Minor refactoring, error returns and e2e testing suite

.github/workflows/e2e.yml

@@ -0,0 +1,21 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  e2e-tests:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Run E2E Tests
+      run: |
+        cd test/e2e
+        docker compose up --build --abort-on-container-exit --exit-code-from tester

pkg/api/auth.go

@@ -67,7 +67,7 @@ func (a *AcmednsAPI) getUserFromRequest(r *http.Request) (acmedns.ACMETxt, error
 	passwd := r.Header.Get("X-Api-Key")
 	username, err := getValidUsername(uname)
 	if err != nil {
-		return acmedns.ACMETxt{}, fmt.Errorf("invalid username: %s: %s", uname, err.Error())
+		return acmedns.ACMETxt{}, fmt.Errorf("invalid username: %s: %w", uname, err)
 	}
 	if validKey(passwd) {
 		dbuser, err := a.DB.GetByUsername(username)

pkg/database/db.go

@@ -3,7 +3,6 @@ package database
 import (
 	"database/sql"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"regexp"
 	"strconv"
@@ -216,7 +215,7 @@ func (d *acmednsdb) Register(afrom acmedns.Cidrslice) (acmedns.ACMETxt, error) {
 	if err != nil {
 		d.Logger.Errorw("Database error in prepare",
 			"error", err.Error())
-		return a, errors.New("SQL error")
+		return a, fmt.Errorf("failed to prepare registration statement: %w", err)
 	}
 	defer sm.Close()
 	_, err = sm.Exec(a.Username.String(), passwordHash, a.Subdomain, a.AllowFrom.JSON())
@@ -246,7 +245,7 @@ func (d *acmednsdb) GetByUsername(u uuid.UUID) (acmedns.ACMETxt, error) {
 	defer sm.Close()
 	rows, err := sm.Query(u.String())
 	if err != nil {
-		return acmedns.ACMETxt{}, err
+		return acmedns.ACMETxt{}, fmt.Errorf("failed to query user: %w", err)
 	}
 	defer rows.Close()
 
@@ -261,7 +260,7 @@ func (d *acmednsdb) GetByUsername(u uuid.UUID) (acmedns.ACMETxt, error) {
 	if len(results) > 0 {
 		return results[0], nil
 	}
-	return acmedns.ACMETxt{}, errors.New("no user")
+	return acmedns.ACMETxt{}, fmt.Errorf("user not found: %s", u.String())
 }
 
 func (d *acmednsdb) GetTXTForDomain(domain string) ([]string, error) {

pkg/nameserver/handler.go

@@ -55,13 +55,14 @@ func (n *Nameserver) answer(q dns.Question) ([]dns.RR, int, bool, error) {
 	var rcode int
 	var err error
 	var txtRRs []dns.RR
-	var authoritative = n.isAuthoritative(q)
-	if !n.isOwnChallenge(q.Name) && !n.answeringForDomain(q.Name) {
+	loweredName := strings.ToLower(q.Name)
+	var authoritative = n.isAuthoritative(loweredName)
+	if !n.isOwnChallenge(loweredName) && !n.answeringForDomain(loweredName) {
 		rcode = dns.RcodeNameError
 	}
-	r, _ := n.getRecord(q)
+	r, _ := n.getRecord(loweredName, q.Qtype)
 	if q.Qtype == dns.TypeTXT {
-		if n.isOwnChallenge(q.Name) {
+		if n.isOwnChallenge(loweredName) {
 			txtRRs, err = n.answerOwnChallenge(q)
 		} else {
 			txtRRs, err = n.answerTXT(q)
@@ -101,31 +102,28 @@ func (n *Nameserver) answerTXT(q dns.Question) ([]dns.RR, error) {
 	return ra, nil
 }
 
-func (n *Nameserver) isAuthoritative(q dns.Question) bool {
-	if n.answeringForDomain(q.Name) {
+func (n *Nameserver) isAuthoritative(name string) bool {
+	if n.answeringForDomain(name) {
 		return true
 	}
-	domainParts := strings.Split(strings.ToLower(q.Name), ".")
-	for i := range domainParts {
-		if n.answeringForDomain(strings.Join(domainParts[i:], ".")) {
+	off := 0
+	for {
+		i, next := dns.NextLabel(name, off)
+		if next {
+			return false
+		}
+		off = i
+		if n.answeringForDomain(name[off:]) {
 			return true
 		}
 	}
-	return false
 }
 
