Track challenge server request history. (#3)

Its useful for testing purposes to be able to find out what requests have been processed by the challenge test servers.

For example it may be useful to see that redirects were properly followed or that CAA tree climbing resulted in the expected DNS queries.

Author: cpu

README.md

@@ -50,6 +50,18 @@ value `"bbb"`, defer cleaning it up again:
   defer challSrv.DeleteHTTPOneChallenge("_acme-challenge.example.com.")
 ```
 
+Get the history of HTTP requests processed by the challenge server for the host
+"example.com":
+```
+requestHistory := challSrv.RequestHistory("example.com", challtestsrv.HTTPRequestEventType)
+```
+
+Clear the history of HTTP requests processed by the challenge server for the
+host "example.com":
+```
+challSrv.ClearRequestHistory("example.com", challtestsrv.HTTPRequestEventType)
+```
+
 Stop the Challenge server and subservers:
 ```
   // Shutdown the Challenge server

challenge-servers.go

@@ -35,6 +35,10 @@ type ChallSrv struct {
 	// response data maps below.
 	challMu sync.RWMutex
 
+	// requestHistory is a map from hostname to a map of event type to a list of
+	// sequential request events
+	requestHistory map[string]map[RequestEventType][]RequestEvent
+
 	// httpOne is a map of token values to key authorizations used for HTTP-01
 	// responses.
 	httpOne map[string]string
@@ -120,11 +124,12 @@ func New(config Config) (*ChallSrv, error) {
 	}
 
 	challSrv := &ChallSrv{
-		log:        config.Log,
-		httpOne:    make(map[string]string),
-		dnsOne:     make(map[string][]string),
-		tlsALPNOne: make(map[string]string),
-		redirects:  make(map[string]string),
+		log:            config.Log,
+		requestHistory: make(map[string]map[RequestEventType][]RequestEvent),
+		httpOne:        make(map[string]string),
+		dnsOne:         make(map[string][]string),
+		tlsALPNOne:     make(map[string]string),
+		redirects:      make(map[string]string),
 		dnsMocks: mockDNSData{
 			defaultIPv4: defaultIPv4,
 			defaultIPv6: defaultIPv6,

dns.go

@@ -142,6 +142,9 @@ func (s *ChallSrv) dnsHandler(w dns.ResponseWriter, r *dns.Msg) {
 
 	// For each question, add answers based on the type of question
 	for _, q := range r.Question {
+		s.AddRequestEvent(DNSRequestEvent{
+			Question: q,
+		})
 		var answerFunc dnsAnswerFunc
 		switch q.Qtype {
 		case dns.TypeTXT:

