Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial challtestsrv package & vendored deps. #1

Merged
merged 2 commits into from
Dec 6, 2018
Merged

Initial challtestsrv package & vendored deps. #1

merged 2 commits into from
Dec 6, 2018

Conversation

cpu
Copy link
Contributor

@cpu cpu commented Dec 5, 2018

Boulder has a nice handy challtestsrv package and command used for integration tests. Its small, stand-alone, and useful enough to live in its own repo. This will make it easy for Boulder's load-generator to use the common package and for Pebble's pebble-challtestsrv command to use it as well.

The challtestsrv package is ported over from Boulder mostly-as is with a few small improvements. Notably:

  • The TLS-ALPN-01 and HTTPS HTTP-01 features were split into two separate binds. This helps us preserve strict TLS-ALPN-01 challenge responses while also supporting HTTP-01 -> HTTPS HTTP-01 redirects. (See Separate TLS-ALPN-01 and HTTPS HTTP-01 in challtestsrv boulder#3962)
  • The "FAKE_DNS" env var is removed. Now there is a default IPv4 and a default IPv6 address that can be set via the management API. These default addresses are used for A/AAAA query responses when there is not a more specific mock.
  • Hardcoded Boulder specific mock DNS data is removed. In its place are new management API functions for adding/removing mock A, AAAA, and CAA records
  • The output is less noisy now. The DNS server no longer prints a line per reply.

Initial challtestsrv package & vendored deps.
5002395 
Boulder has a nice handy [`challtestsrv` package and
command](https://github.com/letsencrypt/boulder/tree/9e39680e3f78c410e2d780a7badfe200a31698eb/test/challtestsrv)
used for integration tests. Its small and useful enough to live in its
own repo. This will make it easy for Boulder's load-generator to use the
common package and for Pebble's pebble-challtestsrv command to use it as
well.

The `challtestsrv` package is ported over from Boulder mostly-as is with
a few small improvements. Notably:

* The TLS-ALPN-01 and HTTPS HTTP-01 features were split into two
separate binds. This helps us preserve strict TLS-ALPN-01 challenge
responses while also supporting HTTP-01 -> HTTPS HTTP-01 redirects. (See
letsencrypt/boulder#3962)
* The "FAKE_DNS" env var is removed. Now there is a default IPv4 and
a default IPv6 address that can be set via the management API. These
default addresses are used for A/AAAA query responses when there is not
a more specific mock.
* Hardcoded Boulder specific mock DNS data is removed. In its place are
new management API functions for adding/removing mock A, AAAA, and CAA
records
* The output is less noisy now. The DNS server no longer prints a line
per reply.
@cpu cpu self-assigned this Dec 5, 2018
@cpu cpu mentioned this pull request Dec 5, 2018
Merged
jsha
jsha approved these changes Dec 6, 2018
View reviewed changes
Copy link
Collaborator

@jsha jsha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks for this refactoring! I've got some comment-level feedback. I'm going to try something a little different and go ahead and merge this PR, then send you a PR with my proposed fixes.

httpone.go

// ListenAndServe for a challHTTPServer will call the underlying http.Server's
// ListenAndServeTLS if the server has a non-nil TLSConfig, otherwise it will
// use the underlying http.Server's ListenAndServe(). This allos for
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

*This allows

httpone.go
func (c challHTTPServer) ListenAndServe() error {
// If the server has a TLSConfig then use ListenAndServeTLS with empty
// certfile/keyfile arguments. This will use the self-signed certificate we
// issued when constructing the TLSConfig in `httpOneServer`.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We actually issued the self-signed certificate at init time (via the var assignment above). Also, it might be clearer here to say:

"This will use the certificate and key from TLSConfig"

Then, below at line 179-184 we can see that we're using the self-signed certificate generated at startup.

Duplicating the comment both here and there is suboptimal because it increases the chance that one comment will become out of date.

mockdns.go
if !strings.HasSuffix(host, ".") {
host = host + "."
}
fmt.Printf("Adding %#v for %q\n", policies, host)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's leave out this Printf.

tlsalpnone.go
}

func (c challTLSServer) ListenAndServe() error {
// We never want to serve a plain cert so leave certFile and keyFile
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here I would say instead: "Since we set TLSConfig.GetCertificate, the certfile and keyFile arguments are ignored and we leave them blank."

@jsha jsha merged commit 73f3082 into master Dec 6, 2018
@cpu cpu deleted the cpu-initial-package branch December 6, 2018 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsha jsha jsha approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cpu @jsha