Merge branch 'master' into simple-http-5002

ca/certificate-authority_test.go

@@ -98,8 +98,8 @@ const caKeyFile = "../test/test-ca.key"
 const caCertFile = "../test/test-ca.pem"
 
 const (
-	paDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
-	saDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+	paDBConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
+	saDBConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 )
 
 func mustRead(path string) []byte {
@@ -131,13 +131,13 @@ func setup(t *testing.T) *testCtx {
 	if err != nil {
 		t.Fatalf("Failed to create SA: %s", err)
 	}
-	saDBCleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	saDBCleanUp := test.ResetSATestDatabase(t)
 
 	paDbMap, err := sa.NewDbMap(paDBConnStr)
 	test.AssertNotError(t, err, "Could not construct dbMap")
 	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
 	test.AssertNotError(t, err, "Couldn't create PADB")
-	paDBCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+	paDBCleanUp := test.ResetPolicyTestDatabase(t)
 
 	cleanUp := func() {
 		saDBCleanUp()

cmd/cert-checker/main_test.go

@@ -29,8 +29,8 @@ import (
 )
 
 var (
-	saDbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
-	paDbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+	saDbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
+	paDbConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
 )
 
 func BenchmarkCheckCert(b *testing.B) {
@@ -80,10 +80,10 @@ func BenchmarkCheckCert(b *testing.B) {
 func TestCheckCert(t *testing.T) {
 	saDbMap, err := sa.NewDbMap(saDbConnStr)
 	test.AssertNotError(t, err, "Couldn't connect to database")
-	saCleanup := test.ResetTestDatabase(t, saDbMap.Db)
+	saCleanup := test.ResetSATestDatabase(t)
 	paDbMap, err := sa.NewDbMap(paDbConnStr)
 	test.AssertNotError(t, err, "Couldn't connect to policy database")
-	paCleanup := test.ResetTestDatabase(t, paDbMap.Db)
+	paCleanup := test.ResetPolicyTestDatabase(t)
 	defer func() {
 		saCleanup()
 		paCleanup()
@@ -188,8 +188,8 @@ func TestGetAndProcessCerts(t *testing.T) {
 	checker := newChecker(saDbMap, paDbMap, fc, false)
 	sa, err := sa.NewSQLStorageAuthority(saDbMap, fc)
 	test.AssertNotError(t, err, "Couldn't create SA to insert certificates")
-	saCleanUp := test.ResetTestDatabase(t, saDbMap.Db)
-	paCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+	saCleanUp := test.ResetSATestDatabase(t)
+	paCleanUp := test.ResetPolicyTestDatabase(t)
 	defer func() {
 		saCleanUp()
 		paCleanUp()

cmd/expiration-mailer/main_test.go

@@ -146,7 +146,7 @@ var testKey = rsa.PrivateKey{
 	Primes:    []*big.Int{p, q},
 }
 
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://mailer@localhost:3306/boulder_sa_test"
 
 func TestFindExpiringCertificates(t *testing.T) {
 	ctx := setup(t, []time.Duration{time.Hour * 24, time.Hour * 24 * 4, time.Hour * 24 * 7})
@@ -256,17 +256,18 @@ func TestFindExpiringCertificates(t *testing.T) {
 		Status: core.OCSPStatusGood,
 	}
 
-	err = ctx.dbMap.Insert(certA)
+	setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
+	err = setupDBMap.Insert(certA)
 	test.AssertNotError(t, err, "Couldn't add certA")
-	err = ctx.dbMap.Insert(certB)
+	err = setupDBMap.Insert(certB)
 	test.AssertNotError(t, err, "Couldn't add certB")
-	err = ctx.dbMap.Insert(certC)
+	err = setupDBMap.Insert(certC)
 	test.AssertNotError(t, err, "Couldn't add certC")
-	err = ctx.dbMap.Insert(certStatusA)
+	err = setupDBMap.Insert(certStatusA)
 	test.AssertNotError(t, err, "Couldn't add certStatusA")
-	err = ctx.dbMap.Insert(certStatusB)
+	err = setupDBMap.Insert(certStatusB)
 	test.AssertNotError(t, err, "Couldn't add certStatusB")
-	err = ctx.dbMap.Insert(certStatusC)
+	err = setupDBMap.Insert(certStatusC)
 	test.AssertNotError(t, err, "Couldn't add certStatusC")
 
 	log.Clear()
@@ -330,9 +331,10 @@ func TestLifetimeOfACert(t *testing.T) {
 		Status: core.OCSPStatusGood,
 	}
 
