Add basic configuration validation (#4)

This adds a check that the key types are valid, that an issuer CN is present, and that domains aren't duplicated.

Author: mcpherrinm

config/config.go

@@ -3,10 +3,19 @@ package config
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 )
 
+const (
+	// KeyTypeP256 is one of the valid key types in configuration.
+	KeyTypeP256 = "p256"
+
+	// KeyTypeRSA2048 is one of the valid key types in configuration.
+	KeyTypeRSA2048 = "rsa2048"
+)
+
 // Load a configuration file from cfgPath.
 func Load(cfgPath string) (*Config, error) {
 	cfgBytes, err := os.ReadFile(cfgPath) //nolint:gosec // Reading arbitrary config file is expected
@@ -21,9 +30,43 @@ func Load(cfgPath string) (*Config, error) {
 		return nil, fmt.Errorf("parsing %s: %w", cfgPath, err)
 	}
 
+	err = validate(&cfg)
+	if err != nil {
+		return nil, fmt.Errorf("validating %s: %w", cfgPath, err)
+	}
+
 	return &cfg, nil
 }
 
+// validate the loaded configuration.
+// This checks domains are unique, key types are valid, and that an issuer CN is set.
+func validate(cfg *Config) error {
+	domains := make(map[string]struct{}, 0)
+	var errs []error
+	for i, site := range cfg.Sites {
+		switch site.KeyType {
+		case KeyTypeP256, KeyTypeRSA2048:
+			// Valid key types
+		default:
+			errs = append(errs, fmt.Errorf("site %d unsupported key type: %s", i, site.KeyType))
+		}
+
+		for _, d := range []string{site.Domains.Valid, site.Domains.Revoked, site.Domains.Expired} {
+			_, seen := domains[d]
+			if seen {
+				errs = append(errs, fmt.Errorf("site %d duplicate domain: %s", i, d))
+			}
+			domains[d] = struct{}{}
+		}
+
+		if site.IssuerCN == "" {
+			errs = append(errs, fmt.Errorf("site %d missing issuer CN", i))
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
 // Config is the structure of the JSON configuration file.
 type Config struct {
 	// Sites is a list of sites to host.
@@ -47,6 +90,7 @@ type Site struct {
 	KeyType string
 
 	// Profile selects the ACME profile to use for this certificate.
+	// Optional.
 	Profile string
 
 	// Domain names to use.

config/config_test.go

@@ -2,6 +2,7 @@ package config_test
 
 import (
 	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/letsencrypt/test-certs-site/config"
@@ -56,3 +57,25 @@ func TestLoadConfig(t *testing.T) {
 		t.Fatalf("got:\n%+q\nwant:\n%+q", cfg, &expected)
 	}
 }
+
+func TestInvalidConfig(t *testing.T) {
+	t.Parallel()
+	_, err := config.Load("invalid.json")
+	if err == nil {
+		t.Fatal("LoadConfig should have returned an error on invalid json")
+	}
+
+	errStr := err.Error()
+
+	for _, expected := range []string{
+		"site 0 missing issuer CN",
+		"site 0 duplicate domain: duplicate.domain",
+		"site 1 duplicate domain: valid.salad",
+		"site 0 unsupported key type: 3des",
+		"site 1 unsupported key type: ",
+	} {
+		if !strings.Contains(errStr, expected) {
+			t.Errorf("got error %q, want error containing %q", errStr, expected)
+		}
+	}
+}

config/invalid.json

@@ -0,0 +1,20 @@
+{
+  "sites": [
+    {
+      "keyType": "3des",
+      "domains": {
+        "valid": "valid.salad",
+        "expired": "duplicate.domain",
+        "revoked": "duplicate.domain"
+      }
+    },
+    {
+      "issuerCN": "root",
+      "domains": {
+        "valid": "valid.salad",
+        "expired": "expired.salad",
+        "revoked": "revoked.salad"
+      }
+    }
+  ]
+}