pebble-challtestsrv: add SERVFAIL mocking support. (#274)

Requires updating the `github.com/letsencrypt/challtestsrv` dependency
to v1.2.0.

cmd/pebble-challtestsrv/README.md

@@ -103,6 +103,18 @@ To remove a mocked CNAME record for `_acme-challenge.test-host.letsencrypt.org`
 
     curl -X POST -d '{"host":"_acme-challenge.test-host.letsencrypt.org", "target": "challenges.letsencrypt.org"}' http://localhost:8055/clear-cname
 
+##### Mocked SERVFAIL Responses
+
+To configure the DNS server to return SERVFAIL for all queries for `test-host.letsencrypt.org` run:
+
+    curl -X POST -d '{"host":"test-host.letsencrypt.org"}' http://localhost:8055/set-servfail
+
+Subsequently any query types (A, AAAA, TXT) for the name will return a SERVFAIL response, overriding any A/AAAA/TXT/CNAME mocks that may also be configured.
+
+To remove the SERVFAIL configuration for `test-host.letsencrypt.org` run:
+
+    curl -X POST -d '{"host":"test-host.letsencrypt.org"}' http://localhost:8055/clear-servfail
+
 #### HTTP-01
 
 To add an HTTP-01 challenge response for the token `"aaaa"` with the content `"bbbb"` run:

cmd/pebble-challtestsrv/main.go

@@ -108,6 +108,9 @@ func main() {
 	if *dnsOneBind != "" {
 		http.HandleFunc("/set-default-ipv4", oobSrv.setDefaultDNSIPv4)
 		http.HandleFunc("/set-default-ipv6", oobSrv.setDefaultDNSIPv6)
+		// TODO(@cpu): It might make sense to revisit this API in the future to have
+		// one endpoint that accepts the mock type required (A, AAAA, CNAME, etc)
+		// instead of having separate endpoints per type.
 		http.HandleFunc("/set-txt", oobSrv.addDNS01)
 		http.HandleFunc("/clear-txt", oobSrv.delDNS01)
 		http.HandleFunc("/add-a", oobSrv.addDNSARecord)
@@ -118,6 +121,8 @@ func main() {
 		http.HandleFunc("/clear-caa", oobSrv.delDNSCAARecord)
 		http.HandleFunc("/set-cname", oobSrv.addDNSCNAMERecord)
 		http.HandleFunc("/clear-cname", oobSrv.delDNSCNAMERecord)
+		http.HandleFunc("/set-servfail", oobSrv.addDNSServFailRecord)
+		http.HandleFunc("/clear-servfail", oobSrv.delDNSServFailRecord)
 
 		srv.SetDefaultDNSIPv4(*defaultIPv4)
 		srv.SetDefaultDNSIPv6(*defaultIPv6)

cmd/pebble-challtestsrv/mockdns.go

@@ -294,3 +294,58 @@ func (srv *managementServer) delDNSCNAMERecord(w http.ResponseWriter, r *http.Re
 	srv.log.Printf("Removed response for DNS CNAME queries to %q", request.Host)
 	w.WriteHeader(http.StatusOK)
 }
+
+// addDNSServFailRecord handles an HTTP POST request to add a mock SERVFAIL
+// response record for a host. All queries for that host will subsequently
+// result in SERVFAIL responses, overriding any other mocks.
+//
+// The POST body is expected to have one non-empty parameter:
+// "host" - the hostname that should return SERVFAIL responses.
+//
+// A successful POST will write http.StatusOK to the client.
+func (srv *managementServer) addDNSServFailRecord(w http.ResponseWriter, r *http.Request) {
+	var request struct {
+		Host string
+	}
+	if err := mustParsePOST(&request, r); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// If the request has no host it's a bad request
+	if request.Host == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	srv.challSrv.AddDNSServFailRecord(request.Host)
+	srv.log.Printf("Added SERVFAIL response for DNS queries to %q", request.Host)
+	w.WriteHeader(http.StatusOK)
+}
+
+// delDNSServFailRecord handles an HTTP POST request to delete an existing mock
+// SERVFAIL record for a host.
+//
+// The POST body is expected to have one non-empty parameters:
+// "host" - the hostname to remove the mock SERVFAIL response from.
+//
+// A successful POST will write http.StatusOK to the client.
+func (srv *managementServer) delDNSServFailRecord(w http.ResponseWriter, r *http.Request) {
+	var request struct {
+		Host string
+	}
+	if err := mustParsePOST(&request, r); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// If the request has an empty host it's a bad request
+	if request.Host == "" {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	srv.challSrv.DeleteDNSServFailRecord(request.Host)
+	srv.log.Printf("Removed SERVFAIL response for DNS queries to %q", request.Host)
+	w.WriteHeader(http.StatusOK)
+}

go.mod

@@ -1,7 +1,7 @@
 module github.com/letsencrypt/pebble
 
 require (
-	github.com/letsencrypt/challtestsrv v1.1.0
+	github.com/letsencrypt/challtestsrv v1.2.0
 	github.com/miekg/dns v1.1.15
 	golang.org/x/net v0.0.0-20181207154023-610586996380 // indirect
 	golang.org/x/sys v0.0.0-20181206074257-70b957f3b65e // indirect

go.sum

@@ -28,8 +28,12 @@ github.com/letsencrypt/challtestsrv v1.0.2 h1:nBAQjKvVMLhpj4cg2Px6jMyvMbQNdJrCEd
 github.com/letsencrypt/challtestsrv v1.0.2/go.mod h1:/gzSMb+5FjprRIa1TtW6ngjhUOr8JbEFM2XESzK2zPg=
 github.com/letsencrypt/challtestsrv v1.1.0 h1:2r5Wa7LvOqUsM8skGSaRnf3CV6WYPQ/OgLF1U6bCt4I=
 github.com/letsencrypt/challtestsrv v1.1.0/go.mod h1:/gzSMb+5FjprRIa1TtW6ngjhUOr8JbEFM2XESzK2zPg=
+github.com/letsencrypt/challtestsrv v1.2.0 h1:Z/hu1JPFR+cCuI92Hb+LFNxSHG4ARjRYGUipW1S71Vo=
+github.com/letsencrypt/challtestsrv v1.2.0/go.mod h1:/gzSMb+5FjprRIa1TtW6ngjhUOr8JbEFM2XESzK2zPg=
 github.com/miekg/dns v1.1.1 h1:DVkblRdiScEnEr0LR9nTnEQqHYycjkXW9bOjd+2EL2o=
 github.com/miekg/dns v1.1.1/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
+github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc h1:a3CU5tJYVj92DY2LaA1kUkrsqD5/3mLDhx2NcNqyW+0=