From f2373a09ded2c709474645160b7e6da12941e821 Mon Sep 17 00:00:00 2001
From: AJ ONeal <coolaj86@gmail.com>
Date: Thu, 6 Jun 2019 22:48:34 -0600
Subject: [PATCH] Update record test, use random prefix

* Test multiple zone records (@, foo, *.foo)
* Use random _acme-challenge-xxxx
---
 example.js        |  17 ++--
 index.js          | 239 +++++++++++++++++++++++++---------------------
 package-lock.json |   5 +
 package.json      |   2 +-
 4 files changed, 144 insertions(+), 119 deletions(-)
 create mode 100644 package-lock.json

diff --git a/example.js b/example.js
index 3c23ab1..912400f 100644
--- a/example.js
+++ b/example.js
@@ -1,10 +1,10 @@
-"use strict";
+'use strict';
 
 //var tester = require('acme-challenge-test');
-var tester = require("./");
+var tester = require('./');
 
-var type = "http-01";
-var challenger = require("acme-http-01-cli").create({});
+var type = 'http-01';
+var challenger = require('acme-http-01-cli').create({});
 //var type = 'dns-01';
 //var challenger = require('acme-dns-01-cli').create({});
 //var challenger = require('./YOUR-CHALLENGE-STRATEGY').create({});
@@ -12,16 +12,15 @@ var challenger = require("acme-http-01-cli").create({});
 
 // The dry-run tests can pass on, literally, 'example.com'
 // but the integration tests require that you have control over the domain
-var domain = "example.com";
-//var domain = '*.example.com';
+var zone = 'example.com';
 
 tester
-	.test(type, domain, challenger)
+	.test(type, zone, challenger)
 	.then(function() {
-		console.info("PASS");
+		console.info('ALL PASSED');
 	})
 	.catch(function(err) {
-		console.error("FAIL");
+		console.error('FAIL');
 		console.error(err);
 		process.exit(20);
 	});
diff --git a/index.js b/index.js
index 51e9e68..0582083 100644
--- a/index.js
+++ b/index.js
@@ -75,121 +75,140 @@ function run(challenger, opts) {
 
