|
22 | 22 |
|
23 | 23 | from acme import errors as acme_errors |
24 | 24 |
|
25 | | -from acme.messages import Status, CertificateRequest, Directory, RegistrationResource |
| 25 | +from acme.messages import Status, CertificateRequest, Directory |
26 | 26 | from acme import crypto_util as acme_crypto_util |
27 | 27 | from acme import client as acme_client |
28 | 28 | from acme import messages |
@@ -774,7 +774,7 @@ def test_only_return_existing_reg(): |
774 | 774 | email = "test@not-example.com" |
775 | 775 | client.new_account(messages.NewRegistration.from_data(email=email, |
776 | 776 | terms_of_service_agreed=True)) |
777 | | - |
| 777 | + |
778 | 778 | client = chisel2.uninitialized_client(key=client.net.key) |
779 | 779 | class extendedAcct(dict): |
780 | 780 | def json_dumps(self, indent=None): |
@@ -806,7 +806,7 @@ def BouncerHTTPRequestHandler(redirect, guestlist): |
806 | 806 | spot for that UA it will be redirected to the real server and the |
807 | 807 | guestlist will be decremented. Once the guestlist spots for a UA are |
808 | 808 | expended requests will get a bogus result and have to stand outside in the |
809 | | - cold |
| 809 | + cold |
810 | 810 | """ |
811 | 811 | class BouncerHandler(BaseHTTPRequestHandler): |
812 | 812 | def __init__(self, *args, **kwargs): |
@@ -851,19 +851,15 @@ def wait_for_server(addr): |
851 | 851 | pass |
852 | 852 | time.sleep(0.5) |
853 | 853 |
|
854 | | -def multiva_setup(client, guestlist, domain=None): |
| 854 | +def multiva_setup(client, guestlist): |
855 | 855 | """ |
856 | 856 | Setup a testing domain and backing multiva server setup. This will block |
857 | 857 | until the server is ready. The returned cleanup function should be used to |
858 | 858 | stop the server. The first bounceFirst requests to the server will be sent |
859 | 859 | to the real challtestsrv for a good answer, the rest will get a bad |
860 | | - answer. If no explicit testing domain is provided then one is randomly |
861 | | - chosen with random_domain(). |
| 860 | + answer. Domain name is randomly chosen with random_domain(). |
862 | 861 | """ |
863 | | - if domain is None: |
864 | | - hostname = random_domain() |
865 | | - else: |
866 | | - hostname = domain |
| 862 | + hostname = random_domain() |
867 | 863 |
|
868 | 864 | csr_pem = chisel2.make_csr([hostname]) |
869 | 865 | order = client.new_order(csr_pem) |
@@ -1000,109 +996,6 @@ def test_http_multiva_threshold_fail(): |
1000 | 996 | if not httpChall.error.detail.startswith("During secondary validation: "): |
1001 | 997 | raise(Exception("expected 'During secondary validation' problem detail, found {0}".format(httpChall.error.detail))) |
1002 | 998 |
|
1003 | | -def test_http_multiva_threshold_fail_domain_disabled(): |
1004 | | - client = chisel2.make_client() |
1005 | | - |
1006 | | - # Configure a guestlist that will fail the multiVA threshold test by |
1007 | | - # only allowing the primary VA. |
1008 | | - guestlist = {"boulder": 1} |
1009 | | - |
1010 | | - # Explicitly use a domain name that exists in |
1011 | | - # `test/example-multiva-policy.yaml`'s disabledDomains list |
1012 | | - domain = "brokenmultiva.letsencrypt.org" |
1013 | | - |
1014 | | - _, cleanup = multiva_setup(client, guestlist, domain) |
1015 | | - |
1016 | | - # We do not expect any errors, even though the guestlist ensured multi-va |
1017 | | - # failures, because the domain was in the multi VA policy disabledDomains |
1018 | | - # list. |
1019 | | - try: |
1020 | | - chisel2.auth_and_issue([domain], client=client, chall_type="http-01") |
1021 | | - finally: |
1022 | | - cleanup() |
1023 | | - |
1024 | | -def test_http_multiva_threshold_fail_account_disabled(): |
1025 | | - # Create an ACME account |
1026 | | - client = chisel2.make_client() |
1027 | | - |
1028 | | - # Find the numeric ID it was assigned by the ACME server |
1029 | | - acctURI = client.net.account.uri |
1030 | | - if len(acctURI.split("/")) < 1: |
1031 | | - raise(Exception("invalid account URI for newly registered account: {0}".format(acctURI))) |
1032 | | - acctID = acctURI.split("/")[-1:][0] |
1033 | | - |
1034 | | - def run_query(query): |
1035 | | - command=["mysql", |
1036 | | - "-h", "bmysql", |
1037 | | - "-u", "root", |
1038 | | - "--password=", |
1039 | | - "-e", query, |
1040 | | - "boulder_sa_integration", |
1041 | | - ] |
