37320f8798
Add request forwarding.
256 lines
5.5 KiB
Go
256 lines
5.5 KiB
Go
// +build !race
|
|
|
|
package command
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"math/rand"
|
|
"os"
|
|
"strings"
|
|
"sync"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/command/server"
|
|
"github.com/hashicorp/vault/meta"
|
|
"github.com/mitchellh/cli"
|
|
)
|
|
|
|
var (
|
|
basehcl = `
|
|
disable_mlock = true
|
|
|
|
listener "tcp" {
|
|
address = "127.0.0.1:8200"
|
|
tls_disable = "true"
|
|
}
|
|
`
|
|
|
|
consulhcl = `
|
|
backend "consul" {
|
|
prefix = "foo/"
|
|
advertise_addr = "http://127.0.0.1:8200"
|
|
disable_registration = "true"
|
|
}
|
|
`
|
|
haconsulhcl = `
|
|
ha_backend "consul" {
|
|
prefix = "bar/"
|
|
redirect_addr = "http://127.0.0.1:8200"
|
|
disable_registration = "true"
|
|
}
|
|
`
|
|
|
|
badhaconsulhcl = `
|
|
ha_backend "file" {
|
|
path = "/dev/null"
|
|
}
|
|
`
|
|
|
|
reloadhcl = `
|
|
backend "file" {
|
|
path = "/dev/null"
|
|
}
|
|
|
|
disable_mlock = true
|
|
|
|
listener "tcp" {
|
|
address = "127.0.0.1:8203"
|
|
tls_cert_file = "TMPDIR/reload_FILE.pem"
|
|
tls_key_file = "TMPDIR/reload_FILE.key"
|
|
}
|
|
`
|
|
)
|
|
|
|
// The following tests have a go-metrics/exp manager race condition
|
|
func TestServer_CommonHA(t *testing.T) {
|
|
ui := new(cli.MockUi)
|
|
c := &ServerCommand{
|
|
Meta: meta.Meta{
|
|
Ui: ui,
|
|
},
|
|
}
|
|
|
|
tmpfile, err := ioutil.TempFile("", "")
|
|
if err != nil {
|
|
t.Fatalf("error creating temp dir: %v", err)
|
|
}
|
|
|
|
tmpfile.WriteString(basehcl + consulhcl)
|
|
tmpfile.Close()
|
|
defer os.Remove(tmpfile.Name())
|
|
|
|
args := []string{"-config", tmpfile.Name(), "-verify-only", "true"}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
}
|
|
|
|
if !strings.Contains(ui.OutputWriter.String(), "(HA available)") {
|
|
t.Fatalf("did not find HA available: %s", ui.OutputWriter.String())
|
|
}
|
|
}
|
|
|
|
func TestServer_GoodSeparateHA(t *testing.T) {
|
|
ui := new(cli.MockUi)
|
|
c := &ServerCommand{
|
|
Meta: meta.Meta{
|
|
Ui: ui,
|
|
},
|
|
}
|
|
|
|
tmpfile, err := ioutil.TempFile("", "")
|
|
if err != nil {
|
|
t.Fatalf("error creating temp dir: %v", err)
|
|
}
|
|
|
|
tmpfile.WriteString(basehcl + consulhcl + haconsulhcl)
|
|
tmpfile.Close()
|
|
defer os.Remove(tmpfile.Name())
|
|
|
|
args := []string{"-config", tmpfile.Name(), "-verify-only", "true"}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
}
|
|
|
|
if !strings.Contains(ui.OutputWriter.String(), "HA Backend:") {
|
|
t.Fatalf("did not find HA Backend: %s", ui.OutputWriter.String())
|
|
}
|
|
}
|
|
|
|
func TestServer_BadSeparateHA(t *testing.T) {
|
|
ui := new(cli.MockUi)
|
|
c := &ServerCommand{
|
|
Meta: meta.Meta{
|
|
Ui: ui,
|
|
},
|
|
}
|
|
|
|
tmpfile, err := ioutil.TempFile("", "")
|
|
if err != nil {
|
|
t.Fatalf("error creating temp dir: %v", err)
|
|
}
|
|
|
|
tmpfile.WriteString(basehcl + consulhcl + badhaconsulhcl)
|
|
tmpfile.Close()
|
|
defer os.Remove(tmpfile.Name())
|
|
|
|
args := []string{"-config", tmpfile.Name()}
|
|
|
|
if code := c.Run(args); code == 0 {
|
|
t.Fatalf("bad: should have gotten an error on a bad HA config")
|
|
}
|
|
}
|
