Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add markInvalid arg to storeError for invalidating challenge

Browse Source
pull/496/head
max furman 3 years ago
parent 6b8585c702
commit 440678cb62
5 changed files with 190 additions and 109 deletions
Show Stats Download Patch File Download Diff File

2
acme/api/handler.go
Unescape Escape View File

@ -25,7 +25,7 @@ type Clock struct{}
// Now returns the UTC time rounded to seconds.
func (c *Clock) Now() time.Time {
return time.Now().UTC().Round(time.Second)
return time.Now().UTC().Truncate(time.Second)
}
var clock Clock

50
acme/challenge.go
Unescape Escape View File

@ -14,6 +14,7 @@ import (
"io/ioutil"
"net"
"net/http"
"net/url"
"strings"
"time"
@ -49,7 +50,7 @@ func (ch *Challenge) ToLog() (interface{}, error) {
// updated.
func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, vo *ValidateChallengeOptions) error {
// If already valid or invalid then return without performing validation.
if ch.Status == StatusValid || ch.Status == StatusInvalid {
if ch.Status != StatusPending {
return nil
}
switch ch.Type {
@ -65,32 +66,32 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey,
}
func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, vo *ValidateChallengeOptions) error {
url := fmt.Sprintf("http://%s/.well-known/acme-challenge/%s", ch.Value, ch.Token)
url := &url.URL{Scheme: "http", Host: ch.Value, Path: fmt.Sprintf("/.well-known/acme-challenge/%s", ch.Token)}
resp, err := vo.HTTPGet(url)
resp, err := vo.HTTPGet(url.String())
if err != nil {
return storeError(ctx, ch, db, WrapError(ErrorConnectionType, err,
return storeError(ctx, db, ch, false, WrapError(ErrorConnectionType, err,
"error doing http GET for url %s", url))
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
return storeError(ctx, ch, db, NewError(ErrorConnectionType,
return storeError(ctx, db, ch, false, NewError(ErrorConnectionType,
"error doing http GET for url %s with status code %d", url, resp.StatusCode))
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return WrapErrorISE(err, "error reading "+
"response body for url %s", url)
}
keyAuth := strings.Trim(string(body), "\r\n")
keyAuth := strings.TrimSpace(string(body))
expected, err := KeyAuthorization(ch.Token, jwk)
if err != nil {
return err
}
if keyAuth != expected {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"keyAuthorization does not match; expected %s, but got %s", expected, keyAuth))
}
@ -107,7 +108,11 @@ func http01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWeb
func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, vo *ValidateChallengeOptions) error {
config := &tls.Config{
NextProtos: []string{"acme-tls/1"},
NextProtos: []string{"acme-tls/1"},
// https://tools.ietf.org/html/rfc8737#section-4
// ACME servers that implement "acme-tls/1" MUST only negotiate TLS 1.2
// [RFC5246] or higher when connecting to clients for validation.
MinVersion: tls.VersionTLS12,
ServerName: ch.Value,
InsecureSkipVerify: true, // we expect a self-signed challenge certificate
}
@ -116,7 +121,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
conn, err := vo.TLSDial("tcp", hostPort, config)
if err != nil {
return storeError(ctx, ch, db, WrapError(ErrorConnectionType, err,
