From 86e64af35cbc0fa61e9c036e6ead34d57daa2d7b Mon Sep 17 00:00:00 2001
From: GitHub Actions Bot
Date: Mon, 15 Jul 2024 19:24:17 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=B1:=20[acme]=20sync=20upgrade=20with?=
 =?UTF-8?q?=205=20commits=20[trident-sync]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Temp remove Node v22 from matrix, broke CNAME tests
Invalidate ACME directory cache after 24 hours
Directory URLs for Google ACME provider
Bump Pebble v2.6.0
---
 .../.github/scripts/tests-install-cts.sh | 4 ++-
 .../.github/scripts/tests-install-pebble.sh | 4 ++-
 .../acme-client/.github/workflows/tests.yml | 6 ++--
 packages/core/acme-client/CHANGELOG.md | 5 ++++
 packages/core/acme-client/README.md | 3 ++
 packages/core/acme-client/src/http.js | 29 ++++++++++++-------
 packages/core/acme-client/src/index.js | 4 +++
 .../core/acme-client/test/70-auto.spec.js | 6 ++--
 packages/core/acme-client/types/index.d.ts | 4 +++
 9 files changed, 46 insertions(+), 19 deletions(-)

diff --git a/packages/core/acme-client/.github/scripts/tests-install-cts.sh b/packages/core/acme-client/.github/scripts/tests-install-cts.sh
index ac929c8b..fcc585bc 100644
--- a/packages/core/acme-client/.github/scripts/tests-install-cts.sh
+++ b/packages/core/acme-client/.github/scripts/tests-install-cts.sh
@@ -5,8 +5,10 @@ set -euo pipefail
 # Download and install
-wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLECTS_VERSION}/pebble-challtestsrv_linux-amd64" -O /usr/local/bin/pebble-challtestsrv
+wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLECTS_VERSION}/pebble-challtestsrv-linux-amd64.tar.gz" -O /tmp/pebble-challtestsrv.tar.gz
+tar zxvf /tmp/pebble-challtestsrv.tar.gz -C /tmp
+mv /tmp/pebble-challtestsrv-linux-amd64/linux/amd64/pebble-challtestsrv /usr/local/bin/pebble-challtestsrv
 chown root:root /usr/local/bin/pebble-challtestsrv
 chmod 0755 /usr/local/bin/pebble-challtestsrv
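Review bot: The new download step on the `+wget`/`+tar`/`+mv` lines installs a binary into /usr/local/bin from an archive that is never integrity-checked, and it unpacks it into fixed paths under the shared /tmp directory; tests-install-pebble.sh in the next hunk has the same pattern. Since PEBBLECTS_VERSION is already pinned, the release archive's digest can be pinned alongside it and checked before extraction, and a private `mktemp -d` directory avoids colliding with whatever already sits in /tmp. For example: `tmpdir=$(mktemp -d)`, `echo "<expected-sha256>  ${tmpdir}/pebble-challtestsrv.tar.gz" | sha256sum -c -`, then `tar zxf "${tmpdir}/pebble-challtestsrv.tar.gz" -C "${tmpdir}"`. `tar zxvf` also echoes every extracted path into the CI log; `zxf` is enough here.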
diff --git a/packages/core/acme-client/.github/scripts/tests-install-pebble.sh b/packages/core/acme-client/.github/scripts/tests-install-pebble.sh
index 56c263ab..6109a190 100644
--- a/packages/core/acme-client/.github/scripts/tests-install-pebble.sh
+++ b/packages/core/acme-client/.github/scripts/tests-install-pebble.sh
@@ -22,8 +22,10 @@ wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION
 wget -nv "https://raw.githubusercontent.com/letsencrypt/pebble/v${PEBBLE_VERSION}/test/config/${CONFIG_NAME}" -O /etc/pebble/pebble.json
 # Download and install Pebble
-wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLE_VERSION}/pebble_linux-amd64" -O /usr/local/bin/pebble
+wget -nv "https://github.com/letsencrypt/pebble/releases/download/v${PEBBLE_VERSION}/pebble-linux-amd64.tar.gz" -O /tmp/pebble.tar.gz
+tar zxvf /tmp/pebble.tar.gz -C /tmp
+mv /tmp/pebble-linux-amd64/linux/amd64/pebble /usr/local/bin/pebble
 chown root:root /usr/local/bin/pebble
 chmod 0755 /usr/local/bin/pebble
diff --git a/packages/core/acme-client/.github/workflows/tests.yml b/packages/core/acme-client/.github/workflows/tests.yml
index 5d031c5e..1d2ff97b 100644
--- a/packages/core/acme-client/.github/workflows/tests.yml
+++ b/packages/core/acme-client/.github/workflows/tests.yml
@@ -8,7 +8,7 @@ jobs:
 strategy:
 matrix:
-node: [16, 18, 20, 22]
+node: [16, 18, 20]
 eab: [0, 1]
 #
@@ -19,9 +19,9 @@ jobs:
 FORCE_COLOR: 1
 NPM_CONFIG_COLOR: always
-PEBBLE_VERSION: 2.3.1
+PEBBLE_VERSION: 2.6.0
 PEBBLE_ALTERNATE_ROOTS: 2
-PEBBLECTS_VERSION: 2.3.1
+PEBBLECTS_VERSION: 2.6.0
 PEBBLECTS_DNS_PORT: 8053
 COREDNS_VERSION: 1.11.1
diff --git a/packages/core/acme-client/CHANGELOG.md b/packages/core/acme-client/CHANGELOG.md
index 775077a0..6f08cb2f 100644
--- a/packages/core/acme-client/CHANGELOG.md
+++ b/packages/core/acme-client/CHANGELOG.md
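Review bot: Dropping Node 22 from the `node:` matrix leaves no marker in the workflow itself that the removal is temporary; only the commit message ("Temp remove Node v22 from matrix, broke CNAME tests") records that. A comment on the matrix line keeps the follow-up visible to whoever next edits the file, e.g. `node: [16, 18, 20] # TODO: re-add 22 once the CNAME tests pass on it`. The enclosing `jobs:` block starts and ends outside the hunk.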
@@ -1,5 +1,10 @@
 # Changelog
+## v5.4.0
+
+* `added` Directory URLs for [Google](https://cloud.google.com/certificate-manager/docs/overview) ACME provider
+* `fixed` Invalidate ACME directory cache after 24 hours
+
 ## v5.3.1 (2024-05-22)
 * `fixed` Allow `client.auto()` being called with an empty CSR common name
diff --git a/packages/core/acme-client/README.md b/packages/core/acme-client/README.md
index f69dfd18..cafdd671 100644
--- a/packages/core/acme-client/README.md
+++ b/packages/core/acme-client/README.md
@@ -59,6 +59,9 @@ const client = new acme.Client({
 acme.directory.buypass.staging;
 acme.directory.buypass.production;
+acme.directory.google.staging;
+acme.directory.google.production;
+
 acme.directory.letsencrypt.staging;
 acme.directory.letsencrypt.production;
diff --git a/packages/core/acme-client/src/http.js b/packages/core/acme-client/src/http.js
index d553ebff..cf56d940 100644
--- a/packages/core/acme-client/src/http.js
+++ b/packages/core/acme-client/src/http.js
@@ -25,8 +25,11 @@ class HttpClient {
 this.externalAccountBinding = externalAccountBinding;
 this.maxBadNonceRetries = 5;
-this.directory = null;
 this.jwk = null;
+
+this.directoryCache = null;
+this.directoryMaxAge = 86400;
+this.directoryTimestamp = 0;
 }
 /**
@@ -59,15 +62,17 @@ class HttpClient {
 }
 /**
-* Ensure provider directory exists
+* Get ACME provider directory
 *
 * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
 *
-* @returns {Promise}
+* @returns {Promise} ACME directory contents
 */
 async getDirectory() {
-if (!this.directory) {
+const age = (Math.floor(Date.now() / 1000) - this.directoryTimestamp);
+
+if (!this.directoryCache || (age > this.directoryMaxAge)) {
 const resp = await this.request(this.directoryUrl, 'get');
 if (resp.status >= 400) {
@@ -78,8 +83,10 @@ class HttpClient {
 throw new Error('Attempting to read ACME directory returned no data');
 }
-this.directory = resp.data;
+this.directoryCache = resp.data;
 }
+
+return this.directoryCache;
 }
 /**
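Review bot: The three fields added after `this.jwk = null;` carry no comment, and `this.directoryMaxAge = 86400;` in particular does not say what unit it is in; getDirectory() further down in this file compares it against an age computed in whole seconds from Date.now(), so a reader tuning it has to go find that. Suggest `this.directoryMaxAge = 86400; // seconds; the cached directory is re-fetched once it is older than this` and a matching `// unix time in seconds; 0 = no directory fetched yet` on `directoryTimestamp`. The constructor starts outside the hunk.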
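Review bot: `this.directoryTimestamp` is never updated when the directory is stored on the `+this.directoryCache = resp.data;` line, and nothing else in this patch assigns it, so it stays at the constructor's 0. In getDirectory() (the previous hunk) `age` is then `now - 0`, which exceeds `directoryMaxAge` on every call, so the cache is always treated as expired and every getResourceUrl()/getMetaField() call re-requests the directory from the provider — the opposite of the 24-hour invalidation the commit describes, and a regression from the old unconditional cache. Record the fetch time next to the store: `this.directoryCache = resp.data;` followed by `this.directoryTimestamp = Math.floor(Date.now() / 1000);`. If the timestamp is maintained somewhere outside these hunks this does not apply, but nothing visible here does so.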
@@ -123,13 +130,13 @@ class HttpClient {
 */
 async getResourceUrl(resource) {
-await this.getDirectory();
+const dir = await this.getDirectory();
-if (!this.directory[resource]) {
+if (!dir[resource]) {
 throw new Error(`Unable to locate API resource URL in ACME directory: "${resource}"`);
 }
-return this.directory[resource];
+return dir[resource];
 }
 /**
@@ -140,10 +147,10 @@ class HttpClient {
 */
 async getMetaField(field) {
-await this.getDirectory();
+const dir = await this.getDirectory();
-if (('meta' in this.directory) && (field in this.directory.meta)) {
-return this.directory.meta[field];
+if (('meta' in dir) && (field in dir.meta)) {
+return dir.meta[field];
 }
 return null;
diff --git a/packages/core/acme-client/src/index.js b/packages/core/acme-client/src/index.js
index 209cf1da..e463ac04 100644
--- a/packages/core/acme-client/src/index.js
+++ b/packages/core/acme-client/src/index.js
@@ -13,6 +13,10 @@ exports.directory = {
 staging: 'https://api.test4.buypass.no/acme/directory',
 production: 'https://api.buypass.com/acme/directory',
 },
+google: {
+staging: 'https://dv.acme-v02.test-api.pki.goog/directory',
+production: 'https://dv.acme-v02.api.pki.goog/directory',
+},
 letsencrypt: {
 staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
 production: 'https://acme-v02.api.letsencrypt.org/directory',
diff --git a/packages/core/acme-client/test/70-auto.spec.js b/packages/core/acme-client/test/70-auto.spec.js
index 16812aac..8e6f0eb3 100644
--- a/packages/core/acme-client/test/70-auto.spec.js
+++ b/packages/core/acme-client/test/70-auto.spec.js
@@ -414,7 +414,7 @@ describe('client.auto', () => {
 const info = acme.crypto.readCertificateInfo(testCertificate);
 spec.crypto.certificateInfo(info);
-assert.strictEqual(info.domains.commonName, testDomain);
+assert.isNull(info.domains.commonName);
 assert.deepStrictEqual(info.domains.altNames, [testDomain]);
 });
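Review bot: The replaced assertion `assert.isNull(info.domains.commonName)` pins the issued certificate to having no subject CN but gives no reason; presumably this follows from the Pebble 2.6.0 bump in the same commit, yet nothing in the test file says so, and the same change is made in the two following hunks (`testSanCertificate`, `testWildcardCertificate`). A one-line comment above the first of the three assertions, e.g. `// the test CA (Pebble, version pinned in tests.yml) leaves the subject CN empty; identities are only in altNames`, makes the coupling explicit, provided that is indeed the cause. Separately, `assert.isNull` is a chai-style assertion while the neighbouring `strictEqual`/`deepStrictEqual` also exist on node's assert; if this file's `assert` is node's, it would need `assert.strictEqual(info.domains.commonName, null)` — the import is outside the hunk, so I cannot tell.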
@@ -422,7 +422,7 @@ describe('client.auto', () => {
 const info = acme.crypto.readCertificateInfo(testSanCertificate);
 spec.crypto.certificateInfo(info);
-assert.strictEqual(info.domains.commonName, testSanDomains[0]);
+assert.isNull(info.domains.commonName);
 assert.deepStrictEqual(info.domains.altNames, testSanDomains);
 });
@@ -430,7 +430,7 @@ describe('client.auto', () => {
 const info = acme.crypto.readCertificateInfo(testWildcardCertificate);
 spec.crypto.certificateInfo(info);
-assert.strictEqual(info.domains.commonName, testWildcardDomain);
+assert.isNull(info.domains.commonName);
 assert.deepStrictEqual(info.domains.altNames, [testWildcardDomain, `*.${testWildcardDomain}`]);
 });
 });
diff --git a/packages/core/acme-client/types/index.d.ts b/packages/core/acme-client/types/index.d.ts
index e77941e7..59a064a5 100644
--- a/packages/core/acme-client/types/index.d.ts
+++ b/packages/core/acme-client/types/index.d.ts
@@ -87,6 +87,10 @@ export const directory: {
 staging: string,
 production: string
 },
+google: {
+staging: string,
+production: string
+},
 letsencrypt: {
 staging: string,
 production: string