Merge branch 'master' into simple-http-5002

2015-10-17 11:01:43 -07:00 · 2015-10-17 11:01:43 -07:00 · caaa1248b6
parent 6c6687898c 98fea98f4f
commit caaa1248b6
20 changed files with 204 additions and 111 deletions
--- a/ca/certificate-authority_test.go
+++ b/ca/certificate-authority_test.go
@ -98,8 +98,8 @@ const caKeyFile = "../test/test-ca.key"
 const caCertFile = "../test/test-ca.pem"
 const (
-	paDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+	paDBConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
-	saDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+	saDBConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 )
 func mustRead(path string) []byte {
@ -131,13 +131,13 @@ func setup(t *testing.T) *testCtx {
 	if err != nil {
 		t.Fatalf("Failed to create SA: %s", err)
 	}
-	saDBCleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	saDBCleanUp := test.ResetSATestDatabase(t)
 	paDbMap, err := sa.NewDbMap(paDBConnStr)
 	test.AssertNotError(t, err, "Could not construct dbMap")
 	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
 	test.AssertNotError(t, err, "Couldn't create PADB")
-	paDBCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+	paDBCleanUp := test.ResetPolicyTestDatabase(t)
 	cleanUp := func() {
 		saDBCleanUp()
--- a/cmd/cert-checker/main_test.go
+++ b/cmd/cert-checker/main_test.go
@ -29,8 +29,8 @@ import (
 )
 var (
-	saDbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+	saDbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
-	paDbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+	paDbConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
 )
 func BenchmarkCheckCert(b *testing.B) {
@ -80,10 +80,10 @@ func BenchmarkCheckCert(b *testing.B) {
 func TestCheckCert(t *testing.T) {
 	saDbMap, err := sa.NewDbMap(saDbConnStr)
 	test.AssertNotError(t, err, "Couldn't connect to database")
-	saCleanup := test.ResetTestDatabase(t, saDbMap.Db)
+	saCleanup := test.ResetSATestDatabase(t)
 	paDbMap, err := sa.NewDbMap(paDbConnStr)
 	test.AssertNotError(t, err, "Couldn't connect to policy database")
-	paCleanup := test.ResetTestDatabase(t, paDbMap.Db)
+	paCleanup := test.ResetPolicyTestDatabase(t)
 	defer func() {
 		saCleanup()
 		paCleanup()
@ -188,8 +188,8 @@ func TestGetAndProcessCerts(t *testing.T) {
 	checker := newChecker(saDbMap, paDbMap, fc, false)
 	sa, err := sa.NewSQLStorageAuthority(saDbMap, fc)
 	test.AssertNotError(t, err, "Couldn't create SA to insert certificates")
-	saCleanUp := test.ResetTestDatabase(t, saDbMap.Db)
+	saCleanUp := test.ResetSATestDatabase(t)
-	paCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+	paCleanUp := test.ResetPolicyTestDatabase(t)
 	defer func() {
 		saCleanUp()
 		paCleanUp()
--- a/cmd/expiration-mailer/main_test.go
+++ b/cmd/expiration-mailer/main_test.go
@ -146,7 +146,7 @@ var testKey = rsa.PrivateKey{
 	Primes:    []*big.Int{p, q},
 }
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://mailer@localhost:3306/boulder_sa_test"
 func TestFindExpiringCertificates(t *testing.T) {
 	ctx := setup(t, []time.Duration{time.Hour * 24, time.Hour * 24 * 4, time.Hour * 24 * 7})
@ -256,17 +256,18 @@ func TestFindExpiringCertificates(t *testing.T) {
 		Status: core.OCSPStatusGood,
 	}
-	err = ctx.dbMap.Insert(certA)
+	setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
 	err = setupDBMap.Insert(certA)
 	test.AssertNotError(t, err, "Couldn't add certA")
