func TestCheckpointIntervalOK(t *testing.T) { // Test a number of intervals know to be OK, ensure that no error is // produced when calling `ok()`. okCases := []struct { testInterval interval }{ {interval{}}, {interval{start: 10}}, {interval{end: 10}}, {interval{start: 10, end: 15}}, } for _, testcase := range okCases { err := testcase.testInterval.ok() test.AssertNotError(t, err, "valid interval produced ok() error") } // Test a number of intervals known to be invalid, ensure that the produced // error has the expected message. failureCases := []struct { testInterval interval expectedError string }{ {interval{start: -1}, "interval start (-1) and end (0) must both be positive integers"}, {interval{end: -1}, "interval start (0) and end (-1) must both be positive integers"}, {interval{start: -1, end: -1}, "interval start (-1) and end (-1) must both be positive integers"}, {interval{start: 999, end: 10}, "interval start value (999) is greater than end value (10)"}, } for _, testcase := range failureCases { err := testcase.testInterval.ok() test.AssertNotNil(t, err, fmt.Sprintf("Invalid interval %#v was ok", testcase.testInterval)) test.AssertEquals(t, err.Error(), testcase.expectedError) } }
func TestDNSValidationNoAuthorityOK(t *testing.T) { stats, _ := statsd.NewNoopClient() va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default()) va.DNSResolver = &bdns.MockDNSResolver{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA // create a challenge with well known token chalDNS := core.DNSChallenge01(accountKey) chalDNS.Token = expectedToken keyAuthorization, _ := core.NewKeyAuthorization(chalDNS.Token, accountKey) chalDNS.KeyAuthorization = &keyAuthorization goodIdent := core.AcmeIdentifier{ Type: core.IdentifierDNS, Value: "no-authority-dns01.com", } var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: goodIdent, Challenges: []core.Challenge{chalDNS}, } va.validate(context.Background(), authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusValid, "Should be valid.") }
func TestDNSValidationInvalid(t *testing.T) { var notDNS = core.AcmeIdentifier{ Type: core.IdentifierType("iris"), Value: "790DB180-A274-47A4-855F-31C428CB1072", } chalDNS := core.DNSChallenge01(accountKey) var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: notDNS, Challenges: []core.Challenge{chalDNS}, } stats, _ := statsd.NewNoopClient() va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default()) va.DNSResolver = &mocks.DNSResolver{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA va.validate(authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, core.MalformedProblem) }
func TestDNSValidationInvalid(t *testing.T) { var notDNS = core.AcmeIdentifier{ Type: core.IdentifierType("iris"), Value: "790DB180-A274-47A4-855F-31C428CB1072", } chalDNS := core.DNSChallenge() var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: notDNS, Challenges: []core.Challenge{chalDNS}, } va := NewValidationAuthorityImpl(true) va.DNSResolver = core.NewDNSResolver(time.Second*5, []string{"8.8.8.8:53"}) mockRA := &MockRegistrationAuthority{} va.RA = mockRA va.validate(authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, core.MalformedProblem) }
func TestDNSValidationOK(t *testing.T) { stats := mocks.NewStatter() va := NewValidationAuthorityImpl(&cmd.PortConfig{}, nil, nil, stats, clock.Default()) va.DNSResolver = &bdns.MockDNSResolver{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA // create a challenge with well known token chalDNS := core.DNSChallenge01(accountKey) chalDNS.Token = expectedToken chalDNS.ProvidedKeyAuthorization, _ = chalDNS.ExpectedKeyAuthorization() goodIdent := core.AcmeIdentifier{ Type: core.IdentifierDNS, Value: "good-dns01.com", } var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: goodIdent, Challenges: []core.Challenge{chalDNS}, } va.validate(ctx, authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusValid, "Should be valid.") test.AssertEquals(t, stats.TimingDurationCalls[0].Metric, "VA.Validations.dns-01.valid") }
func TestDNSValidationServFail(t *testing.T) { stats, _ := statsd.NewNoopClient() va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default()) va.DNSResolver = &mocks.DNSResolver{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := createChallenge(core.ChallengeTypeDNS01) badIdent := core.AcmeIdentifier{ Type: core.IdentifierDNS, Value: "servfail.com", } var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: badIdent, Challenges: []core.Challenge{chalDNS}, } va.validate(authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, core.ConnectionProblem) }
