letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
boulder/va/caa_test.go

439 lines
14 KiB
Go
Raw Blame History

package va
import (
"context"
"errors"
"fmt"
"net"
"strings"
"testing"
"github.com/miekg/dns"
"github.com/letsencrypt/boulder/core"
"github.com/letsencrypt/boulder/probs"
"github.com/letsencrypt/boulder/test"
blog "github.com/letsencrypt/boulder/log"
vapb "github.com/letsencrypt/boulder/va/proto"
)
// caaMockDNS implements the `dns.DNSClient` interface with a set of useful test
// answers for CAA queries.
type caaMockDNS struct{}
func (mock caaMockDNS) LookupTXT(_ context.Context, hostname string) ([]string, []string, error) {
return nil, nil, nil
}
func (mock caaMockDNS) LookupHost(_ context.Context, hostname string) ([]net.IP, error) {
ip := net.ParseIP("127.0.0.1")
return []net.IP{ip}, nil
}
func (mock caaMockDNS) LookupMX(_ context.Context, domain string) ([]string, error) {
return nil, nil
}
func (mock caaMockDNS) LookupCAA(_ context.Context, domain string) ([]*dns.CAA, error) {
var results []*dns.CAA
var record dns.CAA
switch strings.TrimRight(domain, ".") {
case "caa-timeout.com":
return nil, fmt.Errorf("error")
case "reserved.com":
record.Tag = "issue"
record.Value = "ca.com"
results = append(results, &record)
case "mixedcase.com":
record.Tag = "iSsUe"
record.Value = "ca.com"
results = append(results, &record)
case "critical.com":
record.Flag = 1
record.Tag = "issue"
record.Value = "ca.com"
results = append(results, &record)
case "present.com", "present.servfail.com":
record.Tag = "issue"
record.Value = "letsencrypt.org"
results = append(results, &record)
case "com":
// com has no CAA records.
return nil, nil
case "servfail.com", "servfail.present.com":
return results, fmt.Errorf("SERVFAIL")
case "multi-crit-present.com":
record.Flag = 1
record.Tag = "issue"
record.Value = "ca.com"
results = append(results, &record)
secondRecord := record
secondRecord.Value = "letsencrypt.org"
results = append(results, &secondRecord)
case "unknown-critical.com":
record.Flag = 128
record.Tag = "foo"
record.Value = "bar"
results = append(results, &record)
case "unknown-critical2.com":
record.Flag = 1
record.Tag = "foo"
record.Value = "bar"
results = append(results, &record)
case "unknown-noncritical.com":
record.Flag = 0x7E // all bits we don't treat as meaning "critical"
record.Tag = "foo"
record.Value = "bar"
results = append(results, &record)
case "present-with-parameter.com":
record.Tag = "issue"
record.Value = " letsencrypt.org ;foo=bar;baz=bar"
results = append(results, &record)
case "unsatisfiable.com":
record.Tag = "issue"
record.Value = ";"
results = append(results, &record)
case "unsatisfiable-wildcard.com":
// Forbidden issuance - issuewild doesn't contain LE
record.Tag = "issuewild"
record.Value = ";"
results = append(results, &record)
case "unsatisfiable-wildcard-override.com":
// Forbidden issuance - issue allows LE, issuewild overrides and does not
record.Tag = "issue"
record.Value = "letsencrypt.org"
results = append(results, &record)
secondRecord := record
secondRecord.Tag = "issuewild"
secondRecord.Value = "ca.com"
results = append(results, &secondRecord)
case "satisfiable-wildcard-override.com":
// Ok issuance - issue doesn't allow LE, issuewild overrides and does
record.Tag = "issue"
record.Value = "ca.com"
results = append(results, &record)
secondRecord := record