-	err = ctx.dbMap.Insert(certA)
+	setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
+	err = setupDBMap.Insert(certA)
 	test.AssertNotError(t, err, "unable to insert Certificate")
-	err = ctx.dbMap.Insert(certStatusA)
+	err = setupDBMap.Insert(certStatusA)
 	test.AssertNotError(t, err, "unable to insert CertificateStatus")
 
 	type lifeTest struct {
@@ -434,9 +436,10 @@ func TestDontFindRevokedCert(t *testing.T) {
 		Status: core.OCSPStatusRevoked,
 	}
 
-	err = ctx.dbMap.Insert(certA)
+	setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
+	err = setupDBMap.Insert(certA)
 	test.AssertNotError(t, err, "unable to insert Certificate")
-	err = ctx.dbMap.Insert(certStatusA)
+	err = setupDBMap.Insert(certStatusA)
 	test.AssertNotError(t, err, "unable to insert CertificateStatus")
 
 	err = ctx.m.findExpiringCertificates()
@@ -449,7 +452,7 @@ func TestDontFindRevokedCert(t *testing.T) {
 
 type testCtx struct {
 	dbMap   *gorp.DbMap
-	ssa     *sa.SQLStorageAuthority
+	ssa     core.StorageAdder
 	mc      *mockMail
 	fc      clock.FakeClock
 	m       *mailer
@@ -457,7 +460,9 @@ type testCtx struct {
 }
 
 func setup(t *testing.T, nagTimes []time.Duration) *testCtx {
-	dbMap, err := sa.NewDbMap(dbConnStr)
+	// We use the test_setup user (which has full permissions to everything)
+	// because the SA we return is used for inserting data to set up the test.
+	dbMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
 	if err != nil {
 		t.Fatalf("Couldn't connect the database: %s", err)
 	}
@@ -466,7 +471,7 @@ func setup(t *testing.T, nagTimes []time.Duration) *testCtx {
 	if err != nil {
 		t.Fatalf("unable to create SQLStorageAuthority: %s", err)
 	}
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	cleanUp := test.ResetSATestDatabase(t)
 
 	stats, _ := statsd.NewNoopClient(nil)
 	mc := &mockMail{}

cmd/ocsp-responder/main_test.go

@@ -13,6 +13,7 @@ import (
 	cfocsp "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/ocsp"
 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/crypto/ocsp"
 	"github.com/letsencrypt/boulder/core"
+	"github.com/letsencrypt/boulder/sa"
 	"github.com/letsencrypt/boulder/test"
 )
 
@@ -61,11 +62,11 @@ func TestHandler(t *testing.T) {
 }
 
 func TestDBHandler(t *testing.T) {
-	src, err := makeDBSource("mysql+tcp://boulder@localhost:3306/boulder_sa_test", "./testdata/test-ca.der.pem", false)
+	src, err := makeDBSource("mysql+tcp://ocsp_resp@localhost:3306/boulder_sa_test", "./testdata/test-ca.der.pem", false)
 	if err != nil {
 		t.Fatalf("makeDBSource: %s", err)
 	}
-	defer test.ResetTestDatabase(t, src.dbMap.Db)
+	defer test.ResetSATestDatabase(t)
 	ocspResp, err := ocsp.ParseResponse(resp, nil)
 	if err != nil {
 		t.Fatalf("ocsp.ParseResponse: %s", err)
@@ -76,7 +77,11 @@ func TestDBHandler(t *testing.T) {
 		OCSPLastUpdated: time.Now(),
 		OCSPResponse:    resp,
 	}
-	err = src.dbMap.Insert(status)
+	setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = setupDBMap.Insert(status)
 	if err != nil {
 		t.Fatalf("unable to insert response: %s", err)
 	}

cmd/ocsp-updater/main_test.go

@@ -47,7 +47,7 @@ func (p *mockPub) SubmitToCT(_ []byte) error {
 	})
 }
 
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 
 var log = mocks.UseMockLog()
 
@@ -61,7 +61,7 @@ func setup(t *testing.T) (OCSPUpdater, core.StorageAuthority, *gorp.DbMap, clock
 	sa, err := sa.NewSQLStorageAuthority(dbMap, fc)
 	test.AssertNotError(t, err, "Failed to create SA")
 
