open-vault/command/server_test.go

// +build !race
// The server tests have a go-metrics/exp manager race condition :(.

package command

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"net"
	"os"
	"strings"
	"sync"
	"testing"
	"time"

	"github.com/hashicorp/vault/physical"
	"github.com/mitchellh/cli"

	physConsul "github.com/hashicorp/vault/physical/consul"
	physFile "github.com/hashicorp/vault/physical/file"
)

func testRandomPort(tb testing.TB) int {
	tb.Helper()

	addr, err := net.ResolveTCPAddr("tcp", "127.0.0.1:0")
	if err != nil {
		tb.Fatal(err)
	}

	l, err := net.ListenTCP("tcp", addr)
	if err != nil {
		tb.Fatal(err)
	}
	defer l.Close()

	return l.Addr().(*net.TCPAddr).Port
}

func testBaseHCL(tb testing.TB) string {
	tb.Helper()

	return strings.TrimSpace(fmt.Sprintf(`
		disable_mlock = true
		listener "tcp" {
		  address     = "127.0.0.1:%d"
		  tls_disable = "true"
		}
	`, testRandomPort(tb)))
}

const (
	consulHCL = `
backend "consul" {
  prefix               = "foo/"
  advertise_addr       = "http://127.0.0.1:8200"
  disable_registration = "true"
}
`
	haConsulHCL = `
ha_backend "consul" {
  prefix               = "bar/"
  redirect_addr        = "http://127.0.0.1:8200"
  disable_registration = "true"
}
`

	badHAConsulHCL = `
ha_backend "file" {
  path = "/dev/null"
}
`

	reloadHCL = `
backend "file" {
  path = "/dev/null"
}
disable_mlock = true
listener "tcp" {
  address       = "127.0.0.1:8203"
  tls_cert_file = "TMPDIR/reload_cert.pem"
  tls_key_file  = "TMPDIR/reload_key.pem"
}
`
)

func testServerCommand(tb testing.TB) (*cli.MockUi, *ServerCommand) {
	tb.Helper()

	ui := cli.NewMockUi()
	return ui, &ServerCommand{
		BaseCommand: &BaseCommand{
			UI: ui,
		},
		ShutdownCh: MakeShutdownCh(),
		SighupCh:   MakeSighupCh(),
		PhysicalBackends: map[string]physical.Factory{
			"file":   physFile.NewFileBackend,
			"consul": physConsul.NewConsulBackend,
		},

		// These prevent us from random sleep guessing...
		startedCh:  make(chan struct{}, 5),
		reloadedCh: make(chan struct{}, 5),
	}
}

func TestServer_ReloadListener(t *testing.T) {
	t.Parallel()

	wd, _ := os.Getwd()
	wd += "/server/test-fixtures/reload/"

	td, err := ioutil.TempDir("", "vault-test-")
	if err != nil {
		t.Fatal(err)
	}
	defer os.RemoveAll(td)

	wg := &sync.WaitGroup{}

	// Setup initial certs
	inBytes, _ := ioutil.ReadFile(wd + "reload_foo.pem")
	ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0777)
	inBytes, _ = ioutil.ReadFile(wd + "reload_foo.key")
	ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0777)

	relhcl := strings.Replace(reloadHCL, "TMPDIR", td, -1)
	ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0777)

	inBytes, _ = ioutil.ReadFile(wd + "reload_ca.pem")
	certPool := x509.NewCertPool()
	ok := certPool.AppendCertsFromPEM(inBytes)
	if !ok {
		t.Fatal("not ok when appending CA cert")
	}

	ui, cmd := testServerCommand(t)
	_ = ui

	finished := false
	finishedMutex := sync.Mutex{}

	wg.Add(1)
	args := []string{"-config", td + "/reload.hcl"}
	go func() {
		if code := cmd.Run(args); code != 0 {
			output := ui.ErrorWriter.String() + ui.OutputWriter.String()
			t.Errorf("got a non-zero exit status: %s", output)
		}
		finishedMutex.Lock()
		finished = true
		finishedMutex.Unlock()
		wg.Done()
	}()