-	err = ctx.dbMap.Insert(certB)
+	err = setupDBMap.Insert(certB)
 	test.AssertNotError(t, err, "Couldn't add certB")
-	err = ctx.dbMap.Insert(certC)
+	err = setupDBMap.Insert(certC)
 	test.AssertNotError(t, err, "Couldn't add certC")
-	err = ctx.dbMap.Insert(certStatusA)
+	err = setupDBMap.Insert(certStatusA)
 	test.AssertNotError(t, err, "Couldn't add certStatusA")
-	err = ctx.dbMap.Insert(certStatusB)
+	err = setupDBMap.Insert(certStatusB)
 	test.AssertNotError(t, err, "Couldn't add certStatusB")
-	err = ctx.dbMap.Insert(certStatusC)
+	err = setupDBMap.Insert(certStatusC)
 	test.AssertNotError(t, err, "Couldn't add certStatusC")
 	log.Clear()
@ -330,9 +331,10 @@ func TestLifetimeOfACert(t *testing.T) {
 		Status: core.OCSPStatusGood,
 	}
-	err = ctx.dbMap.Insert(certA)
+	setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
 	err = setupDBMap.Insert(certA)
 	test.AssertNotError(t, err, "unable to insert Certificate")
-	err = ctx.dbMap.Insert(certStatusA)
+	err = setupDBMap.Insert(certStatusA)
 	test.AssertNotError(t, err, "unable to insert CertificateStatus")
 	type lifeTest struct {
@ -434,9 +436,10 @@ func TestDontFindRevokedCert(t *testing.T) {
 		Status: core.OCSPStatusRevoked,
 	}
-	err = ctx.dbMap.Insert(certA)
+	setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
 	err = setupDBMap.Insert(certA)
 	test.AssertNotError(t, err, "unable to insert Certificate")
-	err = ctx.dbMap.Insert(certStatusA)
+	err = setupDBMap.Insert(certStatusA)
 	test.AssertNotError(t, err, "unable to insert CertificateStatus")
 	err = ctx.m.findExpiringCertificates()
@ -449,7 +452,7 @@ func TestDontFindRevokedCert(t *testing.T) {
 type testCtx struct {
 	dbMap   *gorp.DbMap
-	ssa     *sa.SQLStorageAuthority
+	ssa     core.StorageAdder
 	mc      *mockMail
 	fc      clock.FakeClock
 	m       *mailer
@ -457,7 +460,9 @@ type testCtx struct {
 }
 func setup(t *testing.T, nagTimes []time.Duration) *testCtx {
-	dbMap, err := sa.NewDbMap(dbConnStr)
+	// We use the test_setup user (which has full permissions to everything)
 	// because the SA we return is used for inserting data to set up the test.
 	dbMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
 	if err != nil {
 		t.Fatalf("Couldn't connect the database: %s", err)
 	}
@ -466,7 +471,7 @@ func setup(t *testing.T, nagTimes []time.Duration) *testCtx {
 	if err != nil {
 		t.Fatalf("unable to create SQLStorageAuthority: %s", err)
 	}
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	cleanUp := test.ResetSATestDatabase(t)
 	stats, _ := statsd.NewNoopClient(nil)
 	mc := &mockMail{}
--- a/cmd/ocsp-responder/main_test.go
+++ b/cmd/ocsp-responder/main_test.go
@ -13,6 +13,7 @@ import (
 	cfocsp "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/ocsp"
 	"github.com/letsencrypt/boulder/Godeps/_workspace/src/golang.org/x/crypto/ocsp"
 	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/sa"
 	"github.com/letsencrypt/boulder/test"
 )
@ -61,11 +62,11 @@ func TestHandler(t *testing.T) {
 }
 func TestDBHandler(t *testing.T) {
-	src, err := makeDBSource("mysql+tcp://boulder@localhost:3306/boulder_sa_test", "./testdata/test-ca.der.pem", false)
+	src, err := makeDBSource("mysql+tcp://ocsp_resp@localhost:3306/boulder_sa_test", "./testdata/test-ca.der.pem", false)
 	if err != nil {
 		t.Fatalf("makeDBSource: %s", err)
 	}
-	defer test.ResetTestDatabase(t, src.dbMap.Db)
+	defer test.ResetSATestDatabase(t)