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	cleanUp := test.ResetSATestDatabase(t)
 
 	stats, _ := statsd.NewNoopClient(nil)
 

docs/database/db_users-main.sql

@@ -1,42 +0,0 @@
---
--- Copyright 2015 ISRG.  All rights reserved
--- This Source Code Form is subject to the terms of the Mozilla Public
--- License, v. 2.0. If a copy of the MPL was not distributed with this
--- file, You can obtain one at http://mozilla.org/MPL/2.0/.
---
--- This file defines the default users for the primary database, used by
--- all the parts of Boulder except the Certificate Authority module, which
--- utilizes its own database.
---
-
--- Storage Authority
-CREATE USER `sa`@`%` IDENTIFIED BY 'password';
-GRANT SELECT,INSERT,UPDATE ON authz TO 'sa'@'%';
-GRANT SELECT,INSERT,UPDATE,DELETE ON pendingAuthorizations TO 'sa'@'%';
-GRANT SELECT,INSERT ON certificates TO 'sa'@'%';
-GRANT SELECT,INSERT,UPDATE ON certificateStatus TO 'sa'@'%';
-GRANT SELECT,INSERT ON deniedCSRs TO 'sa'@'%';
-GRANT INSERT ON ocspResponses TO 'sa'@'%';
-GRANT SELECT,INSERT,UPDATE ON registrations TO 'sa'@'%';
-GRANT SELECT,INSERT,UPDATE ON challenges TO 'sa'@'%';
-
--- OCSP Responder
-CREATE USER `ocsp_resp`@`%` IDENTIFIED BY 'password';
-GRANT SELECT ON ocspResponses TO 'ocsp_resp'@'%';
-
--- OCSP Generator Tool (Updater)
-CREATE USER `ocsp_update`@`%` IDENTIFIED BY 'password';
-GRANT INSERT ON ocspResponses TO 'ocsp_update'@'%';
-GRANT SELECT ON certificates TO 'ocsp_update'@'%';
-GRANT SELECT,UPDATE ON certificateStatus TO 'ocsp_update'@'%';
-
--- Revoker Tool
-CREATE USER `revoker`@`%` IDENTIFIED BY 'password';
-GRANT SELECT ON registrations TO 'revoker'@'%';
-GRANT SELECT ON certificates TO 'revoker'@'%';
-GRANT SELECT,INSERT ON deniedCSRs TO 'revoker'@'%';
-
--- External Cert Importer
-CREATE USER `importer`@`%` IDENTIFIED BY 'password';
-GRANT SELECT,INSERT,UPDATE,DELETE ON identifierData TO 'importer'@'%';
-GRANT SELECT,INSERT,UPDATE,DELETE ON externalCerts TO 'importer'@'%';

policy/_db/dbconf.yml

@@ -1,9 +1,6 @@
-development:
-  driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_policy_development
 test:
   driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_policy_test
+  open: root@tcp(localhost:3306)/boulder_policy_test
 integration:
   driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_policy_integration
+  open: root@tcp(localhost:3306)/boulder_policy_integration

policy/policy-authority-data_test.go

@@ -19,7 +19,7 @@ func padbImpl(t *testing.T) (*PolicyAuthorityDatabaseImpl, func()) {
 	padb, err := NewPolicyAuthorityDatabaseImpl(dbMap)
 	test.AssertNotError(t, err, "Couldn't create PADB")
 
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	cleanUp := test.ResetPolicyTestDatabase(t)
 
 	return padb, cleanUp
 }

policy/policy-authority_test.go

@@ -19,7 +19,7 @@ import (
 )
 
 var log = mocks.UseMockLog()
-var dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+var dbConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
 
 func paImpl(t *testing.T) (*PolicyAuthorityImpl, func()) {
 	dbMap, cleanUp := paDBMap(t)
@@ -34,7 +34,7 @@ func paImpl(t *testing.T) (*PolicyAuthorityImpl, func()) {
 func paDBMap(t *testing.T) (*gorp.DbMap, func()) {
 	dbMap, err := sa.NewDbMap(dbConnStr)
 	test.AssertNotError(t, err, "Could not construct dbMap")
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	cleanUp := test.ResetPolicyTestDatabase(t)
 	return dbMap, cleanUp
 }
 

ra/registration-authority_test.go

@@ -122,8 +122,8 @@ var (
 )
 
 const (
-	paDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
-	saDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+	paDBConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
+	saDBConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 )
 
 func makeResponse(ch core.Challenge) (out core.Challenge, err error) {
@@ -165,7 +165,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
 		t.Fatalf("Failed to create SA: %s", err)
 	}
 