	testCertificateName := func(cn string) error {
		conn, err := tls.Dial("tcp", "127.0.0.1:8203", &tls.Config{
			RootCAs: certPool,
		})
		if err != nil {
			return err
		}
		defer conn.Close()
		if err = conn.Handshake(); err != nil {
			return err
		}
		servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
		if servName != cn {
			return fmt.Errorf("expected %s, got %s", cn, servName)
		}
		return nil
	}

	select {
	case <-cmd.startedCh:
	case <-time.After(5 * time.Second):
		t.Fatalf("timeout")
	}

	if err := testCertificateName("foo.example.com"); err != nil {
		t.Fatalf("certificate name didn't check out: %s", err)
	}

	relhcl = strings.Replace(reloadHCL, "TMPDIR", td, -1)
	inBytes, _ = ioutil.ReadFile(wd + "reload_bar.pem")
	ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0777)
	inBytes, _ = ioutil.ReadFile(wd + "reload_bar.key")
	ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0777)
	ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0777)

	cmd.SighupCh <- struct{}{}
	select {
	case <-cmd.reloadedCh:
	case <-time.After(5 * time.Second):
		t.Fatalf("timeout")
	}

	if err := testCertificateName("bar.example.com"); err != nil {
		t.Fatalf("certificate name didn't check out: %s", err)
	}

	cmd.ShutdownCh <- struct{}{}

	wg.Wait()
}

func TestServer(t *testing.T) {
	t.Parallel()

	cases := []struct {
		name     string
		contents string
		exp      string
		code     int
	}{
		{
			"common_ha",
			testBaseHCL(t) + consulHCL,
			"(HA available)",
			0,
		},
		{
			"separate_ha",
			testBaseHCL(t) + consulHCL + haConsulHCL,
			"HA Storage:",
			0,
		},
		{
			"bad_separate_ha",
			testBaseHCL(t) + consulHCL + badHAConsulHCL,
			"Specified HA storage does not support HA",
			1,
		},
	}

	for _, tc := range cases {
		tc := tc

		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()

			ui, cmd := testServerCommand(t)
			f, err := ioutil.TempFile("", "")
			if err != nil {
				t.Fatalf("error creating temp dir: %v", err)
			}
			f.WriteString(tc.contents)
			f.Close()
			defer os.Remove(f.Name())

			code := cmd.Run([]string{
				"-config", f.Name(),
				"-test-verify-only",
			})
			output := ui.ErrorWriter.String() + ui.OutputWriter.String()
			if code != tc.code {
				t.Errorf("expected %d to be %d: %s", code, tc.code, output)
			}

			if !strings.Contains(output, tc.exp) {
				t.Fatalf("expected %q to contain %q", output, tc.exp)
			}
		})
	}
}
Add test for HA availability to command/server 2016-02-02 22:47:02 +00:00			`// +build !race`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`// The server tests have a go-metrics/exp manager race condition :(.`
Fix build tag 2016-02-03 13:41:31 +00:00
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`package command`

Add test for HA availability to command/server 2016-02-02 22:47:02 +00:00			`import (`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`"crypto/tls"`
			`"crypto/x509"`
			`"fmt"`
Add test for HA availability to command/server 2016-02-02 22:47:02 +00:00			`"io/ioutil"`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`"net"`
Add test for HA availability to command/server 2016-02-02 22:47:02 +00:00			`"os"`
			`"strings"`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`"sync"`
Add test for HA availability to command/server 2016-02-02 22:47:02 +00:00			`"testing"`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`"time"`
Add test for HA availability to command/server 2016-02-02 22:47:02 +00:00
Migrate physical backends into separate packages (#3106) 2017-08-03 17:24:27 +00:00			`"github.com/hashicorp/vault/physical"`
Add test for HA availability to command/server 2016-02-02 22:47:02 +00:00			`"github.com/mitchellh/cli"`
Migrate physical backends into separate packages (#3106) 2017-08-03 17:24:27 +00:00
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`physConsul "github.com/hashicorp/vault/physical/consul"`
Migrate physical backends into separate packages (#3106) 2017-08-03 17:24:27 +00:00			`physFile "github.com/hashicorp/vault/physical/file"`
Add test for HA availability to command/server 2016-02-02 22:47:02 +00:00			`)`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`func testRandomPort(tb testing.TB) int {`
			`tb.Helper()`
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`addr, err := net.ResolveTCPAddr("tcp", "127.0.0.1:0")`
			`if err != nil {`
			`tb.Fatal(err)`
			`}`