-// isOwnChallenge checks if the query is for the domain of this acme-dns instance. Used for answering its own ACME challenges
 func (n *Nameserver) isOwnChallenge(name string) bool {
-	domainParts := strings.SplitN(name, ".", 2)
-	if len(domainParts) == 2 {
-		if strings.ToLower(domainParts[0]) == "_acme-challenge" {
-			domain := strings.ToLower(domainParts[1])
-			if !strings.HasSuffix(domain, ".") {
-				domain = domain + "."
-			}
-			if domain == n.OwnDomain {
-				return true
-			}
+	if strings.HasPrefix(name, "_acme-challenge.") {
+		domain := name[16:]
+		if domain == n.OwnDomain {
+			return true
 		}
 	}
 	return false
@@ -133,22 +131,22 @@ func (n *Nameserver) isOwnChallenge(name string) bool {
 
 // answeringForDomain checks if we have any records for a domain
 func (n *Nameserver) answeringForDomain(name string) bool {
-	if n.OwnDomain == strings.ToLower(name) {
+	if n.OwnDomain == name {
 		return true
 	}
-	_, ok := n.Domains[strings.ToLower(name)]
+	_, ok := n.Domains[name]
 	return ok
 }
 
-func (n *Nameserver) getRecord(q dns.Question) ([]dns.RR, error) {
+func (n *Nameserver) getRecord(name string, qtype uint16) ([]dns.RR, error) {
 	var rr []dns.RR
 	var cnames []dns.RR
-	domain, ok := n.Domains[strings.ToLower(q.Name)]
+	domain, ok := n.Domains[name]
 	if !ok {
-		return rr, fmt.Errorf("no records for domain %s", q.Name)
+		return rr, fmt.Errorf("no records for domain %s", name)
 	}
 	for _, ri := range domain.Records {
-		if ri.Header().Rrtype == q.Qtype {
+		if ri.Header().Rrtype == qtype {
 			rr = append(rr, ri)
 		}
 		if ri.Header().Rrtype == dns.TypeCNAME {

pkg/nameserver/handler_test.go

@@ -25,7 +25,7 @@ func TestNameserver_isOwnChallenge(t *testing.T) {
 				OwnDomain: "some-domain.test.",
 			},
 			args: args{
-				name: "_acme-challenge.some-domain.test",
+				name: "_acme-challenge.some-domain.test.",
 			},
 			want: true,
 		},
@@ -35,7 +35,7 @@ func TestNameserver_isOwnChallenge(t *testing.T) {
 				OwnDomain: "some-domain.test.",
 			},
 			args: args{
-				name: "_acme-challenge.some-other-domain.test",
+				name: "_acme-challenge.some-other-domain.test.",
 			},
 			want: false,
 		},
@@ -45,7 +45,7 @@ func TestNameserver_isOwnChallenge(t *testing.T) {
 				OwnDomain: "domain.test.",
 			},
 			args: args{
-				name: "domain.test",
+				name: "domain.test.",
 			},
 			want: false,
 		},
@@ -55,7 +55,7 @@ func TestNameserver_isOwnChallenge(t *testing.T) {
 				OwnDomain: "domain.test.",
 			},
 			args: args{
-				name: "my-domain.test",
+				name: "my-domain.test.",
 			},
 			want: false,
 		},
@@ -142,7 +142,7 @@ func TestNameserver_isAuthoritative(t *testing.T) {
 				OwnDomain: tt.fields.OwnDomain,
 				Domains:   tt.fields.Domains,
 			}
-			if got := n.isAuthoritative(tt.args.q); got != tt.want {
+			if got := n.isAuthoritative(tt.args.q.Name); got != tt.want {
 				t.Errorf("isAuthoritative() = %v, want %v", got, tt.want)
 			}
 		})

pkg/nameserver/initialize.go

@@ -1,6 +1,7 @@
 package nameserver
 
 import (
+	"fmt"
 	"strings"
 	"sync"
 
