func TestDNSValidationNotSane(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
chal0 := core.DNSChallenge01(accountKey)
chal0.Token = ""
chal1 := core.DNSChallenge01(accountKey)
chal1.Token = "yfCBb-bRTLz8Wd1C0lTUQK3qlKj3-t2tYGwx5Hj7r_"
chal2 := core.DNSChallenge01(accountKey)
chal2.TLS = new(bool)
*chal2.TLS = true
var authz = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: ident,
Challenges: []core.Challenge{chal0, chal1, chal2},
}
for i := 0; i < len(authz.Challenges); i++ {
va.validate(authz, i)
test.AssertEquals(t, authz.Challenges[i].Status, core.StatusInvalid)
test.AssertEquals(t, authz.Challenges[i].Error.Type, core.MalformedProblem)
}
}
func TestDNSValidationNotSane(t *testing.T) {
va, _, _ := setup()
chal0 := core.DNSChallenge01()
chal0.Token = ""
chal1 := core.DNSChallenge01()
chal1.Token = "yfCBb-bRTLz8Wd1C0lTUQK3qlKj3-t2tYGwx5Hj7r_"
chal2 := core.DNSChallenge01()
chal2.ProvidedKeyAuthorization = ""
var authz = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: ident,
Challenges: []core.Challenge{chal0, chal1, chal2},
}
for i := 0; i < len(authz.Challenges); i++ {
_, prob := va.validateChallenge(ctx, ident, authz.Challenges[i])
if prob.Type != probs.MalformedProblem {
t.Errorf("Got wrong error type for %d: expected %s, got %s",
i, prob.Type, probs.MalformedProblem)
}
if !strings.Contains(prob.Error(), "Challenge failed sanity check.") {
t.Errorf("Got wrong error: %s", prob.Error())
}
}
}
func TestDNSValidationNotSane(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&cmd.PortConfig{}, nil, nil, stats, clock.Default())
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
chal0 := core.DNSChallenge01(accountKey)
chal0.Token = ""
chal1 := core.DNSChallenge01(accountKey)
chal1.Token = "yfCBb-bRTLz8Wd1C0lTUQK3qlKj3-t2tYGwx5Hj7r_"
chal2 := core.DNSChallenge01(accountKey)
chal2.ProvidedKeyAuthorization = ""
chal3 := core.DNSChallenge01(accountKey)
chal3.ProvidedKeyAuthorization = "a.a"
var authz = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: ident,
Challenges: []core.Challenge{chal0, chal1, chal2, chal3},
}
for i := 0; i < len(authz.Challenges); i++ {
va.validate(ctx, authz, i)
test.AssertEquals(t, authz.Challenges[i].Status, core.StatusInvalid)
test.AssertEquals(t, authz.Challenges[i].Error.Type, probs.MalformedProblem)
if !strings.Contains(authz.Challenges[i].Error.Error(), "Challenge failed sanity check.") {
t.Errorf("Got wrong error: %s", authz.Challenges[i].Error)
}
}
}
// TestDNSValidationLive is an integration test, depending on
// the existance of some Internet resources. Because of that,
// it asserts nothing; it is intended for coverage.
func TestDNSValidationLive(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
goodChalDNS := core.DNSChallenge01(accountKey)
// This token is set at _acme-challenge.good.bin.coffee
goodChalDNS.Token = "yfCBb-bRTLz8Wd1C0lTUQK3qlKj3-t2tYGwx5Hj7r_w"
var goodIdent = core.AcmeIdentifier{
Type: core.IdentifierDNS,
Value: "good.bin.coffee",
}
var badIdent = core.AcmeIdentifier{
Type: core.IdentifierType("dns"),
Value: "bad.bin.coffee",
}
var authzGood = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: goodIdent,
Challenges: []core.Challenge{goodChalDNS},
}
va.validate(authzGood, 0)
if authzGood.Challenges[0].Status != core.StatusValid {
t.Logf("TestDNSValidationLive on Good did not succeed.")
}
badChalDNS := core.DNSChallenge01(accountKey)
// This token is NOT set at _acme-challenge.bad.bin.coffee
badChalDNS.Token = "yfCBb-bRTLz8Wd1C0lTUQK3qlKj3-t2tYGwx5Hj7r_w"
var authzBad = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: badIdent,
Challenges: []core.Challenge{badChalDNS},
}
va.validate(authzBad, 0)
if authzBad.Challenges[0].Status != core.StatusInvalid {
t.Logf("TestDNSValidationLive on Bad did succeed inappropriately.")
