
Commit ff5beaf

Restore logging of dig-like string for CAA
1 parent 12cf297 commit ff5beaf


2 files changed

+37
-29
lines changed


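--- a/va/caa.go
+++ b/va/caa.go
@@ -130,13 +130,13 @@ func (va *ValidationAuthorityImpl) checkCAA(
 		return errors.New("expected validationMethod or accountURIID not provided to checkCAA")
 	}
 
-	foundAt, valid, err := va.checkCAARecords(ctx, ident, params)
+	foundAt, valid, response, err := va.checkCAARecords(ctx, ident, params)
 	if err != nil {
 		return berrors.DNSError("%s", err)
 	}
 
-	va.log.AuditInfof("Checked CAA records for %s, [Present: %t, Account ID: %d, Challenge: %s, Valid for issuance: %t, Found at: %q]",
-		ident.Value, foundAt != "", params.accountURIID, params.validationMethod, valid, foundAt)
+	va.log.AuditInfof("Checked CAA records for %s, [Present: %t, Account ID: %d, Challenge: %s, Valid for issuance: %t, Found at: %q] Response=%q",
+		ident.Value, foundAt != "", params.accountURIID, params.validationMethod, valid, foundAt, response)
 	if !valid {
 		return berrors.CAAError("CAA record for %s prevents issuance", foundAt)
 	}
@@ -153,6 +153,7 @@ type caaResult struct {
 	issue []*dns.CAA
 	issuewild []*dns.CAA
 	criticalUnknown bool
+	dig string
 	resolver string
 	err error
 }
@@ -219,6 +220,7 @@ func (va *ValidationAuthorityImpl) parallelCAALookup(ctx context.Context, name s
 			if r.err != nil {
 				return
 			}
+			r.dig = records.String()
 			if len(records.Final) > 0 {
 				r.present = true
 			}
@@ -274,14 +276,16 @@ func (va *ValidationAuthorityImpl) getCAA(ctx context.Context, hostname string)
 // validates them. If the identifier argument's value has a wildcard prefix then
 // the prefix is stripped and validation will be performed against the base
 // domain, honouring any issueWild CAA records encountered as appropriate.
-// checkCAARecords returns three values: the first is a string indicating at
+// checkCAARecords returns four values: the first is a string indicating at
 // which name (i.e. FQDN or parent thereof) CAA records were found, if any. The
-// second is a bool indicating whether issuance for the identifier is valid. Any
-// errors encountered are returned as the last return value (or nil).
+// second is a bool indicating whether issuance for the identifier is valid. The
+// unmodified *dns.CAA records that were processed/filtered are returned as the
+// third argument. Any errors encountered are returned as the fourth return
+// value (or nil).
 func (va *ValidationAuthorityImpl) checkCAARecords(
 	ctx context.Context,
 	ident identifier.ACMEIdentifier,
-	params *caaParams) (string, bool, error) {
+	params *caaParams) (string, bool, string, error) {
 	hostname := strings.ToLower(ident.Value)
 	// If this is a wildcard name, remove the prefix
 	var wildcard bool
@@ -291,10 +295,14 @@ func (va *ValidationAuthorityImpl) checkCAARecords(
 	}
 	caaSet, err := va.getCAA(ctx, hostname)
 	if err != nil {
-		return "", false, err
+		return "", false, "", err
+	}
+	raw := ""
+	if caaSet != nil {
+		raw = caaSet.dig
 	}
 	valid, foundAt := va.validateCAA(caaSet, wildcard, params)
-	return foundAt, valid, nil
+	return foundAt, valid, raw, nil
 }
 
 // validateCAA checks a provided *caaResult. When the wildcard argument is true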
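Review bot: The new doc comment on checkCAARecords (the `returns four values` paragraph) says the third return value is "the unmodified *dns.CAA records that were processed/filtered", but the signature now returns a `string` and the body fills it from `caaSet.dig`, which parallelCAALookup sets from `records.String()`; the sentence should instead read `The third is the dig-like text of the DNS response the selected CAA set came from, kept for audit logging; it is empty when no CAA set was found.` That text is supplied by remote nameservers and, if `records.String()` is the miekg/dns message rendering (not visible in this hunk), spans several lines, so the `%q` verb in checkCAA's `AuditInfof` is doing real work by escaping it onto a single audit line; a short comment there, `// %q keeps the multi-line, resolver-supplied dig output on one escaped audit line`, would stop a later "simplification" to `%s`. checkCAA's body continues outside the first hunk, and the caaResult struct starts before the second.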

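--- a/va/caa_test.go
+++ b/va/caa_test.go
@@ -414,7 +414,7 @@ func TestCAAChecking(t *testing.T) {
 		defer mockLog.Clear()
 		t.Run(caaTest.Name, func(t *testing.T) {
 			ident := identifier.NewDNS(caaTest.Domain)
-			foundAt, valid, err := va.checkCAARecords(ctx, ident, params)
+			foundAt, valid, _, err := va.checkCAARecords(ctx, ident, params)
 			if err != nil {
 				t.Errorf("checkCAARecords error for %s: %s", caaTest.Domain, err)
 			}
@@ -442,55 +442,55 @@ func TestCAALogging(t *testing.T) {
 			Domain: "reserved.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeHTTP01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for reserved.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: false, Found at: \"reserved.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for reserved.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: false, Found at: \"reserved.com\"] Response=\"<nil> MsgHdr\"",
 		},
 		{
 			Domain: "reserved.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeDNS01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for reserved.com, [Present: true, Account ID: 12345, Challenge: dns-01, Valid for issuance: false, Found at: \"reserved.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for reserved.com, [Present: true, Account ID: 12345, Challenge: dns-01, Valid for issuance: false, Found at: \"reserved.com\"] Response=\"<nil> MsgHdr\"",
 		},
 		{
 			Domain: "mixedcase.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeHTTP01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for mixedcase.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: false, Found at: \"mixedcase.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for mixedcase.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: false, Found at: \"mixedcase.com\"] Response=\"<nil> MsgHdr\"",
 		},
 		{
 			Domain: "critical.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeHTTP01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for critical.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: false, Found at: \"critical.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for critical.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: false, Found at: \"critical.com\"] Response=\"<nil> MsgHdr\"",
 		},
 		{
 			Domain: "present.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeHTTP01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for present.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: true, Found at: \"present.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for present.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: true, Found at: \"present.com\"] Response=\"<nil> MsgHdr\"",
 		},
 		{
 			Domain: "not.here.but.still.present.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeHTTP01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for not.here.but.still.present.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: true, Found at: \"present.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for not.here.but.still.present.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: true, Found at: \"present.com\"] Response=\"<nil> MsgHdr\"",
 		},
 		{
 			Domain: "multi-crit-present.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeHTTP01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for multi-crit-present.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: true, Found at: \"multi-crit-present.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for multi-crit-present.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: true, Found at: \"multi-crit-present.com\"] Response=\"<nil> MsgHdr\"",
 		},
 		{
 			Domain: "present-with-parameter.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeHTTP01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for present-with-parameter.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: true, Found at: \"present-with-parameter.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for present-with-parameter.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: true, Found at: \"present-with-parameter.com\"] Response=\"<nil> MsgHdr\"",
 		},
 		{
 			Domain: "satisfiable-wildcard-override.com",
 			AccountURIID: 12345,
 			ChallengeType: core.ChallengeTypeHTTP01,
-			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for satisfiable-wildcard-override.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: false, Found at: \"satisfiable-wildcard-override.com\"]",
+			ExpectedLogline: "INFO: [AUDIT] Checked CAA records for satisfiable-wildcard-override.com, [Present: true, Account ID: 12345, Challenge: http-01, Valid for issuance: false, Found at: \"satisfiable-wildcard-override.com\"] Response=\"<nil> MsgHdr\"",
 		},
 	}
 
@@ -1210,9 +1210,9 @@ func TestSelectCAA(t *testing.T) {
 
 	// A slice of empty caaResults should return nil, "", nil
 	r = []caaResult{
-		{"", false, nil, nil, false, "", nil},
-		{"", false, nil, nil, false, "", nil},
-		{"", false, nil, nil, false, "", nil},
+		{"", false, nil, nil, false, "", "", nil},
+		{"", false, nil, nil, false, "", "", nil},
+		{"", false, nil, nil, false, "", "", nil},
 	}
 	s, err = selectCAA(r)
 	test.Assert(t, s == nil, "set is not nil")
@@ -1221,8 +1221,8 @@ func TestSelectCAA(t *testing.T) {
 	// A slice of caaResults containing an error followed by a CAA
 	// record should return the error
 	r = []caaResult{
-		{"foo.com", false, nil, nil, false, "", errors.New("oops")},
-		{"com", true, []*dns.CAA{&expected}, nil, false, "foo", nil},
+		{"foo.com", false, nil, nil, false, "", "", errors.New("oops")},
+		{"com", true, []*dns.CAA{&expected}, nil, false, "dig", "res", nil},
 	}
 	s, err = selectCAA(r)
 	test.Assert(t, s == nil, "set is not nil")
@@ -1232,8 +1232,8 @@ func TestSelectCAA(t *testing.T) {
 	// A slice of caaResults containing a good record that precedes an
 	// error, should return that good record, not the error
 	r = []caaResult{
-		{"foo.com", true, []*dns.CAA{&expected}, nil, false, "foo", nil},
-		{"com", false, nil, nil, false, "", errors.New("")},
+		{"foo.com", true, []*dns.CAA{&expected}, nil, false, "dig", "res", nil},
+		{"com", false, nil, nil, false, "", "", errors.New("")},
 	}
 	s, err = selectCAA(r)
 	test.AssertEquals(t, len(s.issue), 1)
@@ -1243,9 +1243,9 @@ func TestSelectCAA(t *testing.T) {
 	// A slice of caaResults containing multiple CAA records should
 	// return the first non-empty CAA record
 	r = []caaResult{
-		{"bar.foo.com", false, []*dns.CAA{}, []*dns.CAA{}, false, "", nil},
-		{"foo.com", true, []*dns.CAA{&expected}, nil, false, "foo", nil},
-		{"com", true, []*dns.CAA{&expected}, nil, false, "bar", nil},
+		{"bar.foo.com", false, []*dns.CAA{}, []*dns.CAA{}, false, "", "", nil},
+		{"foo.com", true, []*dns.CAA{&expected}, nil, false, "dig", "res", nil},
+		{"com", true, []*dns.CAA{&expected}, nil, false, "dig", "res", nil},
 	}
 	s, err = selectCAA(r)
 	test.AssertEquals(t, len(s.issue), 1)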
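Review bot: Every updated ExpectedLogline in TestCAALogging ends in `Response=\"<nil> MsgHdr\"`, which is what a nil `*dns.Msg` renders to, so these cases only prove the field is appended and never exercise the dig-like rendering that checkCAA now puts in the audit log (the mock resolver presumably returns no message; its setup is outside the hunk). One case backed by a non-nil response carrying a CAA record would pin both the expected format and the fact that `%q` escapes the multi-line output into a single log line. Separately, the positional literals in TestSelectCAA (`{"", false, nil, nil, false, "", "", nil}`) had to be rewritten in every case just to add the `dig` field; keyed fields such as `dig: "dig", resolver: "res"` with zero-valued fields omitted would make the next field addition a no-op for this test. Both TestCAALogging and TestSelectCAA start before their hunks and end after them.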
