diff --git a/src/domains.js b/src/domains.js index 315ed5852..5c7bc6ba2 100644 --- a/src/domains.js +++ b/src/domains.js @@ -116,7 +116,7 @@ function add(domain, zoneName, provider, config, fallbackCertificate, tlsConfig, } if (fallbackCertificate) { - let error = reverseProxy.validateCertificate(fallbackCertificate.cert, fallbackCertificate.key, domain); + let error = reverseProxy.validateCertificate(`test.${domain}`, fallbackCertificate.cert, fallbackCertificate.key); if (error) return callback(new DomainError(DomainError.BAD_FIELD, error.message)); } @@ -196,7 +196,7 @@ function update(domain, provider, config, fallbackCertificate, tlsConfig, callba if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error)); if (fallbackCertificate) { - let error = reverseProxy.validateCertificate(fallbackCertificate.cert, fallbackCertificate.key, domain); + let error = reverseProxy.validateCertificate(`test.${domain}`, fallbackCertificate.cert, fallbackCertificate.key); if (error) return callback(new DomainError(DomainError.BAD_FIELD, error.message)); } diff --git a/src/reverseproxy.js b/src/reverseproxy.js index 3896c1ef4..6d53d244d 100644 --- a/src/reverseproxy.js +++ b/src/reverseproxy.js @@ -137,7 +137,8 @@ function validateCertificate(domain, cert, key) { if (!cert && key) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'missing cert'); if (cert && !key) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'missing key'); - var result = safe.child_process.execSync('openssl x509 -noout -checkhost "' + domain + '"', { encoding: 'utf8', input: cert }); + console.log(`openssl x509 -noout -checkhost "${domain}"`); + var result = safe.child_process.execSync(`openssl x509 -noout -checkhost "${domain}"`, { encoding: 'utf8', input: cert }); if (!result) return new ReverseProxyError(ReverseProxyError.INVALID_CERT, 'Unable to get certificate subject.'); // if no match, check alt names 
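Review bot: The probe hostname `test.${domain}` passed to `reverseProxy.validateCertificate` in `add` is an unexplained magic value, and the identical line is repeated in the `update` hunk at -196. As written, a certificate issued only for the literal name `test.<domain>` would pass this check just as a `*.<domain>` wildcard does, and these lines do not check whether the bare domain is covered. I would add a comment such as `// probe an arbitrary subdomain so that only a cert covering *.<domain> is accepted as fallback` and compute the probe name in one shared place instead of at both call sites. Both function bodies continue outside their hunks.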
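Review bot: `domain` is still interpolated into a shell command string in `validateCertificate`, so any shell metacharacter in it is interpreted by the shell that `execSync` starts; whether callers have already restricted `domain` to a valid hostname is not visible in this hunk. Passing the arguments as an array avoids the shell entirely, e.g. Node's `child_process.execFileSync('openssl', ['x509', '-noout', '-checkhost', domain], { encoding: 'utf8', input: cert })`, or else `domain` should be validated against a hostname pattern before this line. The added `console.log(...)` looks like leftover debugging and should be dropped or routed through the project's debug logger. The function body continues outside the hunk.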
diff --git a/src/routes/test/domains-test.js b/src/routes/test/domains-test.js index 21a2b5f52..b55b0e83d 100644 --- a/src/routes/test/domains-test.js +++ b/src/routes/test/domains-test.js @@ -6,11 +6,16 @@ /* global after:false */ var async = require('async'), + child_process = require('child_process'), config = require('../../config.js'), database = require('../../database.js'), expect = require('expect.js'), + fs = require('fs'), + path = require('path'), + paths = require('../../paths.js'), superagent = require('superagent'), - server = require('../../server.js'); + server = require('../../server.js'), + _ = require('underscore'); var SERVER_URL = 'http://localhost:' + config.get('port'); @@ -128,6 +133,17 @@ describe('Domains API', function () { }); }); + it('fails without token', function (done) { + superagent.post(SERVER_URL + '/api/v1/domains') + .query({ }) + .send(DOMAIN_0) + .end(function (error, result) { + expect(result.statusCode).to.equal(401); + + done(); + }); + }); + it('succeeds', function (done) { superagent.post(SERVER_URL + '/api/v1/domains') .query({ access_token: token }) 
@@ -252,4 +268,116 @@ describe('Domains API', function () { }); }); }); + + describe('Certificates API', function () { + var validCert0, validKey0, // example.com + validCert1, validKey1; // *.example.com + + before(function (done) { + child_process.execSync(`openssl req -subj "/CN=${DOMAIN_0.domain}/O=My Company Name LTD./C=US" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /tmp/server.key -out /tmp/server.crt`); + validKey0 = fs.readFileSync('/tmp/server.key', 'utf8'); + validCert0 = fs.readFileSync('/tmp/server.crt', 'utf8'); + + child_process.execSync(`openssl req -subj "/CN=*.${DOMAIN_0.domain}/O=My Company Name LTD./C=US" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /tmp/server.key -out /tmp/server.crt`); + validKey1 = fs.readFileSync('/tmp/server.key', 'utf8'); + validCert1 = fs.readFileSync('/tmp/server.crt', 'utf8'); + + superagent.post(SERVER_URL + '/api/v1/domains') + .query({ access_token: token }) + .send(DOMAIN_0) + .end(function (error, result) { + expect(result.statusCode).to.equal(201); + + done(); + }); + }); + + it('cannot set certificate without certificate', function (done) { + var d = _.extend({}, DOMAIN_0); + d.fallbackCertificate = { key: validKey1 }; + + superagent.put(`${SERVER_URL}/api/v1/domains/${DOMAIN_0.domain}`) + .query({ access_token: token }) + .send(d) + .end(function (error, result) { + expect(result.statusCode).to.equal(400); + done(); + }); + }); + + it('cannot set certificate without key', function (done) { + var d = _.extend({}, DOMAIN_0); + d.fallbackCertificate = { cert: validCert1 }; + + superagent.put(`${SERVER_URL}/api/v1/domains/${DOMAIN_0.domain}`) + .query({ access_token: token }) + .send(d) + .end(function (error, result) { + expect(result.statusCode).to.equal(400); + done(); + }); + }); + + xit('cannot set certificate with cert not being a string', function (done) { + var d = _.extend({}, DOMAIN_0); + d.fallbackCertificate = { cert: 1234, key: validKey1 }; + + 
superagent.put(`${SERVER_URL}/api/v1/domains/${DOMAIN_0.domain}`) + .query({ access_token: token }) + .send(d) + .end(function (error, result) { + expect(result.statusCode).to.equal(400); + done(); + }); + }); + + it('cannot set certificate with key not being a string', function (done) { + var d = _.extend({}, DOMAIN_0); + d.fallbackCertificate = { cert: validCert1, key: true }; + + superagent.put(`${SERVER_URL}/api/v1/domains/${DOMAIN_0.domain}`) + .query({ access_token: token }) + .send(d) + .end(function (error, result) { + expect(result.statusCode).to.equal(400); + done(); + }); + }); + + it('cannot set non-fallback certificate', function (done) { + var d = _.extend({}, DOMAIN_0); + d.fallbackCertificate = { cert: validCert0, key: validKey0 }; + + superagent.put(`${SERVER_URL}/api/v1/domains/${DOMAIN_0.domain}`) + .query({ access_token: token }) + .send(d) + .end(function (error, result) { + expect(result.statusCode).to.equal(400); + done(); + }); + }); + + it('can set fallback certificate', function (done) { + var d = _.extend({}, DOMAIN_0); + d.fallbackCertificate = { cert: validCert1, key: validKey1 }; + + superagent.put(`${SERVER_URL}/api/v1/domains/${DOMAIN_0.domain}`) + .query({ access_token: token }) + .send(d) + .end(function (error, result) { + expect(result.statusCode).to.equal(204); + done(); + }); + }); + + it('did set the certificate', function (done) { + var cert = fs.readFileSync(path.join(paths.APP_CERTS_DIR, `${DOMAIN_0.domain}.host.cert`), 'utf-8'); + expect(cert).to.eql(validCert1); + + var key = fs.readFileSync(path.join(paths.APP_CERTS_DIR, `${DOMAIN_0.domain}.host.key`), 'utf-8'); + expect(key).to.eql(validKey1); + + done(); + }); + }); }); diff --git a/src/routes/test/settings-test.js b/src/routes/test/settings-test.js index 1d9393ad6..77e364da9 100644 --- a/src/routes/test/settings-test.js +++ b/src/routes/test/settings-test.js 
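Review bot: The case 'cannot set certificate with cert not being a string' is disabled with `xit` and no explanation, which suggests a non-string `fallbackCertificate.cert` is not yet rejected with 400. Since that value appears to be handed on to the openssl call as `input`, I would add the type check in the route and re-enable the test, or at least leave a comment like `// TODO: route does not validate cert type yet` next to the `xit`. Separately, the `before` hook writes both generated private keys to the fixed paths `/tmp/server.key` and `/tmp/server.crt` and never removes them. A per-run directory from `fs.mkdtempSync`, cleaned up in an `after` hook, avoids collisions between parallel runs and predictable key files in a shared temp directory.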
@@ -2,19 +2,16 @@ /* global it:false */ /* global describe:false */ -/* global xdescribe:false */ /* global before:false */ /* global after:false */ var async = require('async'), - child_process = require('child_process'), config = require('../../config.js'), constants = require('../../constants.js'), database = require('../../database.js'), expect = require('expect.js'), fs = require('fs'), nock = require('nock'), - path = require('path'), paths = require('../../paths.js'), server = require('../../server.js'), settings = require('../../settings.js'), 
@@ -283,99 +280,6 @@ describe('Settings API', function () { }); }); - xdescribe('Certificates API', function () { - var validCert0, validKey0, // example.com - validCert1, validKey1; // *.example.com - - before(function () { - child_process.execSync('openssl req -subj "/CN=example.com/O=My Company Name LTD./C=US" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /tmp/server.key -out /tmp/server.crt'); - validKey0 = fs.readFileSync('/tmp/server.key', 'utf8'); - validCert0 = fs.readFileSync('/tmp/server.crt', 'utf8'); - - child_process.execSync('openssl req -subj "/CN=*.example.com/O=My Company Name LTD./C=US" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /tmp/server.key -out /tmp/server.crt'); - validKey1 = fs.readFileSync('/tmp/server.key', 'utf8'); - validCert1 = fs.readFileSync('/tmp/server.crt', 'utf8'); - }); - - it('cannot set certificate without token', function (done) { - superagent.post(SERVER_URL + '/api/v1/settings/certificate') - .end(function (error, result) { - expect(result.statusCode).to.equal(401); - done(); - }); - }); - - it('cannot set certificate without certificate', function (done) { - superagent.post(SERVER_URL + '/api/v1/settings/certificate') - .query({ access_token: token }) - .send({ key: validKey1 }) - .end(function (error, result) { - expect(result.statusCode).to.equal(400); - done(); - }); - }); - - it('cannot set certificate without key', function (done) { - superagent.post(SERVER_URL + '/api/v1/settings/certificate') - .query({ access_token: token }) - .send({ cert: validCert1 }) - .end(function (error, result) { - expect(result.statusCode).to.equal(400); - done(); - }); - }); - - it('cannot set certificate with cert not being a string', function (done) { - superagent.post(SERVER_URL + '/api/v1/settings/certificate') - .query({ access_token: token }) - .send({ cert: 1234, key: validKey1 }) - .end(function (error, result) { - expect(result.statusCode).to.equal(400); - done(); - }); - }); - - it('cannot set certificate with 
key not being a string', function (done) { - superagent.post(SERVER_URL + '/api/v1/settings/certificate') - .query({ access_token: token }) - .send({ cert: validCert1, key: true }) - .end(function (error, result) { - expect(result.statusCode).to.equal(400); - done(); - }); - }); - - it('cannot set non wildcard certificate', function (done) { - superagent.post(SERVER_URL + '/api/v1/settings/certificate') - .query({ access_token: token }) - .send({ cert: validCert0, key: validKey0 }) - .end(function (error, result) { - expect(result.statusCode).to.equal(400); - done(); - }); - }); - - it('can set certificate', function (done) { - superagent.post(SERVER_URL + '/api/v1/settings/certificate') - .query({ access_token: token }) - .send({ cert: validCert1, key: validKey1 }) - .end(function (error, result) { - expect(result.statusCode).to.equal(202); - done(); - }); - }); - - it('did set the certificate', function (done) { - var cert = fs.readFileSync(path.join(paths.NGINX_CERT_DIR, 'host.cert'), 'utf-8'); - expect(cert).to.eql(validCert1); - - var key = fs.readFileSync(path.join(paths.NGINX_CERT_DIR, 'host.key'), 'utf-8'); - expect(key).to.eql(validKey1); - - done(); - }); - }); - describe('time_zone', function () { it('succeeds', function (done) { superagent.get(SERVER_URL + '/api/v1/settings/time_zone')