 	ocspResp, err := ocsp.ParseResponse(resp, nil)
 	if err != nil {
 		t.Fatalf("ocsp.ParseResponse: %s", err)
@ -76,7 +77,11 @@ func TestDBHandler(t *testing.T) {
 		OCSPLastUpdated: time.Now(),
 		OCSPResponse:    resp,
 	}
-	err = src.dbMap.Insert(status)
+	setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test")
 	if err != nil {
 		t.Fatal(err)
 	}
 	err = setupDBMap.Insert(status)
 	if err != nil {
 		t.Fatalf("unable to insert response: %s", err)
 	}
--- a/cmd/ocsp-updater/main_test.go
+++ b/cmd/ocsp-updater/main_test.go
@ -47,7 +47,7 @@ func (p *mockPub) SubmitToCT(_ []byte) error {
 	})
 }
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 var log = mocks.UseMockLog()
@ -61,7 +61,7 @@ func setup(t *testing.T) (OCSPUpdater, core.StorageAuthority, *gorp.DbMap, clock
 	sa, err := sa.NewSQLStorageAuthority(dbMap, fc)
 	test.AssertNotError(t, err, "Failed to create SA")
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	cleanUp := test.ResetSATestDatabase(t)
 	stats, _ := statsd.NewNoopClient(nil)
--- a/docs/database/db_users-main.sql
+++ b/docs/database/db_users-main.sql
@ -1,42 +0,0 @@
 --
 -- Copyright 2015 ISRG.  All rights reserved
 -- This Source Code Form is subject to the terms of the Mozilla Public
 -- License, v. 2.0. If a copy of the MPL was not distributed with this
 -- file, You can obtain one at http://mozilla.org/MPL/2.0/.
 --
 -- This file defines the default users for the primary database, used by
 -- all the parts of Boulder except the Certificate Authority module, which
 -- utilizes its own database.
 --
 -- Storage Authority
 CREATE USER `sa`@`%` IDENTIFIED BY 'password';
 GRANT SELECT,INSERT,UPDATE ON authz TO 'sa'@'%';
 GRANT SELECT,INSERT,UPDATE,DELETE ON pendingAuthorizations TO 'sa'@'%';
 GRANT SELECT,INSERT ON certificates TO 'sa'@'%';
 GRANT SELECT,INSERT,UPDATE ON certificateStatus TO 'sa'@'%';
 GRANT SELECT,INSERT ON deniedCSRs TO 'sa'@'%';
 GRANT INSERT ON ocspResponses TO 'sa'@'%';
 GRANT SELECT,INSERT,UPDATE ON registrations TO 'sa'@'%';
 GRANT SELECT,INSERT,UPDATE ON challenges TO 'sa'@'%';
 -- OCSP Responder
 CREATE USER `ocsp_resp`@`%` IDENTIFIED BY 'password';
 GRANT SELECT ON ocspResponses TO 'ocsp_resp'@'%';
 -- OCSP Generator Tool (Updater)
 CREATE USER `ocsp_update`@`%` IDENTIFIED BY 'password';
 GRANT INSERT ON ocspResponses TO 'ocsp_update'@'%';
 GRANT SELECT ON certificates TO 'ocsp_update'@'%';
 GRANT SELECT,UPDATE ON certificateStatus TO 'ocsp_update'@'%';
 -- Revoker Tool
 CREATE USER `revoker`@`%` IDENTIFIED BY 'password';
 GRANT SELECT ON registrations TO 'revoker'@'%';
 GRANT SELECT ON certificates TO 'revoker'@'%';
 GRANT SELECT,INSERT ON deniedCSRs TO 'revoker'@'%';
 -- External Cert Importer
 CREATE USER `importer`@`%` IDENTIFIED BY 'password';
 GRANT SELECT,INSERT,UPDATE,DELETE ON identifierData TO 'importer'@'%';
 GRANT SELECT,INSERT,UPDATE,DELETE ON externalCerts TO 'importer'@'%';
--- a/policy/_db/dbconf.yml
+++ b/policy/_db/dbconf.yml
@ -1,9 +1,6 @@
 development:
  driver: mysql
  open: boulder@tcp(localhost:3306)/boulder_policy_development
 test:
  driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_policy_test
+  open: root@tcp(localhost:3306)/boulder_policy_test
 integration:
  driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_policy_integration
+  open: root@tcp(localhost:3306)/boulder_policy_integration
--- a/policy/policy-authority-data_test.go