 	// The first time we just check it against itself
 	// this will cause the prompt to appear
-	return set(opts)
-		.then(function() {
-			// this will cause the final completion message to appear
-			// _test is used by the manual cli reference implementations
-			var query = { type: ch.type, /*debug*/ status: ch.status, _test: true };
-			if ('http-01' === ch.type) {
-				query.identifier = ch.identifier;
-				query.token = ch.token;
-				// For testing only
-				query.url = ch.challengeUrl;
-			} else if ('dns-01' === ch.type) {
-				query.identifier = { type: 'dns', value: ch.dnsHost };
-				// For testing only
-				query.altname = ch.altname;
-				// there should only be two possible TXT records per challenge domain:
-				// one for the bare domain, and the other if and only if there's a wildcard
-				query.wildcard = ch.wildcard;
-				query.dnsAuthorization = ch.dnsAuthorization;
-			} else {
-				query = JSON.parse(JSON.stringify(ch));
-				query.comment = 'unknown challenge type, supplying everything';
-			}
-			return get({ challenge: query })
-				.then(function(secret) {
-					if ('string' === typeof secret) {
-						console.info(
-							'secret was passed as a string, which works historically, but should be an object instead:'
-						);
-						console.info('{ "keyAuthorization": "' + secret + '" }');
-						console.info('or');
-						// TODO this should be "keyAuthorizationDigest"
-						console.info('{ "dnsAuthorization": "' + secret + '" }');
-						console.info(
-							'This is to help keep acme / greenlock (and associated plugins) future-proof for new challenge types'
+	return set(opts).then(function() {
+		// this will cause the final completion message to appear
+		// _test is used by the manual cli reference implementations
+		var query = { type: ch.type, /*debug*/ status: ch.status, _test: true };
+		if ('http-01' === ch.type) {
+			query.identifier = ch.identifier;
+			query.token = ch.token;
+			// For testing only
+			query.url = ch.challengeUrl;
+		} else if ('dns-01' === ch.type) {
+			query.identifier = { type: 'dns', value: ch.dnsHost };
+			// For testing only
+			query.altname = ch.altname;
+			// there should only be two possible TXT records per challenge domain:
+			// one for the bare domain, and the other if and only if there's a wildcard
+			query.wildcard = ch.wildcard;
+			query.dnsAuthorization = ch.dnsAuthorization;
+		} else {
+			query = JSON.parse(JSON.stringify(ch));
+			query.comment = 'unknown challenge type, supplying everything';
+		}
+		return get({ challenge: query })
+			.then(function(secret) {
+				if ('string' === typeof secret) {
+					console.info(
+						'secret was passed as a string, which works historically, but should be an object instead:'
+					);
+					console.info('{ "keyAuthorization": "' + secret + '" }');
+					console.info('or');
+					// TODO this should be "keyAuthorizationDigest"
+					console.info('{ "dnsAuthorization": "' + secret + '" }');
+					console.info(
+						'This is to help keep acme / greenlock (and associated plugins) future-proof for new challenge types'
+					);
+				}
+				// historically 'secret' has been a string, but I'd like it to transition to be an object.
+				// to make it backwards compatible in v2.7 to change it,
+				// so I'm not sure that we really need to.
+				if ('http-01' === ch.type) {
+					secret = secret.keyAuthorization || secret;
+					if (ch.keyAuthorization !== secret) {
+						throw new Error(
+							"http-01 challenge.get() returned '" +
+								secret +
+								"', which does not match the keyAuthorization" +
+								" saved with challenge.set(), which was '" +
+								ch.keyAuthorization +
+								"'"
 						);
 					}
-					// historically 'secret' has been a string, but I'd like it to transition to be an object.
-					// to make it backwards compatible in v2.7 to change it,
-					// so I'm not sure that we really need to.
-					if ('http-01' === ch.type) {
-						secret = secret.keyAuthorization || secret;
-						if (ch.keyAuthorization !== secret) {
-							throw new Error(
-								"http-01 challenge.get() returned '" +
-									secret +
-									"', which does not match the keyAuthorization" +
-									" saved with challenge.set(), which was '" +
-									ch.keyAuthorization +
-									"'"
-							);
-						}
-					} else if ('dns-01' === ch.type) {
-						secret = secret.dnsAuthorization || secret;
-						if (ch.dnsAuthorization !== secret) {
-							throw new Error(
-								"dns-01 challenge.get() returned '" +
-									secret +
-									"', which does not match the dnsAuthorization" +
-									" (keyAuthDigest) saved with challenge.set(), which was '" +
-									ch.dnsAuthorization +
-									"'"
-							);
-						}
+				} else if ('dns-01' === ch.type) {
+					secret = secret.dnsAuthorization || secret;
+					if (ch.dnsAuthorization !== secret) {
+						throw new Error(
+							"dns-01 challenge.get() returned '" +
+								secret +
+								"', which does not match the dnsAuthorization" +
+								" (keyAuthDigest) saved with challenge.set(), which was '" +
+								ch.dnsAuthorization +
+								"'"
+						);
+					}
+				} else {
+					if ('tls-alpn-01' === ch.type) {
+						console.warn(
+							"'tls-alpn-01' support is in development" +
+								" (or developed and we haven't update this yet). Please contact us."
+						);
 					} else {
-						if ('tls-alpn-01' === ch.type) {
-							console.warn(
-								"'tls-alpn-01' support is in development" +
-									" (or developed and we haven't update this yet). Please contact us."
-							);
-						} else {
-							console.warn(
-								"We don't know how to test '" +
-									ch.type +
-									"'... are you sure that's a thing?"
-							);
-						}
-						secret = secret.keyAuthorization || secret;
-						if (ch.keyAuthorization !== secret) {
-							console.warn(
-								"The returned value doesn't match keyAuthorization",
-								ch.keyAuthorization,
-								secret
-							);
-						}
+						console.warn(
+							"We don't know how to test '" +
+								ch.type +
+								"'... are you sure that's a thing?"
+						);
 					}
-				})
-				.then(function() {
-					return remove(opts).then(function() {
-						return get(opts).then(function(result) {
-							if (result) {
-								throw new Error(
-									'challenge.remove() should have made it not possible for challenge.get() to return a value'
-								);
-							}
-							if (null !== result) {
-								throw new Error(
-									'challenge.get() should return null when the value is not set'
-								);
-							}
-						});
+					secret = secret.keyAuthorization || secret;
+					if (ch.keyAuthorization !== secret) {
+						console.warn(
+							"The returned value doesn't match keyAuthorization",
+							ch.keyAuthorization,
+							secret
+						);
+					}
+				}
+			})
+			.then(function() {
+				return remove(opts).then(function() {
+					return get(opts).then(function(result) {
+						if (result) {
+							throw new Error(
+								'challenge.remove() should have made it not possible for challenge.get() to return a value'
+							);
+						}
+						if (null !== result) {
+							throw new Error(
+								'challenge.get() should return null when the value is not set'
+							);
+						}
 					});
 				});
-		})
-		.then(function() {
-			console.info('All soft tests: PASS');
-			console.warn(
-				'Hard tests (actually checking http URLs and dns records) is implemented in acme-v2.'
-			);
-			console.warn(
-				"We'll copy them over here as well, but that's a TODO for next week."
-			);
-		});
+			});
+	});
 }
 
