2016-02-02 22:47:02 +00:00
|
|
|
// +build !race
|
2016-02-03 13:41:31 +00:00
|
|
|
|
2015-12-11 20:58:10 +00:00
|
|
|
package command
|
|
|
|
|
2016-02-02 22:47:02 +00:00
|
|
|
import (
|
2016-03-14 18:05:47 +00:00
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"fmt"
|
2016-02-02 22:47:02 +00:00
|
|
|
"io/ioutil"
|
2016-03-14 18:05:47 +00:00
|
|
|
"math/rand"
|
2016-02-02 22:47:02 +00:00
|
|
|
"os"
|
|
|
|
"strings"
|
2016-03-14 18:05:47 +00:00
|
|
|
"sync"
|
2016-02-02 22:47:02 +00:00
|
|
|
"testing"
|
2016-03-14 18:05:47 +00:00
|
|
|
"time"
|
2016-02-02 22:47:02 +00:00
|
|
|
|
2016-04-01 17:16:05 +00:00
|
|
|
"github.com/hashicorp/vault/meta"
|
2017-08-03 17:24:27 +00:00
|
|
|
"github.com/hashicorp/vault/physical"
|
2016-02-02 22:47:02 +00:00
|
|
|
"github.com/mitchellh/cli"
|
2017-08-03 17:24:27 +00:00
|
|
|
|
|
|
|
physFile "github.com/hashicorp/vault/physical/file"
|
2016-02-02 22:47:02 +00:00
|
|
|
)
|
|
|
|
|
2015-12-11 20:58:10 +00:00
|
|
|
var (
|
|
|
|
basehcl = `
|
|
|
|
disable_mlock = true
|
|
|
|
|
|
|
|
listener "tcp" {
|
|
|
|
address = "127.0.0.1:8200"
|
|
|
|
tls_disable = "true"
|
|
|
|
}
|
|
|
|
`
|
|
|
|
|
|
|
|
consulhcl = `
|
|
|
|
backend "consul" {
|
|
|
|
prefix = "foo/"
|
2016-04-24 02:53:51 +00:00
|
|
|
advertise_addr = "http://127.0.0.1:8200"
|
2016-04-24 03:32:06 +00:00
|
|
|
disable_registration = "true"
|
2015-12-11 20:58:10 +00:00
|
|
|
}
|
|
|
|
`
|
|
|
|
haconsulhcl = `
|
|
|
|
ha_backend "consul" {
|
|
|
|
prefix = "bar/"
|
2016-08-15 13:42:42 +00:00
|
|
|
redirect_addr = "http://127.0.0.1:8200"
|
2016-04-24 03:32:06 +00:00
|
|
|
disable_registration = "true"
|
2015-12-11 20:58:10 +00:00
|
|
|
}
|
|
|
|
`
|
|
|
|
|
|
|
|
badhaconsulhcl = `
|
|
|
|
ha_backend "file" {
|
|
|
|
path = "/dev/null"
|
|
|
|
}
|
2016-03-14 18:05:47 +00:00
|
|
|
`
|
|
|
|
|
|
|
|
reloadhcl = `
|
|
|
|
backend "file" {
|
|
|
|
path = "/dev/null"
|
|
|
|
}
|
|
|
|
|
|
|
|
disable_mlock = true
|
|
|
|
|
|
|
|
listener "tcp" {
|
|
|
|
address = "127.0.0.1:8203"
|
2017-07-31 15:28:06 +00:00
|
|
|
tls_cert_file = "TMPDIR/reload_cert.pem"
|
|
|
|
tls_key_file = "TMPDIR/reload_key.pem"
|
2016-03-14 18:05:47 +00:00
|
|
|
}
|
2015-12-11 20:58:10 +00:00
|
|
|
`
|
|
|
|
)
|
|
|
|
|
2016-02-02 22:47:02 +00:00
|
|
|
// The following tests have a go-metrics/exp manager race condition
|
2016-03-14 18:05:47 +00:00
|
|
|
func TestServer_ReloadListener(t *testing.T) {
|
|
|
|
wd, _ := os.Getwd()
|
|
|
|
wd += "/server/test-fixtures/reload/"
|
|
|
|
|
|
|
|
td, err := ioutil.TempDir("", fmt.Sprintf("vault-test-%d", rand.New(rand.NewSource(time.Now().Unix())).Int63))
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
defer os.RemoveAll(td)
|
|
|
|
|
|
|
|
wg := &sync.WaitGroup{}
|
|
|
|
|
|
|
|
// Setup initial certs
|
|
|
|
inBytes, _ := ioutil.ReadFile(wd + "reload_foo.pem")
|
2017-07-31 15:28:06 +00:00
|
|
|
ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0777)
|
2016-03-14 18:05:47 +00:00
|
|
|
inBytes, _ = ioutil.ReadFile(wd + "reload_foo.key")
|
2017-07-31 15:28:06 +00:00
|
|
|
ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0777)
|
2016-03-14 18:05:47 +00:00
|
|
|
|
2017-07-31 15:28:06 +00:00