return storeError(ctx, db, ch, false, WrapError(ErrorConnectionType, err,
"error doing TLS dial for %s", hostPort))
}
defer conn.Close()
@ -125,19 +130,19 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
certs := cs.PeerCertificates
if len(certs) == 0 {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"%s challenge for %s resulted in no certificates", ch.Type, ch.Value))
}
if !cs.NegotiatedProtocolIsMutual || cs.NegotiatedProtocol != "acme-tls/1" {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"cannot negotiate ALPN acme-tls/1 protocol for tls-alpn-01 challenge"))
}
leafCert := certs[0]
if len(leafCert.DNSNames) != 1 || !strings.EqualFold(leafCert.DNSNames[0], ch.Value) {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: leaf certificate must contain a single DNS name, %v", ch.Value))
}
@ -154,7 +159,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
for _, ext := range leafCert.Extensions {
if idPeAcmeIdentifier.Equal(ext.Id) {
if !ext.Critical {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: acmeValidationV1 extension not critical"))
}
@ -162,12 +167,12 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
rest, err := asn1.Unmarshal(ext.Value, &extValue)
if err != nil || len(rest) > 0 || len(hashedKeyAuth) != len(extValue) {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: malformed acmeValidationV1 extension value"))
}
if subtle.ConstantTimeCompare(hashedKeyAuth[:], extValue) != 1 {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: "+
"expected acmeValidationV1 extension value %s for this challenge but got %s",
hex.EncodeToString(hashedKeyAuth[:]), hex.EncodeToString(extValue)))
@ -189,11 +194,11 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
}
if foundIDPeAcmeIdentifierV1Obsolete {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: obsolete id-pe-acmeIdentifier in acmeValidationV1 extension"))
}
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"incorrect certificate for tls-alpn-01 challenge: missing acmeValidationV1 extension"))
}
@ -206,7 +211,7 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
txtRecords, err := vo.LookupTxt("_acme-challenge." + domain)
if err != nil {
return storeError(ctx, ch, db, WrapError(ErrorDNSType, err,
return storeError(ctx, db, ch, false, WrapError(ErrorDNSType, err,
"error looking up TXT records for domain %s", domain))
}
@ -224,7 +229,7 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
}
}
if !found {
return storeError(ctx, ch, db, NewError(ErrorRejectedIdentifierType,
return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType,
"keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, txtRecords))
}
@ -251,8 +256,11 @@ func KeyAuthorization(token string, jwk *jose.JSONWebKey) (string, error) {
}
// storeError the given error to an ACME error and saves using the DB interface.
func storeError(ctx context.Context, ch *Challenge, db DB, err *Error) error {
func storeError(ctx context.Context, db DB, ch *Challenge, markInvalid bool, err *Error) error {
ch.Error = err
if markInvalid {
ch.Status = StatusInvalid
}
if err := db.UpdateChallenge(ctx, ch); err != nil {
return WrapErrorISE(err, "failure saving error to acme challenge")
}

