Merge master

Roland Shoemaker 2015-08-26 12:11:43 -07:00
commit 0689a962ee
6 changed files with 79 additions and 71 deletions


@ -384,7 +384,6 @@ func setup(t *testing.T) *testCtx {
Key: cmd.KeyConfig{
File: caKeyFile,
},
TestMode: true,
Expiry: "8760h",
LifespanOCSP: "45m",
MaxNames: 2,


@ -36,7 +36,21 @@ func main() {
go cmd.ProfileCmd("VA", stats)
vai := va.NewValidationAuthorityImpl(c.CA.TestMode)
pc := &va.PortConfig{
SimpleHTTPPort: 80,
SimpleHTTPSPort: 443,
DVSNIPort: 443,
}
if c.VA.PortConfig.SimpleHTTPPort != 0 {
pc.SimpleHTTPPort = c.VA.PortConfig.SimpleHTTPPort
}
if c.VA.PortConfig.SimpleHTTPSPort != 0 {
pc.SimpleHTTPSPort = c.VA.PortConfig.SimpleHTTPSPort
}
if c.VA.PortConfig.DVSNIPort != 0 {
pc.DVSNIPort = c.VA.PortConfig.DVSNIPort
}
vai := va.NewValidationAuthorityImpl(pc)
dnsTimeout, err := time.ParseDuration(c.Common.DNSTimeout)
cmd.FailOnError(err, "Couldn't parse DNS timeout")
vai.DNSResolver = core.NewDNSResolverImpl(dnsTimeout, []string{c.Common.DNSResolver})
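Review bot: The three `if c.VA.PortConfig.* != 0` overrides accept any non-zero int, so a negative or out-of-range value in the config is handed to the VA unchecked instead of being rejected at startup, and the "zero keeps the default" rule is only implied by the code. A bounds check next to each override, e.g. `if p := c.VA.PortConfig.SimpleHTTPPort; p < 0 || p > 65535 { cmd.FailOnError(fmt.Errorf("simpleHTTPPort %d out of range", p), "Invalid VA port config") }` (add the `fmt` import if main.go lacks it), would fail fast the way the `DNSTimeout` parse already does. The defaults block would also benefit from a comment making the intent explicit, e.g. `// 80/443 are the standard validation ports; overriding them is meant for test environments, since a VA that validates on unprivileged ports no longer proves control of the host.` — the only non-default values on this page are the 5001s in the test config. The body of main continues outside the hunk.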


@ -99,6 +99,11 @@ type Config struct {
VA struct {
UserAgent string
PortConfig struct {
SimpleHTTPPort int
SimpleHTTPSPort int
DVSNIPort int
}
// DebugAddr is the address to run the /debug handlers on.
DebugAddr string
}
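Review bot: The new `PortConfig` fields in the VA section of `Config` have no doc comment, while the neighbouring `DebugAddr` does, and the zero-means-default rule is implemented in the VA command rather than stated where operators read the config type. Suggested comment above `PortConfig struct {`: `// PortConfig overrides the ports the VA connects to when validating. A zero value keeps the default (80 for SimpleHTTP, 443 for SimpleHTTPS and DVSNI); non-default values are presumably only for test setups.` The enclosing `Config` struct starts and ends outside the hunk.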


@ -50,8 +50,6 @@
"profile": "ee",
"dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_ca_integration",
"debugAddr": "localhost:8001",
"testMode": true,
"_comment": "This should only be present in testMode. In prod use an HSM.",
"Key": {
"File": "test/test-ca.key"
},
@ -124,7 +122,12 @@
"va": {
"userAgent": "boulder",
"debugAddr": "localhost:8004"
"debugAddr": "localhost:8004",
"portConfig": {
"simpleHTTPPort": 5001,
"simpleHTTPSPort": 5001,
"dvsniPort": 5001
}
},
"sql": {


@ -50,27 +50,23 @@ type ValidationAuthorityImpl struct {
UserAgent string
}
// NewValidationAuthorityImpl constructs a new VA, and may place it
// into Test Mode (tm)
func NewValidationAuthorityImpl(tm bool) *ValidationAuthorityImpl {
// PortConfig specifies what ports the VA should call to on the remote
// host when performing its checks.
type PortConfig struct {
SimpleHTTPPort int
SimpleHTTPSPort int
DVSNIPort int
}
// NewValidationAuthorityImpl constructs a new VA
func NewValidationAuthorityImpl(pc *PortConfig) *ValidationAuthorityImpl {
logger := blog.GetAuditLogger()
logger.Notice("Validation Authority Starting")
// TODO(jsha): Remove TestMode entirely. Instead, the various validation ports
// should be exported, so the cmd file can set them based on a config.
if tm {
return &ValidationAuthorityImpl{
log: logger,
simpleHTTPPort: 5001,
simpleHTTPSPort: 5001,
dvsniPort: 5001,
}
} else {
return &ValidationAuthorityImpl{
log: logger,
simpleHTTPPort: 80,
simpleHTTPSPort: 443,
dvsniPort: 443,
}
return &ValidationAuthorityImpl{
log: logger,
simpleHTTPPort: pc.SimpleHTTPPort,
simpleHTTPSPort: pc.SimpleHTTPSPort,
dvsniPort: pc.DVSNIPort,
}
}
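Review bot: `NewValidationAuthorityImpl` dereferences `pc` on the `simpleHTTPPort: pc.SimpleHTTPPort` lines without a nil check, so a caller that passes nil panics inside the constructor rather than getting a clear error, and a zero port (as the tests' `&PortConfig{}` relies on) is stored as-is with no fallback. Either guard it, `if pc == nil { pc = &PortConfig{} }`, or document the contract; the new doc comment currently says only "constructs a new VA". Suggested: `// NewValidationAuthorityImpl constructs a new VA that dials the remote host on the ports in pc. pc must be non-nil; a zero port is used unchanged, so callers that never validate may pass &PortConfig{}.` The three `PortConfig` fields would likewise read better with a one-line comment each naming the challenge type they serve.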


@ -231,9 +231,6 @@ func brokenTLSSrv() *httptest.Server {
}
func TestSimpleHttpTLS(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va.DNSResolver = &mocks.MockDNS{}
chall := core.Challenge{Type: core.ChallengeTypeSimpleHTTP, Token: expectedToken, ValidationRecord: []core.ValidationRecord{}}
hs := simpleSrv(t, expectedToken, true)
@ -241,7 +238,8 @@ func TestSimpleHttpTLS(t *testing.T) {
port, err := getPort(hs)
test.AssertNotError(t, err, "failed to get test server port")
va.simpleHTTPSPort = port
va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPSPort: port})
va.DNSResolver = &mocks.MockDNS{}
log.Clear()
finChall, err := va.validateSimpleHTTP(ident, chall, AccountKey)
@ -253,9 +251,6 @@ func TestSimpleHttpTLS(t *testing.T) {
}
func TestSimpleHttp(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va.DNSResolver = &mocks.MockDNS{}
tls := false
chall := core.Challenge{Type: core.ChallengeTypeSimpleHTTP, Token: expectedToken, TLS: &tls, ValidationRecord: []core.ValidationRecord{}}
@ -266,23 +261,28 @@ func TestSimpleHttp(t *testing.T) {
// there appears to be an issue in httptest that trips Go's race detector when
// that happens, failing the test. So instead, we live with leaving the server
// around till the process exits.
// TODO(#661): add hs.Close back, see ticket for blocker
hs := simpleSrv(t, expectedToken, tls)
port, err := getPort(hs)
goodPort, err := getPort(hs)
test.AssertNotError(t, err, "failed to get test server port")
// Attempt to fail a challenge by telling the VA to connect to a port we are
// not listening on.
va.simpleHTTPPort = port + 1
if va.simpleHTTPPort == 65536 {
va.simpleHTTPPort = port - 1
badPort := goodPort + 1
if badPort == 65536 {
badPort = goodPort - 1
}
va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: badPort})
va.DNSResolver = &mocks.MockDNS{}
invalidChall, err := va.validateSimpleHTTP(ident, chall, AccountKey)
test.AssertEquals(t, invalidChall.Status, core.StatusInvalid)
test.AssertError(t, err, "Server's down; expected refusal. Where did we connect?")
test.AssertEquals(t, invalidChall.Error.Type, core.ConnectionProblem)
va.simpleHTTPPort = port
va = NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: goodPort})
va.DNSResolver = &mocks.MockDNS{}
log.Clear()
finChall, err := va.validateSimpleHTTP(ident, chall, AccountKey)
test.AssertEquals(t, finChall.Status, core.StatusValid)
@ -346,9 +346,6 @@ func TestSimpleHttp(t *testing.T) {
}
func TestSimpleHttpRedirectLookup(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va.DNSResolver = &mocks.MockDNS{}
tls := false
chall := core.Challenge{Token: expectedToken, TLS: &tls, ValidationRecord: []core.ValidationRecord{}}
@ -356,7 +353,8 @@ func TestSimpleHttpRedirectLookup(t *testing.T) {
defer hs.Close()
port, err := getPort(hs)
test.AssertNotError(t, err, "failed to get test server port")
va.simpleHTTPPort = port
va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: port})
va.DNSResolver = &mocks.MockDNS{}
log.Clear()
chall.Token = pathMoved
@ -404,9 +402,6 @@ func TestSimpleHttpRedirectLookup(t *testing.T) {
}
func TestSimpleHttpRedirectLoop(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va.DNSResolver = &mocks.MockDNS{}
tls := false
chall := core.Challenge{Token: "looper", TLS: &tls, ValidationRecord: []core.ValidationRecord{}}
@ -414,7 +409,8 @@ func TestSimpleHttpRedirectLoop(t *testing.T) {
defer hs.Close()
port, err := getPort(hs)
test.AssertNotError(t, err, "failed to get test server port")
va.simpleHTTPPort = port
va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: port})
va.DNSResolver = &mocks.MockDNS{}
log.Clear()
finChall, err := va.validateSimpleHTTP(ident, chall, AccountKey)
@ -446,8 +442,7 @@ func TestDvsni(t *testing.T) {
port, err := getPort(hs)
test.AssertNotError(t, err, "failed to get test server port")
va := NewValidationAuthorityImpl(false)
va.dvsniPort = port
va := NewValidationAuthorityImpl(&PortConfig{DVSNIPort: port})
va.DNSResolver = &mocks.MockDNS{}
@ -502,15 +497,13 @@ func TestDvsni(t *testing.T) {
}
func TestTLSError(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va.DNSResolver = &mocks.MockDNS{}
chall := createChallenge(core.ChallengeTypeDVSNI)
hs := brokenTLSSrv()
port, err := getPort(hs)
test.AssertNotError(t, err, "failed to get test server port")
va.dvsniPort = port
va := NewValidationAuthorityImpl(&PortConfig{DVSNIPort: port})
va.DNSResolver = &mocks.MockDNS{}
invalidChall, err := va.validateDvsni(ident, chall, AccountKey)
test.AssertEquals(t, invalidChall.Status, core.StatusInvalid)
@ -519,11 +512,6 @@ func TestTLSError(t *testing.T) {
}
func TestValidateHTTP(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
tls := false
challHTTP := core.SimpleHTTPChallenge()
challHTTP.TLS = &tls
@ -532,7 +520,11 @@ func TestValidateHTTP(t *testing.T) {
hs := simpleSrv(t, challHTTP.Token, tls)
port, err := getPort(hs)
test.AssertNotError(t, err, "failed to get test server port")
va.simpleHTTPPort = port
va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: port})
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
defer hs.Close()
var authz = core.Authorization{
@ -566,18 +558,17 @@ func createChallenge(challengeType string) core.Challenge {
}
func TestValidateDvsni(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
chall := createChallenge(core.ChallengeTypeDVSNI)
hs := dvsniSrv(t, chall)
defer hs.Close()
port, err := getPort(hs)
test.AssertNotError(t, err, "failed to get test server port")
va.dvsniPort = port
va := NewValidationAuthorityImpl(&PortConfig{DVSNIPort: port})
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
var authz = core.Authorization{
ID: core.NewToken(),
@ -591,7 +582,7 @@ func TestValidateDvsni(t *testing.T) {
}
func TestValidateDvsniNotSane(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{}) // no calls made
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -612,7 +603,7 @@ func TestValidateDvsniNotSane(t *testing.T) {
}
func TestUpdateValidations(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{})
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -667,7 +658,7 @@ func TestCAAChecking(t *testing.T) {
// CNAME to critical
}
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{})
va.DNSResolver = &mocks.MockDNS{}
va.IssuerDomain = "letsencrypt.org"
for _, caaTest := range tests {
@ -699,7 +690,7 @@ func TestCAAChecking(t *testing.T) {
}
func TestDNSValidationFailure(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{})
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -735,7 +726,7 @@ func TestDNSValidationInvalid(t *testing.T) {
Challenges: []core.Challenge{chalDNS},
}
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{})
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -748,7 +739,7 @@ func TestDNSValidationInvalid(t *testing.T) {
}
func TestDNSValidationNotSane(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{})
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -778,7 +769,7 @@ func TestDNSValidationNotSane(t *testing.T) {
}
func TestDNSValidationServFail(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{})
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -803,7 +794,7 @@ func TestDNSValidationServFail(t *testing.T) {
}
func TestDNSValidationNoServer(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{})
va.DNSResolver = core.NewDNSResolverImpl(time.Second*5, []string{})
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
@ -827,7 +818,7 @@ func TestDNSValidationNoServer(t *testing.T) {
// the existance of some Internet resources. Because of that,
// it asserts nothing; it is intended for coverage.
func TestDNSValidationLive(t *testing.T) {
va := NewValidationAuthorityImpl(false)
va := NewValidationAuthorityImpl(&PortConfig{})
va.DNSResolver = &mocks.MockDNS{}
mockRA := &MockRegistrationAuthority{}
va.RA = mockRA
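Review bot: The pair `va := NewValidationAuthorityImpl(&PortConfig{…})` / `va.DNSResolver = &mocks.MockDNS{}` is now repeated in every test in this file (TestSimpleHttpTLS through TestDNSValidationLive), and several tests additionally attach the same `MockRegistrationAuthority`. A small test helper such as `func newTestVA(pc *PortConfig) *ValidationAuthorityImpl` that builds the VA and installs the mock resolver would remove the duplication and give one place to change if the constructor signature moves again. The `// no calls made` remark on `TestValidateDvsniNotSane` applies equally to every other `&PortConfig{}` caller; putting it on the helper, or on each call, would make the zero-port intent uniform.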