func TestSingleton(t *testing.T) { t.Parallel() log1 := GetAuditLogger() test.AssertNotNil(t, log1, "Logger shouldn't be nil") log2 := GetAuditLogger() test.AssertEquals(t, log1, log2) writer, err := syslog.New(syslog.LOG_EMERG|syslog.LOG_KERN, "tag") test.AssertNotError(t, err, "Could not construct syslog object") stats, _ := statsd.NewNoopClient(nil) log3, err := NewAuditLogger(writer, stats) test.AssertNotError(t, err, "Could not construct audit logger") // Should not work err = SetAuditLogger(log3) test.AssertError(t, err, "Can't re-set") // Verify no change log4 := GetAuditLogger() // Verify that log4 != log3 test.AssertNotEquals(t, log4, log3) // Verify that log4 == log2 == log1 test.AssertEquals(t, log4, log2) test.AssertEquals(t, log4, log1) }
func TestGenerateOCSP(t *testing.T) { mock := &MockRPCClient{} client, err := NewCertificateAuthorityClient(mock) test.AssertNotError(t, err, "Client construction") test.AssertNotNil(t, client, "Client construction") req := core.OCSPSigningRequest{ // nope } mock.NextResp = []byte{} _, err = client.GenerateOCSP(req) test.AssertError(t, err, "Should have failed at signer") }
func TestDNSValidationNoServer(t *testing.T) { va := NewValidationAuthorityImpl(true) va.DNSResolver = core.NewDNSResolver(time.Second*5, []string{}) mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := core.DNSChallenge() var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: ident, Challenges: []core.Challenge{chalDNS}, } va.validate(authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, core.ServerInternalProblem) }
func TestDNSValidationNoServer(t *testing.T) { stats, _ := statsd.NewNoopClient() va := NewValidationAuthorityImpl(&PortConfig{}, stats, clock.Default()) va.DNSResolver = core.NewTestDNSResolverImpl(time.Second*5, []string{}) mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := createChallenge(core.ChallengeTypeDNS01) var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: ident, Challenges: []core.Challenge{chalDNS}, } va.validate(authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, core.ConnectionProblem) }
func TestDNSValidationFailure(t *testing.T) { va := NewValidationAuthorityImpl(true) va.DNSResolver = &mocks.MockDNS{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := createChallenge(core.ChallengeTypeDNS) var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: ident, Challenges: []core.Challenge{chalDNS}, } va.validate(authz, 0, AccountKey) t.Logf("Resulting Authz: %+v", authz) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, core.UnauthorizedProblem) }
func TestRANewRegistration(t *testing.T) { mock := &MockRPCClient{} client, err := NewRegistrationAuthorityClient(mock) test.AssertNotError(t, err, "Client construction") test.AssertNotNil(t, client, "Client construction") var jwk jose.JsonWebKey json.Unmarshal([]byte(JWK1JSON), &jwk) reg := core.Registration{ ID: 1, Key: jwk, } _, err = client.NewRegistration(reg) test.AssertNotError(t, err, "Updated Registration") test.Assert(t, len(mock.LastBody) > 0, "Didn't send Registration") test.AssertEquals(t, "NewRegistration", mock.LastMethod) t.Logf("LastMethod: %v", mock.LastMethod) t.Logf("LastBody: %v", mock.LastBody) }
func TestDNSValidationFailure(t *testing.T) { stats, _ := statsd.NewNoopClient() va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default()) va.DNSResolver = &bdns.MockDNSResolver{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := createChallenge(core.ChallengeTypeDNS01) var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: ident, Challenges: []core.Challenge{chalDNS}, } va.validate(context.Background(), authz, 0) t.Logf("Resulting Authz: %+v", authz) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, probs.UnauthorizedProblem) }
func TestDNSValidationFailure(t *testing.T) { stats := mocks.NewStatter() va := NewValidationAuthorityImpl(&cmd.PortConfig{}, nil, nil, stats, clock.Default()) va.DNSResolver = &bdns.MockDNSResolver{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := createChallenge(core.ChallengeTypeDNS01) var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: ident, Challenges: []core.Challenge{chalDNS}, } va.validate(ctx, authz, 0) t.Logf("Resulting Authz: %+v", authz) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, probs.UnauthorizedProblem) test.AssertEquals(t, stats.TimingDurationCalls[0].Metric, "VA.Validations.dns-01.invalid") }
