github.com/letsencrypt/boulder@v0.20251208.0/va/dns_test.go

github.com/letsencrypt/boulder@v0.20251208.0/va/dns_test.go (about)

     1  package va
     2  
     3  import (
     4  	"context"
     5  	"fmt"
     6  	"net/netip"
     7  	"testing"
     8  	"time"
     9  
    10  	"github.com/jmhodges/clock"
    11  
    12  	"github.com/letsencrypt/boulder/bdns"
    13  	"github.com/letsencrypt/boulder/identifier"
    14  	"github.com/letsencrypt/boulder/metrics"
    15  	"github.com/letsencrypt/boulder/probs"
    16  	"github.com/letsencrypt/boulder/test"
    17  )
    18  
    19  func TestDNS01ValidationWrong(t *testing.T) {
    20  	va, _ := setup(nil, "", nil, nil)
    21  	_, err := va.validateDNS01(context.Background(), identifier.NewDNS("wrong-dns01.com"), expectedKeyAuthorization)
    22  	if err == nil {
    23  		t.Fatalf("Successful DNS validation with wrong TXT record")
    24  	}
    25  	prob := detailedError(err)
    26  	test.AssertEquals(t, prob.String(), "unauthorized :: Incorrect TXT record \"a\" found at _acme-challenge.wrong-dns01.com")
    27  }
    28  
    29  func TestDNS01ValidationWrongMany(t *testing.T) {
    30  	va, _ := setup(nil, "", nil, nil)
    31  
    32  	_, err := va.validateDNS01(context.Background(), identifier.NewDNS("wrong-many-dns01.com"), expectedKeyAuthorization)
    33  	if err == nil {
    34  		t.Fatalf("Successful DNS validation with wrong TXT record")
    35  	}
    36  	prob := detailedError(err)
    37  	test.AssertEquals(t, prob.String(), "unauthorized :: Incorrect TXT record \"a\" (and 4 more) found at _acme-challenge.wrong-many-dns01.com")
    38  }
    39  
    40  func TestDNS01ValidationWrongLong(t *testing.T) {
    41  	va, _ := setup(nil, "", nil, nil)
    42  
    43  	_, err := va.validateDNS01(context.Background(), identifier.NewDNS("long-dns01.com"), expectedKeyAuthorization)
    44  	if err == nil {
    45  		t.Fatalf("Successful DNS validation with wrong TXT record")
    46  	}
    47  	prob := detailedError(err)
    48  	test.AssertEquals(t, prob.String(), "unauthorized :: Incorrect TXT record \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...\" found at _acme-challenge.long-dns01.com")
    49  }
    50  
    51  func TestDNS01ValidationFailure(t *testing.T) {
    52  	va, _ := setup(nil, "", nil, nil)
    53  
    54  	_, err := va.validateDNS01(ctx, identifier.NewDNS("localhost"), expectedKeyAuthorization)
    55  	prob := detailedError(err)
    56  
    57  	test.AssertEquals(t, prob.Type, probs.UnauthorizedProblem)
    58  }
    59  
    60  func TestDNS01ValidationIP(t *testing.T) {
    61  	va, _ := setup(nil, "", nil, nil)
    62  
    63  	_, err := va.validateDNS01(ctx, identifier.NewIP(netip.MustParseAddr("127.0.0.1")), expectedKeyAuthorization)
    64  	prob := detailedError(err)
    65  
    66  	test.AssertEquals(t, prob.Type, probs.MalformedProblem)
    67  }
    68  
    69  func TestDNS01ValidationInvalid(t *testing.T) {
    70  	var notDNS = identifier.ACMEIdentifier{
    71  		Type:  identifier.IdentifierType("iris"),
    72  		Value: "790DB180-A274-47A4-855F-31C428CB1072",
    73  	}
    74  
    75  	va, _ := setup(nil, "", nil, nil)
    76  
    77  	_, err := va.validateDNS01(ctx, notDNS, expectedKeyAuthorization)
    78  	prob := detailedError(err)
    79  
    80  	test.AssertEquals(t, prob.Type, probs.MalformedProblem)
    81  }
    82  
    83  func TestDNS01ValidationServFail(t *testing.T) {
    84  	va, _ := setup(nil, "", nil, nil)
    85  
    86  	_, err := va.validateDNS01(ctx, identifier.NewDNS("servfail.com"), expectedKeyAuthorization)
    87  
    88  	prob := detailedError(err)
    89  	test.AssertEquals(t, prob.Type, probs.DNSProblem)
    90  }
    91  
    92  func TestDNS01ValidationNoServer(t *testing.T) {
    93  	va, log := setup(nil, "", nil, nil)
    94  	staticProvider, err := bdns.NewStaticProvider([]string{})
    95  	test.AssertNotError(t, err, "Couldn't make new static provider")
    96  
    97  	va.dnsClient = bdns.New(
    98  		time.Second*5,
    99  		staticProvider,
   100  		metrics.NoopRegisterer,
   101  		clock.New(),
   102  		1,
   103  		"",
   104  		log,
   105  		nil)
   106  
   107  	_, err = va.validateDNS01(ctx, identifier.NewDNS("localhost"), expectedKeyAuthorization)
   108  	prob := detailedError(err)
   109  	test.AssertEquals(t, prob.Type, probs.DNSProblem)
   110  }
   111  
   112  func TestDNS01ValidationOK(t *testing.T) {
   113  	va, _ := setup(nil, "", nil, nil)
   114  
   115  	_, prob := va.validateDNS01(ctx, identifier.NewDNS("good-dns01.com"), expectedKeyAuthorization)
   116  
   117  	test.Assert(t, prob == nil, "Should be valid.")
