fixup! Tests: ACME client tests.

bavshin-f5 · bavshin-f5 · commit 8f09a1781fda · 2025-08-06T16:42:48.000-07:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -88,12 +88,19 @@ jobs:
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
+            bin/pebble
             nginx/objs/**/CACHEDIR.TAG
             nginx/objs/**/ngx-debug
             nginx/objs/**/ngx-release
           key: ${{ runner.os }}-nginx-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: ${{ runner.os }}-nginx-
 
+      - name: test prerequisites
+        run: |
+          cpan -i IO::Socket::SSL
+          build/get-pebble.sh
+          echo TEST_NGINX_PEBBLE_BINARY="$PWD/bin/pebble" >> "$GITHUB_ENV"
+
       - name: build
         id: build
         run: make BUILD=${{ matrix.build }} -j $(nproc) build
diff --git a/.github/workflows/sanitizers.yaml b/.github/workflows/sanitizers.yaml
@@ -15,7 +15,7 @@ env:
     cargo rust-src rustfmt
     clang compiler-rt llvm
     git-core
-    make patch
+    make openssl patch which
     perl-FindBin
     perl-IO-Socket-SSL
     perl-Test-Harness
@@ -56,12 +56,18 @@ jobs:
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
+            bin/pebble
             nginx/objs/**/CACHEDIR.TAG
             nginx/objs/**/ngx-debug
             nginx/objs/**/ngx-release
           key: ${{ runner.os }}-cargo-asan-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: ${{ runner.os }}-cargo-asan-
 