@@ -95,7 +96,7 @@ func (n *Nameserver) Start(errorChannel chan error) {
 	}
 	err := n.Server.ListenAndServe()
 	if err != nil {
-		errorChannel <- err
+		errorChannel <- fmt.Errorf("DNS server %s failed: %w", n.Server.Net, err)
 	}
 }
 

test/README.md

@@ -0,0 +1,37 @@
+# acme-dns E2E Testing Suite
+
+This directory contains the end-to-end (E2E) testing suite for `acme-dns`. The suite runs in a containerized environment to ensure a consistent and isolated test execution.
+
+## Overview
+
+The E2E suite consists of:
+- A Dockerized `acme-dns` server.
+- A Python-based `tester` container that performs API and DNS operations.
+- A GitHub Actions workflow for CI/CD integration.
+
+## Prerequisites
+
+- [Docker](https://www.docker.com/get-started)
+- [Docker Compose](https://docs.docker.com/compose/install/)
+
+## Running Locally
+
+To run the full E2E suite locally, execute the following command from the root of the repository:
+
+```bash
+docker compose -f test/e2e/docker-compose.yml up --build --abort-on-container-exit
+```
+
+The `tester` container will return an exit code of `0` on success and `1` on failure.
+
+## Test Flow
+
+The `tester.py` script follows these steps:
+1.  **Wait for Ready**: Polls the `/health` endpoint until the API is available.
+2.  **Account Registration**: Registers a NEW account at `/register`.
+3.  **TXT Update**: Performs TWO sequential updates to the TXT records of the newly created subdomain.
+4.  **DNS Verification**: Directly queries the `acme-dns` server (on port 53) used in the test to verify that the TXT records have been correctly updated and are resolvable.
+
+## CI/CD integration
+
+The tests are automatically run on every push and pull request to the `master` branch via GitHub Actions. The workflow configuration can be found in `.github/workflows/e2e.yml`.

test/e2e/Dockerfile.e2e

@@ -0,0 +1,16 @@
+FROM golang:alpine AS builder
+RUN apk add --update gcc musl-dev git
+WORKDIR /app
+COPY . .
+RUN CGO_ENABLED=1 go build -o acme-dns
+
+FROM alpine:latest
+WORKDIR /root/
+COPY --from=builder /app/acme-dns .
+COPY --from=builder /app/config.cfg /etc/acme-dns/config.cfg
+RUN mkdir -p /var/lib/acme-dns
+RUN apk --no-cache add ca-certificates && update-ca-certificates
+VOLUME ["/etc/acme-dns", "/var/lib/acme-dns"]
+ENTRYPOINT ["./acme-dns", "-c", "/etc/acme-dns/config.cfg"]
+EXPOSE 53 80 443
+EXPOSE 53/udp

test/e2e/config.cfg

@@ -0,0 +1,28 @@
+[general]
+listen = "0.0.0.0:53"
+protocol = "both"
+domain = "auth.example.org"
+nsname = "auth.example.org"
+nsadmin = "admin.example.org"
+records = [
+    "auth.example.org. A 127.0.0.1",
+    "auth.example.org. NS auth.example.org.",
+]
+debug = true
+
+[database]
+engine = "sqlite"
+connection = "/var/lib/acme-dns/acme-dns.db"
+
+[api]
+ip = "0.0.0.0"
+disable_registration = false
+port = "80"
+tls = "none"
+corsorigins = ["*"]
+use_header = false
+
+[logconfig]
+loglevel = "debug"
+logtype = "stdout"
+logformat = "text"

