Support unknown ACME challenge types (#9680)

This is, to my knowledge, an entirely inconsequential PR to add support for entirely novel challenge types. Presently in the [`challb_to_achall` function](399b932a86/certbot/certbot/_internal/auth_handler.py (L367)) if the challenge type is not of a type known to certbot an error is thrown. This check is mostly pointless as an authenticator would not request a challenge unknown to it. This check does however forbid any plugins from supporting entirely novel challenges not of the key authorisation form. * support unknown ACME challenge types * add to changelog * update tests --------- Co-authored-by: Brad Warren <bmw@eff.org>
2026-01-26 07:41:33 +03:00 · 2023-04-26 16:23:11 +01:00
parent 10fba2ee3f
commit 8a0b0f63de
5 changed files with 15 additions and 7 deletions
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -221,6 +221,7 @@ Authors
 * [Piotr Kasprzyk](https://github.com/kwadrat)
 * [Prayag Verma](https://github.com/pra85)
 * [Preston Locke](https://github.com/Preston12321)
+* [Q Misell][https://magicalcodewit.ch]
 * [Rasesh Patel](https://github.com/raspat1)
 * [Reinaldo de Souza Jr](https://github.com/juniorz)
 * [Remi Rampin](https://github.com/remram44)
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -9,7 +9,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 * `--dns-google-project` optionally allows for specifying the project that the DNS zone(s) reside in,
  which allows for Certbot usage in scenarios where the auth credentials reside in a different
  project to the zone(s) that are being managed.
-*
+* There is now a new `Other` annotated challenge object to allow plugins to support entirely novel challenges.

 ### Changed

--- a/certbot/certbot/_internal/auth_handler.py
+++ b/certbot/certbot/_internal/auth_handler.py
@@ -384,7 +384,8 @@ def challb_to_achall(challb: messages.ChallengeBody, account_key: josepy.JWK,
            challb=challb, domain=domain, account_key=account_key)
    elif isinstance(chall, challenges.DNS):
        return achallenges.DNS(challb=challb, domain=domain)
-    raise errors.Error(f"Received unsupported challenge of type: {chall.typ}")
+    else:
+        return achallenges.Other(challb=challb, domain=domain)


 def gen_challenge_path(challbs: List[messages.ChallengeBody],
--- a/certbot/certbot/_internal/tests/auth_handler_test.py
+++ b/certbot/certbot/_internal/tests/auth_handler_test.py
@@ -46,12 +46,12 @@ class ChallengeFactoryTest(unittest.TestCase):

    def test_unrecognized(self):
        authzr = acme_util.gen_authzr(
-             messages.STATUS_PENDING, "test",
-             [mock.Mock(chall="chall", typ="unrecognized")],
-             [messages.STATUS_PENDING])
+            messages.STATUS_PENDING, "test",
+            [mock.Mock(chall="chall", typ="unrecognized")],
+            [messages.STATUS_PENDING])

-        with pytest.raises(errors.Error):
-            self.handler._challenge_factory(authzr, [0])
+        achalls = self.handler._challenge_factory(authzr, [0])
+        assert type(achalls[0]) == achallenges.Other


 class HandleAuthorizationsTest(unittest.TestCase):
--- a/certbot/certbot/achallenges.py
+++ b/certbot/certbot/achallenges.py
@@ -59,3 +59,9 @@ class DNS(AnnotatedChallenge):
    """Client annotated "dns" ACME challenge."""
    __slots__ = ('challb', 'domain') # pylint: disable=redefined-slots-in-subclass
    acme_type = challenges.DNS
+
+
+class Other(AnnotatedChallenge):
+    """Client annotated ACME challenge of an unknown type."""
+    __slots__ = ('challb', 'domain') # pylint: disable=redefined-slots-in-subclass
+    acme_type = challenges.Challenge