+++ b/policy/policy-authority-data_test.go
@ -19,7 +19,7 @@ func padbImpl(t *testing.T) (*PolicyAuthorityDatabaseImpl, func()) {
 	padb, err := NewPolicyAuthorityDatabaseImpl(dbMap)
 	test.AssertNotError(t, err, "Couldn't create PADB")
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	cleanUp := test.ResetPolicyTestDatabase(t)
 	return padb, cleanUp
 }
--- a/policy/policy-authority_test.go
+++ b/policy/policy-authority_test.go
@ -19,7 +19,7 @@ import (
 )
 var log = mocks.UseMockLog()
-var dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+var dbConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
 func paImpl(t *testing.T) (*PolicyAuthorityImpl, func()) {
 	dbMap, cleanUp := paDBMap(t)
@ -34,7 +34,7 @@ func paImpl(t *testing.T) (*PolicyAuthorityImpl, func()) {
 func paDBMap(t *testing.T) (*gorp.DbMap, func()) {
 	dbMap, err := sa.NewDbMap(dbConnStr)
 	test.AssertNotError(t, err, "Could not construct dbMap")
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	cleanUp := test.ResetPolicyTestDatabase(t)
 	return dbMap, cleanUp
 }
--- a/ra/registration-authority_test.go
+++ b/ra/registration-authority_test.go
@ -122,8 +122,8 @@ var (
 )
 const (
-	paDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+	paDBConnStr = "mysql+tcp://policy@localhost:3306/boulder_policy_test"
-	saDBConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+	saDBConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 )
 func makeResponse(ch core.Challenge) (out core.Challenge, err error) {
@ -165,7 +165,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
 		t.Fatalf("Failed to create SA: %s", err)
 	}
-	saDBCleanUp := test.ResetTestDatabase(t, dbMap.Db)
+	saDBCleanUp := test.ResetSATestDatabase(t)
 	va := &DummyValidationAuthority{}
@ -192,7 +192,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAut
 	if err != nil {
 		t.Fatalf("Failed to create dbMap: %s", err)
 	}
-	policyDBCleanUp := test.ResetTestDatabase(t, paDbMap.Db)
+	policyDBCleanUp := test.ResetPolicyTestDatabase(t)
 	pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false)
 	test.AssertNotError(t, err, "Couldn't create PA")
 	ca := ca.CertificateAuthorityImpl{
--- a/sa/_db/dbconf.yml
+++ b/sa/_db/dbconf.yml
@ -1,9 +1,6 @@
 development:
  driver: mysql
  open: boulder@tcp(localhost:3306)/boulder_sa_development
 test:
  driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_sa_test
+  open: root@tcp(localhost:3306)/boulder_sa_test
 integration:
  driver: mysql
-  open: boulder@tcp(localhost:3306)/boulder_sa_integration
+  open: root@tcp(localhost:3306)/boulder_sa_integration
--- a/sa/satest/satest.go
+++ b/sa/satest/satest.go
@ -50,7 +50,7 @@ func CreateWorkingRegistration(t *testing.T, sa core.StorageAuthority) core.Regi
 		CreatedAt: time.Date(2003, 5, 10, 0, 0, 0, 0, time.UTC),
 	})
 	if err != nil {
-		t.Fatalf("Unable to create new registration")
+		t.Fatalf("Unable to create new registration: %s", err)
 	}
 	return reg
 }
--- a/sa/storage-authority_test.go
+++ b/sa/storage-authority_test.go
@ -30,7 +30,7 @@ import (
 	"github.com/letsencrypt/boulder/test"
 )
-const dbConnStr = "mysql+tcp://boulder@localhost:3306/boulder_sa_test"
+const dbConnStr = "mysql+tcp://sa@localhost:3306/boulder_sa_test"
 var log = mocks.UseMockLog()
@ -50,7 +50,8 @@ func initSA(t *testing.T) (*SQLStorageAuthority, clock.FakeClock, func()) {
 	if err != nil {
 		t.Fatalf("Failed to create SA: %s", err)