-	saDBCleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	saDBCleanUp := test.ResetSATestDatabase(t)
 
 	va := &DummyValidationAuthority{}
 
@@ -192,7 +192,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
 	if err != nil {
 		t.Fatalf("Failed to create dbMap: %s", err)
 	}
-	policyDBCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+	policyDBCleanUp := test.ResetPolicyTestDatabase(t)
 	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
 	test.AssertNotError(t, err, "Couldn't create PA")
 	ca := ca.CertificateAuthorityImpl{

sa/_db/dbconf.yml

@@ -1,9 +1,6 @@
-development:
-  driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_sa_development
 test:
   driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_sa_test
+  open: root@tcp(localhost:3306)/boulder_sa_test
 integration:
   driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_sa_integration
+  open: root@tcp(localhost:3306)/boulder_sa_integration

sa/satest/satest.go

@@ -50,7 +50,7 @@ func CreateWorkingRegistration(t *testing.T, sa core.StorageAuthority) core.Regi
 		CreatedAt: time.Date(2003, 5, 10, 0, 0, 0, 0, time.UTC),
 	})
 	if err != nil {
-		t.Fatalf("Unable to create new registration")
+		t.Fatalf("Unable to create new registration: %s", err)
 	}
 	return reg
 }

sa/storage-authority_test.go

@@ -30,7 +30,7 @@ import (
 	"github.com/letsencrypt/boulder/test"
 )
 
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 
 var log = mocks.UseMockLog()
 
@@ -50,7 +50,8 @@ func initSA(t *testing.T) (*SQLStorageAuthority, clock.FakeClock, func()) {
 	if err != nil {
 		t.Fatalf("Failed to create SA: %s", err)
 	}
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+
+	cleanUp := test.ResetSATestDatabase(t)
 	return sa, fc, cleanUp
 }
 

test/boulder-config.json

@@ -115,7 +115,7 @@
   },
 
   "pa": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+    "dbConnect": "mysql+tcp://policy@localhost:3306/boulder_policy_integration"
   },
 
   "ra": {
@@ -126,7 +126,7 @@
   },
 
   "sa": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+    "dbConnect": "mysql+tcp://sa@localhost:3306/boulder_sa_integration",
     "maxConcurrentRPCServerRequests": 16,
     "debugAddr": "localhost:8003"
   },
@@ -147,11 +147,11 @@
   },
 
   "revoker": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration"
+    "dbConnect": "mysql+tcp://revoker@localhost:3306/boulder_sa_integration"
   },
 
   "ocspResponder": {
-    "source": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+    "source": "mysql+tcp://ocsp_resp@localhost:3306/boulder_sa_integration",
     "path": "/",
     "listenAddress": "localhost:4002",
     "maxAge": "10s",
@@ -161,7 +161,7 @@
   },
 
   "ocspUpdater": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+    "dbConnect": "mysql+tcp://ocsp_update@localhost:3306/boulder_sa_integration",
     "newCertificateWindow": "1s",
     "oldOCSPWindow": "2s",
     "missingSCTWindow": "1m",
@@ -184,7 +184,7 @@
     "port": "25",
     "username": "cert-master@example.com",
     "password": "password",
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+    "dbConnect": "mysql+tcp://mailer@localhost:3306/boulder_sa_integration",
     "messageLimit": 0,
     "nagTimes": ["24h", "72h", "168h", "336h"],
     "emailTemplate": "test/example-expiration-template",
@@ -216,7 +216,7 @@
   },
 
   "certChecker": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration"
+    "dbConnect": "mysql+tcp://cert_checker@localhost:3306/boulder_sa_integration"
   },
 
   "subscriberAgreementURL": "http://localhost:4001/terms/v1"

test/create_db.sh

@@ -1,16 +1,27 @@
 #!/bin/bash
+set -o errexit
 cd $(dirname $0)/..
 source test/db-common.sh
 
+# Drop all users to get a fresh start
+mysql -u root < test/drop_users.sql
+
 for svc in $SERVICES; do
   for dbenv in $DBENVS; do
     db="boulder_${svc}_${dbenv}"
 
