diff --git a/ca/certificate-authority_test.go b/ca/certificate-authority_test.go
index b45e8f73d..2936781a9 100644
--- a/ca/certificate-authority_test.go
+++ b/ca/certificate-authority_test.go
@@ -384,7 +384,6 @@ func setup(t *testing.T) *testCtx {
 Key: cmd.KeyConfig{
 File: caKeyFile,
 },
- TestMode: true,
 Expiry: "8760h",
 LifespanOCSP: "45m",
 MaxNames: 2,
diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
index 518af3b15..c5e8067c4 100644
--- a/cmd/boulder-va/main.go
+++ b/cmd/boulder-va/main.go
@@ -36,7 +36,21 @@ func main() {
 go cmd.ProfileCmd("VA", stats)
- vai := va.NewValidationAuthorityImpl(c.CA.TestMode)
+ pc := &va.PortConfig{
+ SimpleHTTPPort: 80,
+ SimpleHTTPSPort: 443,
+ DVSNIPort: 443,
+ }
+ if c.VA.PortConfig.SimpleHTTPPort != 0 {
+ pc.SimpleHTTPPort = c.VA.PortConfig.SimpleHTTPPort
+ }
+ if c.VA.PortConfig.SimpleHTTPSPort != 0 {
+ pc.SimpleHTTPSPort = c.VA.PortConfig.SimpleHTTPSPort
+ }
+ if c.VA.PortConfig.DVSNIPort != 0 {
+ pc.DVSNIPort = c.VA.PortConfig.DVSNIPort
+ }
+ vai := va.NewValidationAuthorityImpl(pc)
 dnsTimeout, err := time.ParseDuration(c.Common.DNSTimeout)
 cmd.FailOnError(err, "Couldn't parse DNS timeout")
 vai.DNSResolver = core.NewDNSResolverImpl(dnsTimeout, []string{c.Common.DNSResolver})
diff --git a/cmd/shell.go b/cmd/shell.go
index 75aef4f37..e48bb7d88 100644
--- a/cmd/shell.go
+++ b/cmd/shell.go
@@ -99,6 +99,11 @@ type Config struct {
 VA struct {
 UserAgent string
+ PortConfig struct {
+ SimpleHTTPPort int
+ SimpleHTTPSPort int
+ DVSNIPort int
+ }
 // DebugAddr is the address to run the /debug handlers on.
 DebugAddr string
 }
diff --git a/test/boulder-config.json b/test/boulder-config.json
index 3119f9358..1e1163b99 100644
--- a/test/boulder-config.json
+++ b/test/boulder-config.json
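Review bot: The three override blocks in main.go copy any non-zero config value straight into pc without checking that it is a usable TCP port, so a typo such as 443443 or a negative number only shows up later as a connection failure on every validation. Because a non-default validation port also weakens the domain-control proof the VA is making (the challenge types are specified against 80 and 443, which an unprivileged user on a shared host cannot bind), a bad value here should fail at startup and the effective ports should be logged once so an operator can see when the test config's 5001 has leaked into a real deployment. The repeated `if … != 0` blocks can collapse into one helper, sketched below; main continues outside the hunk, and if `fmt` is not already imported in this file the error construction needs it.
```go
	pc := &va.PortConfig{
		SimpleHTTPPort:  portOrDefault("simpleHTTPPort", c.VA.PortConfig.SimpleHTTPPort, 80),
		SimpleHTTPSPort: portOrDefault("simpleHTTPSPort", c.VA.PortConfig.SimpleHTTPSPort, 443),
		DVSNIPort:       portOrDefault("dvsniPort", c.VA.PortConfig.DVSNIPort, 443),
	}
	vai := va.NewValidationAuthorityImpl(pc)
	// … unchanged: DNS timeout and resolver setup …

// portOrDefault returns def when configured is unset (0) and otherwise the
// configured value, refusing anything outside the valid TCP port range so a
// bad config is rejected at startup rather than on the first validation.
func portOrDefault(name string, configured, def int) int {
	if configured == 0 {
		return def
	}
	if configured < 1 || configured > 65535 {
		cmd.FailOnError(fmt.Errorf("%s: %d is not a valid TCP port", name, configured), "Invalid VA port config")
	}
	return configured
}
```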
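Review bot: The new PortConfig fields in cmd/shell.go carry no doc comment, unlike the neighbouring `DebugAddr`, and nothing in the struct tells an operator that leaving a field at zero is what selects the standard port or that the override exists for test deployments. I would add, above `PortConfig struct {`: `// PortConfig overrides the ports the VA connects to when validating. A zero field keeps the default (80 for simpleHTTP, 443 for simpleHTTPS and DVSNI); only set these for test environments, since validating on other ports weakens the domain-control proof.` The enclosing Config type continues outside the hunk.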
@@ -50,8 +50,6 @@
 "profile": "ee",
 "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_ca_integration",
 "debugAddr": "localhost:8001",
- "testMode": true,
- "_comment": "This should only be present in testMode. In prod use an HSM.",
 "Key": {
 "File": "test/test-ca.key"
 },
@@ -124,7 +122,12 @@
 "va": {
 "userAgent": "boulder",
- "debugAddr": "localhost:8004"
+ "debugAddr": "localhost:8004",
+ "portConfig": {
+ "simpleHTTPPort": 5001,
+ "simpleHTTPSPort": 5001,
+ "dvsniPort": 5001
+ }
 },
 "sql": {
diff --git a/va/validation-authority.go b/va/validation-authority.go
index b42dd799c..aab6455ac 100644
--- a/va/validation-authority.go
+++ b/va/validation-authority.go
@@ -50,27 +50,23 @@ type ValidationAuthorityImpl struct {
 UserAgent string
 }
-// NewValidationAuthorityImpl constructs a new VA, and may place it
-// into Test Mode (tm)
-func NewValidationAuthorityImpl(tm bool) *ValidationAuthorityImpl {
+// PortConfig specifies what ports the VA should call to on the remote
+// host when performing its checks.
+type PortConfig struct {
+ SimpleHTTPPort int
+ SimpleHTTPSPort int
+ DVSNIPort int
+}
+
+// NewValidationAuthorityImpl constructs a new VA
+func NewValidationAuthorityImpl(pc *PortConfig) *ValidationAuthorityImpl {
 logger := blog.GetAuditLogger()
 logger.Notice("Validation Authority Starting")
- // TODO(jsha): Remove TestMode entirely. Instead, the various validation ports
- // should be exported, so the cmd file can set them based on a config.
- if tm {
- return &ValidationAuthorityImpl{
- log: logger,
- simpleHTTPPort: 5001,
- simpleHTTPSPort: 5001,
- dvsniPort: 5001,
- }
- } else {
- return &ValidationAuthorityImpl{
- log: logger,
- simpleHTTPPort: 80,
- simpleHTTPSPort: 443,
- dvsniPort: 443,
- }
+ return &ValidationAuthorityImpl{
+ log: logger,
+ simpleHTTPPort: pc.SimpleHTTPPort,
+ simpleHTTPSPort: pc.SimpleHTTPSPort,
+ dvsniPort: pc.DVSNIPort,
 }
 }
diff --git a/va/validation-authority_test.go b/va/validation-authority_test.go
index bf05bcfc9..fcdad04af 100644
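Review bot: The removed `_comment` next to `testMode` was the only place this test config warned that a setting must not be carried into production, and the new `portConfig` block that takes its place (all three ports on 5001) has the same property but no such marker. Since the file already uses `_comment` keys, I would add one beside the block in the second hunk, e.g. `"_comment": "portConfig is for the integration test server only; omit it in production so the VA validates on 80/443.",`.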
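Review bot: NewValidationAuthorityImpl dereferences `pc` unconditionally and copies zero fields straight into the struct, so a nil argument panics and a partially filled PortConfig — which every test in this change passes, e.g. `&PortConfig{SimpleHTTPPort: port}` — leaves the remaining ports at 0. That is harmless today only because main.go fills in 80/443/443 before calling it; any other caller silently gets a VA that dials port 0. Moving the defaulting into the constructor, as below, makes the zero value mean "standard port" at the one place that matters and lets main.go's override blocks shrink to a plain struct literal. The doc comment should say so and end with a period: `// NewValidationAuthorityImpl constructs a new VA that validates against the ports in pc; zero fields (or a nil pc) select the standard ports.`
```go
func NewValidationAuthorityImpl(pc *PortConfig) *ValidationAuthorityImpl {
	logger := blog.GetAuditLogger()
	logger.Notice("Validation Authority Starting")
	// Fall back to the standard ports for anything the caller left unset, so a
	// nil or zero PortConfig can never make the VA dial port 0.
	ports := PortConfig{SimpleHTTPPort: 80, SimpleHTTPSPort: 443, DVSNIPort: 443}
	if pc != nil {
		if pc.SimpleHTTPPort != 0 {
			ports.SimpleHTTPPort = pc.SimpleHTTPPort
		}
		if pc.SimpleHTTPSPort != 0 {
			ports.SimpleHTTPSPort = pc.SimpleHTTPSPort
		}
		if pc.DVSNIPort != 0 {
			ports.DVSNIPort = pc.DVSNIPort
		}
	}
	return &ValidationAuthorityImpl{
		log:             logger,
		simpleHTTPPort:  ports.SimpleHTTPPort,
		simpleHTTPSPort: ports.SimpleHTTPSPort,
		dvsniPort:       ports.DVSNIPort,
	}
}
```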
--- a/va/validation-authority_test.go
+++ b/va/validation-authority_test.go
@@ -231,9 +231,6 @@ func brokenTLSSrv() *httptest.Server {
 }
 func TestSimpleHttpTLS(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
- va.DNSResolver = &mocks.MockDNS{}
-
 chall := core.Challenge{Type: core.ChallengeTypeSimpleHTTP, Token: expectedToken, ValidationRecord: []core.ValidationRecord{}}
 hs := simpleSrv(t, expectedToken, true)
@@ -241,7 +238,8 @@ func TestSimpleHttpTLS(t *testing.T) {
 port, err := getPort(hs)
 test.AssertNotError(t, err, "failed to get test server port")
- va.simpleHTTPSPort = port
+ va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPSPort: port})
+ va.DNSResolver = &mocks.MockDNS{}
 log.Clear()
 finChall, err := va.validateSimpleHTTP(ident, chall, AccountKey)
@@ -253,9 +251,6 @@ func TestSimpleHttpTLS(t *testing.T) {
 }
 func TestSimpleHttp(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
- va.DNSResolver = &mocks.MockDNS{}
-
 tls := false
 chall := core.Challenge{Type: core.ChallengeTypeSimpleHTTP, Token: expectedToken, TLS: &tls, ValidationRecord: []core.ValidationRecord{}}
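Review bot: Every test in validation-authority_test.go now repeats the pair `va := NewValidationAuthorityImpl(&PortConfig{…})` / `va.DNSResolver = &mocks.MockDNS{}` (this hunk and the hunks through TestDNSValidationLive), and TestSimpleHttp writes it twice in one function. A small helper, sketched below, keeps the mock wiring in one place so a VA field that tests must set (as `va.RA = mockRA` already is in several of them) cannot be forgotten in one copy. The enclosing test functions all continue outside their hunks.
```go
// newTestVA builds a VA on the given ports wired to the DNS mock that every
// test in this file uses, so the setup is written once.
func newTestVA(pc *PortConfig) *ValidationAuthorityImpl {
	va := NewValidationAuthorityImpl(pc)
	va.DNSResolver = &mocks.MockDNS{}
	return va
}
```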
@@ -266,23 +261,28 @@ func TestSimpleHttp(t *testing.T) {
 // there appears to be an issue in httptest that trips Go's race detector when
 // that happens, failing the test. So instead, we live with leaving the server
 // around till the process exits.
+ // TODO(#661): add hs.Close back, see ticket for blocker
 hs := simpleSrv(t, expectedToken, tls)
- port, err := getPort(hs)
+ goodPort, err := getPort(hs)
 test.AssertNotError(t, err, "failed to get test server port")
 // Attempt to fail a challenge by telling the VA to connect to a port we are
 // not listening on.
- va.simpleHTTPPort = port + 1
- if va.simpleHTTPPort == 65536 {
- va.simpleHTTPPort = port - 1
+ badPort := goodPort + 1
+ if badPort == 65536 {
+ badPort = goodPort - 1
 }
+ va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: badPort})
+ va.DNSResolver = &mocks.MockDNS{}
+
 invalidChall, err := va.validateSimpleHTTP(ident, chall, AccountKey)
 test.AssertEquals(t, invalidChall.Status, core.StatusInvalid)
 test.AssertError(t, err, "Server's down; expected refusal. Where did we connect?")
 test.AssertEquals(t, invalidChall.Error.Type, core.ConnectionProblem)
- va.simpleHTTPPort = port
+ va = NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: goodPort})
+ va.DNSResolver = &mocks.MockDNS{}
 log.Clear()
 finChall, err := va.validateSimpleHTTP(ident, chall, AccountKey)
 test.AssertEquals(t, finChall.Status, core.StatusValid)
@@ -346,9 +346,6 @@ func TestSimpleHttp(t *testing.T) {
 }
 func TestSimpleHttpRedirectLookup(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
- va.DNSResolver = &mocks.MockDNS{}
-
 tls := false
 chall := core.Challenge{Token: expectedToken, TLS: &tls, ValidationRecord: []core.ValidationRecord{}}
@@ -356,7 +353,8 @@ func TestSimpleHttpRedirectLookup(t *testing.T) {
 defer hs.Close()
 port, err := getPort(hs)
 test.AssertNotError(t, err, "failed to get test server port")
- va.simpleHTTPPort = port
+ va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: port})
+ va.DNSResolver = &mocks.MockDNS{}
 log.Clear()
 chall.Token = pathMoved
@@ -404,9 +402,6 @@ func TestSimpleHttpRedirectLookup(t *testing.T) {
 }
 func TestSimpleHttpRedirectLoop(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
- va.DNSResolver = &mocks.MockDNS{}
-
 tls := false
 chall := core.Challenge{Token: "looper", TLS: &tls, ValidationRecord: []core.ValidationRecord{}}
@@ -414,7 +409,8 @@ func TestSimpleHttpRedirectLoop(t *testing.T) {
 defer hs.Close()
 port, err := getPort(hs)
 test.AssertNotError(t, err, "failed to get test server port")
- va.simpleHTTPPort = port
+ va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: port})
+ va.DNSResolver = &mocks.MockDNS{}
 log.Clear()
 finChall, err := va.validateSimpleHTTP(ident, chall, AccountKey)
@@ -446,8 +442,7 @@ func TestDvsni(t *testing.T) {
 port, err := getPort(hs)
 test.AssertNotError(t, err, "failed to get test server port")
- va := NewValidationAuthorityImpl(false)
- va.dvsniPort = port
+ va := NewValidationAuthorityImpl(&PortConfig{DVSNIPort: port})
 va.DNSResolver = &mocks.MockDNS{}
@@ -502,15 +497,13 @@ func TestDvsni(t *testing.T) {
 }
 func TestTLSError(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
- va.DNSResolver = &mocks.MockDNS{}
-
 chall := createChallenge(core.ChallengeTypeDVSNI)
 hs := brokenTLSSrv()
 port, err := getPort(hs)
 test.AssertNotError(t, err, "failed to get test server port")
- va.dvsniPort = port
+ va := NewValidationAuthorityImpl(&PortConfig{DVSNIPort: port})
+ va.DNSResolver = &mocks.MockDNS{}
 invalidChall, err := va.validateDvsni(ident, chall, AccountKey)
 test.AssertEquals(t, invalidChall.Status, core.StatusInvalid)
@@ -519,11 +512,6 @@ func TestTLSError(t *testing.T) {
 }
 func TestValidateHTTP(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
- va.DNSResolver = &mocks.MockDNS{}
- mockRA := &MockRegistrationAuthority{}
- va.RA = mockRA
-
 tls := false
 challHTTP := core.SimpleHTTPChallenge()
 challHTTP.TLS = &tls
@@ -532,7 +520,11 @@ func TestValidateHTTP(t *testing.T) {
 hs := simpleSrv(t, challHTTP.Token, tls)
 port, err := getPort(hs)
 test.AssertNotError(t, err, "failed to get test server port")
- va.simpleHTTPPort = port
+ va := NewValidationAuthorityImpl(&PortConfig{SimpleHTTPPort: port})
+ va.DNSResolver = &mocks.MockDNS{}
+ mockRA := &MockRegistrationAuthority{}
+ va.RA = mockRA
+
 defer hs.Close()
 var authz = core.Authorization{
@@ -566,18 +558,17 @@ func createChallenge(challengeType string) core.Challenge {
 }
 func TestValidateDvsni(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
- va.DNSResolver = &mocks.MockDNS{}
- mockRA := &MockRegistrationAuthority{}
- va.RA = mockRA
-
 chall := createChallenge(core.ChallengeTypeDVSNI)
 hs := dvsniSrv(t, chall)
 defer hs.Close()
 port, err := getPort(hs)
 test.AssertNotError(t, err, "failed to get test server port")
- va.dvsniPort = port
+
+ va := NewValidationAuthorityImpl(&PortConfig{DVSNIPort: port})
+ va.DNSResolver = &mocks.MockDNS{}
+ mockRA := &MockRegistrationAuthority{}
+ va.RA = mockRA
 var authz = core.Authorization{
 ID: core.NewToken(),
@@ -591,7 +582,7 @@ func TestValidateDvsni(t *testing.T) {
 }
 func TestValidateDvsniNotSane(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{}) // no calls made
 va.DNSResolver = &mocks.MockDNS{}
 mockRA := &MockRegistrationAuthority{}
 va.RA = mockRA
@@ -612,7 +603,7 @@ func TestValidateDvsniNotSane(t *testing.T) {
 }
 func TestUpdateValidations(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{})
 va.DNSResolver = &mocks.MockDNS{}
 mockRA := &MockRegistrationAuthority{}
 va.RA = mockRA
@@ -667,7 +658,7 @@ func TestCAAChecking(t *testing.T) {
 // CNAME to critical
 }
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{})
 va.DNSResolver = &mocks.MockDNS{}
 va.IssuerDomain = "letsencrypt.org"
 for _, caaTest := range tests {
@@ -699,7 +690,7 @@ func TestCAAChecking(t *testing.T) {
 }
 func TestDNSValidationFailure(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{})
 va.DNSResolver = &mocks.MockDNS{}
 mockRA := &MockRegistrationAuthority{}
 va.RA = mockRA
@@ -735,7 +726,7 @@ func TestDNSValidationInvalid(t *testing.T) {
 Challenges: []core.Challenge{chalDNS},
 }
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{})
 va.DNSResolver = &mocks.MockDNS{}
 mockRA := &MockRegistrationAuthority{}
 va.RA = mockRA
@@ -748,7 +739,7 @@ func TestDNSValidationInvalid(t *testing.T) {
 }
 func TestDNSValidationNotSane(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{})
 va.DNSResolver = &mocks.MockDNS{}
 mockRA := &MockRegistrationAuthority{}
 va.RA = mockRA
@@ -778,7 +769,7 @@ func TestDNSValidationNotSane(t *testing.T) {
 }
 func TestDNSValidationServFail(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{})
 va.DNSResolver = &mocks.MockDNS{}
 mockRA := &MockRegistrationAuthority{}
 va.RA = mockRA
@@ -803,7 +794,7 @@ func TestDNSValidationServFail(t *testing.T) {
 }
 func TestDNSValidationNoServer(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{})
 va.DNSResolver = core.NewDNSResolverImpl(time.Second*5, []string{})
 mockRA := &MockRegistrationAuthority{}
 va.RA = mockRA
@@ -827,7 +818,7 @@ func TestDNSValidationNoServer(t *testing.T) {
 // the existance of some Internet resources. Because of that,
 // it asserts nothing; it is intended for coverage.
 func TestDNSValidationLive(t *testing.T) {
- va := NewValidationAuthorityImpl(false)
+ va := NewValidationAuthorityImpl(&PortConfig{})
 va.DNSResolver = &mocks.MockDNS{}
 mockRA := &MockRegistrationAuthority{}
 va.RA = mockRA