event.go

@@ -0,0 +1,133 @@
+package challtestsrv
+
+import (
+	"net"
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+// RequestEventType indicates what type of event occurred.
+type RequestEventType int
+
+const (
+	// HTTP requests
+	HTTPRequestEventType RequestEventType = iota
+	// DNS requests
+	DNSRequestEventType
+	// TLS-ALPN-01 requests
+	TLSALPNRequestEventType
+)
+
+// A RequestEvent is anything that can identify its RequestEventType and a key
+// for storing the request event in the history.
+type RequestEvent interface {
+	Type() RequestEventType
+	Key() string
+}
+
+// HTTPRequestEvent corresponds to an HTTP request received by a httpOneServer.
+// It implements the RequestEvent interface.
+type HTTPRequestEvent struct {
+	// The full request URL (path and query arguments)
+	URL string
+	// The Host header from the request
+	Host string
+	// Whether the request was received over HTTPS or HTTP
+	HTTPS bool
+	// The ServerName from the ClientHello. May be empty if there was no SNI or if
+	// the request was not HTTPS
+	ServerName string
+}
+
+// HTTPRequestEvents always have type HTTPRequestEventType
+func (e HTTPRequestEvent) Type() RequestEventType {
+	return HTTPRequestEventType
+}
+
+// HTTPRequestEvents use the HTTP Host as the storage key. Any explicit port
+// will be removed.
+func (e HTTPRequestEvent) Key() string {
+	if h, _, err := net.SplitHostPort(e.Host); err == nil {
+		return h
+	}
+	return e.Host
+}
+
+// DNSRequestEvent corresponds to a DNS request received by a dnsOneServer. It
+// implements the RequestEvent interface.
+type DNSRequestEvent struct {
+	// The DNS question received.
+	Question dns.Question
+}
+
+// DNSRequestEvents always have type DNSRequestEventType
+func (e DNSRequestEvent) Type() RequestEventType {
+	return DNSRequestEventType
+}
+
+// DNSRequestEvents use the Question Name as the storage key. Any trailing `.`
+// in the question name is removed.
+func (e DNSRequestEvent) Key() string {
+	key := e.Question.Name
+	if strings.HasSuffix(key, ".") {
+		key = strings.TrimSuffix(key, ".")
+	}
+	return key
+}
+
+// TLSALPNRequestEvent corresponds to a TLS request received by
+// a tlsALPNOneServer. It implements the RequestEvent interface.
+type TLSALPNRequestEvent struct {
+	// ServerName from the TLS Client Hello.
+	ServerName string
+	// SupportedProtos from the TLS Client Hello.
+	SupportedProtos []string
+}
+
+// TLSALPNRequestEvents always have type TLSALPNRequestEventType
+func (e TLSALPNRequestEvent) Type() RequestEventType {
+	return TLSALPNRequestEventType
+}
+
+// TLSALPNRequestEvents use the SNI value as the storage key
+func (e TLSALPNRequestEvent) Key() string {
+	return e.ServerName
+}
+
+// AddRequestEvent adds a RequestEvent to the server's request history. It is
+// appeneded to a list of RequestEvents indexed by the event's Type().
+func (s *ChallSrv) AddRequestEvent(event RequestEvent) {
+	s.challMu.Lock()
+	defer s.challMu.Unlock()
+
+	typ := event.Type()
+	host := event.Key()
+	if s.requestHistory[host] == nil {
+		s.requestHistory[host] = make(map[RequestEventType][]RequestEvent)
+	}
+	s.requestHistory[host][typ] = append(s.requestHistory[host][typ], event)
+}
+
+// RequestHistory returns the server's request history for the given hostname
+// and event type.
+func (s *ChallSrv) RequestHistory(hostname string, typ RequestEventType) []RequestEvent {
+	s.challMu.RLock()
+	defer s.challMu.RUnlock()
+
+	if hostEvents, ok := s.requestHistory[hostname]; ok {
+		return hostEvents[typ]
+	}
+	return []RequestEvent{}
+}
+
+// ClearRequestHistory clears the server's request history for the given
+// hostname and event type.
+func (s *ChallSrv) ClearRequestHistory(hostname string, typ RequestEventType) {
+	s.challMu.Lock()
+	defer s.challMu.Unlock()
+
+	if hostEvents, ok := s.requestHistory[hostname]; ok {
+		hostEvents[typ] = []RequestEvent{}
+	}
+}

httpone.go

@@ -49,7 +49,7 @@ func selfSignedCert() tls.Certificate {
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 		BasicConstraintsValid: true,
-		IsCA: true,
+		IsCA:                  true,
 	}
 
 	der, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
@@ -118,6 +118,18 @@ func (s *ChallSrv) GetHTTPRedirect(path string) (string, bool) {
 func (s *ChallSrv) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	requestPath := r.URL.Path
 
+	serverName := ""
+	if r.TLS != nil {
+		serverName = r.TLS.ServerName
+	}
+
+	s.AddRequestEvent(HTTPRequestEvent{
+		URL:        r.URL.String(),
+		Host:       r.Host,
+		HTTPS:      r.TLS != nil,
+		ServerName: serverName,
+	})
+
 	// If the request was not over HTTPS and we have a redirect, serve it.
 	// Redirects are ignored over HTTPS so we can easily do an HTTP->HTTPS
 	// redirect for a token path without creating a loop.

tlsalpnone.go

@@ -50,6 +50,10 @@ func (s *ChallSrv) GetTLSALPNChallenge(host string) (string, bool) {
 
 func (s *ChallSrv) ServeChallengeCertFunc(k *ecdsa.PrivateKey) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		s.AddRequestEvent(TLSALPNRequestEvent{
+			ServerName:      hello.ServerName,
+			SupportedProtos: hello.SupportedProtos,
+		})
 		if len(hello.SupportedProtos) != 1 || hello.SupportedProtos[0] != ACMETLS1Protocol {
 			return nil, fmt.Errorf(
 				"ALPN failed, ClientHelloInfo.SupportedProtos: %s",