secondRecord.Tag = "issuewild"
secondRecord.Value = "letsencrypt.org"
results = append(results, &secondRecord)
case "satisfiable-multi-wildcard.com":
// Ok issuance - first issuewild doesn't permit LE but second does
record.Tag = "issuewild"
record.Value = "ca.com"
results = append(results, &record)
secondRecord := record
secondRecord.Tag = "issuewild"
secondRecord.Value = "letsencrypt.org"
results = append(results, &secondRecord)
case "satisfiable-wildcard.com":
// Ok issuance - issuewild allows LE
record.Tag = "issuewild"
record.Value = "letsencrypt.org"
results = append(results, &record)
}
return results, nil
}
func TestCAATimeout(t *testing.T) {
va, _ := setup(nil, 0)
va.dnsClient = caaMockDNS{}
err := va.checkCAA(ctx, core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "caa-timeout.com"})
if err.Type != probs.DNSProblem {
t.Errorf("Expected timeout error type %s, got %s", probs.DNSProblem, err.Type)
}
expected := "error"
if err.Detail != expected {
t.Errorf("checkCAA: got %#v, expected %#v", err.Detail, expected)
}
}
func TestCAAChecking(t *testing.T) {
testCases := []struct {
Name string
Domain string
Present bool
Valid bool
}{
{
Name: "Bad (Reserved)",
Domain: "reserved.com",
Present: true,
Valid: false,
},
{
Name: "Bad (Reserved, Mixed case Issue)",
Domain: "mixedcase.com",
Present: true,
Valid: false,
},
{
Name: "Bad (Critical)",
Domain: "critical.com",
Present: true,
Valid: false,
},
{
Name: "Bad (NX Critical)",
Domain: "nx.critical.com",
Present: true,
Valid: false,
},
{
Name: "Good (absent)",
Domain: "absent.com",
Present: false,
Valid: true,
},
{
Name: "Good (Example.co.uk, absent)",
Domain: "example.co.uk",
Present: false,
Valid: true,
},
{
Name: "Good (present and valid)",
Domain: "present.com",
Present: true,
Valid: true,
},
{
Name: "Good (Present w/ servfail exception?)",
Domain: "present.servfail.com",
Present: true,
Valid: true,
},
{
Name: "Good (multiple critical, one matching)",
Domain: "multi-crit-present.com",
Present: true,
Valid: true,
},
{
Name: "Bad (unknown critical)",
Domain: "unknown-critical.com",
Present: true,
Valid: false,
},
{
Name: "Bad (unknown critical 2)",
Domain: "unknown-critical2.com",
Present: true,
Valid: false,
},
{
Name: "Good (unknown non-critical, no issue/issuewild)",
Domain: "unknown-noncritical.com",
Present: true,
Valid: true,
},
{
Name: "Good (issue rec with unknown params)",
Domain: "present-with-parameter.com",
Present: true,
Valid: true,
},
{
Name: "Bad (unsatisfiable issue record)",
Domain: "unsatisfiable.com",
Present: true,
Valid: false,
},
{
Name: "Bad (unsatisfiable issue, wildcard)",
Domain: "*.unsatisfiable.com",
Present: true,
Valid: false,
},
{
Name: "Bad (unsatisfiable wildcard)",
Domain: "*.unsatisfiable-wildcard.com",
Present: true,
Valid: false,
},
{
Name: "Bad (unsatisfiable wildcard override)",
Domain: "*.unsatisfiable-wildcard-override.com",
Present: true,
Valid: false,
},
{
Name: "Good (satisfiable wildcard)",
Domain: "*.satisfiable-wildcard.com",
Present: true,
Valid: true,
},
{
Name: "Good (multiple issuewild, one satisfiable)",
Domain: "*.satisfiable-multi-wildcard.com",
Present: true,
Valid: true,
},
{
Name: "Good (satisfiable wildcard override)",
Domain: "*.satisfiable-wildcard-override.com",
Present: true,
Valid: true,
},
}
va, _ := setup(nil, 0)
va.dnsClient = caaMockDNS{}
for _, caaTest := range testCases {
