manager_test.go

package acmeserver

import (
	"context"
	"crypto"
	"crypto/x509"
	"errors"
	"io/ioutil"
	"os"
	"path/filepath"
	"testing"
	"time"
)

// A CertGenerator that is just very slow (and will return an error
// in any case).
type slowACME struct{}

func (s *slowACME) GetCertificate(ctx context.Context, _ crypto.Signer, _ *certConfig) ([][]byte, *x509.Certificate, error) {
	t := time.After(60 * time.Second)
	select {
	case <-t:
		return nil, nil, errors.New("timed out")
	case <-ctx.Done():
		return nil, nil, ctx.Err()
	}
}

func newTestConfig(dir string) *Config {
	c := Config{
		Dirs:           []string{filepath.Join(dir, "config")},
		AccountKeyPath: filepath.Join(dir, "account.key"),
		Email:          "test@example.com",
	}
	c.Output.Path = filepath.Join(dir, "certs")
	return &c
}

// Create a new test function.
// The first function returned is a cleanup callback.
// The second function returned is the cancel callback.
func newTestManager(t testing.TB, g CertGenerator) (func(), context.CancelFunc, *Manager) {
	dir, err := ioutil.TempDir("", "")
	if err != nil {
		t.Fatal(err)
	}

	os.Mkdir(filepath.Join(dir, "config"), 0700)
	ioutil.WriteFile(
		filepath.Join(dir, "config", "test.yml"),
		[]byte("- { names: [example.com] }\n"),
		0644,
	)

	m, err := NewManager(newTestConfig(dir), g)
	if err != nil {
		t.Fatal(err)
	}

	ctx, cancel := context.WithCancel(context.Background())
	if err := m.Start(ctx); err != nil {
		t.Fatal("Start:", err)
	}

	// Wait just a little bit to give a chance to m.loop() to run.
	time.Sleep(50 * time.Millisecond)

	return func() {
		cancel()
		m.Wait()
		os.RemoveAll(dir)
	}, cancel, m
}

func TestManager_Reload(t *testing.T) {
	cleanup, _, m := newTestManager(t, NewSelfSignedCertGenerator())
	defer cleanup()

	// Data race: we read data owned by another goroutine!
	if len(m.certs) < 1 {
		t.Fatal("configuration not loaded?")
	}
	if m.certs[0].cn() != "example.com" {
		t.Fatalf("certs[0].cn() is %s, expected example.com", m.certs[0].cn())
	}

	// Try a reload, catch obvious errors.
	m.Reload()
	time.Sleep(50 * time.Millisecond)

	if len(m.certs) != 1 {
		t.Fatalf("certs count is %d, expected 1", len(m.certs))
	}
	if m.certs[0].cn() != "example.com" {
		t.Fatalf("certs[0].cn() is %s, expected example.com", m.certs[0].cn())
	}
}

func TestManager_NewCert(t *testing.T) {
	cleanup, _, m := newTestManager(t, NewSelfSignedCertGenerator())
	defer cleanup()

	now := time.Now()
	ci := m.certs[0]
	if ci.retryDeadline.After(now) {
		t.Fatalf("retry deadline is in the future: %v", ci.retryDeadline)
	}

	testUpdateCh <- true
	time.Sleep(100 * time.Millisecond)

	// Verify that the retry/renewal timestamp is in the future.
	if ci.retryDeadline.Before(now) {
		t.Fatalf("retry deadline is in the past after renewal: %v", ci.retryDeadline)
	}

	// Do we think we have a valid certificate?
	if !ci.valid {
		t.Fatal("we don't have a valid certificate")
	}

	// Verify that the credentials have successfully been written
	// to storage.
	p := filepath.Join(m.configDirs[0], "../certs/example.com/cert.pem")
	if _, err := os.Stat(p); err != nil {
		t.Fatalf("file not created: %v", err)
	}
	p = filepath.Join(m.configDirs[0], "../certs/example.com/private_key.pem")
	if _, err := os.Stat(p); err != nil {
		t.Fatalf("file not created: %v", err)
	}

	// By triggering a reload now, we should cause the Manager to
	// reload the certificate from storage.
	m.Reload()
	time.Sleep(50 * time.Millisecond)

	ci = m.certs[0]
	if !ci.valid {
		t.Fatal("certificate is invalid after a reload")
	}
}

func TestManager_CancelUpdate(t *testing.T) {
	start := time.Now()
	cleanup, cancel, m := newTestManager(t, &slowACME{})
	defer cleanup()

	time.Sleep(100 * time.Millisecond)
	cancel()
	m.Wait()
	elapsed := time.Since(start)
	if elapsed > 1*time.Second {
		t.Fatalf("too much time elapsed (%fs), canceling didn't work?", elapsed.Seconds())
	}
}