}
}
func TestDNSValidationInvalid(t *testing.T) {
var notDNS = core.AcmeIdentifier{
Type: core.IdentifierType("iris"),
Value: "790DB180-A274-47A4-855F-31C428CB1072",
}
chalDNS := core.DNSChallenge01(accountKey)
var authz = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: notDNS,
Challenges: []core.Challenge{chalDNS},
}
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &mocks.DNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
va.validate(authz, 0)
test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization")
test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.")
test.AssertEquals(t, authz.Challenges[0].Error.Type, core.MalformedProblem)
}
func TestDNSValidationNoAuthorityOK(t *testing.T) {
stats, _ := statsd.NewNoopClient()
va := NewValidationAuthorityImpl(&PortConfig{}, nil, stats, clock.Default())
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
// create a challenge with well known token
chalDNS := core.DNSChallenge01(accountKey)
chalDNS.Token = expectedToken
keyAuthorization, _ := core.NewKeyAuthorization(chalDNS.Token, accountKey)
chalDNS.KeyAuthorization = &keyAuthorization
goodIdent := core.AcmeIdentifier{
Type: core.IdentifierDNS,
Value: "no-authority-dns01.com",
}
var authz = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: goodIdent,
Challenges: []core.Challenge{chalDNS},
}
va.validate(context.Background(), authz, 0)
test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization")
test.Assert(t, authz.Challenges[0].Status == core.StatusValid, "Should be valid.")
}
// ChallengesFor makes a decision of what challenges, and combinations, are
// acceptable for the given identifier.
//
// Note: Current implementation is static, but future versions may not be.
func (pa *AuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier) ([]core.Challenge, [][]int) {
challenges := []core.Challenge{}
if pa.enabledChallenges[core.ChallengeTypeHTTP01] {
challenges = append(challenges, core.HTTPChallenge01())
}
if pa.enabledChallenges[core.ChallengeTypeTLSSNI01] {
challenges = append(challenges, core.TLSSNIChallenge01())
}
if pa.enabledChallenges[core.ChallengeTypeDNS01] {
challenges = append(challenges, core.DNSChallenge01())
}
// We shuffle the challenges and combinations to prevent ACME clients from
// relying on the specific order that boulder returns them in.
shuffled := make([]core.Challenge, len(challenges))
combinations := make([][]int, len(challenges))
for i, challIdx := range pa.pseudoRNG.Perm(len(challenges)) {
shuffled[i] = challenges[challIdx]
combinations[i] = []int{i}
}
shuffledCombos := make([][]int, len(combinations))
for i, comboIdx := range pa.pseudoRNG.Perm(len(combinations)) {
shuffledCombos[i] = combinations[comboIdx]
}
return shuffled, shuffledCombos
}
func TestDNSValidationOK(t *testing.T) {
stats := mocks.NewStatter()
va := NewValidationAuthorityImpl(&cmd.PortConfig{}, nil, nil, stats, clock.Default())
va.DNSResolver = &bdns.MockDNSResolver{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
// create a challenge with well known token
chalDNS := core.DNSChallenge01(accountKey)
chalDNS.Token = expectedToken
chalDNS.ProvidedKeyAuthorization, _ = chalDNS.ExpectedKeyAuthorization()
goodIdent := core.AcmeIdentifier{
Type: core.IdentifierDNS,
Value: "good-dns01.com",
}
var authz = core.Authorization{
ID: core.NewToken(),
RegistrationID: 1,
Identifier: goodIdent,
Challenges: []core.Challenge{chalDNS},
}
va.validate(ctx, authz, 0)
test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization")
test.Assert(t, authz.Challenges[0].Status == core.StatusValid, "Should be valid.")
test.AssertEquals(t, stats.TimingDurationCalls[0].Metric, "VA.Validations.dns-01.valid")
}
// ChallengesFor makes a decision of what challenges, and combinations, are
// acceptable for the given identifier.