mockLog := va.log.(*blog.Mock)
mockLog.Clear()
t.Run(caaTest.Name, func(t *testing.T) {
present, valid, _, err := va.checkCAARecords(ctx, core.AcmeIdentifier{Type: "dns", Value: caaTest.Domain})
if err != nil {
t.Errorf("checkCAARecords error for %s: %s", caaTest.Domain, err)
}
if present != caaTest.Present {
t.Errorf("checkCAARecords presence mismatch for %s: got %t expected %t", caaTest.Domain, present, caaTest.Present)
}
if valid != caaTest.Valid {
t.Errorf("checkCAARecords validity mismatch for %s: got %t expected %t", caaTest.Domain, valid, caaTest.Valid)
}
})
}
present, valid, _, err := va.checkCAARecords(ctx, core.AcmeIdentifier{Type: "dns", Value: "servfail.com"})
test.AssertError(t, err, "servfail.com")
test.Assert(t, !present, "Present should be false")
test.Assert(t, !valid, "Valid should be false")
_, _, _, err = va.checkCAARecords(ctx, core.AcmeIdentifier{Type: "dns", Value: "servfail.com"})
if err == nil {
t.Errorf("Should have returned error on CAA lookup, but did not: %s", "servfail.com")
}
present, valid, _, err = va.checkCAARecords(ctx, core.AcmeIdentifier{Type: "dns", Value: "servfail.present.com"})
test.AssertError(t, err, "servfail.present.com")
test.Assert(t, !present, "Present should be false")
test.Assert(t, !valid, "Valid should be false")
_, _, _, err = va.checkCAARecords(ctx, core.AcmeIdentifier{Type: "dns", Value: "servfail.present.com"})
if err == nil {
t.Errorf("Should have returned error on CAA lookup, but did not: %s", "servfail.present.com")
}
}
func TestCAALogging(t *testing.T) {
va, _ := setup(nil, 0)
va.dnsClient = caaMockDNS{}
testCases := []struct {
Name string
Domain string
ExpectedLogline string
}{
{
Domain: "reserved.com",
ExpectedLogline: "INFO: [AUDIT] Checked CAA records for reserved.com, [Present: true, Valid for issuance: false] Records=[{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":0,\"Tag\":\"issue\",\"Value\":\"ca.com\"}]",
},
{
Domain: "mixedcase.com",
ExpectedLogline: "INFO: [AUDIT] Checked CAA records for mixedcase.com, [Present: true, Valid for issuance: false] Records=[{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":0,\"Tag\":\"iSsUe\",\"Value\":\"ca.com\"}]",
},
{
Domain: "critical.com",
ExpectedLogline: "INFO: [AUDIT] Checked CAA records for critical.com, [Present: true, Valid for issuance: false] Records=[{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":1,\"Tag\":\"issue\",\"Value\":\"ca.com\"}]",
},
{
Domain: "present.com",
ExpectedLogline: "INFO: [AUDIT] Checked CAA records for present.com, [Present: true, Valid for issuance: true] Records=[{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":0,\"Tag\":\"issue\",\"Value\":\"letsencrypt.org\"}]",
},
{
Domain: "multi-crit-present.com",
ExpectedLogline: "INFO: [AUDIT] Checked CAA records for multi-crit-present.com, [Present: true, Valid for issuance: true] Records=[{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":1,\"Tag\":\"issue\",\"Value\":\"ca.com\"},{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":1,\"Tag\":\"issue\",\"Value\":\"letsencrypt.org\"}]",
},
{
Domain: "present-with-parameter.com",
ExpectedLogline: "INFO: [AUDIT] Checked CAA records for present-with-parameter.com, [Present: true, Valid for issuance: true] Records=[{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":0,\"Tag\":\"issue\",\"Value\":\" letsencrypt.org ;foo=bar;baz=bar\"}]",
