backport of commit 12d851de3755aaeba6531c87db5c488a5782b9cb (#20853)

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-05-30 15:01:44 -04:00 · 2023-05-30 15:01:44 -04:00 · a1d3c88f56
parent 765427257e
commit a1d3c88f56
2 changed files with 19 additions and 8 deletions
--- a/builtin/logical/pki/path_acme_challenges.go
+++ b/builtin/logical/pki/path_acme_challenges.go
@ -87,13 +87,17 @@ func (b *backend) acmeChallengeFetchHandler(acmeCtx *acmeContext, r *logical.Req
 		return nil, fmt.Errorf("unexpected request parameters: %w", ErrMalformed)
 	}

-	thumbprint, err := userCtx.GetKeyThumbprint()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get thumbprint for key: %w", err)
-	}
+	// If data was nil, we got a POST-as-GET request, just return current challenge without an accept,
+	// otherwise we most likely got a "{}" payload which we should now accept the challenge.
+	if data != nil {
+		thumbprint, err := userCtx.GetKeyThumbprint()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get thumbprint for key: %w", err)
+		}

-	if err := b.acmeState.validator.AcceptChallenge(acmeCtx.sc, userCtx.Kid, authz, challenge, thumbprint); err != nil {
-		return nil, fmt.Errorf("error submitting challenge for validation: %w", err)
+		if err := b.acmeState.validator.AcceptChallenge(acmeCtx.sc, userCtx.Kid, authz, challenge, thumbprint); err != nil {
+			return nil, fmt.Errorf("error submitting challenge for validation: %w", err)
+		}
 	}

 	return &logical.Response{
--- a/builtin/logical/pki/path_acme_test.go
+++ b/builtin/logical/pki/path_acme_test.go
@ -191,7 +191,7 @@ func TestAcmeBasicWorkflow(t *testing.T) {
 			require.Equal(t, "dns-01", domainAuth.Challenges[1].Type)
 			require.NotEmpty(t, domainAuth.Challenges[1].Token, "missing challenge token")

-			// Test the values for the wilcard authentication
+			// Test the values for the wildcard authentication
 			require.Equal(t, acme.StatusPending, wildcardAuth.Status)
 			require.Equal(t, "dns", wildcardAuth.Identifier.Type)
 			require.Equal(t, "localdomain", wildcardAuth.Identifier.Value) // Make sure we strip the *. in auth responses
@ -204,9 +204,16 @@ func TestAcmeBasicWorkflow(t *testing.T) {
 			require.Equal(t, "dns-01", wildcardAuth.Challenges[0].Type)
 			require.NotEmpty(t, domainAuth.Challenges[0].Token, "missing challenge token")

-			// Load a challenge directly; this triggers validation to start.
+			// Make sure that getting a challenge does not start it.
 			challenge, err := acmeClient.GetChallenge(testCtx, domainAuth.Challenges[0].URI)
 			require.NoError(t, err, "failed to load challenge")
+			require.Equal(t, acme.StatusPending, challenge.Status)
+			require.True(t, challenge.Validated.IsZero(), "validated time should be 0 on challenge")
+			require.Equal(t, "http-01", challenge.Type)
+
+			// Accept a challenge; this triggers validation to start.
+			challenge, err = acmeClient.Accept(testCtx, domainAuth.Challenges[0])
+			require.NoError(t, err, "failed to load challenge")
 			require.Equal(t, acme.StatusProcessing, challenge.Status)
 			require.True(t, challenge.Validated.IsZero(), "validated time should be 0 on challenge")
 			require.Equal(t, "http-01", challenge.Type)