//
// Note: Current implementation is static, but future versions may not be.
func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, accountKey *jose.JsonWebKey) (challenges []core.Challenge, combinations [][]int, err error) {
challenges = []core.Challenge{}
combinations = [][]int{}
// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
if pa.enabledChallenges[core.ChallengeTypeSimpleHTTP] {
challenges = append(challenges, core.SimpleHTTPChallenge(accountKey))
}
// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
if pa.enabledChallenges[core.ChallengeTypeDVSNI] {
challenges = append(challenges, core.DvsniChallenge(accountKey))
}
if pa.enabledChallenges[core.ChallengeTypeHTTP01] {
challenges = append(challenges, core.HTTPChallenge01(accountKey))
}
if pa.enabledChallenges[core.ChallengeTypeTLSSNI01] {
challenges = append(challenges, core.TLSSNIChallenge01(accountKey))
}
if pa.enabledChallenges[core.ChallengeTypeDNS01] {
challenges = append(challenges, core.DNSChallenge01(accountKey))
}
combinations = make([][]int, len(challenges))
for i := range combinations {
combinations[i] = []int{i}
}
return
}
func TestPerformValidationValid(t *testing.T) {
va, stats, _ := setup()
// create a challenge with well known token
chalDNS := core.DNSChallenge01()
chalDNS.Token = expectedToken
chalDNS.ProvidedKeyAuthorization = expectedKeyAuthorization
_, prob := va.PerformValidation(context.Background(), "good-dns01.com", chalDNS, core.Authorization{})
test.Assert(t, prob == nil, fmt.Sprintf("validation failed: %#v", prob))
test.AssertEquals(t, stats.TimingDurationCalls[0].Metric, "VA.Validations.dns-01.valid")
}
func TestDNSValidationInvalid(t *testing.T) {
var notDNS = core.AcmeIdentifier{
Type: core.IdentifierType("iris"),
Value: "790DB180-A274-47A4-855F-31C428CB1072",
}
chalDNS := core.DNSChallenge01()
chalDNS.ProvidedKeyAuthorization = expectedKeyAuthorization
va, _, _ := setup()
_, prob := va.validateChallenge(ctx, notDNS, chalDNS)
test.AssertEquals(t, prob.Type, probs.MalformedProblem)
}
func TestDNSValidationOK(t *testing.T) {
va, _, _ := setup()
// create a challenge with well known token
chalDNS := core.DNSChallenge01()
chalDNS.Token = expectedToken
chalDNS.ProvidedKeyAuthorization = expectedKeyAuthorization
goodIdent := core.AcmeIdentifier{
Type: core.IdentifierDNS,
Value: "good-dns01.com",
}
_, prob := va.validateChallenge(ctx, goodIdent, chalDNS)
test.Assert(t, prob == nil, "Should be valid.")
}
// ChallengesFor makes a decision of what challenges, and combinations, are
// acceptable for the given identifier.
//
// Note: Current implementation is static, but future versions may not be.
func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, accountKey *jose.JsonWebKey) ([]core.Challenge, [][]int, error) {
challenges := []core.Challenge{}
// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
if pa.enabledChallenges[core.ChallengeTypeSimpleHTTP] {
challenges = append(challenges, core.SimpleHTTPChallenge(accountKey))
}
// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
if pa.enabledChallenges[core.ChallengeTypeDVSNI] {
challenges = append(challenges, core.DvsniChallenge(accountKey))
}
if pa.enabledChallenges[core.ChallengeTypeHTTP01] {
challenges = append(challenges, core.HTTPChallenge01(accountKey))
}
if pa.enabledChallenges[core.ChallengeTypeTLSSNI01] {
challenges = append(challenges, core.TLSSNIChallenge01(accountKey))
}
if pa.enabledChallenges[core.ChallengeTypeDNS01] {
challenges = append(challenges, core.DNSChallenge01(accountKey))
}
// We shuffle the challenges and combinations to prevent ACME clients from
// relying on the specific order that boulder returns them in.
shuffled := make([]core.Challenge, len(challenges))
combinations := make([][]int, len(challenges))
for i, challIdx := range pa.pseudoRNG.Perm(len(challenges)) {
shuffled[i] = challenges[challIdx]
combinations[i] = []int{i}
}
shuffledCombos := make([][]int, len(combinations))
for i, comboIdx := range pa.pseudoRNG.Perm(len(combinations)) {
shuffledCombos[i] = combinations[comboIdx]
}
return shuffled, shuffledCombos, nil
}