Functional/integration testing

[breard-r]

ACMEd already include a few unit tests within its code. Although that's a good thing, it's also insufficient. One way to improve it is to create functional/integration tests (I don't know/care about the exact differences).

Currently, I have a local directory containing a few configuration files for pebble and ACMEd and I run them once in a while in order to tests is everything works. However, there is no automation at all and those files have a few issues that requires me to comment/uncomment some parts in order to run some tests. It would be nice if a similar process would be included in the repository and, maybe automated.

Functionalities

A single command should run those tests. A bash or sh script should do.

All the outputs (certificates, keys, etc.) should be located in a directory, maybe something like /tmp/acmed-test. This directory should be cleaned at the beginning of the tests so the files stays afterwards in order to be manually checked.

The goal is to test all possible ACMEd features (challenges, key types, internationalized domain name and so on), however most tests may be added after the script itself is done.

Bonus: run it as a GitHub action

Which domain name?

RFC 2606 reserves a few top level DNS names for specific purposes and recommends to use the .test TLD for testing. Therefore, all domains included in those tests should use the .test TLD.

I would also recommend to use exclusively the acmed.test domain name as well as any other subdomain that might help.

External tools

Testing ACMEd requires a few external tools:

• an ACME server: pebble is a good choice, if not the only
• an authoritative DNS server: dnsmasq should be easy ton configure so it can resolve the acmed.test domain name, I don't know if it's possible to dynamically add entries so it could help validating with the dns-01 challenge
• an HTTP server: Python's http.server or lighttpd should do the trick for the http-01 challenge, however I don't know for tls-alpn-01
• some certificate checking tool: openssl x509 should do the job although it's not always easy to parse

Implementation consideration

Daemons

All daemons should be killed at the end of tests. This might require to store their respective PID.

Pebble

As far as I know, Pebble can only be run with or without the external account requirement. Therefore, two Pebble instance should be run.

Pebble should always run in strict mode.

ACMEd

Currently, an easy way to run ACMEd for such tests is the following:

cargo run --bin acmed -- --config "/path/to/acmed-config.toml" --root-cert "/path/to/pebble/root_cert.pem" --no-pid-file --foreground --log-stderr --log-level trace