|
|
|
func TestServer_ReloadListener(t *testing.T) {
|
|
wd, _ := os.Getwd()
|
|
wd += "/server/test-fixtures/reload/"
|
|
|
|
td, err := ioutil.TempDir("", fmt.Sprintf("vault-test-%d", rand.New(rand.NewSource(time.Now().Unix())).Int63))
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
defer os.RemoveAll(td)
|
|
|
|
wg := &sync.WaitGroup{}
|
|
|
|
// Setup initial certs
|
|
inBytes, _ := ioutil.ReadFile(wd + "reload_foo.pem")
|
|
ioutil.WriteFile(td+"/reload_foo.pem", inBytes, 0777)
|
|
inBytes, _ = ioutil.ReadFile(wd + "reload_foo.key")
|
|
ioutil.WriteFile(td+"/reload_foo.key", inBytes, 0777)
|
|
inBytes, _ = ioutil.ReadFile(wd + "reload_bar.pem")
|
|
ioutil.WriteFile(td+"/reload_bar.pem", inBytes, 0777)
|
|
inBytes, _ = ioutil.ReadFile(wd + "reload_bar.key")
|
|
ioutil.WriteFile(td+"/reload_bar.key", inBytes, 0777)
|
|
|
|
relhcl := strings.Replace(strings.Replace(reloadhcl, "TMPDIR", td, -1), "FILE", "foo", -1)
|
|
ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0777)
|
|
|
|
inBytes, _ = ioutil.ReadFile(wd + "reload_ca.pem")
|
|
certPool := x509.NewCertPool()
|
|
ok := certPool.AppendCertsFromPEM(inBytes)
|
|
if !ok {
|
|
t.Fatal("not ok when appending CA cert")
|
|
}
|
|
|
|
ui := new(cli.MockUi)
|
|
c := &ServerCommand{
|
|
Meta: meta.Meta{
|
|
Ui: ui,
|
|
},
|
|
ShutdownCh: MakeShutdownCh(),
|
|
SighupCh: MakeSighupCh(),
|
|
ReloadFuncs: map[string][]server.ReloadFunc{},
|
|
}
|
|
|
|
finished := false
|
|
finishedMutex := sync.Mutex{}
|
|
|
|
wg.Add(1)
|
|
args := []string{"-config", td + "/reload.hcl"}
|
|
go func() {
|
|
if code := c.Run(args); code != 0 {
|
|
t.Error("got a non-zero exit status")
|
|
}
|
|
finishedMutex.Lock()
|
|
finished = true
|
|
finishedMutex.Unlock()
|
|
wg.Done()
|
|
}()
|
|
|
|
checkFinished := func() {
|
|
finishedMutex.Lock()
|
|
if finished {
|
|
t.Fatal(fmt.Sprintf("finished early; relhcl was\n%s\nstdout was\n%s\nstderr was\n%s\n", relhcl, ui.OutputWriter.String(), ui.ErrorWriter.String()))
|
|
}
|
|
finishedMutex.Unlock()
|
|
}
|
|
|
|
testCertificateName := func(cn string) error {
|
|
conn, err := tls.Dial("tcp", "127.0.0.1:8203", &tls.Config{
|
|
RootCAs: certPool,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer conn.Close()
|
|
if err = conn.Handshake(); err != nil {
|
|
return err
|
|
}
|
|
servName := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
|
|
if servName != cn {
|
|
return fmt.Errorf("expected %s, got %s", cn, servName)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
checkFinished()
|
|
time.Sleep(5 * time.Second)
|
|
checkFinished()
|
|
|
|
if err := testCertificateName("foo.example.com"); err != nil {
|
|
t.Fatalf("certificate name didn't check out: %s", err)
|
|
}
|
|
|
|
relhcl = strings.Replace(strings.Replace(reloadhcl, "TMPDIR", td, -1), "FILE", "bar", -1)
|
|
ioutil.WriteFile(td+"/reload.hcl", []byte(relhcl), 0777)
|
|
|
|
c.SighupCh <- struct{}{}
|
|
checkFinished()
|
|
time.Sleep(2 * time.Second)
|
|
checkFinished()
|
|
|
|
if err := testCertificateName("bar.example.com"); err != nil {
|
|
t.Fatalf("certificate name didn't check out: %s", err)
|
|
}
|
|
|
|
c.ShutdownCh <- struct{}{}
|
|
|
|
wg.Wait()
|
|
}
|