-module.exports.test = function(type, altname, challenger) {
+module.exports.test = function(type, zone, challenger) {
+	var domains = [zone, 'foo.' + zone];
+	if ('dns-01' === type) {
+		domains.push('*.foo.' + zone);
+	}
+
+	function next() {
+		var domain = domains.shift();
+		if (!domain) {
+			return;
+		}
+		console.info("TEST '%s'", domain);
+		return testOne(type, domain, challenger).then(function() {
+			console.info("PASS '%s'", domain);
+			return next();
+		});
+	}
+
+	return next().then(function() {
+		console.info('All soft tests: PASS');
+		console.warn(
+			'Hard tests (actually checking http URLs and dns records) is implemented in acme-v2.'
+		);
+		console.warn(
+			"We'll copy them over here as well, but that's a TODO for next week."
+		);
+	});
+};
+
+function testOne(type, altname, challenger) {
 	var expires = new Date(Date.now() + 10 * 60 * 1000).toISOString();
 	var token = crypto.randomBytes(8).toString('hex');
 	var thumb = crypto.randomBytes(16).toString('hex');
@@ -212,7 +231,7 @@ module.exports.test = function(type, altname, challenger) {
 		thumbprint: thumb,
 		keyAuthorization: keyAuth,
 		url: null, // completed below
-		dnsHost: '_acme-challenge.', // completed below
+		dnsHost: '_acme-challenge-' + token.slice(0, 4) + '.', // completed below
 		dnsAuthorization: dnsAuth,
 		altname: altname,
 		_test: true // used by CLI referenced implementations
@@ -227,4 +246,6 @@ module.exports.test = function(type, altname, challenger) {
 	challenge.dnsHost += altname;
 
 	return run(challenger, { challenge: challenge });
-};
+}
+
+module.exports._test = testOne;
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..c93547c
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,5 @@
+{
+	"name": "acme-challenge-test",
+	"version": "3.0.4",
+	"lockfileVersion": 1
+}
diff --git a/package.json b/package.json
index 6e5ffe9..ff4ba9a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "acme-challenge-test",
-	"version": "3.0.4",
+	"version": "3.0.5",
 	"description": "The base set of tests for all ACME challenge strategies. Any `acme-http-01-`, `acme-dns-01-`, `acme-challenge-`, or greenlock plugin should be able to pass these tests.",
 	"main": "index.js",
 	"homepage": "https://git.rootprojects.org/root/acme-challenge-test.js",