 	}
-	cleanUp := test.ResetTestDatabase(t, dbMap.Db)
+
 	cleanUp := test.ResetSATestDatabase(t)
 	return sa, fc, cleanUp
 }
--- a/test/boulder-config.json
+++ b/test/boulder-config.json
@ -115,7 +115,7 @@
  },
  "pa": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_policy_test"
+    "dbConnect": "mysql+tcp://policy@localhost:3306/boulder_policy_integration"
  },
  "ra": {
@ -126,7 +126,7 @@
  },
  "sa": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+    "dbConnect": "mysql+tcp://sa@localhost:3306/boulder_sa_integration",
    "maxConcurrentRPCServerRequests": 16,
    "debugAddr": "localhost:8003"
  },
@ -147,11 +147,11 @@
  },
  "revoker": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration"
+    "dbConnect": "mysql+tcp://revoker@localhost:3306/boulder_sa_integration"
  },
  "ocspResponder": {
-    "source": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+    "source": "mysql+tcp://ocsp_resp@localhost:3306/boulder_sa_integration",
    "path": "/",
    "listenAddress": "localhost:4002",
    "maxAge": "10s",
@ -161,7 +161,7 @@
  },
  "ocspUpdater": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+    "dbConnect": "mysql+tcp://ocsp_update@localhost:3306/boulder_sa_integration",
    "newCertificateWindow": "1s",
    "oldOCSPWindow": "2s",
    "missingSCTWindow": "1m",
@ -184,7 +184,7 @@
    "port": "25",
    "username": "cert-master@example.com",
    "password": "password",
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration",
+    "dbConnect": "mysql+tcp://mailer@localhost:3306/boulder_sa_integration",
    "messageLimit": 0,
    "nagTimes": ["24h", "72h", "168h", "336h"],
    "emailTemplate": "test/example-expiration-template",
@ -216,7 +216,7 @@
  },
  "certChecker": {
-    "dbConnect": "mysql+tcp://boulder@localhost:3306/boulder_sa_integration"
+    "dbConnect": "mysql+tcp://cert_checker@localhost:3306/boulder_sa_integration"
  },
  "subscriberAgreementURL": "http://localhost:4001/terms/v1"
--- a/test/create_db.sh
+++ b/test/create_db.sh
@ -1,16 +1,27 @@
 #!/bin/bash
 set -o errexit
 cd $(dirname $0)/..
 source test/db-common.sh
 # Drop all users to get a fresh start
 mysql -u root < test/drop_users.sql
 for svc in $SERVICES; do
  for dbenv in $DBENVS; do
    db="boulder_${svc}_${dbenv}"
-    mysql -u root -e "drop database if exists \`${db}\`; create database if not exists \`${db}\`; grant all privileges on ${db}.* to 'boulder'@'localhost'" || die "unable to create ${db}"
+    (mysql -u root -e "drop database if exists \`${db}\`; create database if not exists \`${db}\`;" || die "unable to create ${db}"
    echo "created empty ${db} database"
    goose -path=./$svc/_db/ -env=$dbenv up || die "unable to migrate ${db}"
    echo "migrated ${db} database"
    USERS_SQL=test/${svc}_db_users.sql
    if [ -f $USERS_SQL ] ; then
      mysql -u root -D boulder_${svc}_${dbenv} < $USERS_SQL
    fi) &
  done
 done
 wait
 echo "created all databases"
--- a/test/db-common.sh
+++ b/test/db-common.sh
@ -8,6 +8,5 @@ function die() {
 SERVICES="sa
 policy"
-DBENVS="development
+DBENVS="test
 test
 integration"
--- a/test/db.go
+++ b/test/db.go
@ -2,6 +2,7 @@ package test
 import (
 	"database/sql"
 	"fmt"
 	"io"
 	"testing"
 )
@ -20,15 +21,30 @@ type CleanUpDB interface {
 	io.Closer
 }
-// ResetTestDatabase deletes all rows in all tables available to the
+// ResetSATestDatabase deletes all rows in all tables in the SA DB.