			`l, err := net.ListenTCP("tcp", addr)`
			`if err != nil {`
			`tb.Fatal(err)`
			`}`
			`defer l.Close()`

			`return l.Addr().(*net.TCPAddr).Port`
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`}`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`func testBaseHCL(tb testing.TB) string {`
			`tb.Helper()`

			return strings.TrimSpace(fmt.Sprintf(`
			`disable_mlock = true`
			`listener "tcp" {`
			`address = "127.0.0.1:%d"`
			`tls_disable = "true"`
			`}`
			`, testRandomPort(tb)))
			`}`

			`const (`
			consulHCL = `
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`backend "consul" {`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`prefix = "foo/"`
			`advertise_addr = "http://127.0.0.1:8200"`
			`disable_registration = "true"`
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`}`
			`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			haConsulHCL = `
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`ha_backend "consul" {`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`prefix = "bar/"`
			`redirect_addr = "http://127.0.0.1:8200"`
			`disable_registration = "true"`
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`}`
			`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			badHAConsulHCL = `
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`ha_backend "file" {`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`path = "/dev/null"`
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`}`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			reloadHCL = `
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`backend "file" {`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`path = "/dev/null"`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`}`
			`disable_mlock = true`
			`listener "tcp" {`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`address = "127.0.0.1:8203"`
			`tls_cert_file = "TMPDIR/reload_cert.pem"`
			`tls_key_file = "TMPDIR/reload_key.pem"`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`}`
Allow separate HA physical backend. With no separate backend specified, HA will be attempted on the normal physical backend. Fixes #395. 2015-12-11 20:58:10 +00:00			`
			`)`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`func testServerCommand(tb testing.TB) (cli.MockUi, ServerCommand) {`
			`tb.Helper()`

			`ui := cli.NewMockUi()`
			`return ui, &ServerCommand{`
			`BaseCommand: &BaseCommand{`
			`UI: ui,`
			`},`
			`ShutdownCh: MakeShutdownCh(),`
			`SighupCh: MakeSighupCh(),`
			`PhysicalBackends: map[string]physical.Factory{`
			`"file": physFile.NewFileBackend,`
			`"consul": physConsul.NewConsulBackend,`
			`},`

			`// These prevent us from random sleep guessing...`
			`startedCh: make(chan struct{}, 5),`
			`reloadedCh: make(chan struct{}, 5),`
			`}`
			`}`

Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`func TestServer_ReloadListener(t *testing.T) {`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`t.Parallel()`

Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`wd, _ := os.Getwd()`
			`wd += "/server/test-fixtures/reload/"`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`td, err := ioutil.TempDir("", "vault-test-")`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`defer os.RemoveAll(td)`

			`wg := &sync.WaitGroup{}`

			`// Setup initial certs`
			`inBytes, _ := ioutil.ReadFile(wd + "reload_foo.pem")`
Add a -dev-three-node option for devs. (#3081) 2017-07-31 15:28:06 +00:00			`ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0777)`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`inBytes, _ = ioutil.ReadFile(wd + "reload_foo.key")`
Add a -dev-three-node option for devs. (#3081) 2017-07-31 15:28:06 +00:00			`ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0777)`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`relhcl := strings.Replace(reloadHCL, "TMPDIR", td, -1)`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0777)`

			`inBytes, _ = ioutil.ReadFile(wd + "reload_ca.pem")`
			`certPool := x509.NewCertPool()`
			`ok := certPool.AppendCertsFromPEM(inBytes)`
			`if !ok {`
			`t.Fatal("not ok when appending CA cert")`
			`}`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`ui, cmd := testServerCommand(t)`
			`_ = ui`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00
			`finished := false`
			`finishedMutex := sync.Mutex{}`

