6525cb1a41
internal/handlers/acme.go: GET /.well-known/acme-challenge/:token serviert Token-Files aus /var/lib/edgeguard/acme/.well-known/ acme-challenge/ (default; override via EDGEGUARD_ACME_WEBROOT). Validiert Token-Charset gegen RFC 8555 §8.3 (base64url, 1..128 chars) und prüft mit filepath.Abs+HasPrefix gegen path-traversal. Mounted auf der bare gin Engine vor SetupGate/RequireAuth — ACME muss unmittelbar nach HAProxy-Start funktionieren, lange bevor ein Admin Setup abgeschlossen hat. 4 Unit-Tests (valid/missing/dir/invalid-charset). Live-Smoke gegen /tmp/eg-acme bestanden. Test gegen 89.163.205.6 mit echtem certbot wird Teil von (d) — unnötig Let's-Encrypt-Rate-Limits zu verbrennen ohne stehendes HAProxy-Frontend auf dem Server. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
85 lines
2.2 KiB
Go
85 lines
2.2 KiB
Go
package handlers
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
func init() { gin.SetMode(gin.TestMode) }
|
|
|
|
func setupACME(t *testing.T) (*gin.Engine, string) {
|
|
t.Helper()
|
|
root := t.TempDir()
|
|
if err := os.MkdirAll(filepath.Join(root, ".well-known", "acme-challenge"), 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
r := gin.New()
|
|
NewACMEHandler(root).Register(r)
|
|
return r, root
|
|
}
|
|
|
|
func TestACME_ServesExistingToken(t *testing.T) {
|
|
r, root := setupACME(t)
|
|
tokenContent := "abc123-some-key-authorisation"
|
|
tokenPath := filepath.Join(root, ".well-known", "acme-challenge", "tok_42")
|
|
if err := os.WriteFile(tokenPath, []byte(tokenContent), 0o644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
rec := httptest.NewRecorder()
|
|
req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/tok_42", nil)
|
|
r.ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status: %d, body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if rec.Body.String() != tokenContent {
|
|
t.Errorf("body: %q", rec.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestACME_MissingToken_Returns404(t *testing.T) {
|
|
r, _ := setupACME(t)
|
|
rec := httptest.NewRecorder()
|
|
req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/notthere", nil)
|
|
r.ServeHTTP(rec, req)
|
|
if rec.Code != http.StatusNotFound {
|
|
t.Errorf("status: %d", rec.Code)
|
|
}
|
|
}
|
|
|
|
func TestACME_RejectsTraversal(t *testing.T) {
|
|
// gin parses `:token` as one path segment, so `..` literally
|
|
// can't reach the handler — but we still want the validToken
|
|
// guard to reject any non-charset value defensively.
|
|
cases := []string{
|
|
"a/b",
|
|
"..",
|
|
"a%2Fb",
|
|
"with space",
|
|
"semi;colon",
|
|
}
|
|
for _, c := range cases {
|
|
if validToken(c) {
|
|
t.Errorf("validToken(%q) should be false", c)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestACME_DirIsNotAFile(t *testing.T) {
|
|
r, root := setupACME(t)
|
|
if err := os.Mkdir(filepath.Join(root, ".well-known", "acme-challenge", "subdir"), 0o755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
rec := httptest.NewRecorder()
|
|
req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/subdir", nil)
|
|
r.ServeHTTP(rec, req)
|
|
if rec.Code != http.StatusNotFound {
|
|
t.Errorf("expected 404 for directory, got %d", rec.Code)
|
|
}
|
|
}
|