-// passed in CleanUpDB, failing the tests if that errors and returning
+// If fails the tests if that errors and returns a clean up function
-// a clean up function that will attempt the same plus close the
+// that will delete all rows again and close the database.
-// database.  "Tables available" means all tables that can be seen in
+// "Tables available" means all tables that can be seen in the MariaDB
-// the MariaDB configuration by the database user except for ones that
+// configuration by the database user except for ones that are
-// are configuration only like goose_db_version (for migrations) or
+// configuration only like goose_db_version (for migrations) or
-// the ones describing the internal configuration of the server.To be
+// the ones describing the internal configuration of the server. To be
 // used only in test code.
-func ResetTestDatabase(t *testing.T, db CleanUpDB) func() {
+func ResetSATestDatabase(t *testing.T) func() {
 	return resetTestDatabase(t, "sa")
 }
 // ResetPolicyTestDatabase deletes all rows in all tables in the Policy DB. It
 // acts the same as ResetSATestDatabase.
 func ResetPolicyTestDatabase(t *testing.T) func() {
 	return resetTestDatabase(t, "policy")
 }
 func resetTestDatabase(t *testing.T, dbType string) func() {
 	db, err := sql.Open("mysql", fmt.Sprintf("test_setup@tcp(localhost:3306)/boulder_%s_test", dbType))
 	if err != nil {
 		t.Fatalf("Couldn't create db: %s", err)
 	}
 	fmt.Printf("db %#v\n", db)
 	if err := deleteEverythingInAllTables(db); err != nil {
 		t.Fatalf("Failed to delete everything: %s", err)
 	}
@ -47,7 +63,7 @@ func ResetTestDatabase(t *testing.T, db CleanUpDB) func() {
 func deleteEverythingInAllTables(db CleanUpDB) error {
 	ts, err := allTableNamesInDB(db)
 	if err != nil {
-		return nil
+		return err
 	}
 	for _, tn := range ts {
 		// 1 = 1 here prevents the MariaDB i_am_a_dummy setting from
@ -57,7 +73,7 @@ func deleteEverythingInAllTables(db CleanUpDB) error {
 			return err
 		}
 	}
-	return nil
+	return err
 }
 // allTableNamesInDB returns the names of the tables available to the
--- a/test/drop_users.sql
+++ b/test/drop_users.sql
@ -0,0 +1,22 @@
 -- Before setting up any privileges, we revoke existing ones to make sure we
 -- start from a clean slate.
 -- Note that dropping a non-existing user produces an error that aborts the
 -- script, so we first grant a harmless privilege to each user to ensure it
 -- exists.
 GRANT USAGE ON *.* TO 'policy'@'localhost';
 DROP USER 'policy'@'localhost';
 GRANT USAGE ON *.* TO 'sa'@'localhost';
 DROP USER 'sa'@'localhost';
 GRANT USAGE ON *.* TO 'ocsp_resp'@'localhost';
 DROP USER 'ocsp_resp'@'localhost';
 GRANT USAGE ON *.* TO 'ocsp_update'@'localhost';
 DROP USER 'ocsp_update'@'localhost';
 GRANT USAGE ON *.* TO 'revoker'@'localhost';
 DROP USER 'revoker'@'localhost';
 GRANT USAGE ON *.* TO 'importer'@'localhost';
 DROP USER 'importer'@'localhost';
 GRANT USAGE ON *.* TO 'mailer'@'localhost';
 DROP USER 'mailer'@'localhost';
 GRANT USAGE ON *.* TO 'cert_checker'@'localhost';
 DROP USER 'cert_checker'@'localhost';
--- a/test/policy_db_users.sql
+++ b/test/policy_db_users.sql
@ -0,0 +1,26 @@
 --
 -- Copyright 2015 ISRG.  All rights reserved
 -- This Source Code Form is subject to the terms of the Mozilla Public
 -- License, v. 2.0. If a copy of the MPL was not distributed with this
 -- file, You can obtain one at http://mozilla.org/MPL/2.0/.
 --
 -- This file defines the default users for the primary database, used by
 -- all the parts of Boulder except the Certificate Authority module, which
 -- utilizes its own database.
