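def test_caa():
    """Check that CAA records are enforced when issuing.

    Requests issuance for two CAA domains, one where we are permitted and one
    where we are not. Further sub-domains carry records restricted with the
    ``validationmethods`` and ``accounturi`` parameters; those are only
    exercised when ``CONFIG_NEXT`` is set.

    Raises:
        Exception: if ``caa_authzs`` is empty or one of its authorization
            URIs does not answer with HTTP 200.
    """
    if len(caa_authzs) == 0:
        raise Exception("CAA authzs not prepared for test_caa")
    for a in caa_authzs:
        response = requests.get(a.uri)
        if response.status_code != 200:
            # Format the status into the message; passing it as a second
            # positional argument renders the exception as a tuple.
            raise Exception(
                "Unexpected response for CAA authz: {0}".format(response.status_code))

    goodCAA = "happy-hacker-ca.invalid"
    badCAA = "sad-hacker-ca.invalid"

    # With no caa_client the accounturi record below is published with the
    # literal text "None" as its account URI.
    caa_account_uri = caa_client.account.uri if caa_client is not None else None
    caa_records = [
        {"domain": "bad-caa-reserved.com", "value": badCAA},
        {"domain": "good-caa-reserved.com", "value": goodCAA},
        {"domain": "accounturi.good-caa-reserved.com",
         "value": "{0}; accounturi={1}".format(goodCAA, caa_account_uri)},
        {"domain": "recheck.good-caa-reserved.com", "value": badCAA},
        {"domain": "dns-01-only.good-caa-reserved.com",
         "value": "{0}; validationmethods=dns-01".format(goodCAA)},
        {"domain": "http-01-only.good-caa-reserved.com",
         "value": "{0}; validationmethods=http-01".format(goodCAA)},
        # This name must match the one requested further down. It used to be
        # spelled "dns-01-or-http01", which no request ever used, so the
        # multi-valued validationmethods record was never the one consulted
        # (presumably the unrestricted parent record answered instead).
        {"domain": "dns-01-or-http-01.good-caa-reserved.com",
         "value": "{0}; validationmethods=dns-01,http-01".format(goodCAA)},
    ]
    for policy in caa_records:
        challSrv.add_caa_issue(policy["domain"], policy["value"])

    # NOTE(review): an older comment here spoke of adding a random domain to
    # avoid the "exact match" rate limit, but only the fixed name is requested.
    auth_and_issue(["good-caa-reserved.com"])

    # Request issuance for recheck.good-caa-reserved.com, which should
    # now be denied due to CAA.
    # NOTE(review): this assumes caa_authzs cover that name and were prepared
    # before the badCAA record above was published; confirm against setup.
    chisel.expect_problem("urn:acme:error:caa", lambda: chisel.issue(caa_client, caa_authzs))

    # NOTE(review): the same record is already published by the loop above, so
    # this call looks redundant; confirm add_caa_issue semantics before removing.
    challSrv.add_caa_issue("bad-caa-reserved.com", badCAA)
    chisel.expect_problem("urn:acme:error:caa", lambda: auth_and_issue(["bad-caa-reserved.com"]))

    # TODO(@4a6f656c): Once the `CAAValidationMethods` feature flag is enabled by
    # default, remove this early return.
    if not CONFIG_NEXT:
        return

    # A record restricted to one validation method must block issuance when
    # the other method is used to validate.
    chisel.expect_problem("urn:acme:error:caa", lambda: auth_and_issue(["dns-01-only.good-caa-reserved.com"], chall_type="http-01"))
    chisel.expect_problem("urn:acme:error:caa", lambda: auth_and_issue(["http-01-only.good-caa-reserved.com"], chall_type="dns-01"))

    # Note: the additional names are to avoid rate limiting...
    auth_and_issue(["dns-01-only.good-caa-reserved.com", "www.dns-01-only.good-caa-reserved.com"], chall_type="dns-01")
    auth_and_issue(["http-01-only.good-caa-reserved.com", "www.http-01-only.good-caa-reserved.com"], chall_type="http-01")
    auth_and_issue(["dns-01-or-http-01.good-caa-reserved.com", "dns-01-only.good-caa-reserved.com"], chall_type="dns-01")
    auth_and_issue(["dns-01-or-http-01.good-caa-reserved.com", "http-01-only.good-caa-reserved.com"], chall_type="http-01")

    # CAA should fail with an arbitrary account, but succeed with the caa_client.
    chisel.expect_problem("urn:acme:error:caa", lambda: auth_and_issue(["accounturi.good-caa-reserved.com"]))
    auth_and_issue(["accounturi.good-caa-reserved.com"], client=caa_client)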
def test_caa():
    """Verify CAA enforcement for permitted and forbidden names.

    Issues for one CAA domain where we are permitted and expects a CAA
    problem for one where we are not. When the default config directory is
    under ``test/config-next``, two further sub-domains with restricted
    validation methods are checked as well.

    Raises:
        Exception: if ``caa_authzs`` is empty or an authorization URI does
            not return HTTP 200.
    """
    global caa_client

    caa_problem = "urn:acme:error:caa"

    def expect_denied(names, **issue_kwargs):
        # Issuance for `names` must be refused with the CAA problem type.
        chisel.expect_problem(
            caa_problem, lambda: auth_and_issue(names, **issue_kwargs))

    if len(caa_authzs) == 0:
        raise Exception("CAA authzs not prepared for test_caa")
    for authz in caa_authzs:
        status = requests.get(authz.uri).status_code
        if status != 200:
            raise Exception("Unexpected response for CAA authz: ", status)

    auth_and_issue(["good-caa-reserved.com"])

    # Issuing with the previously prepared authorizations (for
    # recheck.good-caa-reserved.com) should now be denied due to CAA.
    chisel.expect_problem(
        caa_problem, lambda: chisel.issue(caa_client, caa_authzs))

    expect_denied(["bad-caa-reserved.com"])

    # TODO(@4a6f656c): Once the `CAAValidationMethods` feature flag is enabled by
    # default, remove this early return.
    if not default_config_dir.startswith("test/config-next"):
        return

    # Validating with a method the record does not list must be refused.
    expect_denied(["dns-01-only.good-caa-reserved.com"], chall_type="http-01")
    expect_denied(["http-01-only.good-caa-reserved.com"], chall_type="dns-01")

    # Validating with a listed method must succeed.
    # Note: the additional names are to avoid rate limiting...
    permitted = [
        (["dns-01-only.good-caa-reserved.com",
          "www.dns-01-only.good-caa-reserved.com"], "dns-01"),
        (["http-01-only.good-caa-reserved.com",
          "www.http-01-only.good-caa-reserved.com"], "http-01"),
        (["dns-01-or-http-01.good-caa-reserved.com",
          "dns-01-only.good-caa-reserved.com"], "dns-01"),
        (["dns-01-or-http-01.good-caa-reserved.com",
          "http-01-only.good-caa-reserved.com"], "http-01"),
    ]
    for names, method in permitted:
        auth_and_issue(names, chall_type=method)
def test_caa():
    """Verify CAA enforcement, including restricted records.

    Issues for one CAA domain where we are permitted and expects a CAA
    problem for one where we are not. When ``CONFIG_NEXT`` is set, it also
    checks sub-domains restricted by validation method and one restricted
    to the ``caa_client`` account.

    Raises:
        Exception: if ``caa_authzs`` is empty or an authorization URI does
            not return HTTP 200.
    """
    caa_problem = "urn:acme:error:caa"

    def expect_denied(names, **issue_kwargs):
        # Issuance for `names` must be refused with the CAA problem type.
        chisel.expect_problem(
            caa_problem, lambda: auth_and_issue(names, **issue_kwargs))

    if len(caa_authzs) == 0:
        raise Exception("CAA authzs not prepared for test_caa")
    for authz in caa_authzs:
        status = requests.get(authz.uri).status_code
        if status != 200:
            raise Exception("Unexpected response for CAA authz: ", status)

    # NOTE(review): an older comment here spoke of adding a random domain to
    # avoid the "exact match" rate limit, but only the fixed name is requested.
    auth_and_issue(["good-caa-reserved.com"])

    # Issuing with the previously prepared authorizations (for
    # recheck.good-caa-reserved.com) should now be denied due to CAA.
    chisel.expect_problem(
        caa_problem, lambda: chisel.issue(caa_client, caa_authzs))

    expect_denied(["bad-caa-reserved.com"])

    # TODO(@4a6f656c): Once the `CAAValidationMethods` feature flag is enabled by
    # default, remove this early return.
    if not CONFIG_NEXT:
        return

    # Validating with a method the record does not list must be refused.
    expect_denied(["dns-01-only.good-caa-reserved.com"], chall_type="http-01")
    expect_denied(["http-01-only.good-caa-reserved.com"], chall_type="dns-01")

    # Validating with a listed method must succeed.
    # Note: the additional names are to avoid rate limiting...
    permitted = [
        (["dns-01-only.good-caa-reserved.com",
          "www.dns-01-only.good-caa-reserved.com"], "dns-01"),
        (["http-01-only.good-caa-reserved.com",
          "www.http-01-only.good-caa-reserved.com"], "http-01"),
        (["dns-01-or-http-01.good-caa-reserved.com",
          "dns-01-only.good-caa-reserved.com"], "dns-01"),
        (["dns-01-or-http-01.good-caa-reserved.com",
          "http-01-only.good-caa-reserved.com"], "http-01"),
    ]
    for names, method in permitted:
        auth_and_issue(names, chall_type=method)

    # CAA should fail with an arbitrary account, but succeed with the caa_client.
    account_bound = ["accounturi.good-caa-reserved.com"]
    expect_denied(account_bound)
    auth_and_issue(account_bound, client=caa_client)