},
{
Domain: "satisfiable-wildcard-override.com",
ExpectedLogline: "INFO: [AUDIT] Checked CAA records for satisfiable-wildcard-override.com, [Present: true, Valid for issuance: false] Records=[{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":0,\"Tag\":\"issue\",\"Value\":\"ca.com\"},{\"Hdr\":{\"Name\":\"\",\"Rrtype\":0,\"Class\":0,\"Ttl\":0,\"Rdlength\":0},\"Flag\":0,\"Tag\":\"issuewild\",\"Value\":\"letsencrypt.org\"}]",
},
}
for _, tc := range testCases {
t.Run(tc.Domain, func(t *testing.T) {
mockLog := va.log.(*blog.Mock)
mockLog.Clear()
_ = va.checkCAA(ctx, core.AcmeIdentifier{Type: core.IdentifierDNS, Value: tc.Domain})
caaLogLines := mockLog.GetAllMatching(`Checked CAA records for`)
if len(caaLogLines) != 1 {
t.Errorf("checkCAARecords didn't audit log CAA record info. Instead got:\n%s\n",
strings.Join(mockLog.GetAllMatching(`.*`), "\n"))
} else {
test.AssertEquals(t, caaLogLines[0], tc.ExpectedLogline)
}
})
}
}
// TestIsCAAValidErrMessage tests that an error result from `va.IsCAAValid`
// includes the domain name that was being checked in the failure detail.
func TestIsCAAValidErrMessage(t *testing.T) {
va, _ := setup(nil, 0)
va.dnsClient = caaMockDNS{}
// Call IsCAAValid with a domain we know fails with a generic error from the
// caaMockDNS.
domain := "caa-timeout.com"
resp, err := va.IsCAAValid(ctx, &vapb.IsCAAValidRequest{
Domain: &domain,
})
// The lookup itself should not return an error
test.AssertNotError(t, err, "Unexpected error calling IsCAAValidRequest")
// The result should not be nil
test.AssertNotNil(t, resp, "Response to IsCAAValidRequest was nil")
// The result's Problem should not be nil
test.AssertNotNil(t, resp.Problem, "Response Problem was nil")
// The result's Problem should be an error message that includes the domain.
test.AssertEquals(t, *resp.Problem.Detail, fmt.Sprintf("While processing CAA for %s: error", domain))
}
func TestCAAFailure(t *testing.T) {
chall := createChallenge(core.ChallengeTypeTLSSNI01)
hs := tlssni01Srv(t, chall)
defer hs.Close()
va, _ := setup(hs, 0)
va.dnsClient = caaMockDNS{}
_, prob := va.validateChallengeAndIdentifier(ctx, dnsi("reserved.com"), chall)
if prob == nil {
t.Fatalf("Expected CAA rejection for reserved.com, got success")
}
test.AssertEquals(t, prob.Type, probs.CAAProblem)
}
func TestParseResults(t *testing.T) {
r := []caaResult{}
s, records, err := parseResults(r)
test.Assert(t, s == nil, "set is not nil")
test.Assert(t, err == nil, "error is not nil")
test.Assert(t, records == nil, "records is not nil")
test.AssertNotError(t, err, "no error should be returned")
r = []caaResult{{nil, errors.New("")}, {[]*dns.CAA{{Value: "test"}}, nil}}
s, records, err = parseResults(r)
test.Assert(t, s == nil, "set is not nil")
test.AssertEquals(t, err.Error(), "")
expected := dns.CAA{Value: "other-test"}
test.AssertEquals(t, len(records), 0)
r = []caaResult{{[]*dns.CAA{&expected}, nil}, {[]*dns.CAA{{Value: "test"}}, nil}}
s, records, err = parseResults(r)
test.AssertEquals(t, len(s.Unknown), 1)
test.Assert(t, s.Unknown[0] == &expected, "Incorrect record returned")
test.AssertNotError(t, err, "no error should be returned")
test.AssertEquals(t, len(records), len(r[0].records))
for i, rec := range records {
test.AssertEquals(t, rec.String(), r[0].records[i].String())
}
}
Reference in New Issue View Git Blame Copy Permalink