func TestSingleton(t *testing.T) { t.Parallel() log1 := Get() test.AssertNotNil(t, log1, "Logger shouldn't be nil") log2 := Get() test.AssertEquals(t, log1, log2) audit := setup(t) // Should not work err := Set(audit) test.AssertError(t, err, "Can't re-set") // Verify no change log4 := Get() // Verify that log4 != log3 test.AssertNotEquals(t, log4, audit) // Verify that log4 == log2 == log1 test.AssertEquals(t, log4, log2) test.AssertEquals(t, log4, log1) }
func TestDNSValidationBadDNSSEC(t *testing.T) { va := NewValidationAuthorityImpl(true) va.DNSResolver = core.NewDNSResolver(time.Second*5, []string{"8.8.8.8:53"}) mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := core.DNSChallenge() badDNSSEC := core.AcmeIdentifier{ Type: core.IdentifierDNS, Value: "dnssec-failed.org", } var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: badDNSSEC, Challenges: []core.Challenge{chalDNS}, } va.validate(authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, core.DNSSECProblem) }
func TestDNSValidationServFail(t *testing.T) { va := NewValidationAuthorityImpl(true) va.DNSResolver = &mocks.MockDNS{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := createChallenge(core.ChallengeTypeDNS) badIdent := core.AcmeIdentifier{ Type: core.IdentifierDNS, Value: "servfail.com", } var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: badIdent, Challenges: []core.Challenge{chalDNS}, } va.validate(authz, 0, AccountKey) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, core.ConnectionProblem) }
func TestHTTPRedirectLookup(t *testing.T) { chall := core.HTTPChallenge01() setChallengeToken(&chall, expectedToken) hs := httpSrv(t, expectedToken) defer hs.Close() port, err := getPort(hs) test.AssertNotError(t, err, "failed to get test server port") va, _, log := setup() va.httpPort = port setChallengeToken(&chall, pathMoved) _, prob := va.validateHTTP01(ctx, ident, chall) if prob != nil { t.Fatalf("Unexpected failure in redirect (%s): %s", pathMoved, prob) } test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/`+pathMoved+`" to ".*/`+pathValid+`"`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 2) log.Clear() setChallengeToken(&chall, pathFound) _, prob = va.validateHTTP01(ctx, ident, chall) if prob != nil { t.Fatalf("Unexpected failure in redirect (%s): %s", pathFound, prob) } test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/`+pathFound+`" to ".*/`+pathMoved+`"`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/`+pathMoved+`" to ".*/`+pathValid+`"`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 3) log.Clear() setChallengeToken(&chall, pathReLookupInvalid) _, err = va.validateHTTP01(ctx, ident, chall) test.AssertError(t, err, chall.Token) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`No valid IP addresses found for invalid.invalid`)), 1) log.Clear() setChallengeToken(&chall, pathReLookup) _, prob = va.validateHTTP01(ctx, ident, chall) if prob != nil { t.Fatalf("Unexpected error in redirect (%s): %s", pathReLookup, prob) } test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/`+pathReLookup+`" to ".*other.valid:\d+/path"`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for other.valid \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1) log.Clear() setChallengeToken(&chall, pathRedirectPort) _, err = va.validateHTTP01(ctx, ident, chall) test.AssertError(t, err, chall.Token) test.AssertEquals(t, len(log.GetAllMatching(`redirect from ".*/port-redirect" to ".*other.valid:8080/path"`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for localhost \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1) test.AssertEquals(t, len(log.GetAllMatching(`Resolved addresses for other.valid \[using 127.0.0.1\]: \[127.0.0.1\]`)), 1) // This case will redirect from a valid host to a host that is throwing // HTTP 500 errors. The test case is ensuring that the connection error // is referencing the redirected to host, instead of the original host. log.Clear() setChallengeToken(&chall, pathRedirectToFailingURL) _, prob = va.validateHTTP01(ctx, ident, chall) test.AssertNotNil(t, prob, "Problem Details should not be nil") test.AssertEquals(t, prob.Detail, "Could not connect to other.valid") }