diff --git a/ca/certificate-authority_test.go b/ca/certificate-authority_test.go
index a52c342b4..0fc0403d3 100644
--- a/ca/certificate-authority_test.go
+++ b/ca/certificate-authority_test.go
@@ -98,8 +98,8 @@ const caKeyFile = "../test/test-ca.key"
 const caCertFile = "../test/test-ca.pem"
 
 const (
- paDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
- saDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+ paDBConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
+ saDBConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 )
 
 func mustRead(path string) []byte {
@@ -131,13 +131,13 @@ func setup(t *testing.T) *testCtx {
 if err != nil {
 t.Fatalf("Failed to create SA: %s", err)
 }
- saDBCleanUp := test.ResetTestDatabase(t, dbMap.Db)
+ saDBCleanUp := test.ResetSATestDatabase(t)
 
 paDbMap, err := sa.NewDbMap(paDBConnStr)
 test.AssertNotError(t, err, "Could not construct dbMap")
 
 pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
 test.AssertNotError(t, err, "Couldn't create PADB")
- paDBCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+ paDBCleanUp := test.ResetPolicyTestDatabase(t)
 
 cleanUp := func() {
 saDBCleanUp()
diff --git a/cmd/cert-checker/main_test.go b/cmd/cert-checker/main_test.go
index 47c01d3d7..03ffdf3a5 100644
--- a/cmd/cert-checker/main_test.go
+++ b/cmd/cert-checker/main_test.go
@@ -29,8 +29,8 @@ import (
 )
 
 var (
- saDbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
- paDbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+ saDbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
+ paDbConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
 )
 
 func BenchmarkCheckCert(b *testing.B) {
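Review bot: The `policy` and `sa` connection strings in the `const` block of this hunk are spelled out as literals and then repeated verbatim in cmd/cert-checker, ra and sa test files elsewhere in this diff, so a later change of host, port or account name has to be made in every copy and a missed one silently keeps testing against the wrong user. A pair of exported constants in the `test` package (which already owns the per-database reset helpers) would leave a single place to change, e.g. `const SADBConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"`. The same applies to the `test_setup` DSN that several later hunks hard-code.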
@@ -80,10 +80,10 @@ func BenchmarkCheckCert(b *testing.B) {
 func TestCheckCert(t *testing.T) {
 saDbMap, err := sa.NewDbMap(saDbConnStr)
 test.AssertNotError(t, err, "Couldn't connect to database")
- saCleanup := test.ResetTestDatabase(t, saDbMap.Db)
+ saCleanup := test.ResetSATestDatabase(t)
 paDbMap, err := sa.NewDbMap(paDbConnStr)
 test.AssertNotError(t, err, "Couldn't connect to policy database")
- paCleanup := test.ResetTestDatabase(t, paDbMap.Db)
+ paCleanup := test.ResetPolicyTestDatabase(t)
 defer func() {
 saCleanup()
 paCleanup()
@@ -188,8 +188,8 @@ func TestGetAndProcessCerts(t *testing.T) {
 checker := newChecker(saDbMap, paDbMap, fc, false)
 sa, err := sa.NewSQLStorageAuthority(saDbMap, fc)
 test.AssertNotError(t, err, "Couldn't create SA to insert certificates")
- saCleanUp := test.ResetTestDatabase(t, saDbMap.Db)
- paCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+ saCleanUp := test.ResetSATestDatabase(t)
+ paCleanUp := test.ResetPolicyTestDatabase(t)
 defer func() {
 saCleanUp()
 paCleanUp()
diff --git a/cmd/expiration-mailer/main_test.go b/cmd/expiration-mailer/main_test.go
index 147a3c1f6..f56861154 100644
--- a/cmd/expiration-mailer/main_test.go
+++ b/cmd/expiration-mailer/main_test.go
@@ -146,7 +146,7 @@ var testKey = rsa.PrivateKey{
 Primes: []*big.Int{p, q},
 }
 
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://mailer@localhost:3306/boulder_sa_test"
 
 func TestFindExpiringCertificates(t *testing.T) {
 ctx := setup(t, []time.Duration{time.Hour * 24, time.Hour * 24 * 4, time.Hour * 24 * 7})
@@ -256,17 +256,18 @@ func TestFindExpiringCertificates(t *testing.T) {
 Status: core.OCSPStatusGood,
 }
 
- err = ctx.dbMap.Insert(certA)
+ setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
+ err = setupDBMap.Insert(certA)
 test.AssertNotError(t, err, "Couldn't add certA")
- err = ctx.dbMap.Insert(certB)
+ err = setupDBMap.Insert(certB)
 test.AssertNotError(t, err, "Couldn't add certB")
- err = ctx.dbMap.Insert(certC)
+ err = setupDBMap.Insert(certC)
 test.AssertNotError(t, err, "Couldn't add certC")
- err = ctx.dbMap.Insert(certStatusA)
+ err = setupDBMap.Insert(certStatusA)
 test.AssertNotError(t, err, "Couldn't add certStatusA")
- err = ctx.dbMap.Insert(certStatusB)
+ err = setupDBMap.Insert(certStatusB)
 test.AssertNotError(t, err, "Couldn't add certStatusB")
- err = ctx.dbMap.Insert(certStatusC)
+ err = setupDBMap.Insert(certStatusC)
 test.AssertNotError(t, err, "Couldn't add certStatusC")
 
 log.Clear()
@@ -330,9 +331,10 @@ func TestLifetimeOfACert(t *testing.T) {
 Status: core.OCSPStatusGood,
 }
 
- err = ctx.dbMap.Insert(certA)
+ setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
+ err = setupDBMap.Insert(certA)
 test.AssertNotError(t, err, "unable to insert Certificate")
- err = ctx.dbMap.Insert(certStatusA)
+ err = setupDBMap.Insert(certStatusA)
 test.AssertNotError(t, err, "unable to insert CertificateStatus")
 
 type lifeTest struct {
@@ -434,9 +436,10 @@ func TestDontFindRevokedCert(t *testing.T) {
 Status: core.OCSPStatusRevoked,
 }
 
- err = ctx.dbMap.Insert(certA)
+ setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
+ err = setupDBMap.Insert(certA)
 test.AssertNotError(t, err, "unable to insert Certificate")
- err = ctx.dbMap.Insert(certStatusA)
+ err = setupDBMap.Insert(certStatusA)
 test.AssertNotError(t, err, "unable to insert CertificateStatus")
 
 err = ctx.m.findExpiringCertificates()
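Review bot: The error returned by `sa.NewDbMap(...)` on the first added line is overwritten by `err = setupDBMap.Insert(certA)` on the very next line without being checked, so a bad DSN or driver failure leaves `setupDBMap` nil and the test dies on a nil dereference inside `Insert` instead of reporting why. Insert `test.AssertNotError(t, err, "Couldn't create setup dbMap")` between the two lines, the way the ocsp-responder hunk in this same diff checks its `setupDBMap` with `t.Fatal(err)`. The same unchecked pattern is repeated in the `TestLifetimeOfACert` and `TestDontFindRevokedCert` hunks below, and none of the three `setupDBMap` handles is ever closed. All three enclosing functions start before and end after their hunks.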
@@ -449,7 +452,7 @@ func TestDontFindRevokedCert(t *testing.T) {
 
 type testCtx struct {
 dbMap *gorp.DbMap
- ssa *sa.SQLStorageAuthority
+ ssa core.StorageAdder
 mc *mockMail
 fc clock.FakeClock
 m *mailer
@@ -457,7 +460,9 @@ type testCtx struct {
 }
 
 func setup(t *testing.T, nagTimes []time.Duration) *testCtx {
- dbMap, err := sa.NewDbMap(dbConnStr)
+ // We use the test_setup user (which has full permissions to everything)
+ // because the SA we return is used for inserting data to set up the test.
+ dbMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
 if err != nil {
 t.Fatalf("Couldn't connect the database: %s", err)
 }
@@ -466,7 +471,7 @@ func setup(t *testing.T, nagTimes []time.Duration) *testCtx {
 if err != nil {
 t.Fatalf("unable to create SQLStorageAuthority: %s", err)
 }
- cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+ cleanUp := test.ResetSATestDatabase(t)
 
 stats, _ := statsd.NewNoopClient(nil)
 mc := &mockMail{}
diff --git a/cmd/ocsp-responder/main_test.go b/cmd/ocsp-responder/main_test.go
index 8d9bafdf7..2768aa6d6 100644
--- a/cmd/ocsp-responder/main_test.go
+++ b/cmd/ocsp-responder/main_test.go
@@ -13,6 +13,7 @@ import (
 cfocsp "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/ocsp"
 "github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/crypto/ocsp"
 "github.com/letsencrypt/boulder/core"
+ "github.com/letsencrypt/boulder/sa"
 "github.com/letsencrypt/boulder/test"
 )
 
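Review bot: With `setup` now opening its only `dbMap` as `test_setup`, the `mailer` that `setup` builds later (outside this hunk) presumably also runs with `GRANT ALL`, so the test never exercises the restricted `mailer` account this diff introduces and a missing grant would only show up in the integration run; `dbConnStr`, which this diff re-points at the `mailer` user, is not referenced in this hunk. Keep two handles: the `test_setup` map for fixture inserts (as the comment explains) and `dbMap, err := sa.NewDbMap(dbConnStr)` for the component under test. The `test_setup` DSN literal is also repeated in three other functions of this file and belongs in one constant. `setup` continues past the hunk.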
@@ -61,11 +62,11 @@ func TestHandler(t *testing.T) {
 }
 
 func TestDBHandler(t *testing.T) {
- src, err := makeDBSource("mysql+tcp://boulder@localhost:3306/boulder_sa_test", "./testdata/test-ca.der.pem", false)
+ src, err := makeDBSource("mysql+tcp://ocsp_resp@localhost:3306/boulder_sa_test", "./testdata/test-ca.der.pem", false)
 if err != nil {
 t.Fatalf("makeDBSource: %s", err)
 }
- defer test.ResetTestDatabase(t, src.dbMap.Db)
+ defer test.ResetSATestDatabase(t)
 ocspResp, err := ocsp.ParseResponse(resp, nil)
 if err != nil {
 t.Fatalf("ocsp.ParseResponse: %s", err)
@@ -76,7 +77,11 @@ func TestDBHandler(t *testing.T) {
 OCSPLastUpdated: time.Now(),
 OCSPResponse: resp,
 }
- err = src.dbMap.Insert(status)
+ setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
+ if err != nil {
+ t.Fatal(err)
+ }
+ err = setupDBMap.Insert(status)
 if err != nil {
 t.Fatalf("unable to insert response: %s", err)
 }
diff --git a/cmd/ocsp-updater/main_test.go b/cmd/ocsp-updater/main_test.go
index 6890db7aa..f4c2a2807 100644
--- a/cmd/ocsp-updater/main_test.go
+++ b/cmd/ocsp-updater/main_test.go
@@ -47,7 +47,7 @@ func (p *mockPub) SubmitToCT(_ []byte) error {
 })
 }
 
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 
 var log = mocks.UseMockLog()
 
@@ -61,7 +61,7 @@ func setup(t *testing.T) (OCSPUpdater, core.StorageAuthority, *gorp.DbMap, clock
 sa, err := sa.NewSQLStorageAuthority(dbMap, fc)
 test.AssertNotError(t, err, "Failed to create SA")
 
- cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+ cleanUp := test.ResetSATestDatabase(t)
 
 stats, _ := statsd.NewNoopClient(nil)
 
diff --git a/docs/database/db_users-main.sql b/docs/database/db_users-main.sql
deleted file mode 100644
index 2e9ad68e5..000000000
--- a/docs/database/db_users-main.sql
+++ /dev/null
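Review bot: `defer test.ResetSATestDatabase(t)` is not the two-step pattern every other call site in this diff uses: `ResetSATestDatabase` returns a cleanup closure, so deferring the call itself means the tables are wiped only when the test returns, nothing is reset before the test body runs, and the returned closure — which per its doc comment is what closes the connection that `resetTestDatabase` opens as `test_setup` — is thrown away, leaking that handle on every run. Replace the line with `cleanUp := test.ResetSATestDatabase(t)` followed by `defer cleanUp()`. The `setupDBMap` created in the next hunk is likewise never closed. `TestDBHandler` continues past both hunks.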
@@ -1,42 +0,0 @@
---
--- Copyright 2015 ISRG. All rights reserved
--- This Source Code Form is subject to the terms of the Mozilla Public
--- License, v. 2.0. If a copy of the MPL was not distributed with this
--- file, You can obtain one at http://mozilla.org/MPL/2.0/.
---
--- This file defines the default users for the primary database, used by
--- all the parts of Boulder except the Certificate Authority module, which
--- utilizes its own database.
---
-
-- Storage Authority
-CREATE USER `sa`@`%` IDENTIFIED BY 'password';
-GRANT SELECT,INSERT,UPDATE ON authz TO 'sa'@'%';
-GRANT SELECT,INSERT,UPDATE,DELETE ON pendingAuthorizations TO 'sa'@'%';
-GRANT SELECT,INSERT ON certificates TO 'sa'@'%';
-GRANT SELECT,INSERT,UPDATE ON certificateStatus TO 'sa'@'%';
-GRANT SELECT,INSERT ON deniedCSRs TO 'sa'@'%';
-GRANT INSERT ON ocspResponses TO 'sa'@'%';
-GRANT SELECT,INSERT,UPDATE ON registrations TO 'sa'@'%';
-GRANT SELECT,INSERT,UPDATE ON challenges TO 'sa'@'%';
-
-- OCSP Responder
-CREATE USER `ocsp_resp`@`%` IDENTIFIED BY 'password';
-GRANT SELECT ON ocspResponses TO 'ocsp_resp'@'%';
-
-- OCSP Generator Tool (Updater)
-CREATE USER `ocsp_update`@`%` IDENTIFIED BY 'password';
-GRANT INSERT ON ocspResponses TO 'ocsp_update'@'%';
-GRANT SELECT ON certificates TO 'ocsp_update'@'%';
-GRANT SELECT,UPDATE ON certificateStatus TO 'ocsp_update'@'%';
-
-- Revoker Tool
-CREATE USER `revoker`@`%` IDENTIFIED BY 'password';
-GRANT SELECT ON registrations TO 'revoker'@'%';
-GRANT SELECT ON certificates TO 'revoker'@'%';
-GRANT SELECT,INSERT ON deniedCSRs TO 'revoker'@'%';
-
-- External Cert Importer
-CREATE USER `importer`@`%` IDENTIFIED BY 'password';
-GRANT SELECT,INSERT,UPDATE,DELETE ON identifierData TO 'importer'@'%';
-GRANT SELECT,INSERT,UPDATE,DELETE ON externalCerts TO 'importer'@'%';
diff --git a/policy/_db/dbconf.yml b/policy/_db/dbconf.yml
index 74496c6cc..f3baf0b87 100644
--- a/policy/_db/dbconf.yml
+++ b/policy/_db/dbconf.yml
@@ -1,9 +1,6 @@
-development:
- driver: mysql
- open: boulder@tcp(localhost:3306)/boulder_policy_development
 test:
 driver: mysql
- open: boulder@tcp(localhost:3306)/boulder_policy_test
+ open: root@tcp(localhost:3306)/boulder_policy_test
 integration:
 driver: mysql
- open: boulder@tcp(localhost:3306)/boulder_policy_integration
+ open: root@tcp(localhost:3306)/boulder_policy_integration
diff --git a/policy/policy-authority-data_test.go b/policy/policy-authority-data_test.go
index 81137617d..73a69ae1a 100644
--- a/policy/policy-authority-data_test.go
+++ b/policy/policy-authority-data_test.go
@@ -19,7 +19,7 @@ func padbImpl(t *testing.T) (*PolicyAuthorityDatabaseImpl, func()) {
 padb, err := NewPolicyAuthorityDatabaseImpl(dbMap)
 test.AssertNotError(t, err, "Couldn't create PADB")
 
- cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+ cleanUp := test.ResetPolicyTestDatabase(t)
 
 return padb, cleanUp
 }
diff --git a/policy/policy-authority_test.go b/policy/policy-authority_test.go
index 1ffddf203..28a77665b 100644
--- a/policy/policy-authority_test.go
+++ b/policy/policy-authority_test.go
@@ -19,7 +19,7 @@ import (
 )
 
 var log = mocks.UseMockLog()
-var dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+var dbConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
 
 func paImpl(t *testing.T) (*PolicyAuthorityImpl, func()) {
 dbMap, cleanUp := paDBMap(t)
@@ -34,7 +34,7 @@ func paImpl(t *testing.T) (*PolicyAuthorityImpl, func()) {
 func paDBMap(t *testing.T) (*gorp.DbMap, func()) {
 dbMap, err := sa.NewDbMap(dbConnStr)
 test.AssertNotError(t, err, "Could not construct dbMap")
- cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+ cleanUp := test.ResetPolicyTestDatabase(t)
 return dbMap, cleanUp
 }
 
diff --git a/ra/registration-authority_test.go b/ra/registration-authority_test.go
index 42b8bbb8c..a763855be 100644
--- a/ra/registration-authority_test.go
+++ b/ra/registration-authority_test.go
@@ -122,8 +122,8 @@ var (
 )
 
 const (
- paDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
- saDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+ paDBConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
+ saDBConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 )
 
 func makeResponse(ch core.Challenge) (out core.Challenge, err error) {
@@ -165,7 +165,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
 t.Fatalf("Failed to create SA: %s", err)
 }
 
- saDBCleanUp := test.ResetTestDatabase(t, dbMap.Db)
+ saDBCleanUp := test.ResetSATestDatabase(t)
 
 va := &DummyValidationAuthority{}
 
@@ -192,7 +192,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
 if err != nil {
 t.Fatalf("Failed to create dbMap: %s", err)
 }
- policyDBCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+ policyDBCleanUp := test.ResetPolicyTestDatabase(t)
 pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
 test.AssertNotError(t, err, "Couldn't create PA")
 ca := ca.CertificateAuthorityImpl{
diff --git a/sa/_db/dbconf.yml b/sa/_db/dbconf.yml
index 0d401f504..24f84cf9d 100644
--- a/sa/_db/dbconf.yml
+++ b/sa/_db/dbconf.yml
@@ -1,9 +1,6 @@
-development:
- driver: mysql
- open: boulder@tcp(localhost:3306)/boulder_sa_development
 test:
 driver: mysql
- open: boulder@tcp(localhost:3306)/boulder_sa_test
+ open: root@tcp(localhost:3306)/boulder_sa_test
 integration:
 driver: mysql
- open: boulder@tcp(localhost:3306)/boulder_sa_integration
\ No newline at end of file
+ open: root@tcp(localhost:3306)/boulder_sa_integration
diff --git a/sa/satest/satest.go b/sa/satest/satest.go
index 268185b78..280791fcc 100644
--- a/sa/satest/satest.go
+++ b/sa/satest/satest.go
@@ -50,7 +50,7 @@ func CreateWorkingRegistration(t *testing.T, sa core.StorageAuthority) core.Regi
 CreatedAt: time.Date(2003, 5, 10, 0, 0, 0, 0, time.UTC),
 })
 if err != nil {
- t.Fatalf("Unable to create new registration")
+ t.Fatalf("Unable to create new registration: %s", err)
 }
 return reg
 }
diff --git a/sa/storage-authority_test.go b/sa/storage-authority_test.go
index 869b9a7dd..0709e7956 100644
--- a/sa/storage-authority_test.go
+++ b/sa/storage-authority_test.go
@@ -30,7 +30,7 @@ import (
 "github.com/letsencrypt/boulder/test"
 )
 
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 
 var log = mocks.UseMockLog()
 
@@ -50,7 +50,8 @@ func initSA(t *testing.T) (*SQLStorageAuthority, clock.FakeClock, func()) {
 if err != nil {
 t.Fatalf("Failed to create SA: %s", err)
 }
- cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+
+ cleanUp := test.ResetSATestDatabase(t)
 return sa, fc, cleanUp
 }
 
diff --git a/test/boulder-config.json b/test/boulder-config.json
index 939ba26ac..32f307d5a 100644
--- a/test/boulder-config.json
+++ b/test/boulder-config.json
@@ -115,7 +115,7 @@
 },
 
 "pa": {
- "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+ "dbConnect": "mysql+tcp://policy@localhost:3306/boulder_policy_integration"
 },
 
 "ra": {
@@ -126,7 +126,7 @@
 },
 
 "sa": {
- "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+ "dbConnect": "mysql+tcp://sa@localhost:3306/boulder_sa_integration",
 "maxConcurrentRPCServerRequests": 16,
 "debugAddr": "localhost:8003"
 },
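Review bot: Besides swapping the account, the `pa` hunk also moves the database from `boulder_policy_test` to `boulder_policy_integration`, so the integration run stops sharing tables with `go test`, whose `ResetPolicyTestDatabase` wipes every row in the `_test` database. That is a genuine fix for a cross-run interference problem, but it is the only database change in this config and nothing in the diff calls it out; it deserves a sentence in the commit message so it is not mistaken for a typo and reverted.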
@@ -147,11 +147,11 @@
 },
 
 "revoker": {
- "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration"
+ "dbConnect": "mysql+tcp://revoker@localhost:3306/boulder_sa_integration"
 },
 
 "ocspResponder": {
- "source": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+ "source": "mysql+tcp://ocsp_resp@localhost:3306/boulder_sa_integration",
 "path": "/",
 "listenAddress": "localhost:4002",
 "maxAge": "10s",
@@ -161,7 +161,7 @@
 },
 
 "ocspUpdater": {
- "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+ "dbConnect": "mysql+tcp://ocsp_update@localhost:3306/boulder_sa_integration",
 "newCertificateWindow": "1s",
 "oldOCSPWindow": "2s",
 "missingSCTWindow": "1m",
@@ -184,7 +184,7 @@
 "port": "25",
 "username": "cert-master@example.com",
 "password": "password",
- "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+ "dbConnect": "mysql+tcp://mailer@localhost:3306/boulder_sa_integration",
 "messageLimit": 0,
 "nagTimes": ["24h", "72h", "168h", "336h"],
 "emailTemplate": "test/example-expiration-template",
@@ -216,7 +216,7 @@
 },
 
 "certChecker": {
- "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration"
+ "dbConnect": "mysql+tcp://cert_checker@localhost:3306/boulder_sa_integration"
 },
 
 "subscriberAgreementURL": "http://localhost:4001/terms/v1"
diff --git a/test/create_db.sh b/test/create_db.sh
index 138b49351..4bcac8a58 100755
--- a/test/create_db.sh
+++ b/test/create_db.sh
@@ -1,16 +1,27 @@
 #!/bin/bash
+set -o errexit
 cd $(dirname $0)/..
 source test/db-common.sh
 
+# Drop all users to get a fresh start
+mysql -u root < test/drop_users.sql
+
 for svc in $SERVICES; do
 for dbenv in $DBENVS; do
 db="boulder_${svc}_${dbenv}"
- mysql -u root -e "drop database if exists \`${db}\`; create database if not exists \`${db}\`; grant all privileges on ${db}.* to 'boulder'@'localhost'" || die "unable to create ${db}"
+ (mysql -u root -e "drop database if exists \`${db}\`; create database if not exists \`${db}\`;" || die "unable to create ${db}"
 echo "created empty ${db} database"
 goose -path=./$svc/_db/ -env=$dbenv up || die "unable to migrate ${db}"
 echo "migrated ${db} database"
+
+ USERS_SQL=test/${svc}_db_users.sql
+ if [ -f $USERS_SQL ] ; then
+ mysql -u root -D boulder_${svc}_${dbenv} < $USERS_SQL
+ fi) &
 done
 done
+wait
+
 
 echo "created all databases"
diff --git a/test/db-common.sh b/test/db-common.sh
index a91f5e930..622da86a9 100644
--- a/test/db-common.sh
+++ b/test/db-common.sh
@@ -8,6 +8,5 @@ function die() {
 
 SERVICES="sa policy"
 
-DBENVS="development
-test
+DBENVS="test
 integration"
diff --git a/test/db.go b/test/db.go
index ee766d3d8..d9e89764c 100644
--- a/test/db.go
+++ b/test/db.go
@@ -2,6 +2,7 @@ package test
 
 import (
 "database/sql"
+ "fmt"
 "io"
 "testing"
 )
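Review bot: `set -o errexit` does not cover the work this hunk moves into `( ... ) &` subshells: a `die` inside a backgrounded subshell only terminates that subshell, and a bare `wait` exits 0 whatever the children returned, so a failed `goose` migration or a failed `mysql -u root -D ... < $USERS_SQL` import (which also has no `|| die`) is swallowed and the script still prints "created all databases" with a zero exit status, leaving CI to fail later with a confusing access-denied error. Record each job and wait on it individually: `pids+=($!)` after the `&`, and `for pid in "${pids[@]}"; do wait "$pid" || die "database setup failed"; done` in place of the bare `wait`. `$USERS_SQL` should also be quoted in the `[ -f ... ]` test and in the redirection, and `${db}` is already the name passed to `-D`.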
@@ -20,15 +21,30 @@ type CleanUpDB interface {
 io.Closer
 }
 
-// ResetTestDatabase deletes all rows in all tables available to the
-// passed in CleanUpDB, failing the tests if that errors and returning
-// a clean up function that will attempt the same plus close the
-// database. "Tables available" means all tables that can be seen in
-// the MariaDB configuration by the database user except for ones that
-// are configuration only like goose_db_version (for migrations) or
-// the ones describing the internal configuration of the server.To be
+// ResetSATestDatabase deletes all rows in all tables in the SA DB.
+// If fails the tests if that errors and returns a clean up function
+// that will delete all rows again and close the database.
+// "Tables available" means all tables that can be seen in the MariaDB
+// configuration by the database user except for ones that are
+// configuration only like goose_db_version (for migrations) or
+// the ones describing the internal configuration of the server. To be
 // used only in test code.
-func ResetTestDatabase(t *testing.T, db CleanUpDB) func() {
+func ResetSATestDatabase(t *testing.T) func() {
+ return resetTestDatabase(t, "sa")
+}
+
+// ResetPolicyTestDatabase deletes all rows in all tables in the Policy DB. It
+// acts the same as ResetSATestDatabase.
+func ResetPolicyTestDatabase(t *testing.T) func() {
+ return resetTestDatabase(t, "policy")
+}
+
+func resetTestDatabase(t *testing.T, dbType string) func() {
+ db, err := sql.Open("mysql", fmt.Sprintf("test_setup@tcp(localhost:3306)/boulder_%s_test", dbType))
+ if err != nil {
+ t.Fatalf("Couldn't create db: %s", err)
+ }
+ fmt.Printf("db %#v\n", db)
 if err := deleteEverythingInAllTables(db); err != nil {
 t.Fatalf("Failed to delete everything: %s", err)
 }
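Review bot: `fmt.Printf("db %#v\n", db)` in the new `resetTestDatabase` is leftover debugging output that dumps the `*sql.DB` struct into the output of every test that calls a reset helper; it should be removed. Note also that `sql.Open` only validates the DSN and does not connect, so a missing `test_setup` account or grant will surface as the `Failed to delete everything` fatal on the following line rather than at `Couldn't create db`; a `db.Ping()` with its own message right after `sql.Open` would make that failure mode obvious. The new doc comment's second sentence should read `// It fails the tests if that errors and returns a clean up function`. `resetTestDatabase` continues past the hunk.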
@@ -47,7 +63,7 @@ func ResetTestDatabase(t *testing.T, db CleanUpDB) func() {
 func deleteEverythingInAllTables(db CleanUpDB) error {
 ts, err := allTableNamesInDB(db)
 if err != nil {
- return nil
+ return err
 }
 for _, tn := range ts {
 // 1 = 1 here prevents the MariaDB i_am_a_dummy setting from
@@ -57,7 +73,7 @@ func ResetTestDatabase(t *testing.T, db CleanUpDB) func() {
 return err
 }
 }
- return nil
+ return err
 }
 
 // allTableNamesInDB returns the names of the tables available to the
diff --git a/test/drop_users.sql b/test/drop_users.sql
new file mode 100644
index 000000000..73649b722
--- /dev/null
+++ b/test/drop_users.sql
@@ -0,0 +1,22 @@
+-- Before setting up any privileges, we revoke existing ones to make sure we
+-- start from a clean slate.
+-- Note that dropping a non-existing user produces an error that aborts the
+-- script, so we first grant a harmless privilege to each user to ensure it
+-- exists.
+GRANT USAGE ON *.* TO 'policy'@'localhost';
+DROP USER 'policy'@'localhost';
+GRANT USAGE ON *.* TO 'sa'@'localhost';
+DROP USER 'sa'@'localhost';
+GRANT USAGE ON *.* TO 'ocsp_resp'@'localhost';
+DROP USER 'ocsp_resp'@'localhost';
+GRANT USAGE ON *.* TO 'ocsp_update'@'localhost';
+DROP USER 'ocsp_update'@'localhost';
+GRANT USAGE ON *.* TO 'revoker'@'localhost';
+DROP USER 'revoker'@'localhost';
+GRANT USAGE ON *.* TO 'importer'@'localhost';
+DROP USER 'importer'@'localhost';
+GRANT USAGE ON *.* TO 'mailer'@'localhost';
+DROP USER 'mailer'@'localhost';
+GRANT USAGE ON *.* TO 'cert_checker'@'localhost';
+DROP USER 'cert_checker'@'localhost';
+
diff --git a/test/policy_db_users.sql b/test/policy_db_users.sql
new file mode 100644
index 000000000..e1a4f4c96
--- /dev/null
+++ b/test/policy_db_users.sql
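Review bot: The second hunk's final `return err` can only be reached when the `allTableNamesInDB` error was nil and every `Exec` in the loop succeeded, so it always returns nil while reading as if it might propagate something; `return nil` states the invariant plainly. The first hunk's `return nil` → `return err` is the real fix here (a table-listing failure was previously swallowed and the reset reported success on an untouched database) and is worth a line in the commit message. `deleteEverythingInAllTables` spans both hunks and the `Exec` loop body lies between them.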
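Review bot: The opening comment promises a clean slate, but the two accounts that end up with the most privilege are missing from the list: `test_setup`, which both `*_db_users.sql` files give `GRANT ALL PRIVILEGES`, and the legacy `boulder` account that the old `create_db.sh` granted `all privileges` on every database, so both keep whatever they accumulated across runs. Add `GRANT USAGE ON *.* TO 'test_setup'@'localhost'; DROP USER 'test_setup'@'localhost';` and the same pair for `'boulder'@'localhost'`. If the CI MariaDB is recent enough to support `DROP USER IF EXISTS`, that would replace the GRANT-then-DROP workaround entirely — worth checking the server version before relying on it.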
@@ -0,0 +1,26 @@
+--
+-- Copyright 2015 ISRG. All rights reserved
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at http://mozilla.org/MPL/2.0/.
+--
+-- This file defines the default users for the primary database, used by
+-- all the parts of Boulder except the Certificate Authority module, which
+-- utilizes its own database.
+--
+
+-- Create users for each component with the appropriate permissions. We want to
+-- drop each user and recreate them, but if the user doesn't already exist, the
+-- drop command will fail. So we grant the dummy `USAGE` privilege to make sure
+-- the user exists and then drop the user.
+
+-- Policy loader, CA, RA
+-- Note: The same config section, "pa" is used by the policy loader (for writes)
+-- and the CA and RA (for reads). So right now we have the one user that has
+-- both read and write permission, even though it would be better to give only
+-- read permission to CA and RA.
+GRANT SELECT,INSERT,DELETE ON blacklist TO 'policy'@'localhost';
+GRANT SELECT,INSERT,DELETE ON whitelist TO 'policy'@'localhost';
+
+-- Test setup and teardown
+GRANT ALL PRIVILEGES ON * to 'test_setup'@'localhost';
diff --git a/test/sa_db_users.sql b/test/sa_db_users.sql
new file mode 100644
index 000000000..d3005a620
--- /dev/null
+++ b/test/sa_db_users.sql
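Review bot: The header comment is copied from the SA users file and describes the wrong database — "the primary database, used by all the parts of Boulder except the Certificate Authority module" — and the following paragraph describes the GRANT-USAGE-then-DROP dance that actually lives in `test/drop_users.sql`, so neither paragraph is true of this file. Replace them with something like `-- Users and grants for the policy database (blacklist/whitelist tables).` and `-- Existing users are dropped beforehand by test/drop_users.sql; GRANT creates them here.` `GRANT ALL PRIVILEGES ON *` is relative to the default database chosen by `mysql -D` in `create_db.sh`, which is fine for the script but deserves a one-line comment since nothing in the file itself names the database.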
@@ -0,0 +1,56 @@
+--
+-- Copyright 2015 ISRG. All rights reserved
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at http://mozilla.org/MPL/2.0/.
+--
+-- This file defines the default users for the primary database, used by
+-- all the parts of Boulder except the Certificate Authority module, which
+-- utilizes its own database.
+--
+
+-- Create users for each component with the appropriate permissions. We want to
+-- drop each user and recreate them, but if the user doesn't already exist, the
+-- drop command will fail. So we grant the dummy `USAGE` privilege to make sure
+-- the user exists and then drop the user.
+
+-- Storage Authority
+GRANT SELECT,INSERT,UPDATE ON authz TO 'sa'@'localhost';
+GRANT SELECT,INSERT,UPDATE,DELETE ON pendingAuthorizations TO 'sa'@'localhost';
+GRANT SELECT(id,Lockcol) ON pendingAuthorizations TO 'sa'@'localhost';
+GRANT SELECT,INSERT ON certificates TO 'sa'@'localhost';
+GRANT SELECT,INSERT,UPDATE ON certificateStatus TO 'sa'@'localhost';
+GRANT SELECT,INSERT ON issuedNames TO 'sa'@'localhost';
+GRANT SELECT,INSERT ON sctReceipts TO 'sa'@'localhost';
+GRANT SELECT,INSERT ON deniedCSRs TO 'sa'@'localhost';
+GRANT INSERT ON ocspResponses TO 'sa'@'localhost';
+GRANT SELECT,INSERT,UPDATE ON registrations TO 'sa'@'localhost';
+GRANT SELECT,INSERT,UPDATE ON challenges TO 'sa'@'localhost';
+
+-- OCSP Responder
+GRANT SELECT ON certificateStatus TO 'ocsp_resp'@'localhost';
+GRANT SELECT ON ocspResponses TO 'ocsp_resp'@'localhost';
+
+-- OCSP Generator Tool (Updater)
+GRANT INSERT ON ocspResponses TO 'ocsp_update'@'localhost';
+GRANT SELECT ON certificates TO 'ocsp_update'@'localhost';
+GRANT SELECT,UPDATE ON certificateStatus TO 'ocsp_update'@'localhost';
+
+-- Revoker Tool
+GRANT SELECT ON registrations TO 'revoker'@'localhost';
+GRANT SELECT ON certificates TO 'revoker'@'localhost';
+GRANT SELECT,INSERT ON deniedCSRs TO 'revoker'@'localhost';
+
+-- External Cert Importer
+GRANT SELECT,INSERT,UPDATE,DELETE ON identifierData TO 'importer'@'localhost';
+GRANT SELECT,INSERT,UPDATE,DELETE ON externalCerts TO 'importer'@'localhost';
+
+-- Expiration mailer
+GRANT SELECT ON certificates TO 'mailer'@'localhost';
+GRANT SELECT,UPDATE ON certificateStatus TO 'mailer'@'localhost';
+
+-- Cert checker
+GRANT SELECT ON certificates TO 'cert_checker'@'localhost';
+
+-- Test setup and teardown
+GRANT ALL PRIVILEGES ON * to 'test_setup'@'localhost';
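Review bot: `GRANT SELECT(id,Lockcol) ON pendingAuthorizations TO 'sa'@'localhost'` is redundant: the line above already grants table-level `SELECT` on `pendingAuthorizations`, which covers every column, so either drop the column-level grant or narrow the table-level one if the intent was to restrict what the SA can read. Two things changed against the deleted `docs/database/db_users-main.sql` without comment and deserve one: the accounts are now created implicitly by `GRANT` with no `CREATE USER ... IDENTIFIED BY`, which only works while the server's `sql_mode` does not include `NO_AUTO_CREATE_USER`, and the host part moved from `'%'` to `'localhost'` while every DSN in this diff connects over `tcp(localhost:3306)` — whether a TCP connection to 127.0.0.1 is matched by an `@'localhost'` account depends on the server's name-resolution settings, so this should be verified on the CI image rather than assumed. The header and the "grant USAGE then drop" paragraph are copied from the old file and describe `drop_users.sql`, not this one; a line such as `-- Users are dropped beforehand by test/drop_users.sql; the GRANTs below recreate them.` would be accurate.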