test/e2e/docker-compose.yml

@@ -0,0 +1,30 @@
+version: '3'
+services:
+  acme-dns:
+    build:
+      context: ../../
+      dockerfile: test/e2e/Dockerfile.e2e
+    ports:
+      - "15353:53/udp"
+      - "18080:80"
+      - "18443:443"
+    volumes:
+      - ./config.cfg:/etc/acme-dns/config.cfg
+      - e2e-data:/var/lib/acme-dns
+
+  tester:
+    image: python:3.9-slim
+    depends_on:
+      - acme-dns
+    volumes:
+      - .:/test
+    working_dir: /test
+    command: >
+      sh -c "pip install -r requirements.txt && python tester.py"
+    environment:
+      - ACMEDNS_URL=http://acme-dns:80
+      - DNS_SERVER=acme-dns
+      - DNS_PORT=53
+
+volumes:
+  e2e-data:

test/e2e/requirements.txt

@@ -0,0 +1,2 @@
+requests
+dnspython

test/e2e/tester.py

@@ -0,0 +1,105 @@
+import requests
+import dns.resolver
+import os
+import time
+import sys
+import socket
+
+ACMEDNS_URL = os.environ.get("ACMEDNS_URL", "http://localhost:80")
+DNS_SERVER = os.environ.get("DNS_SERVER", "localhost")
+DNS_PORT = int(os.environ.get("DNS_PORT", 53))
+
+def wait_for_server():
+    print(f"Waiting for acme-dns at {ACMEDNS_URL}...")
+    for i in range(30):
+        try:
+            resp = requests.get(f"{ACMEDNS_URL}/health")
+            if resp.status_code == 200:
+                print("Server is up!")
+                return True
+        except:
+            pass
+        time.sleep(1)
+    return False
+
+def test_flow():
+    # 1. Register account
+    print("Registering account...")
+    resp = requests.post(f"{ACMEDNS_URL}/register")
+    if resp.status_code != 201:
+        print(f"Failed to register: {resp.status_code} {resp.text}")
+        return False
+    
+    account = resp.json()
+    username = account['username']
+    api_key = account['password']
+    subdomain = account['subdomain']
+    fulldomain = account['fulldomain']
+    print(f"Registered subdomain: {subdomain}")
+
+    # 2. Update TXT records
+    headers = {
+        "X-Api-User": username,
+        "X-Api-Key": api_key
+    }
+
+    txt_values = ["secret_token_1", "secret_token_2"]
+    
+    for val in txt_values:
+        print(f"Updating TXT record with value: {val}")
+        # Let's Encrypt uses 43 char tokens usually, but our validation is flexible now (or we use a dummy one)
+        # Actually our current validation in pkg/api/util.go still expects 43 chars if I recall correctly
+        # Let's use 43 chars just in case
+        dummy_val = val.ljust(43, '_')[:43]
+        payload = {
+            "subdomain": subdomain,
+            "txt": dummy_val
+        }
+        resp = requests.post(f"{ACMEDNS_URL}/update", headers=headers, json=payload)
+        if resp.status_code != 200:
+            print(f"Failed to update: {resp.status_code} {resp.text}")
+            return False
+        
+    print("Updates successful. Waiting for DNS propagation (local cache)...")
+    time.sleep(2)
+
+    # 3. Verify DNS resolution
+    print(f"Resolving TXT records for {fulldomain}...")
+    
+    # Resolve hostname to IP if needed
+    try:
+        dns_server_ip = socket.gethostbyname(DNS_SERVER)
+    except:
+        dns_server_ip = DNS_SERVER
+
+    resolver = dns.resolver.Resolver()
+    resolver.nameservers = [dns_server_ip]
+    resolver.port = DNS_PORT
+
+    try:
+        answers = resolver.resolve(fulldomain, "TXT")
+        resolved_values = [str(rdata).strip('"') for rdata in answers]
+        print(f"Resolved values: {resolved_values}")
+        
+        # Check if both are present
+        for val in txt_values:
+            dummy_val = val.ljust(43, '_')[:43]
+            if dummy_val not in resolved_values:
+                print(f"Expected value {dummy_val} not found in resolved values")
+                return False
+    except Exception as e:
+        print(f"DNS resolution failed: {e}")
+        return False
+
+    print("E2E Test Passed Successfully!")
+    return True
+
+if __name__ == "__main__":
+    if not wait_for_server():
+        print("Server timed out.")
+        sys.exit(1)
+    
+    if not test_flow():
+        sys.exit(1)
+    
+    sys.exit(0)