Tests: ACME client tests.

Author: bavshin-f5

.github/workflows/ci.yaml

@@ -81,19 +81,30 @@ jobs:
           toolchain: ${{ matrix.rust-version }}
           components: clippy, rustfmt
 
+      - uses: perl-actions/install-with-cpm@8b1a9840b26cc3885ae2889749a48629be2501b0 # v1.9
+        with:
+          install: IO::Socket::SSL
+
       - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.cargo/bin/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
+            bin/pebble
             nginx/objs/**/CACHEDIR.TAG
             nginx/objs/**/ngx-debug
             nginx/objs/**/ngx-release
+            target/
           key: ${{ runner.os }}-nginx-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: ${{ runner.os }}-nginx-
 
+      - name: download pebble
+        run: |
+          build/get-pebble.sh
+          echo TEST_NGINX_PEBBLE_BINARY="$PWD/bin/pebble" >> "$GITHUB_ENV"
+
       - name: build
         id: build
         run: make BUILD=${{ matrix.build }} -j $(nproc) build

.github/workflows/sanitizers.yaml

@@ -15,7 +15,8 @@ env:
     cargo rust-src rustfmt
     clang compiler-rt llvm
     git-core
-    make patch
+    make openssl patch which
+    perl-Digest-SHA
     perl-FindBin
     perl-IO-Socket-SSL
     perl-Test-Harness
@@ -56,12 +57,18 @@ jobs:
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
+            bin/pebble
             nginx/objs/**/CACHEDIR.TAG
             nginx/objs/**/ngx-debug
             nginx/objs/**/ngx-release
           key: ${{ runner.os }}-cargo-asan-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: ${{ runner.os }}-cargo-asan-
 
+      - name: download pebble 
+        run: |
+          build/get-pebble.sh
+          echo TEST_NGINX_PEBBLE_BINARY="$PWD/bin/pebble" >> "$GITHUB_ENV"
+
       - name: Configure and build nginx
         run: |
           make -j$(nproc) BUILD=sanitize build
@@ -75,4 +82,4 @@ jobs:
           TEST_NGINX_GLOBALS: >-
               user root;
         run: |
-          make -j$(nproc) BUILD=sanitize test
+          make -j$(nproc) BUILD=sanitize TEST_PREREQ= test

build/get-pebble.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# Copyright (c) F5, Inc.
+#
+# This source code is licensed under the Apache License, Version 2.0 license
+# found in the LICENSE file in the root directory of this source tree.
+
+set -e
+
+VERSION="${1:-2.8.0}"
+SHA256SUM="$2"
+TARGET=${3:-$PWD/bin/pebble}
+
+SHA256SUM_darwin_amd64=9b9625651f8ce47706235179503fec149f8f38bce2b2554efe8c0f2a021f877c
+SHA256SUM_darwin_arm64=39e07d63dc776521f2ffe0584e5f4f081c984ac02742c882b430891d89f0c866
+SHA256SUM_linux_amd64=34595d915bbc2fc827affb3f58593034824df57e95353b031c8d5185724485ce
+SHA256SUM_linux_arm64=0e70f2537353f61cbf06aa54740bf7f7bb5f963ba00e909f23af5f85bc13fd1a
+
+if "$TARGET" -version | grep "$VERSION"; then
+    exit 0
+fi
+
+SYSTEM=$(uname -s | tr "[:upper:]" "[:lower:]")
+MACHINE=$(uname -m)
+case "$MACHINE" in
+    aarch64)
+        MACHINE=arm64;;
+    x86_64)
+        MACHINE=amd64;;
+esac
+
+if [ -z "$SHA256SUM" ]; then
+    eval "SHA256SUM=\$SHA256SUM_${SYSTEM}_${MACHINE}"
+fi
+
+if echo "$SHA256SUM  $TARGET" | shasum -a 256 -c; then
+    exit 0;
+fi
+
+PREFIX="pebble-${SYSTEM}-${MACHINE}"
+
+WORKDIR=$(mktemp -d)
+trap 'rm -rf "$WORKDIR"' EXIT
+
+cd "$WORKDIR"
+
+curl -L -o "$PREFIX.tar.gz" \
+    "https://github.com/letsencrypt/pebble/releases/download/v${VERSION}/${PREFIX}.tar.gz"
+
+if ! echo "$SHA256SUM  $PREFIX.tar.gz" | shasum -a 256 -c; then
+    echo "checksum mismatch"
+    exit 1;
+fi
+
+tar -xzf "$PREFIX.tar.gz"
+
+mkdir -p "$(dirname "$TARGET")"
+mv "$PREFIX/$SYSTEM/$MACHINE/pebble" "$TARGET"
+chmod +x "$TARGET"