-    mysql -u root -e "drop database if exists \`${db}\`; create database if not exists \`${db}\`; grant all privileges on ${db}.* to 'boulder'@'localhost'" || die "unable to create ${db}"
+    (mysql -u root -e "drop database if exists \`${db}\`; create database if not exists \`${db}\`;" || die "unable to create ${db}"
     echo "created empty ${db} database"
 
     goose -path=./$svc/_db/ -env=$dbenv up || die "unable to migrate ${db}"
     echo "migrated ${db} database"
+
+    USERS_SQL=test/${svc}_db_users.sql
+    if [ -f $USERS_SQL ] ; then
+      mysql -u root -D boulder_${svc}_${dbenv} < $USERS_SQL
+    fi) &
   done
 done
+wait
+
 echo "created all databases"

test/db-common.sh

@@ -8,6 +8,5 @@ function die() {
 
 SERVICES="sa
 policy"
-DBENVS="development
-test
+DBENVS="test
 integration"

test/db.go

@@ -2,6 +2,7 @@ package test
 
 import (
 	"database/sql"
+	"fmt"
 	"io"
 	"testing"
 )
@@ -20,15 +21,30 @@ type CleanUpDB interface {
 	io.Closer
 }
 
-// ResetTestDatabase deletes all rows in all tables available to the
-// passed in CleanUpDB, failing the tests if that errors and returning
-// a clean up function that will attempt the same plus close the
-// database.  "Tables available" means all tables that can be seen in
-// the MariaDB configuration by the database user except for ones that
-// are configuration only like goose_db_version (for migrations) or
-// the ones describing the internal configuration of the server.To be
+// ResetSATestDatabase deletes all rows in all tables in the SA DB.
+// If fails the tests if that errors and returns a clean up function
+// that will delete all rows again and close the database.
+// "Tables available" means all tables that can be seen in the MariaDB
+// configuration by the database user except for ones that are
+// configuration only like goose_db_version (for migrations) or
+// the ones describing the internal configuration of the server. To be
 // used only in test code.
-func ResetTestDatabase(t *testing.T, db CleanUpDB) func() {
+func ResetSATestDatabase(t *testing.T) func() {
+	return resetTestDatabase(t, "sa")
+}
+
+// ResetPolicyTestDatabase deletes all rows in all tables in the Policy DB. It
+// acts the same as ResetSATestDatabase.
+func ResetPolicyTestDatabase(t *testing.T) func() {
+	return resetTestDatabase(t, "policy")
+}
+
+func resetTestDatabase(t *testing.T, dbType string) func() {
+	db, err := sql.Open("mysql", fmt.Sprintf("test_setup@tcp(localhost:3306)/boulder_%s_test", dbType))
+	if err != nil {
+		t.Fatalf("Couldn't create db: %s", err)
+	}
+	fmt.Printf("db %#v\n", db)
 	if err := deleteEverythingInAllTables(db); err != nil {
 		t.Fatalf("Failed to delete everything: %s", err)
 	}
@@ -47,7 +63,7 @@ func ResetTestDatabase(t *testing.T, db CleanUpDB) func() {
 func deleteEverythingInAllTables(db CleanUpDB) error {
 	ts, err := allTableNamesInDB(db)
 	if err != nil {
-		return nil
+		return err
 	}
 	for _, tn := range ts {
 		// 1 = 1 here prevents the MariaDB i_am_a_dummy setting from
@@ -57,7 +73,7 @@ func deleteEverythingInAllTables(db CleanUpDB) error {
 			return err
 		}
 	}
-	return nil
+	return err
 }
 
 // allTableNamesInDB returns the names of the tables available to the

test/drop_users.sql

@@ -0,0 +1,22 @@
+-- Before setting up any privileges, we revoke existing ones to make sure we
+-- start from a clean slate.
+-- Note that dropping a non-existing user produces an error that aborts the
+-- script, so we first grant a harmless privilege to each user to ensure it
+-- exists.
+GRANT USAGE ON *.* TO 'policy'@'localhost';
+DROP USER 'policy'@'localhost';
+GRANT USAGE ON *.* TO 'sa'@'localhost';
+DROP USER 'sa'@'localhost';
+GRANT USAGE ON *.* TO 'ocsp_resp'@'localhost';
+DROP USER 'ocsp_resp'@'localhost';
+GRANT USAGE ON *.* TO 'ocsp_update'@'localhost';
+DROP USER 'ocsp_update'@'localhost';
+GRANT USAGE ON *.* TO 'revoker'@'localhost';
+DROP USER 'revoker'@'localhost';
+GRANT USAGE ON *.* TO 'importer'@'localhost';
+DROP USER 'importer'@'localhost';
+GRANT USAGE ON *.* TO 'mailer'@'localhost';
+DROP USER 'mailer'@'localhost';
+GRANT USAGE ON *.* TO 'cert_checker'@'localhost';
+DROP USER 'cert_checker'@'localhost';
+

