
Add support for testing ARI in Pebble #24

Merged: 4 commits, May 29, 2024

Conversation

pgporada
Contributor

This change is dependent upon a Pebble change I made here: letsencrypt/pebble#461

  • Added makeReplacementOrderFinalized, which issues a replacement order and progresses through the entire issuance workflow. It does not create a new account each time it's called, which is different from the existing makeOrder and makeOrderFinalised.
  • Refactored iterating over every authorization and validating its challenges into a separate helper function validateChallenges.

@pgporada
Contributor Author

pgporada commented May 17, 2024

Testing pebble and this change was performed as follows:

# Run challtestsrv, version doesn't particularly matter because we're not touching this code
$ docker rm challtestsrv 2>&1; docker run -p 5001:5001 -p 5002:5002 -p 5003:5003 -p 8053:8053 -p 8055:8055 -p 8443:8443 --name challtestsrv ghcr.io/letsencrypt/pebble-challtestsrv:latest

# Get the IP of that container
$ CHALLTESTSRV=$(docker inspect challtestsrv | jq -r '.[].NetworkSettings.Networks.bridge.IPAddress')

# Run pebble
$ go run cmd/pebble/main.go -config ./test/config/pebble-config.json -dnsserver ${CHALLTESTSRV}:8053

-----------------------------
# In the eggsampler repo
$ export PEBBLE_PATH=/path/to/pebble/on/your/computer
$ go test -test.run TestClient_IssueReplacementCert

which should result in

$ go test -run TestClient_IssueReplacementCert -v
2024/05/17 15:09:33 error reading: /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-ecdsa.pem - open /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-ecdsa.pem: no such file or directory
2024/05/17 15:09:33 error reading: /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-rsa.pem - open /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-rsa.pem: no such file or directory
2024/05/17 15:09:33 error creating client for http://localhost:4001/directory - acme: error fetching response: Get "http://localhost:4001/directory": dial tcp [::1]:4001: connect: connection refused
2024/05/17 15:09:33 using pebble directory at: https://localhost:14000/dir
=== RUN   TestClient_IssueReplacementCert
    ari_test.go:65: Issuing initial order
    ari_test.go:72: Issuing first replacement order
    ari_test.go:79: Issuing second replacement order
    ari_test.go:86: Should not be able to create a duplicate replacement
--- PASS: TestClient_IssueReplacementCert (18.59s)
PASS
ok      github.com/eggsampler/acme/v3   18.604s


$ go test -run TestClient_FailedReplacementOrderAllowsAnotherReplacement -v
2024/05/21 15:56:23 error reading: /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-ecdsa.pem - open /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-ecdsa.pem: no such file or directory
2024/05/21 15:56:23 error reading: /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-rsa.pem - open /home/phil/.gvm/pkgsets/go1.22.2/global/src/github.com/letsencrypt/boulder/.hierarchy/root-cert-rsa.pem: no such file or directory
2024/05/21 15:56:23 using pebble directory at: https://localhost:14000/dir
=== RUN   TestClient_FailedReplacementOrderAllowsAnotherReplacement
    ari_test.go:94: Issuing initial order
    ari_test.go:112: Issuing replacement order which will intentionally fail
    ari_test.go:119: Issuing replacement order for a parent order who previously had a failed replacement order
--- PASS: TestClient_FailedReplacementOrderAllowsAnotherReplacement (16.55s)
PASS
ok      github.com/eggsampler/acme/v3   16.571s

@aarongable left a comment

This is cool, I like these extended tests! LGTM, in case my opinion helps :D

@pgporada
Contributor Author

@eggsampler ARI support has landed in Pebble as of a few moments ago. letsencrypt/pebble#461

Would you mind taking a look at this when you can, please?

@eggsampler
Owner

Code looks good, thank you!

My only query is, should there be some form of guard on the ari test code where the acme server in test does not support ari? i.e.,

acme/order_test.go, lines 138 to 141 in 79b263f:

    if testClient.dir.RenewalInfo == "" {
        t.Skip("acme server does not support ari renewals")
        return
    }

It's not super critical as this is primarily for boulder and pebble anyway, but when I first ran the make pebble test, I didn't realise the pebble ari code hadn't been tagged in a release and some of the tests failed.
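Two things in this thread are worth seeing in code: the guard eggsampler asks about (skip replacement tests when the directory advertises no renewalInfo URL) and what a replacement order from makeReplacementOrderFinalized actually carries, namely the ARI certID of the certificate being replaced in the order's "replaces" field. The following is an added example written for this page; it is not eggsampler/acme's or Pebble's code. It assumes the certID construction from draft-ietf-acme-ari (base64url of the AKI keyIdentifier, a period, base64url of the DER INTEGER content of the serial, both unpadded); the type names, the self-signed test certificate and the directory URLs are this example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Directory holds the two ACME directory fields that matter here. A server
// advertises ARI by publishing a "renewalInfo" URL; without it there is
// nothing to test, so replacement-order tests should be skipped.
type Directory struct {
	NewOrder    string `json:"newOrder"`
	RenewalInfo string `json:"renewalInfo,omitempty"`
}

// SupportsARI is the guard condition from the order_test.go snippet above.
func SupportsARI(dir Directory) bool { return dir.RenewalInfo != "" }

// ARICertID builds the certificate identifier used by ARI (assumption: the
// draft-ietf-acme-ari format). Going through asn1.Marshal keeps the leading
// 0x00 that DER requires when the serial's top bit is set; a plain
// cert.SerialNumber.Bytes() would drop it and yield a different certID.
func ARICertID(cert *x509.Certificate) (string, error) {
	if len(cert.AuthorityKeyId) == 0 {
		return "", fmt.Errorf("certificate has no Authority Key Identifier extension")
	}
	der, err := asn1.Marshal(cert.SerialNumber)
	if err != nil {
		return "", err
	}
	var raw asn1.RawValue // raw.Bytes is the INTEGER content without tag and length
	if _, err := asn1.Unmarshal(der, &raw); err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(cert.AuthorityKeyId) + "." + enc.EncodeToString(raw.Bytes), nil
}

// Identifier and ReplacementOrder model the newOrder payload with the ARI
// "replaces" field. These type names are this example's own.
type Identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

type ReplacementOrder struct {
	Identifiers []Identifier `json:"identifiers"`
	Replaces    string       `json:"replaces,omitempty"`
}

// NewReplacementOrder prepares a replacement for cert: the same DNS names plus
// "replaces" set to cert's certID. The server tracks that certID, so a second
// replacement of an already-replaced certificate is refused while a failed
// replacement leaves it available, which is what the two tests in this PR check.
func NewReplacementOrder(cert *x509.Certificate) (ReplacementOrder, error) {
	id, err := ARICertID(cert)
	if err != nil {
		return ReplacementOrder{}, err
	}
	ids := make([]Identifier, 0, len(cert.DNSNames))
	for _, name := range cert.DNSNames {
		ids = append(ids, Identifier{Type: "dns", Value: name})
	}
	return ReplacementOrder{Identifiers: ids, Replaces: id}, nil
}

// selfSignedCert builds a constructed certificate with a chosen AKI and serial
// so the certID can be checked by hand (a real leaf gets its AKI from the CA).
func selfSignedCert(aki []byte, serial *big.Int, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   serial,
		Subject:        pkix.Name{CommonName: "ari example (constructed)"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		AuthorityKeyId: aki,
		DNSNames:       dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed directory values; only the presence of renewalInfo matters.
	dir := Directory{NewOrder: "https://localhost:14000/newOrder", RenewalInfo: "https://localhost:14000/renewalInfo"}
	if !SupportsARI(dir) {
		fmt.Println("acme server does not support ari renewals; skipping")
		return
	}
	cert, err := selfSignedCert([]byte{0xde, 0xad, 0xbe, 0xef}, big.NewInt(0x80), []string{"example.test"})
	if err != nil {
		panic(err)
	}
	order, err := NewReplacementOrder(cert)
	if err != nil {
		panic(err)
	}
	body, _ := json.MarshalIndent(order, "", "  ")
	fmt.Println(string(body)) // "replaces" is "3q2-7w.AIA": the serial 0x80 keeps its DER leading zero
}
```

The serial 0x80 is chosen deliberately: its high bit is set, so DER encodes it as 00 80 and the certID ends in "AIA" rather than the "gA" that big.Int.Bytes() would give. A client that gets this wrong will ask the server about, and attempt to replace, a certificate that does not exist.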

@pgporada
Contributor Author

pgporada commented May 25, 2024 via email

@eggsampler eggsampler merged commit 79ababe into eggsampler:master May 29, 2024
@pgporada pgporada deleted the ari-pebble branch May 30, 2024 13:56
@pgporada
Contributor Author

@eggsampler I've just cut pebble v2.6.0 which has ARI support, rather than having to pull the main branch.
