c, nil

9
acme/dns_challenge_route53.go
View file

@ -32,12 +32,13 @@ func NewDNSProviderRoute53(awsAccessKey, awsSecretKey, awsRegionName string) (*D
// - uses AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY and optionally AWS_SECURITY_TOKEN, if provided // - uses AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY and optionally AWS_SECURITY_TOKEN, if provided
// - uses EC2 instance metadata credentials (http://169.254.169.254/latest/meta-data/…), if available // - uses EC2 instance metadata credentials (http://169.254.169.254/latest/meta-data/…), if available
// ...and otherwise returns an error // ...and otherwise returns an error
if auth, err := aws.GetAuth(awsAccessKey, awsSecretKey); err != nil { auth, err := aws.GetAuth(awsAccessKey, awsSecretKey)
if err != nil {
return nil, err return nil, err
} else { }
client := route53.New(auth, region) client := route53.New(auth, region)
return &DNSProviderRoute53{client: client}, nil return &DNSProviderRoute53{client: client}, nil
}
} }
// Present creates a TXT record using the specified parameters // Present creates a TXT record using the specified parameters
@ -60,7 +61,7 @@ func (r *DNSProviderRoute53) changeRecord(action, fqdn, value string, ttl int) e
return err return err
} }
recordSet := newTXTRecordSet(fqdn, value, ttl) recordSet := newTXTRecordSet(fqdn, value, ttl)
update := route53.Change{action, recordSet} update := route53.Change{Action: action, Record: recordSet}
changes := []route53.Change{update} changes := []route53.Change{update}
req := route53.ChangeResourceRecordSetsRequest{Comment: "Created by Lego", Changes: changes} req := route53.ChangeResourceRecordSetsRequest{Comment: "Created by Lego", Changes: changes}
resp, err := r.client.ChangeResourceRecordSets(hostedZoneID, &req) resp, err := r.client.ChangeResourceRecordSets(hostedZoneID, &req)

8
acme/dns_challenge_route53_test.go
View file

@ -65,9 +65,9 @@ var GetChangeAnswer = `<?xml version="1.0" encoding="UTF-8"?>
</GetChangeResponse>` </GetChangeResponse>`
var serverResponseMap = testutil.ResponseMap{ var serverResponseMap = testutil.ResponseMap{
"/2013-04-01/hostedzone/": testutil.Response{200, nil, ListHostedZonesAnswer}, "/2013-04-01/hostedzone/": testutil.Response{Status: 200, Headers: nil, Body: ListHostedZonesAnswer},
"/2013-04-01/hostedzone/Z2K123214213123/rrset": testutil.Response{200, nil, ChangeResourceRecordSetsAnswer}, "/2013-04-01/hostedzone/Z2K123214213123/rrset": testutil.Response{Status: 200, Headers: nil, Body: ChangeResourceRecordSetsAnswer},
"/2013-04-01/change/asdf": testutil.Response{200, nil, GetChangeAnswer}, "/2013-04-01/change/asdf": testutil.Response{Status: 200, Headers: nil, Body: GetChangeAnswer},
} }
func init() { func init() {
@ -92,7 +92,7 @@ func makeRoute53TestServer() *testutil.HTTPServer {
} }
func makeRoute53Provider(server *testutil.HTTPServer) *DNSProviderRoute53 { func makeRoute53Provider(server *testutil.HTTPServer) *DNSProviderRoute53 {
auth := aws.Auth{"abc", "123", ""} auth := aws.Auth{AccessKey: "abc", SecretKey: "123", Token: ""}
client := route53.NewWithClient(auth, aws.Region{Route53Endpoint: server.URL}, testutil.DefaultClient) client := route53.NewWithClient(auth, aws.Region{Route53Endpoint: server.URL}, testutil.DefaultClient)
return &DNSProviderRoute53{client: client} return &DNSProviderRoute53{client: client}
} }

