func TestAddCertificate(t *testing.T) { // Enable the feature for the `CertStatusOptimizationsMigrated` flag so that // adding a new certificate will populate the `certificateStatus.NotAfter` // field correctly. This will let the unit test assertion for `NotAfter` // pass provided everything is working as intended. Note: this must be done // **before** the DbMap is created in `initSA()` or the feature flag won't be // set correctly at the time the table maps are set up. _ = features.Set(map[string]bool{"CertStatusOptimizationsMigrated": true}) defer features.Reset() sa, _, cleanUp := initSA(t) defer cleanUp() reg := satest.CreateWorkingRegistration(t, sa) // An example cert taken from EFF's website certDER, err := ioutil.ReadFile("www.eff.org.der") test.AssertNotError(t, err, "Couldn't read example cert DER") digest, err := sa.AddCertificate(ctx, certDER, reg.ID) test.AssertNotError(t, err, "Couldn't add www.eff.org.der") test.AssertEquals(t, digest, "qWoItDZmR4P9eFbeYgXXP3SR4ApnkQj8x4LsB_ORKBo") retrievedCert, err := sa.GetCertificate(ctx, "000000000000000000000000000000021bd4") test.AssertNotError(t, err, "Couldn't get www.eff.org.der by full serial") test.AssertByteEquals(t, certDER, retrievedCert.DER) certificateStatus, err := sa.GetCertificateStatus(ctx, "000000000000000000000000000000021bd4") test.AssertNotError(t, err, "Couldn't get status for www.eff.org.der") test.Assert(t, !certificateStatus.SubscriberApproved, "SubscriberApproved should be false") test.Assert(t, certificateStatus.Status == core.OCSPStatusGood, "OCSP Status should be good") test.Assert(t, certificateStatus.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil") test.AssertEquals(t, certificateStatus.NotAfter, retrievedCert.Expires) // Test cert generated locally by Boulder / CFSSL, names [example.com, // www.example.com, admin.example.com] certDER2, err := ioutil.ReadFile("test-cert.der") test.AssertNotError(t, err, "Couldn't read example cert DER") serial := "ffdd9b8a82126d96f61d378d5ba99a0474f0" digest2, err := sa.AddCertificate(ctx, certDER2, reg.ID) test.AssertNotError(t, err, "Couldn't add test-cert.der") test.AssertEquals(t, digest2, "vrlPN5wIPME1D2PPsCy-fGnTWh8dMyyYQcXPRkjHAQI") retrievedCert2, err := sa.GetCertificate(ctx, serial) test.AssertNotError(t, err, "Couldn't get test-cert.der") test.AssertByteEquals(t, certDER2, retrievedCert2.DER) certificateStatus2, err := sa.GetCertificateStatus(ctx, serial) test.AssertNotError(t, err, "Couldn't get status for test-cert.der") test.Assert(t, !certificateStatus2.SubscriberApproved, "SubscriberApproved should be false") test.Assert(t, certificateStatus2.Status == core.OCSPStatusGood, "OCSP Status should be good") test.Assert(t, certificateStatus2.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil") }
func TestDeactivateAccount(t *testing.T) { _ = features.Set(map[string]bool{"AllowAccountDeactivation": true}) defer features.Reset() sa, _, cleanUp := initSA(t) defer cleanUp() reg := satest.CreateWorkingRegistration(t, sa) err := sa.DeactivateRegistration(context.Background(), reg.ID) test.AssertNotError(t, err, "DeactivateRegistration failed") dbReg, err := sa.GetRegistration(context.Background(), reg.ID) test.AssertNotError(t, err, "GetRegistration failed") test.AssertEquals(t, dbReg.Status, core.StatusDeactivated) }
func TestModelToRegistrationNilContact(t *testing.T) { _ = features.Set(map[string]bool{"AllowAccountDeactivation": true}) defer features.Reset() reg, err := modelToRegistration(®Modelv2{ regModelv1: regModelv1{ Key: []byte(`{"kty":"RSA","n":"AQAB","e":"AQAB"}`), Contact: nil, }}) if err != nil { t.Errorf("Got error from modelToRegistration: %s", err) } if reg.Contact == nil { t.Errorf("Expected non-nil Contact field, got %#v", reg.Contact) } if len(*reg.Contact) != 0 { t.Errorf("Expected empty Contact field, got %#v", reg.Contact) } }
func TestWillingToIssue(t *testing.T) { testCases := []struct { domain string err error }{ {``, errEmptyName}, // Empty name {`zomb!.com`, errInvalidDNSCharacter}, // ASCII character out of range {`[email protected]`, errInvalidDNSCharacter}, {`user:[email protected]`, errInvalidDNSCharacter}, {`zömbo.com`, errInvalidDNSCharacter}, // non-ASCII character {`127.0.0.1`, errIPAddress}, // IPv4 address {`fe80::1:1`, errInvalidDNSCharacter}, // IPv6 addresses {`[2001:db8:85a3:8d3:1319:8a2e:370:7348]`, errInvalidDNSCharacter}, // unexpected IPv6 variants {`[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443`, errInvalidDNSCharacter}, {`2001:db8::/32`, errInvalidDNSCharacter}, {`a.b.c.d.e.f.g.h.i.j.k`, errTooManyLabels}, // Too many labels (>10) {`www.0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345.com`, errNameTooLong}, // Too long (254 characters) {`www.abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz.com`, errLabelTooLong}, // Label too long (>63 characters) {`www.