pebble-challtestsrv: add support for simple mocked CNAMEs (#226)

* Update challtestsrv dependency to 1.1.0

This version of `github.com/letsencrypt/challtestsrv` supports mock CNAMEs.

* Fix IDPeAcmeIdentifier rename

In letsencrypt/challtestsrv@618ad7c this field was renamed and references must be adjusted for 1.1.0

* Allow setting simple mock CNAME records for hosts

Records will be returned for DNS CNAME requests and act as an alias for
the given target for all other accepted DNS requests (up to one level deep).

cmd/pebble-challtestsrv/README.md

@@ -93,6 +93,16 @@ To remove the mocked CAA policy for `test-host.letsencrypt.org` run:
 
     curl -X POST -d '{"host":"test-host.letsencrypt.org"}' http://localhost:8055/clear-caa
 
+##### Mocked CNAME Responses
+
+To add a mocked CNAME record for `_acme-challenge.test-host.letsencrypt.org` run:
+
+    curl -X POST -d '{"host":"_acme-challenge.test-host.letsencrypt.org", "target": "challenges.letsencrypt.org"}' http://localhost:8055/set-cname
+
+To remove a mocked CNAME record for `_acme-challenge.test-host.letsencrypt.org` run:
+
+    curl -X POST -d '{"host":"_acme-challenge.test-host.letsencrypt.org", "target": "challenges.letsencrypt.org"}' http://localhost:8055/clear-cname
+
 #### HTTP-01
 
 To add an HTTP-01 challenge response for the token `"aaaa"` with the content `"bbbb"` run:

cmd/pebble-challtestsrv/main.go

@@ -116,6 +116,8 @@ func main() {
 		http.HandleFunc("/clear-aaaa", oobSrv.delDNSAAAARecord)
 		http.HandleFunc("/add-caa", oobSrv.addDNSCAARecord)
 		http.HandleFunc("/clear-caa", oobSrv.delDNSCAARecord)
+		http.HandleFunc("/set-cname", oobSrv.addDNSCNAMERecord)
+		http.HandleFunc("/clear-cname", oobSrv.delDNSCNAMERecord)
 
 		srv.SetDefaultDNSIPv4(*defaultIPv4)
 		srv.SetDefaultDNSIPv6(*defaultIPv6)

cmd/pebble-challtestsrv/mockdns.go

@@ -238,3 +238,59 @@ func (srv *managementServer) delDNSCAARecord(w http.ResponseWriter, r *http.Requ
 	srv.log.Printf("Removed response for DNS CAA queries to %q", request.Host)
 	w.WriteHeader(http.StatusOK)
 }
+
+// addDNSCNAMERecord handles an HTTP POST request to add a mock CNAME query
+// response record and alias for a host.
+//
+// The POST body is expected to have two non-empty parameters:
+// "host" - the hostname that should be treated as an alias to the target
+// "target" - the hostname whose mocked DNS records should be returned
+//
+// A successful POST will write http.StatusOK to the client.
+func (srv *managementServer) addDNSCNAMERecord(w http.ResponseWriter, r *http.Request) {
+	var request struct {
+		Host   string
+		Target string
+	}
+	if err := mustParsePOST(&request, r); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// If the request has no host or no caa policies it's a bad request
+	if request.Host == "" || request.Target == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	srv.challSrv.AddDNSCNAMERecord(request.Host, request.Target)
+	srv.log.Printf("Added response for DNS CNAME queries to %q targeting %q", request.Host, request.Target)
+	w.WriteHeader(http.StatusOK)
+}
+
+// delDNSCNAMERecord handles an HTTP POST request to delete an existing mock
+// CNAME record for a host.
+//
+// The POST body is expected to have one non-empty parameters:
+// "host" - the hostname to remove the mock CNAME alias for.
+//
+// A successful POST will write http.StatusOK to the client.
+func (srv *managementServer) delDNSCNAMERecord(w http.ResponseWriter, r *http.Request) {
+	var request struct {
+		Host string
+	}
+	if err := mustParsePOST(&request, r); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// If the request has an empty host it's a bad request
+	if request.Host == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	srv.challSrv.DeleteDNSCAARecord(request.Host)
+	srv.log.Printf("Removed response for DNS CNAME queries to %q", request.Host)
+	w.WriteHeader(http.StatusOK)
+}

go.mod

@@ -2,7 +2,7 @@ module github.com/letsencrypt/pebble
 
 require (
 	github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548
-	github.com/letsencrypt/challtestsrv v1.0.2
+	github.com/letsencrypt/challtestsrv v1.1.0
 	golang.org/x/net v0.0.0-20181207154023-610586996380 // indirect
 	golang.org/x/sys v0.0.0-20181206074257-70b957f3b65e // indirect
 	gopkg.in/square/go-jose.v2 v2.1.9

go.sum

@@ -26,6 +26,8 @@ github.com/letsencrypt/challtestsrv v1.0.1 h1:9K3DJleJxOnP3YlFPWeNydca61Lwj4vySq
 github.com/letsencrypt/challtestsrv v1.0.1/go.mod h1:/gzSMb+5FjprRIa1TtW6ngjhUOr8JbEFM2XESzK2zPg=
 github.com/letsencrypt/challtestsrv v1.0.2 h1:nBAQjKvVMLhpj4cg2Px6jMyvMbQNdJrCEd6gdcmEuOU=
 github.com/letsencrypt/challtestsrv v1.0.2/go.mod h1:/gzSMb+5FjprRIa1TtW6ngjhUOr8JbEFM2XESzK2zPg=
+github.com/letsencrypt/challtestsrv v1.1.0 h1:2r5Wa7LvOqUsM8skGSaRnf3CV6WYPQ/OgLF1U6bCt4I=
+github.com/letsencrypt/challtestsrv v1.1.0/go.mod h1:/gzSMb+5FjprRIa1TtW6ngjhUOr8JbEFM2XESzK2zPg=
 github.com/miekg/dns v1.1.1 h1:DVkblRdiScEnEr0LR9nTnEQqHYycjkXW9bOjd+2EL2o=
 github.com/miekg/dns v1.1.1/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0=

va/va.go

@@ -387,7 +387,7 @@ func (va VAImpl) validateTLSALPN01(task *vaTask) *core.ValidationRecord {
 	h := sha256.Sum256([]byte(expectedKeyAuthorization))
 	for _, ext := range leafCert.Extensions {
 		if ext.Critical {
-			hasAcmeIdentifier := challtestsrv.IdPeAcmeIdentifier.Equal(ext.Id)
+			hasAcmeIdentifier := challtestsrv.IDPeAcmeIdentifier.Equal(ext.Id)
 			if hasAcmeIdentifier {
 				var extValue []byte
 				if _, err := asn1.Unmarshal(ext.Value, &extValue); err != nil {

vendor/modules.txt

@@ -1,6 +1,6 @@
 # github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548
 github.com/jmhodges/clock
-# github.com/letsencrypt/challtestsrv v1.0.2
+# github.com/letsencrypt/challtestsrv v1.1.0
 github.com/letsencrypt/challtestsrv
 # github.com/miekg/dns v1.1.1
 github.com/miekg/dns