|
|
|
relhcl := strings.Replace(reloadhcl, "TMPDIR", td, -1)
|
2016-03-14 18:05:47 +00:00
|
|
|
ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0777)
|
|
|
|
|
|
|
|
inBytes, _ = ioutil.ReadFile(wd + "reload_ca.pem")
|
|
|
|
certPool := x509.NewCertPool()
|
|
|
|
ok := certPool.AppendCertsFromPEM(inBytes)
|
|
|
|
if !ok {
|
|
|
|
t.Fatal("not ok when appending CA cert")
|
|
|
|
}
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
c := &ServerCommand{
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2016-03-14 18:05:47 +00:00
|
|
|
Ui: ui,
|
|
|
|
},
|
2016-09-30 04:06:40 +00:00
|
|
|
ShutdownCh: MakeShutdownCh(),
|
|
|
|
SighupCh: MakeSighupCh(),
|
2017-08-03 17:24:27 +00:00
|
|
|
PhysicalBackends: map[string]physical.Factory{
|
|
|
|
"file": physFile.NewFileBackend,
|
|
|
|
},
|
2016-03-14 18:05:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
finished := false
|
|
|
|
finishedMutex := sync.Mutex{}
|
|
|
|
|
|
|
|
wg.Add(1)
|
|
|
|
args := []string{"-config", td + "/reload.hcl"}
|
|
|
|
go func() {
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Error("got a non-zero exit status")
|
|
|
|
}
|
|
|
|
finishedMutex.Lock()
|
|
|
|
finished = true
|
|
|
|
finishedMutex.Unlock()
|
|
|
|
wg.Done()
|
|
|
|
}()
|
|
|
|
|
|
|
|
checkFinished := func() {
|
|
|
|
finishedMutex.Lock()
|
|
|
|
if finished {
|
2016-12-21 18:08:27 +00:00
|
|
|
t.Fatalf(fmt.Sprintf("finished early; relhcl was\n%s\nstdout was\n%s\nstderr was\n%s\n", relhcl, ui.OutputWriter.String(), ui.ErrorWriter.String()))
|
2016-03-14 18:05:47 +00:00
|
|
|
}
|
|
|
|
finishedMutex.Unlock()
|
|
|
|
}
|
|
|
|
|
|
|
|
testCertificateName := func(cn string) error {
|
|
|
|
conn, err := tls.Dial("tcp", "127.0.0.1:8203", &tls.Config{
|
|
|
|
RootCAs: certPool,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer conn.Close()
|
|
|
|
if err = conn.Handshake(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
|
|
|
|
if servName != cn {
|
|
|
|
return fmt.Errorf("expected %s, got %s", cn, servName)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
checkFinished()
|
2016-06-27 19:37:25 +00:00
|
|
|
time.Sleep(5 * time.Second)
|
2016-03-14 18:05:47 +00:00
|
|
|
checkFinished()
|
|
|
|
|
|
|
|
if err := testCertificateName("foo.example.com"); err != nil {
|
|
|
|
t.Fatalf("certificate name didn't check out: %s", err)
|
|
|
|
}
|
|
|
|
|
2017-07-31 15:28:06 +00:00
|
|
|
relhcl = strings.Replace(reloadhcl, "TMPDIR", td, -1)
|
|
|
|
inBytes, _ = ioutil.ReadFile(wd + "reload_bar.pem")
|
|
|
|
ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0777)
|
|
|
|
inBytes, _ = ioutil.ReadFile(wd + "reload_bar.key")
|
|
|
|
ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0777)
|
2016-03-14 18:05:47 +00:00
|
|
|
ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0777)
|
|
|
|
|
|
|
|
c.SighupCh <- struct{}{}
|
|
|
|
checkFinished()
|
|
|
|
time.Sleep(2 * time.Second)
|
|
|
|
checkFinished()
|
|
|
|
|
|
|
|
if err := testCertificateName("bar.example.com"); err != nil {
|
|
|
|
t.Fatalf("certificate name didn't check out: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
c.ShutdownCh <- struct{}{}
|
|
|
|
|
|
|
|
wg.Wait()
|
|
|
|
}
|