-ombo.com`, errInvalidDNSCharacter}, // Label starts with '-' {`www.zomb-.com`, errInvalidDNSCharacter}, // Label ends with '-' {`xn--.net`, errInvalidDNSCharacter}, // Label ends with '-' {`0`, errTooFewLabels}, {`1`, errTooFewLabels}, {`*`, errInvalidDNSCharacter}, {`**`, errInvalidDNSCharacter}, {`*.*`, errInvalidDNSCharacter}, {`zombo*com`, errInvalidDNSCharacter}, {`*.com`, errInvalidDNSCharacter}, {`*.zombo.com`, errInvalidDNSCharacter}, {`..a`, errLabelTooShort}, {`a..a`, errLabelTooShort}, {`.a..a`, errLabelTooShort}, {`..foo.com`, errLabelTooShort}, {`.`, errNameEndsInDot}, {`..`, errNameEndsInDot}, {`a..`, errNameEndsInDot}, {`.....`, errNameEndsInDot}, {`.a.`, errNameEndsInDot}, {`www.zombo.com.`, errNameEndsInDot}, {`www.zombo_com.com`, errInvalidDNSCharacter}, {`\uFEFF`, errInvalidDNSCharacter}, // Byte order mark {`\uFEFFwww.zombo.com`, errInvalidDNSCharacter}, {`www.zom\u202Ebo.com`, errInvalidDNSCharacter}, // Right-to-Left Override {`\u202Ewww.zombo.com`, errInvalidDNSCharacter}, {`www.zom\u200Fbo.com`, errInvalidDNSCharacter}, // Right-to-Left Mark {`\u200Fwww.zombo.com`, errInvalidDNSCharacter}, // Underscores are technically disallowed in DNS. Some DNS // implementations accept them but we will be conservative. {`www.zom_bo.com`, errInvalidDNSCharacter}, {`zombocom`, errTooFewLabels}, {`localhost`, errTooFewLabels}, {`mail`, errTooFewLabels}, // disallow capitalized letters for #927 {`CapitalizedLetters.com`, errInvalidDNSCharacter}, {`example.acting`, errNonPublic}, {`example.internal`, errNonPublic}, // All-numeric final label not okay. {`www.zombo.163`, errNonPublic}, } shouldBeTLDError := []string{ `co.uk`, `foo.bn`, } shouldBeBlacklisted := []string{ `highvalue.website1.org`, `website2.co.uk`, `www.website3.com`, `lots.of.labels.website4.com`, } blacklistContents := []string{ `website2.com`, `website2.org`, `website2.co.uk`, `website3.com`, `website4.com`, } exactBlacklistContents := []string{ `www.website1.org`, `highvalue.website1.org`, `dl.website1.org`, } shouldBeAccepted := []string{ `lowvalue.website1.org`, `website4.sucks`, "www.unrelated.com", "unrelated.com", "www.8675309.com", "8675309.com", "web5ite2.com", "www.web-site2.com", } pa := paImpl(t) blacklistBytes, err := json.Marshal(blacklistJSON{ Blacklist: blacklistContents, ExactBlacklist: exactBlacklistContents, }) test.AssertNotError(t, err, "Couldn't serialize blacklist") f, _ := ioutil.TempFile("", "test-blacklist.txt") defer os.Remove(f.Name()) err = ioutil.WriteFile(f.Name(), blacklistBytes, 0640) test.AssertNotError(t, err, "Couldn't write blacklist") err = pa.SetHostnamePolicyFile(f.Name()) test.AssertNotError(t, err, "Couldn't load rules") // Test for invalid identifier type identifier := core.AcmeIdentifier{Type: "ip", Value: "example.com"} err = pa.WillingToIssue(identifier) if err != errInvalidIdentifier { t.Error("Identifier was not correctly forbidden: ", identifier) } // Test syntax errors for _, tc := range testCases { identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: tc.domain} err := pa.WillingToIssue(identifier) if err != tc.err { t.Errorf("WillingToIssue(%q) = %q, expected %q", tc.domain, err, tc.err) } } // Test IDNs err = pa.WillingToIssue(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "www.xn--mnich-kva.com"}) test.AssertError(t, err, "WillingToIssue didn't fail on a IDN with features.IDNASupport disabled") _ = features.Set(map[string]bool{"IDNASupport": true}) // Invalid encoding err = pa.WillingToIssue(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "www.xn--m.com"}) test.AssertError(t, err, "WillingToIssue didn't fail on a malformed IDN") // Valid encoding err = pa.WillingToIssue(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "www.xn--mnich-kva.com"}) test.AssertNotError(t, err, "WillingToIssue failed on a properly formed IDN") // IDN TLD err = pa.WillingToIssue(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "xn--example--3bhk5a.xn--p1ai"}) test.AssertNotError(t, err, "WillingToIssue failed on a properly formed domain with IDN TLD") features.Reset() // Test domains that are equal to public suffixes for _, domain := range shouldBeTLDError { identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: domain} err := pa.WillingToIssue(identifier) if err != errICANNTLD { t.Error("Identifier was not correctly forbidden: ", identifier, err) } } // Test blacklisting for _, domain := range shouldBeBlacklisted { identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: domain} err := pa.WillingToIssue(identifier) if err != errBlacklisted { t.Error("Identifier was not correctly forbidden: ", identifier, err) } } // Test acceptance of good names for _, domain := range shouldBeAccepted { identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: domain} if err := pa.WillingToIssue(identifier); err != nil { t.Error("Identifier was incorrectly forbidden: ", identifier, err) } } }