   118  }
   119  
   120  func TestDNS01ValidationNoAuthorityOK(t *testing.T) {
   121  	va, _ := setup(nil, "", nil, nil)
   122  
   123  	_, prob := va.validateDNS01(ctx, identifier.NewDNS("no-authority-dns01.com"), expectedKeyAuthorization)
   124  
   125  	test.Assert(t, prob == nil, "Should be valid.")
   126  }
   127  
   128  func TestAvailableAddresses(t *testing.T) {
   129  	v6a := netip.MustParseAddr("::1")
   130  	v6b := netip.MustParseAddr("2001:db8::2:1") // 2001:DB8 is reserved for docs (RFC 3849)
   131  	v4a := netip.MustParseAddr("127.0.0.1")
   132  	v4b := netip.MustParseAddr("192.0.2.1") // 192.0.2.0/24 is reserved for docs (RFC 5737)
   133  
   134  	testcases := []struct {
   135  		input []netip.Addr
   136  		v4    []netip.Addr
   137  		v6    []netip.Addr
   138  	}{
   139  		// An empty validation record
   140  		{
   141  			[]netip.Addr{},
   142  			[]netip.Addr{},
   143  			[]netip.Addr{},
   144  		},
   145  		// A validation record with one IPv4 address
   146  		{
   147  			[]netip.Addr{v4a},
   148  			[]netip.Addr{v4a},
   149  			[]netip.Addr{},
   150  		},
   151  		// A dual homed record with an IPv4 and IPv6 address
   152  		{
   153  			[]netip.Addr{v4a, v6a},
   154  			[]netip.Addr{v4a},
   155  			[]netip.Addr{v6a},
   156  		},
   157  		// The same as above but with the v4/v6 order flipped
   158  		{
   159  			[]netip.Addr{v6a, v4a},
   160  			[]netip.Addr{v4a},
   161  			[]netip.Addr{v6a},
   162  		},
   163  		// A validation record with just IPv6 addresses
   164  		{
   165  			[]netip.Addr{v6a, v6b},
   166  			[]netip.Addr{},
   167  			[]netip.Addr{v6a, v6b},
   168  		},
   169  		// A validation record with interleaved IPv4/IPv6 records
   170  		{
   171  			[]netip.Addr{v6a, v4a, v6b, v4b},
   172  			[]netip.Addr{v4a, v4b},
   173  			[]netip.Addr{v6a, v6b},
   174  		},
   175  	}
   176  
   177  	for _, tc := range testcases {
   178  		// Split the input record into v4/v6 addresses
   179  		v4result, v6result := availableAddresses(tc.input)
   180  
   181  		// Test that we got the right number of v4 results
   182  		test.Assert(t, len(tc.v4) == len(v4result),
   183  			fmt.Sprintf("Wrong # of IPv4 results: expected %d, got %d", len(tc.v4), len(v4result)))
   184  
   185  		// Check that all of the v4 results match expected values
   186  		for i, v4addr := range tc.v4 {
   187  			test.Assert(t, v4addr.String() == v4result[i].String(),
   188  				fmt.Sprintf("Wrong v4 result index %d: expected %q got %q", i, v4addr.String(), v4result[i].String()))
   189  		}
   190  
   191  		// Test that we got the right number of v6 results
   192  		test.Assert(t, len(tc.v6) == len(v6result),
   193  			fmt.Sprintf("Wrong # of IPv6 results: expected %d, got %d", len(tc.v6), len(v6result)))
   194  
   195  		// Check that all of the v6 results match expected values
   196  		for i, v6addr := range tc.v6 {
   197  			test.Assert(t, v6addr.String() == v6result[i].String(),
   198  				fmt.Sprintf("Wrong v6 result index %d: expected %q got %q", i, v6addr.String(), v6result[i].String()))
   199  		}
   200  	}
   201  }