4
acme/dns_challenge_test.go
View file

@ -141,7 +141,7 @@ func TestCheckAuthoritativeNss(t *testing.T) {
for _, tt := range checkAuthoritativeNssTests { for _, tt := range checkAuthoritativeNssTests {
ok, _ := checkAuthoritativeNss(tt.fqdn, tt.value, tt.ns) ok, _ := checkAuthoritativeNss(tt.fqdn, tt.value, tt.ns)
if ok != tt.ok { if ok != tt.ok {
t.Errorf("#%s: got %t; want %t", tt.fqdn, tt.ok) t.Errorf("%s: got %t; want %t", tt.fqdn, tt.ok, tt.ok)
} }
} }
} }
@ -174,7 +174,7 @@ func TestWaitForTimeout(t *testing.T) {
t.Fatal("timeout exceeded") t.Fatal("timeout exceeded")
case err := <-c: case err := <-c:
if err == nil { if err == nil {
t.Errorf("expected timeout error; got <nil>", err) t.Errorf("expected timeout error; got %v", err)
} }
} }
} }

10
acme/http.go
View file

@ -8,11 +8,15 @@ import (
"net/http" "net/http"
"runtime" "runtime"
"strings" "strings"
"time"
) )
// UserAgent (if non-empty) will be tacked onto the User-Agent string in requests. // UserAgent (if non-empty) will be tacked onto the User-Agent string in requests.
var UserAgent string var UserAgent string
// defaultClient is an HTTP client with a reasonable timeout value.
var defaultClient = http.Client{Timeout: 10 * time.Second}
const ( const (
// defaultGoUserAgent is the Go HTTP package user agent string. Too // defaultGoUserAgent is the Go HTTP package user agent string. Too
// bad it isn't exported. If it changes, we should update it here, too. // bad it isn't exported. If it changes, we should update it here, too.
@ -32,7 +36,7 @@ func httpHead(url string) (resp *http.Response, err error) {
req.Header.Set("User-Agent", userAgent()) req.Header.Set("User-Agent", userAgent())
resp, err = http.DefaultClient.Do(req) resp, err = defaultClient.Do(req)
if err != nil { if err != nil {
return resp, err return resp, err
} }
@ -50,7 +54,7 @@ func httpPost(url string, bodyType string, body io.Reader) (resp *http.Response,
req.Header.Set("Content-Type", bodyType) req.Header.Set("Content-Type", bodyType)
req.Header.Set("User-Agent", userAgent()) req.Header.Set("User-Agent", userAgent())
return http.DefaultClient.Do(req) return defaultClient.Do(req)
} }
// httpGet performs a GET request with a proper User-Agent string. // httpGet performs a GET request with a proper User-Agent string.
@ -62,7 +66,7 @@ func httpGet(url string) (resp *http.Response, err error) {
} }
req.Header.Set("User-Agent", userAgent()) req.Header.Set("User-Agent", userAgent())
return http.DefaultClient.Do(req) return defaultClient.Do(req)
} }
// getJSON performs an HTTP GET request and parses the response body // getJSON performs an HTTP GET request and parses the response body

4
configuration.go
View file

@ -25,6 +25,7 @@ func (c *Configuration) RsaBits() int {
return c.context.GlobalInt("rsa-key-size") return c.context.GlobalInt("rsa-key-size")
} }
// ExcludedSolvers is a list of solvers that are to be excluded.
func (c *Configuration) ExcludedSolvers() (cc []acme.Challenge) { func (c *Configuration) ExcludedSolvers() (cc []acme.Challenge) {
for _, s := range c.context.GlobalStringSlice("exclude") { for _, s := range c.context.GlobalStringSlice("exclude") {
cc = append(cc, acme.Challenge(s)) cc = append(cc, acme.Challenge(s))
@ -39,6 +40,7 @@ func (c *Configuration) ServerPath() string {
return strings.Replace(srvStr, "/", string(os.PathSeparator), -1) return strings.Replace(srvStr, "/", string(os.PathSeparator), -1)
} }
// CertPath gets the path for certificates.
func (c *Configuration) CertPath() string { func (c *Configuration) CertPath() string {
return path.Join(c.context.GlobalString("path"), "certificates") return path.Join(c.context.GlobalString("path"), "certificates")
} }
@ -54,7 +56,7 @@ func (c *Configuration) AccountPath(acc string) string {
return path.Join(c.AccountsPath(), acc) return path.Join(c.AccountsPath(), acc)
} }
// AccountPath returns the OS dependent path to the keys of a particular account // AccountKeysPath returns the OS dependent path to the keys of a particular account
func (c *Configuration) AccountKeysPath(acc string) string { func (c *Configuration) AccountKeysPath(acc string) string {
return path.Join(c.AccountPath(acc), "keys") return path.Join(c.AccountPath(acc), "keys")
} }