From 2a383ada483489b82f5ce544b13ce668a79052f9 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Sat, 15 Jun 2019 11:10:45 -0600 Subject: [PATCH] v3.3.0: include request, cleanup --- index.js | 375 ++++++++++++++++++++++++++++------------------ node-v6-compat.js | 25 ++++ package.json | 2 +- 3 files changed, 255 insertions(+), 147 deletions(-) create mode 100644 node-v6-compat.js diff --git a/index.js b/index.js index 6df82d1..4a7f22d 100644 --- a/index.js +++ b/index.js @@ -1,6 +1,29 @@ 'use strict'; /*global Promise*/ + +if (process.version.match(/^v(\d+)/)[1] > 6) { + console.warn(); + console.warn('#########################'); + console.warn('# Node v6 Compatibility #'); + console.warn('#########################'); + console.warn(); + console.warn("You're using node " + process.version); + console.warn( + 'Please write node-v6 compatible JavaScript (not Babel/ECMAScript) and test with node v6.' + ); + console.warn(); + console.warn( + '(ACME.js and Greenlock.js are widely deployed in enterprise node v6 environments. The few node v6 bugs in Buffer and Promise are hotfixed by ACME.js in just a few lines of code)' + ); + console.warn(); +} +require('./node-v6-compat.js'); + +// Load _after_ node v6 compat var crypto = require('crypto'); +var promisify = require('util').promisify; +var request = require('@root/request'); +request = promisify(request); module.exports.create = function() { throw new Error( @@ -10,13 +33,12 @@ module.exports.create = function() { // ignore all of this, it's just to normalize Promise vs node-style callback thunk vs synchronous function promiseCheckAndCatch(obj, name) { - var promisify = require('util').promisify; // don't loose this-ness, just in case that's important var fn = obj[name].bind(obj); var promiser; // function signature must match, or an error will be thrown - if (1 === fn.length) { + if (fn.length <= 1) { // wrap so that synchronous errors are caught (alsa handles synchronous results) promiser = function(opts) { return Promise.resolve().then(function() { @@ -27,13 +49,11 @@ function promiseCheckAndCatch(obj, name) { // wrap as a promise promiser = promisify(fn); } else { - return Promise.reject( - new Error( - "'challenge." + - name + - "' should accept either one argument, the options," + - ' and return a Promise or accept two arguments, the options and a node-style callback thunk' - ) + throw new Error( + "'challenge." + + name + + "' should accept either one argument, the options," + + ' and return a Promise or accept two arguments, the options and a node-style callback thunk' ); } @@ -42,7 +62,7 @@ function promiseCheckAndCatch(obj, name) { throw new Error( "'challenge.'" + name + - "' should never return `undefined`. Please explicitly return null" + + "' should never return `undefined`. Please explicitly `return null`" + " (or fix the place where a value should have been returned but wasn't)." ); } @@ -79,6 +99,7 @@ function newZoneRegExp(zonename) { // fooexample.com return new RegExp('(^|\\.)' + zonename.replace(/\./g, '\\.') + '$'); } + function pluckZone(zones, dnsHost) { return zones .filter(function(zonename) { @@ -95,155 +116,201 @@ function pluckZone(zones, dnsHost) { // Here's the meat, where the tests are happening: function testEach(type, domains, challenger) { var chr = wrapChallenger(type, challenger); - var all = domains.map(function(d) { - return { domain: d }; - }); + // We want the same rnd for all domains so that we catch errors like removing + // the apex (bare) domain TXT record to when creating the wildcard record var rnd = crypto.randomBytes(2).toString('hex'); console.info("Testing each of '%s'", domains.join(', ')); - return chr.zones({ dnsHosts: domains }).then(function(zones) { - return mapAsync(all, function(opts) { - var zone = pluckZone(zones, opts.domain); - opts.challenge = fakeChallenge(type, zone, opts.domain, rnd); - var ch = opts.challenge; - if ('http-01' === ch.type && ch.wildname) { - throw new Error('http-01 cannot be used for wildcard domains'); - } - // The first time we just check it against itself - // this will cause the prompt to appear - return chr.set(opts).then(function() { - // this will cause the final completion message to appear - // _test is used by the manual cli reference implementations - var query = { type: ch.type, /*debug*/ status: ch.status, _test: true }; - if ('http-01' === ch.type) { - query.identifier = ch.identifier; - query.token = ch.token; - // For testing only - query.url = ch.challengeUrl; - } else if ('dns-01' === ch.type) { - query.identifier = { type: 'dns', value: ch.dnsHost }; - // For testing only - query.altname = ch.altname; - // there should only be two possible TXT records per challenge domain: - // one for the bare domain, and the other if and only if there's a wildcard - query.wildcard = ch.wildcard; - query.dnsAuthorization = ch.dnsAuthorization; - query.dnsZone = ch.dnsZone; - query.dnsPrefix = ch.dnsPrefix; - } else { - query = JSON.parse(JSON.stringify(ch)); - query.comment = 'unknown challenge type, supplying everything'; - } - opts.query = query; - return opts; - }); + // + // Zones + // + // Get ALL zones for all records on the certificate + // + return chr + .init({ request: request }) + .then(function() { + return chr.zones({ request: request, dnsHosts: domains }); }) - .then(function(all) { - return mapAsync(all, function(opts) { - var ch = opts.challenge; - return chr.get({ challenge: opts.query }).then(function(secret) { - if ('string' === typeof secret) { - console.info( - 'secret was passed as a string, which works historically, but should be an object instead:' - ); - console.info('{ "keyAuthorization": "' + secret + '" }'); - console.info('or'); - // TODO this should be "keyAuthorizationDigest" - console.info('{ "dnsAuthorization": "' + secret + '" }'); - console.info( - 'This is to help keep acme / greenlock (and associated plugins) future-proof for new challenge types' - ); - } - // historically 'secret' has been a string, but I'd like it to transition to be an object. - // to make it backwards compatible in v2.7 to change it, - // so I'm not sure that we really need to. - if ('http-01' === ch.type) { - secret = secret.keyAuthorization || secret; - if (ch.keyAuthorization !== secret) { - throw new Error( - "http-01 challenge.get() returned '" + - secret + - "', which does not match the keyAuthorization" + - " saved with challenge.set(), which was '" + - ch.keyAuthorization + - "'" - ); - } - } else if ('dns-01' === ch.type) { - secret = secret.dnsAuthorization || secret; - if (ch.dnsAuthorization !== secret) { - throw new Error( - "dns-01 challenge.get() returned '" + - secret + - "', which does not match the dnsAuthorization" + - " (keyAuthDigest) saved with challenge.set(), which was '" + - ch.dnsAuthorization + - "'" - ); - } - } else { - if ('tls-alpn-01' === ch.type) { - console.warn( - "'tls-alpn-01' support is in development" + - " (or developed and we haven't update this yet). Please contact us." - ); - } else { - console.warn( - "We don't know how to test '" + - ch.type + - "'... are you sure that's a thing?" - ); - } - secret = secret.keyAuthorization || secret; - if (ch.keyAuthorization !== secret) { - console.warn( - "The returned value doesn't match keyAuthorization", - ch.keyAuthorization, - secret - ); - } - } + .then(function(zones) { + var all = domains.map(function(domain) { + var zone = pluckZone(zones, domain); + return { + domain: domain, + challenge: fakeChallenge(type, zone, domain, rnd), + request: request + }; + }); + + // resolving for the sake of same indentation / scope + return Promise.resolve() + .then(function() { + return mapAsync(all, function(opts) { + return set(chr, opts); }); - }); - }) - .then(function() { - return mapAsync(all, function(opts) { - return chr.remove(opts).then(function() { - return chr.get(opts).then(function(result) { - if (result) { - throw new Error( - 'challenge.remove() should have made it not possible for challenge.get() to return a value' - ); - } - if (null !== result) { - throw new Error( - 'challenge.get() should return null when the value is not set' - ); - } + }) + .then(function() { + return mapAsync(all, function(opts) { + return check(chr, opts); + }); + }) + .then(function() { + return mapAsync(all, function(opts) { + return remove(chr, opts).then(function() { console.info("PASS '%s'", opts.domain); }); }); + }) + .then(function() { + console.info(); + console.info('It looks like the soft tests all passed.'); + console.log('It is highly likely that your plugin is correct.'); + console.log( + 'Now go test with Greenlock.js and/or ACME.js to be sure.' + ); + console.info(); }); - }) - .then(function() { - console.info('All soft tests: PASS'); - console.warn( - 'Hard tests (actually checking http URLs and dns records) is implemented in acme-v2.' - ); - console.warn( - "We'll copy them over here as well, but that's a TODO for next week." - ); - }); + }); +} + +function set(chr, opts) { + var ch = opts.challenge; + if ('http-01' === ch.type && ch.wildname) { + throw new Error('http-01 cannot be used for wildcard domains'); + } + + // + // Set + // + // Add (not replace) a TXT for the domain + // + return chr.set(opts).then(function() { + // _test is used by the manual cli reference implementations + var query = { type: ch.type, /*debug*/ status: ch.status, _test: true }; + if ('http-01' === ch.type) { + query.identifier = ch.identifier; + query.token = ch.token; + // For testing only + query.url = ch.challengeUrl; + } else if ('dns-01' === ch.type) { + query.identifier = { type: 'dns', value: ch.dnsHost }; + // For testing only + query.altname = ch.altname; + // there should only be two possible TXT records per challenge domain: + // one for the bare domain, and the other if and only if there's a wildcard + query.wildcard = ch.wildcard; + query.dnsAuthorization = ch.dnsAuthorization; + query.dnsZone = ch.dnsZone; + query.dnsPrefix = ch.dnsPrefix; + } else { + query = JSON.parse(JSON.stringify(ch)); + query.comment = 'unknown challenge type, supplying everything'; + } + opts.query = query; + return opts; }); } -function testZone(type, zone, challenger) { - var domains = [zone, 'foo.' + zone]; - if ('dns-01' === type) { - domains.push('*.foo.' + zone); - } - return testEach(type, domains, challenger); +function check(chr, opts) { + var ch = opts.challenge; + + // + // Get + // + // Check that ONE of the relevant TXT records matches + // + return chr + .get({ request: request, challenge: opts.query }) + .then(function(secret) { + if (!secret) { + throw new Error( + '`secret` should be an object containing `keyAuthorization` or `dnsAuthorization`' + ); + } + if ('string' === typeof secret) { + console.info( + 'secret was passed as a string, which works historically, but should be an object instead:' + ); + console.info('{ "keyAuthorization": "' + secret + '" }'); + console.info('or'); + // TODO this should be "keyAuthorizationDigest" + console.info('{ "dnsAuthorization": "' + secret + '" }'); + console.info( + 'This is to help keep acme / greenlock (and associated plugins) future-proof for new challenge types' + ); + } + // historically 'secret' has been a string, but I'd like it to transition to be an object. + // to make it backwards compatible in v2.7 to change it, + // so I'm not sure that we really need to. + if ('http-01' === ch.type) { + secret = secret.keyAuthorization || secret; + if (ch.keyAuthorization !== secret) { + throw new Error( + "http-01 challenge.get() returned '" + + secret + + "', which does not match the keyAuthorization" + + " saved with challenge.set(), which was '" + + ch.keyAuthorization + + "'" + ); + } + } else if ('dns-01' === ch.type) { + secret = secret.dnsAuthorization || secret; + if (ch.dnsAuthorization !== secret) { + throw new Error( + "dns-01 challenge.get() returned '" + + secret + + "', which does not match the dnsAuthorization" + + " (keyAuthDigest) saved with challenge.set(), which was '" + + ch.dnsAuthorization + + "'" + ); + } + } else { + if ('tls-alpn-01' === ch.type) { + console.warn( + "'tls-alpn-01' support is in development" + + " (or developed and we haven't update this yet). Please contact us." + ); + } else { + console.warn( + "We don't know how to test '" + + ch.type + + "'... are you sure that's a thing?" + ); + } + secret = secret.keyAuthorization || secret; + if (ch.keyAuthorization !== secret) { + console.warn( + "The returned value doesn't match keyAuthorization", + ch.keyAuthorization, + secret + ); + } + } + }); +} + +function remove(chr, opts) { + // + // Remove + // + // Delete ONLY the SINGLE relevant TXT record + // + return chr.remove(opts).then(function() { + return chr.get(opts).then(function(result) { + if (result) { + throw new Error( + 'challenge.remove() should have made it not possible for challenge.get() to return a value' + ); + } + if (null !== result) { + throw new Error( + 'challenge.get() should return null when the value is not set' + ); + } + }); + }); } function wrapChallenger(type, challenger) { @@ -278,7 +345,14 @@ function wrapChallenger(type, challenger) { return; } + var init = challenger.init; + if ('function' !== typeof init) { + init = function(opts) { + return null; + }; + } return { + init: promiseCheckAndCatch(challenger, 'init'), zones: zones, set: promiseCheckAndCatch(challenger, 'set'), get: promiseCheckAndCatch(challenger, 'get'), @@ -309,6 +383,7 @@ function fakeChallenge(type, zone, altname, rnd) { thumbprint: thumb, keyAuthorization: keyAuth, url: null, // completed below + // we create a random record to prevent self cache-poisoning dnsHost: '_' + rnd.slice(0, 2) + '-acme-challenge-' + rnd.slice(2) + '.', // completed below dnsAuthorization: dnsAuth, altname: altname, @@ -332,6 +407,14 @@ function fakeChallenge(type, zone, altname, rnd) { return challenge; } +function testZone(type, zone, challenger) { + var domains = [zone, 'foo.' + zone]; + if ('dns-01' === type) { + domains.push('*.foo.' + zone); + } + return testEach(type, domains, challenger); +} + function testRecord(type, altname, challenger) { return testEach(type, [altname], challenger); } diff --git a/node-v6-compat.js b/node-v6-compat.js new file mode 100644 index 0000000..df73e1e --- /dev/null +++ b/node-v6-compat.js @@ -0,0 +1,25 @@ +"use strict"; + +function requireBluebird() { + try { + return require("bluebird"); + } catch (e) { + console.error(""); + console.error("DON'T PANIC. You're running an old version of node with incomplete Promise support."); + console.error("EASY FIX: `npm install --save bluebird`"); + console.error(""); + throw e; + } +} + +if ("undefined" === typeof Promise) { + global.Promise = requireBluebird(); +} + +if ("function" !== typeof require("util").promisify) { + require("util").promisify = requireBluebird().promisify; +} + +if (!console.debug) { + console.debug = console.log; +} diff --git a/package.json b/package.json index 6d35022..77d9883 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "acme-challenge-test", - "version": "3.2.1", + "version": "3.3.0", "description": "ACME challenge test harness for Let's Encrypt integrations. Any `acme-http-01-` or `acme-dns-01-` challenge strategy or Greenlock plugin should be able to pass these tests.", "main": "index.js", "homepage": "https://git.rootprojects.org/root/acme-challenge-test.js",