 --
 -- Create users for each component with the appropriate permissions. We want to
 -- drop each user and recreate them, but if the user doesn't already exist, the
 -- drop command will fail. So we grant the dummy `USAGE` privilege to make sure
 -- the user exists and then drop the user.
 -- Policy loader, CA, RA
 -- Note: The same config section, "pa" is used by the policy loader (for writes)
 -- and the CA and RA (for reads). So right now we have the one user that has
 -- both read and write permission, even though it would be better to give only
 -- read permission to CA and RA.
 GRANT SELECT,INSERT,DELETE ON blacklist TO 'policy'@'localhost';
 GRANT SELECT,INSERT,DELETE ON whitelist TO 'policy'@'localhost';
 -- Test setup and teardown
 GRANT ALL PRIVILEGES ON * to 'test_setup'@'localhost';
--- a/test/sa_db_users.sql
+++ b/test/sa_db_users.sql
@ -0,0 +1,56 @@
 --
 -- Copyright 2015 ISRG.  All rights reserved
 -- This Source Code Form is subject to the terms of the Mozilla Public
 -- License, v. 2.0. If a copy of the MPL was not distributed with this
 -- file, You can obtain one at http://mozilla.org/MPL/2.0/.
 --
 -- This file defines the default users for the primary database, used by
 -- all the parts of Boulder except the Certificate Authority module, which
 -- utilizes its own database.
 --
 -- Create users for each component with the appropriate permissions. We want to
 -- drop each user and recreate them, but if the user doesn't already exist, the
 -- drop command will fail. So we grant the dummy `USAGE` privilege to make sure
 -- the user exists and then drop the user.
 -- Storage Authority
 GRANT SELECT,INSERT,UPDATE ON authz TO 'sa'@'localhost';
 GRANT SELECT,INSERT,UPDATE,DELETE ON pendingAuthorizations TO 'sa'@'localhost';
 GRANT SELECT(id,Lockcol) ON pendingAuthorizations TO 'sa'@'localhost';
 GRANT SELECT,INSERT ON certificates TO 'sa'@'localhost';
 GRANT SELECT,INSERT,UPDATE ON certificateStatus TO 'sa'@'localhost';
 GRANT SELECT,INSERT ON issuedNames TO 'sa'@'localhost';
 GRANT SELECT,INSERT ON sctReceipts TO 'sa'@'localhost';
 GRANT SELECT,INSERT ON deniedCSRs TO 'sa'@'localhost';
 GRANT INSERT ON ocspResponses TO 'sa'@'localhost';
 GRANT SELECT,INSERT,UPDATE ON registrations TO 'sa'@'localhost';
 GRANT SELECT,INSERT,UPDATE ON challenges TO 'sa'@'localhost';
 -- OCSP Responder
 GRANT SELECT ON certificateStatus TO 'ocsp_resp'@'localhost';
 GRANT SELECT ON ocspResponses TO 'ocsp_resp'@'localhost';
 -- OCSP Generator Tool (Updater)
 GRANT INSERT ON ocspResponses TO 'ocsp_update'@'localhost';
 GRANT SELECT ON certificates TO 'ocsp_update'@'localhost';
 GRANT SELECT,UPDATE ON certificateStatus TO 'ocsp_update'@'localhost';
 -- Revoker Tool
 GRANT SELECT ON registrations TO 'revoker'@'localhost';
 GRANT SELECT ON certificates TO 'revoker'@'localhost';
 GRANT SELECT,INSERT ON deniedCSRs TO 'revoker'@'localhost';
 -- External Cert Importer
 GRANT SELECT,INSERT,UPDATE,DELETE ON identifierData TO 'importer'@'localhost';
 GRANT SELECT,INSERT,UPDATE,DELETE ON externalCerts TO 'importer'@'localhost';
 -- Expiration mailer
 GRANT SELECT ON certificates TO 'mailer'@'localhost';
 GRANT SELECT,UPDATE ON certificateStatus TO 'mailer'@'localhost';
 -- Cert checker
 GRANT SELECT ON certificates TO 'cert_checker'@'localhost';
 -- Test setup and teardown
 GRANT ALL PRIVILEGES ON * to 'test_setup'@'localhost';