test/policy_db_users.sql

@@ -0,0 +1,26 @@
+--
+-- Copyright 2015 ISRG.  All rights reserved
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at http://mozilla.org/MPL/2.0/.
+--
+-- This file defines the default users for the primary database, used by
+-- all the parts of Boulder except the Certificate Authority module, which
+-- utilizes its own database.
+--
+
+-- Create users for each component with the appropriate permissions. We want to
+-- drop each user and recreate them, but if the user doesn't already exist, the
+-- drop command will fail. So we grant the dummy `USAGE` privilege to make sure
+-- the user exists and then drop the user.
+
+-- Policy loader, CA, RA
+-- Note: The same config section, "pa" is used by the policy loader (for writes)
+-- and the CA and RA (for reads). So right now we have the one user that has
+-- both read and write permission, even though it would be better to give only
+-- read permission to CA and RA.
+GRANT SELECT,INSERT,DELETE ON blacklist TO 'policy'@'localhost';
+GRANT SELECT,INSERT,DELETE ON whitelist TO 'policy'@'localhost';
+
+-- Test setup and teardown
+GRANT ALL PRIVILEGES ON * to 'test_setup'@'localhost';

test/sa_db_users.sql

@@ -0,0 +1,56 @@
+--
+-- Copyright 2015 ISRG.  All rights reserved
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at http://mozilla.org/MPL/2.0/.
+--
+-- This file defines the default users for the primary database, used by
+-- all the parts of Boulder except the Certificate Authority module, which
+-- utilizes its own database.
+--
+
+-- Create users for each component with the appropriate permissions. We want to
+-- drop each user and recreate them, but if the user doesn't already exist, the
+-- drop command will fail. So we grant the dummy `USAGE` privilege to make sure
+-- the user exists and then drop the user.
+
+-- Storage Authority
+GRANT SELECT,INSERT,UPDATE ON authz TO 'sa'@'localhost';
+GRANT SELECT,INSERT,UPDATE,DELETE ON pendingAuthorizations TO 'sa'@'localhost';
+GRANT SELECT(id,Lockcol) ON pendingAuthorizations TO 'sa'@'localhost';
+GRANT SELECT,INSERT ON certificates TO 'sa'@'localhost';
+GRANT SELECT,INSERT,UPDATE ON certificateStatus TO 'sa'@'localhost';
+GRANT SELECT,INSERT ON issuedNames TO 'sa'@'localhost';
+GRANT SELECT,INSERT ON sctReceipts TO 'sa'@'localhost';
+GRANT SELECT,INSERT ON deniedCSRs TO 'sa'@'localhost';
+GRANT INSERT ON ocspResponses TO 'sa'@'localhost';
+GRANT SELECT,INSERT,UPDATE ON registrations TO 'sa'@'localhost';
+GRANT SELECT,INSERT,UPDATE ON challenges TO 'sa'@'localhost';
+
+-- OCSP Responder
+GRANT SELECT ON certificateStatus TO 'ocsp_resp'@'localhost';
+GRANT SELECT ON ocspResponses TO 'ocsp_resp'@'localhost';
+
+-- OCSP Generator Tool (Updater)
+GRANT INSERT ON ocspResponses TO 'ocsp_update'@'localhost';
+GRANT SELECT ON certificates TO 'ocsp_update'@'localhost';
+GRANT SELECT,UPDATE ON certificateStatus TO 'ocsp_update'@'localhost';
+
+-- Revoker Tool
+GRANT SELECT ON registrations TO 'revoker'@'localhost';
+GRANT SELECT ON certificates TO 'revoker'@'localhost';
+GRANT SELECT,INSERT ON deniedCSRs TO 'revoker'@'localhost';
+
+-- External Cert Importer
+GRANT SELECT,INSERT,UPDATE,DELETE ON identifierData TO 'importer'@'localhost';
+GRANT SELECT,INSERT,UPDATE,DELETE ON externalCerts TO 'importer'@'localhost';
+
+-- Expiration mailer
+GRANT SELECT ON certificates TO 'mailer'@'localhost';
+GRANT SELECT,UPDATE ON certificateStatus TO 'mailer'@'localhost';
+
+-- Cert checker
+GRANT SELECT ON certificates TO 'cert_checker'@'localhost';
+
+-- Test setup and teardown
+GRANT ALL PRIVILEGES ON * to 'test_setup'@'localhost';