t/acme_http.t

@@ -0,0 +1,142 @@
+#!/usr/bin/perl
+
+# Copyright (c) F5, Inc.
+#
+# This source code is licensed under the Apache License, Version 2.0 license
+# found in the LICENSE file in the root directory of this source tree.
+
+# Tests for ACME client: HTTP-01 challenge.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+use IO::Select;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+use Test::Nginx::ACME;
+use Test::Nginx::DNS;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+my $t = Test::Nginx->new()->has(qw/http http_ssl socket_ssl/)
+	->has_daemon('openssl');
+
+$t->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+    %%TEST_GLOBALS_HTTP%%
+
+    resolver 127.0.0.1:%%PORT_8980_UDP%%;
+
+    acme_issuer default {
+        uri https://acme.test:%%PORT_9000%%/dir;
+        ssl_trusted_certificate acme.test.crt;
+        state_path %%TESTDIR%%;
+        accept_terms_of_service;
+    }
+
+    server {
+        listen       127.0.0.1:8080;
+        server_name  example.test;
+    }
+
+    server {
+        listen       127.0.0.1:8443 ssl;
+        server_name  example.test;
+
+        acme_certificate default;
+
+        ssl_certificate $acme_certificate;
+        ssl_certificate_key $acme_certificate_key;
+    }
+}
+
+EOF
+
+$t->write_file('openssl.conf', <<EOF);
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+
+my $d = $t->testdir();
+
+foreach my $name ('acme.test') {
+	system('openssl req -x509 -new '
+		. "-config $d/openssl.conf -subj /CN=$name/ "
+		. "-out $d/$name.crt -keyout $d/$name.key "
+		. ">>$d/openssl.out 2>&1") == 0
+		or die "Can't create certificate for $name: $!\n";
+}
+
+my $dp = port(8980, udp=>1);
+my @dc = (
+	{ name => 'acme.test', A => '127.0.0.1' },
+	{ name => 'example.test', A => '127.0.0.1' }
+);
+
+my $acme = Test::Nginx::ACME->new($t, port(9000), port(9001),
+	$t->testdir . '/acme.test.crt',
+	$t->testdir . '/acme.test.key',
+	http_port => port(8080),
+	tls_port => port(8443),
+	dns_port => $dp,
+	nosleep => 1,
+	validity => 60,
+);
+
+$t->run_daemon(\&Test::Nginx::DNS::dns_test_daemon, $t, $dp, \@dc);
+$t->waitforfile($t->testdir . '/' . $dp);
+
+$t->run_daemon(\&Test::Nginx::ACME::acme_test_daemon, $t, $acme);
+$t->waitforsocket('127.0.0.1:' . $acme->port());
+$t->write_file('acme-root.crt', $acme->trusted_ca());
+
+$t->write_file('index.html', 'SUCCESS');
+$t->plan(1)->run();
+
+###############################################################################
+
+$acme->wait_certificate('example.test') or die "no certificate";
+
+like(get(8443, 'example.test', 'acme-root'), qr/SUCCESS/, 'tls request');
+
+###############################################################################
+
+sub get {
+	my ($port, $host, $ca) = @_;
+
+	$ca = undef if $IO::Socket::SSL::VERSION < 2.062
+		|| !eval { Net::SSLeay::X509_V_FLAG_PARTIAL_CHAIN() };
+
+	http_get('/',
+		PeerAddr => '127.0.0.1:' . port($port),
+		SSL => 1,
+		$ca ? (
+		SSL_ca_file => "$d/$ca.crt",
+		SSL_verifycn_name => $host,
+		SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(),
+		) : ()
+	);
+}
+
+###############################################################################