+      - name: Install test prerequisites
+        run: |
+          build/get-pebble.sh
+          echo TEST_NGINX_PEBBLE_BINARY="$PWD/bin/pebble" >> "$GITHUB_ENV"
+
       - name: Configure and build nginx
         run: |
           make -j$(nproc) BUILD=sanitize build
diff --git a/build/get-pebble.sh b/build/get-pebble.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -e
+
+VERSION="${1:-2.8.0}"
+SHA256SUM="$2"
+TARGET=${3:-bin/pebble}
+TARGET=$(realpath "$TARGET")
+
+SYSTEM=$(uname -s | tr "[:upper:]" "[:lower:]")
+
+if [ -z "$SHA256SUM" ]; then
+    case "$SYSTEM" in
+        linux)
+            SHA256SUM="837d1fba39715fed3a378dea0ece5f3ddf404d114ec48fcc5c69bb987f22bdb3";;
+        darwin)
+            SHA256SUM="7a25d25aacb33e1939e44648f32347f922c1a51e54d3a92125f0881df7da9e4b";;
+        *)
+            echo "Unsupported platform: $SYSTEM";
+            exit 1;
+    esac
+fi
+
+if echo "$SHA256SUM $TARGET" | sha256sum -c; then
+    exit 0;
+fi
+
+MACHINE=$(uname -m)
+case "$MACHINE" in
+    aarch64)
+        MACHINE=arm64;;
+    x86_64)
+        MACHINE=amd64;;
+esac
+
+PREFIX="pebble-${SYSTEM}-${MACHINE}"
+
+WORKDIR=$(mktemp -d)
+trap 'rm -rf "$WORKDIR"' EXIT
+
+cd "$WORKDIR"
+curl -L -o "$PREFIX.tar.gz" \
+    "https://github.com/letsencrypt/pebble/releases/download/v${VERSION}/${PREFIX}.tar.gz"
+tar -xzf "$PREFIX.tar.gz"
+
+BINARY="$PREFIX/$SYSTEM/$MACHINE/pebble"
+if ! echo "$SHA256SUM $BINARY" | sha256sum -c; then
+    echo "checksum mismatch"
+    exit 1;
+fi
+
+chmod +x "$BINARY"
+mkdir -p "$(dirname "$TARGET")"
+mv "$BINARY" "$TARGET"
diff --git a/t/acme_http.t b/t/acme_http.t
@@ -26,8 +26,8 @@ use Test::Nginx::DNS;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http socket_ssl/)
-	->has_daemon('openssl')->has_daemon('pebble');
+my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
+	->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -129,7 +129,6 @@ sub get {
 	http_get('/',
 		PeerAddr => '127.0.0.1:' . port($port),
 		SSL => 1,
-		SSL_hostname => $host,
 		$ca ? (
 		SSL_ca_file => "$d/$ca.crt",
 		SSL_verifycn_name => $host,
diff --git a/t/acme_key_type.t b/t/acme_key_type.t
@@ -26,8 +26,8 @@ use Test::Nginx::DNS;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
-	->has_daemon('openssl')->has_daemon('pebble');
+my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
+	->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
diff --git a/t/acme_multiple_issuers.t b/t/acme_multiple_issuers.t
@@ -26,8 +26,8 @@ use Test::Nginx::DNS;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http socket_ssl/)
-	->has_daemon('openssl')->has_daemon('pebble');
+my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/)
+	->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
diff --git a/t/acme_reload.t b/t/acme_reload.t
@@ -26,8 +26,8 @@ use Test::Nginx::DNS;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http socket_ssl/)
-	->has_daemon('openssl')->has_daemon('pebble');
+my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
+	->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -134,7 +134,6 @@ sub get {
 	http_get('/',
 		PeerAddr => '127.0.0.1:' . port($port),
 		SSL => 1,
-		SSL_hostname => $host,
 		$ca ? (
 		SSL_ca_file => "$d/$ca.crt",
 		SSL_verifycn_name => $host,
diff --git a/t/acme_renewal.t b/t/acme_renewal.t
@@ -26,8 +26,8 @@ use Test::Nginx::DNS;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http socket_ssl/)
-	->has_daemon('openssl')->has_daemon('pebble');
+my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
+	->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -133,7 +133,6 @@ sub get {
 	http_get('/',
 		PeerAddr => '127.0.0.1:' . port($port),
 		SSL => 1,
-		SSL_hostname => $host,
 		$ca ? (
 		SSL_ca_file => "$d/$ca.crt",
 		SSL_verifycn_name => $host,
diff --git a/t/acme_ssl_verify.t b/t/acme_ssl_verify.t
@@ -26,8 +26,8 @@ use Test::Nginx::DNS;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http socket_ssl/)
-	->has_daemon('openssl')->has_daemon('pebble');
+my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
+	->has_daemon('openssl');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -126,7 +126,6 @@ sub get {
 	http_get('/',
 		PeerAddr => '127.0.0.1:' . port($port),
 		SSL => 1,
-		SSL_hostname => $host,
 		$ca ? (
 		SSL_ca_file => "$d/$ca.crt",
 		SSL_verifycn_name => $host,
diff --git a/t/lib/Test/Nginx/ACME.pm b/t/lib/Test/Nginx/ACME.pm
@@ -16,12 +16,16 @@ our @EXPORT_OK = qw/ acme_test_daemon /;
 use File::Spec;
 use Test::Nginx qw//;
 
+our $PEBBLE = $ENV{TEST_NGINX_PEBBLE_BINARY} // 'pebble';
+
 sub new {
 	my $self = {};
 	bless $self, shift @_;
 
 	my ($t, $port, $mgmt, $cert, $key, %extra) = @_;
 
+	$t->has_daemon($PEBBLE);
+
 	my $http_port = $extra{http_port} || Test::Nginx::port(8080);
 	my $tls_port = $extra{tls_port} || Test::Nginx::port(8443);
 	my $validity = $extra{validity} || 3600;
@@ -115,7 +119,7 @@ sub acme_test_daemon {
 	open STDERR, ">", $t->testdir . '/pebble-' . $port . '.err'
 		or die "Can't reopen STDERR: $!";
 
-	exec('pebble', '-config', $t->testdir . '/pebble-' . $port . '.json',
+	exec($PEBBLE, '-config', $t->testdir . '/pebble-' . $port . '.json',
 		'-dnsserver', $dnsserver);
 }
 