1042 | | - subprocess.check_call(command, shell=False, stderr=subprocess.STDOUT) |
1043 | | - |
1044 | | - def flip_ids(oldID, newID): |
1045 | | - """ |
1046 | | - flip_ids changes a registrations ID from one value to another. Note that |
1047 | | - in order for this to succeed all other tables with foreign key |
1048 | | - constraints on the registration.ID field must be adjusted or otherwise |
1049 | | - dealt with. |
1050 | | - """ |
1051 | | - run_query("UPDATE registrations SET id={0} WHERE id={1}".format(newID, oldID)) |
1052 | | - |
1053 | | - def remove_certs(newID): |
1054 | | - """ |
1055 | | - remove_certs deletes rows created while the account registration ID was changed. |
1056 | | - We need to delete these rows so that the original account registration |
1057 | | - ID can be restored without violating the foreign key constraints on the |
1058 | | - certs, precerts and serials tables. Updating the registrationID of these |
1059 | | - rows first is difficult because the new value (the original ID) doesn't |
1060 | | - exist in the registrations table yet. The best solution would be doing |
1061 | | - all of this in one transaction but we're already deep in hacky |
1062 | | - integration test yak shaving at this point... |
1063 | | - """ |
1064 | | - run_query("DELETE FROM certificates WHERE registrationID={0}".format(newID)) |
1065 | | - run_query("DELETE FROM precertificates WHERE registrationID={0}".format(newID)) |
1066 | | - run_query("DELETE FROM serials WHERE registrationID={0}".format(newID)) |
1067 | | - |
1068 | | - try: |
1069 | | - # Update the account ID in the database to match an ID that exists in |
1070 | | - # `test/example-multi-va-policy.yaml`'s disabledAccounts list. We do this |
1071 | | - # with direct DB access because the alternative is hackish rewriting of the |
1072 | | - # policy YAML file at runtime (especially since the reload event can't be |
1073 | | - # easily detected). This approach is _also_ hackish, but marginally less so. |
1074 | | - newID=99991337 |
1075 | | - flip_ids(acctID, newID) |
1076 | | - |
1077 | | - # Update the in-memory account ID for the client instance to match |
1078 | | - client.net.account = RegistrationResource( |
1079 | | - body=client.net.account.body, |
1080 | | - uri=acctURI.replace(acctID, str(newID)), |
1081 | | - terms_of_service=client.net.account.terms_of_service) |
1082 | | - |
1083 | | - # Configure a guestlist that will fail the multiVA threshold test by |
1084 | | - # only allowing the primary VA. |
1085 | | - guestlist = {"boulder": 1} |
1086 | | - |
1087 | | - # Setup for a random domain name |
1088 | | - domain, cleanup = multiva_setup(client, guestlist, domain=None) |
1089 | | - |
1090 | | - # We do not expect any errors, even though the guestlist ensured multi-va |
1091 | | - # failures, because the client was set up with an account key corresponding |
1092 | | - # to a multi VA policy disabledAccount ID. |
1093 | | - chisel2.auth_and_issue([domain], client=client, chall_type="http-01") |
1094 | | - finally: |
1095 | | - cleanup() |
1096 | | - # Remove certificates and related resources issued by the |
1097 | | - # fixed example-multi-va-policy.yaml account ID. This avoids foreign key |
1098 | | - # constraints being broken when we flip_ids next. |
1099 | | - remove_certs(newID) |
1100 | | - # Change the account ID back to the old account ID. This will prevent |
1101 | | - # duplicate key errors when the integration test is run again and tries |
1102 | | - # to update a different newly created account to the fixed ID from the |
1103 | | - # example-multi-va-policy.yaml file. |
1104 | | - flip_ids(newID, acctID) |
1105 | | - |
1106 | 999 | class FakeH2ServerHandler(socketserver.BaseRequestHandler): |
1107 | 1000 | """ |
1108 | 1001 | FakeH2ServerHandler is a TCP socket handler that writes data representing an |
@@ -1184,7 +1077,7 @@ def test_new_order_policy_errs(): |
1184 | 1077 | client = chisel2.make_client(None) |
1185 | 1078 |
|
1186 | 1079 | # 'in-addr.arpa' is present in `test/hostname-policy.yaml`'s |
1187 | | - # HighRiskBlockedNames list. |
| 1080 | + # HighRiskBlockedNames list. |
1188 | 1081 | csr_pem = chisel2.make_csr(["out-addr.in-addr.arpa", "between-addr.in-addr.arpa"]) |
1189 | 1082 |
|
1190 | 1083 | # With two policy blocked names in the order we expect to get back a top |
|