239
acme/challenge_test.go
Unescape Escape View File

@ -31,17 +31,19 @@ import (
func Test_storeError(t *testing.T) {
type test struct {
ch *Challenge
db DB
err *Error
ch *Challenge
db DB
markInvalid bool
err *Error
}
err := NewError(ErrorMalformedType, "foo")
tests := map[string]func(t *testing.T) test{
"fail/db.UpdateChallenge-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusValid,
}
return test{
ch: ch,
@ -50,6 +52,7 @@ func Test_storeError(t *testing.T) {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusValid)
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
assert.Equals(t, updch.Error.Type, err.Type)
@ -64,9 +67,10 @@ func Test_storeError(t *testing.T) {
},
"fail/db.UpdateChallenge-acme-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusValid,
}
return test{
ch: ch,
@ -75,6 +79,7 @@ func Test_storeError(t *testing.T) {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusValid)
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
assert.Equals(t, updch.Error.Type, err.Type)
@ -89,9 +94,10 @@ func Test_storeError(t *testing.T) {
},
"ok": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusValid,
}
return test{
ch: ch,
@ -100,6 +106,7 @@ func Test_storeError(t *testing.T) {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusValid)
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
assert.Equals(t, updch.Error.Type, err.Type)
@ -111,11 +118,38 @@ func Test_storeError(t *testing.T) {
},
}
},
"ok/mark-invalid": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusValid,
}
return test{
ch: ch,
db: &MockDB{
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusInvalid)
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
assert.Equals(t, updch.Error.Type, err.Type)
assert.Equals(t, updch.Error.Detail, err.Detail)
assert.Equals(t, updch.Error.Status, err.Status)
assert.Equals(t, updch.Error.Detail, err.Detail)
return nil
},
},
markInvalid: true,
}
},
}
for name, run := range tests {
t.Run(name, func(t *testing.T) {
tc := run(t)
if err := storeError(context.Background(), tc.ch, tc.db, err); err != nil {
if err := storeError(context.Background(), tc.db, tc.ch, tc.markInvalid, err); err != nil {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
case *Error:
@ -499,9 +533,10 @@ func TestHTTP01Validate(t *testing.T) {
tests := map[string]func(t *testing.T) test{
"fail/http-get-error-store-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
return test{
@ -515,6 +550,8 @@ func TestHTTP01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusPending)
err := NewError(ErrorConnectionType, "error doing http GET for url http://zap.internal/.well-known/acme-challenge/%s: force", ch.Token)
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
@ -530,9 +567,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"ok/http-get-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
return test{
@ -546,6 +584,8 @@ func TestHTTP01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusPending)
err := NewError(ErrorConnectionType, "error doing http GET for url http://zap.internal/.well-known/acme-challenge/%s: force", ch.Token)
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
@ -560,9 +600,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"fail/http-get->=400-store-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
return test{
@ -571,6 +612,7 @@ func TestHTTP01Validate(t *testing.T) {
HTTPGet: func(url string) (*http.Response, error) {
return &http.Response{
StatusCode: http.StatusBadRequest,
Body: errReader(0),
}, nil
},
},
@ -578,6 +620,8 @@ func TestHTTP01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusPending)
err := NewError(ErrorConnectionType, "error doing http GET for url http://zap.internal/.well-known/acme-challenge/%s with status code 400", ch.Token)
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
@ -593,9 +637,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"ok/http-get->=400": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
return test{
@ -604,6 +649,7 @@ func TestHTTP01Validate(t *testing.T) {
HTTPGet: func(url string) (*http.Response, error) {
return &http.Response{
StatusCode: http.StatusBadRequest,
Body: errReader(0),
}, nil
},
},
@ -611,6 +657,8 @@ func TestHTTP01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusPending)
err := NewError(ErrorConnectionType, "error doing http GET for url http://zap.internal/.well-known/acme-challenge/%s with status code 400", ch.Token)
assert.HasPrefix(t, updch.Error.Err.Error(), err.Err.Error())
@ -625,9 +673,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"fail/read-body": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
return test{
@ -644,9 +693,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"fail/key-auth-gen-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -667,9 +717,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"ok/key-auth-mismatch": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -692,6 +743,7 @@ func TestHTTP01Validate(t *testing.T) {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusInvalid)
err := NewError(ErrorRejectedIdentifierType,
"keyAuthorization does not match; expected %s, but got foo", expKeyAuth)
@ -707,9 +759,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"fail/key-auth-mismatch-store-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -732,6 +785,7 @@ func TestHTTP01Validate(t *testing.T) {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusInvalid)
err := NewError(ErrorRejectedIdentifierType,
"keyAuthorization does not match; expected %s, but got foo", expKeyAuth)
@ -748,9 +802,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"fail/update-challenge-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -789,9 +844,10 @@ func TestHTTP01Validate(t *testing.T) {
},