			`wg.Add(1)`
			`args := []string{"-config", td + "/reload.hcl"}`
			`go func() {`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`if code := cmd.Run(args); code != 0 {`
Do not fail if api_addr and cluster_addr are empty (#4286) 2018-04-05 16:54:15 +00:00			`output := ui.ErrorWriter.String() + ui.OutputWriter.String()`
			`t.Errorf("got a non-zero exit status: %s", output)`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`}`
			`finishedMutex.Lock()`
			`finished = true`
			`finishedMutex.Unlock()`
			`wg.Done()`
			`}()`

			`testCertificateName := func(cn string) error {`
			`conn, err := tls.Dial("tcp", "127.0.0.1:8203", &tls.Config{`
			`RootCAs: certPool,`
			`})`
			`if err != nil {`
			`return err`
			`}`
			`defer conn.Close()`
			`if err = conn.Handshake(); err != nil {`
			`return err`
			`}`
			`servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName`
			`if servName != cn {`
			`return fmt.Errorf("expected %s, got %s", cn, servName)`
			`}`
			`return nil`
			`}`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`select {`
			`case <-cmd.startedCh:`
			`case <-time.After(5 * time.Second):`
			`t.Fatalf("timeout")`
			`}`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00
			`if err := testCertificateName("foo.example.com"); err != nil {`
			`t.Fatalf("certificate name didn't check out: %s", err)`
			`}`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`relhcl = strings.Replace(reloadHCL, "TMPDIR", td, -1)`
Add a -dev-three-node option for devs. (#3081) 2017-07-31 15:28:06 +00:00			`inBytes, _ = ioutil.ReadFile(wd + "reload_bar.pem")`
			`ioutil.WriteFile(td+"/reload_cert.pem", inBytes, 0777)`
			`inBytes, _ = ioutil.ReadFile(wd + "reload_bar.key")`
			`ioutil.WriteFile(td+"/reload_key.pem", inBytes, 0777)`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00			`ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0777)`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`cmd.SighupCh <- struct{}{}`
			`select {`
			`case <-cmd.reloadedCh:`
			`case <-time.After(5 * time.Second):`
			`t.Fatalf("timeout")`
			`}`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00
			`if err := testCertificateName("bar.example.com"); err != nil {`
			`t.Fatalf("certificate name didn't check out: %s", err)`
			`}`

Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00			`cmd.ShutdownCh <- struct{}{}`
Add test for listener reloading, and update website docs. 2016-03-14 18:05:47 +00:00
			`wg.Wait()`
			`}`
Fix bad rebase Apparently I can't git... 2017-09-22 00:51:12 +00:00
			`func TestServer(t *testing.T) {`
			`t.Parallel()`

			`cases := []struct {`
			`name string`
			`contents string`
			`exp string`
			`code int`
			`}{`
			`{`
			`"common_ha",`
			`testBaseHCL(t) + consulHCL,`
			`"(HA available)",`
			`0,`
			`},`
			`{`
			`"separate_ha",`
			`testBaseHCL(t) + consulHCL + haConsulHCL,`
			`"HA Storage:",`
			`0,`
			`},`
			`{`
			`"bad_separate_ha",`
			`testBaseHCL(t) + consulHCL + badHAConsulHCL,`
			`"Specified HA storage does not support HA",`
			`1,`
			`},`
			`}`

			`for _, tc := range cases {`
			`tc := tc`

			`t.Run(tc.name, func(t *testing.T) {`
			`t.Parallel()`

			`ui, cmd := testServerCommand(t)`
			`f, err := ioutil.TempFile("", "")`
			`if err != nil {`
			`t.Fatalf("error creating temp dir: %v", err)`
			`}`
			`f.WriteString(tc.contents)`
			`f.Close()`
			`defer os.Remove(f.Name())`

			`code := cmd.Run([]string{`
			`"-config", f.Name(),`
			`"-test-verify-only",`
			`})`
			`output := ui.ErrorWriter.String() + ui.OutputWriter.String()`
			`if code != tc.code {`
			`t.Errorf("expected %d to be %d: %s", code, tc.code, output)`
			`}`

			`if !strings.Contains(output, tc.exp) {`
			`t.Fatalf("expected %q to contain %q", output, tc.exp)`
			`}`
			`})`
			`}`
			`}`