"ok": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: "zap.internal",
ID: "chID",
Token: "token",
Value: "zap.internal",
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -864,9 +920,10 @@ func TestDNS01Validate(t *testing.T) {
tests := map[string]func(t *testing.T) test{
"fail/lookupTXT-store-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: fulldomain,
ID: "chID",
Token: "token",
Value: fulldomain,
Status: StatusPending,
}
return test{
@ -880,6 +937,8 @@ func TestDNS01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusPending)
err := NewError(ErrorDNSType, "error looking up TXT records for domain %s: force", domain)
@ -896,9 +955,10 @@ func TestDNS01Validate(t *testing.T) {
},
"ok/lookupTXT-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: fulldomain,
ID: "chID",
Token: "token",
Value: fulldomain,
Status: StatusPending,
}
return test{
@ -912,6 +972,8 @@ func TestDNS01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusPending)
err := NewError(ErrorDNSType, "error looking up TXT records for domain %s: force", domain)
@ -927,9 +989,10 @@ func TestDNS01Validate(t *testing.T) {
},
"fail/key-auth-gen-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: fulldomain,
ID: "chID",
Token: "token",
Value: fulldomain,
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -949,9 +1012,10 @@ func TestDNS01Validate(t *testing.T) {
},
"fail/key-auth-mismatch-store-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: fulldomain,
ID: "chID",
Token: "token",
Value: fulldomain,
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -971,6 +1035,8 @@ func TestDNS01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusPending)
err := NewError(ErrorRejectedIdentifierType, "keyAuthorization does not match; expected %s, but got %s", expKeyAuth, []string{"foo", "bar"})
@ -988,9 +1054,10 @@ func TestDNS01Validate(t *testing.T) {
},
"ok/key-auth-mismatch-store-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: fulldomain,
ID: "chID",
Token: "token",
Value: fulldomain,
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -1010,6 +1077,8 @@ func TestDNS01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusPending)
err := NewError(ErrorRejectedIdentifierType, "keyAuthorization does not match; expected %s, but got %s", expKeyAuth, []string{"foo", "bar"})
@ -1026,9 +1095,10 @@ func TestDNS01Validate(t *testing.T) {
},
"fail/update-challenge-error": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: fulldomain,
ID: "chID",
Token: "token",
Value: fulldomain,
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -1051,6 +1121,7 @@ func TestDNS01Validate(t *testing.T) {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusValid)
assert.Equals(t, updch.Status, StatusValid)
assert.Equals(t, updch.Error, nil)
@ -1069,9 +1140,10 @@ func TestDNS01Validate(t *testing.T) {
},
"ok": func(t *testing.T) test {
ch := &Challenge{
ID: "chID",
Token: "token",
Value: fulldomain,
ID: "chID",
Token: "token",
Value: fulldomain,
Status: StatusPending,
}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
@ -1094,6 +1166,7 @@ func TestDNS01Validate(t *testing.T) {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Status, StatusValid)
assert.Equals(t, updch.Status, StatusValid)
assert.Equals(t, updch.Error, nil)
@ -1349,7 +1422,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1379,7 +1452,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1415,7 +1488,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1452,7 +1525,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1496,7 +1569,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1539,7 +1612,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1583,7 +1656,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1626,7 +1699,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1692,7 +1765,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1731,7 +1804,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1775,7 +1848,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1818,7 +1891,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1858,7 +1931,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1897,7 +1970,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1942,7 +2015,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -1988,7 +2061,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -2034,7 +2107,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -2078,7 +2151,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusInvalid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
@ -2123,7 +2196,7 @@ func TestTLSALPN01Validate(t *testing.T) {
MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
assert.Equals(t, updch.ID, ch.ID)
assert.Equals(t, updch.Token, ch.Token)
assert.Equals(t, updch.Status, ch.Status)
assert.Equals(t, updch.Status, StatusValid)
assert.Equals(t, updch.Type, ch.Type)
assert.Equals(t, updch.Value, ch.Value)
assert.Equals(t, updch.Error, nil)

2
acme/common.go
Unescape Escape View File

@ -19,7 +19,7 @@ type Clock struct{}
// Now returns the UTC time rounded to seconds.
func (c *Clock) Now() time.Time {
return time.Now().UTC().Round(time.Second)
return time.Now().UTC().Truncate(time.Second)
}
var clock Clock

6
acme/order.go
Unescape Escape View File

@ -24,10 +24,10 @@ type Order struct {
AccountID string `json:"-"`
ProvisionerID string `json:"-"`
Status Status `json:"status"`
ExpiresAt time.Time `json:"expires,omitempty"`
ExpiresAt time.Time `json:"expires"`
Identifiers []Identifier `json:"identifiers"`
NotBefore time.Time `json:"notBefore,omitempty"`
NotAfter time.Time `json:"notAfter,omitempty"`
NotBefore time.Time `json:"notBefore"`
NotAfter time.Time `json:"notAfter"`
Error *Error `json:"error,omitempty"`
AuthorizationIDs []string `json:"-"`
AuthorizationURLs []string `json:"authorizations"`

Write Preview
Loading…
Cancel
Save