diff --git a/ca/certificates_test.go b/ca/certificates_test.go index dc34141dd7..842ced23d3 100644 --- a/ca/certificates_test.go +++ b/ca/certificates_test.go @@ -340,8 +340,6 @@ func TestGetRemoteCAInvalidHash(t *testing.T) { // returns the issuer as well as all the parsed certs returned from the request func testRequestAndSaveNewCertificates(t *testing.T, tc *cautils.TestCA) (*ca.IssuerInfo, []*x509.Certificate) { - defer tc.Stop() - // Copy the current RootCA without the signer rca := ca.RootCA{Certs: tc.RootCA.Certs, Pool: tc.RootCA.Pool} tlsCert, issuerInfo, err := rca.RequestAndSaveNewCertificates(tc.Context, tc.KeyReadWriter, @@ -371,6 +369,7 @@ func TestRequestAndSaveNewCertificatesNoIntermediate(t *testing.T) { t.Parallel() tc := cautils.NewTestCA(t) + defer tc.Stop() issuerInfo, parsedCerts := testRequestAndSaveNewCertificates(t, tc) require.Len(t, parsedCerts, 1) @@ -397,6 +396,7 @@ func TestRequestAndSaveNewCertificatesWithIntermediates(t *testing.T) { defer os.RemoveAll(tempdir) tc := cautils.NewTestCAFromAPIRootCA(t, tempdir, apiRootCA, nil) + defer tc.Stop() issuerInfo, parsedCerts := testRequestAndSaveNewCertificates(t, tc) require.Len(t, parsedCerts, 2) @@ -541,7 +541,7 @@ func TestGetRemoteSignedCertificate(t *testing.T) { csr, _, err := ca.GenerateNewCSR() assert.NoError(t, err) - certs, err := ca.GetRemoteSignedCertificate(context.Background(), csr, tc.RootCA.Pool, + certs, err := ca.GetRemoteSignedCertificate(tc.Context, csr, tc.RootCA.Pool, ca.CertificateRequestConfig{ Token: tc.ManagerToken, ConnBroker: tc.ConnBroker, @@ -581,7 +581,7 @@ func TestGetRemoteSignedCertificateNodeInfo(t *testing.T) { csr, _, err := ca.GenerateNewCSR() assert.NoError(t, err) - cert, err := ca.GetRemoteSignedCertificate(context.Background(), csr, tc.RootCA.Pool, + cert, err := ca.GetRemoteSignedCertificate(tc.Context, csr, tc.RootCA.Pool, ca.CertificateRequestConfig{ Token: tc.WorkerToken, ConnBroker: tc.ConnBroker, 
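Review bot: Now that `defer tc.Stop()` has been lifted out of `testRequestAndSaveNewCertificates`, the helper's doc comment (its first line is the hunk's leading context, "returns the issuer as well as all the parsed certs …") no longer says who is responsible for the TestCA's lifetime, and a future caller that forgets `defer tc.Stop()` will leak the gRPC server, the temp dir and the now-cancellable context. I would extend the comment with `// The caller owns tc and must call tc.Stop(); this helper intentionally does not stop it.` so the ownership change made here is visible at the helper rather than only at its two call sites. The helper's body continues past the end of this hunk.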
@@ -705,11 +705,12 @@ func TestGetRemoteSignedCertificateWithPending(t *testing.T) { defer cancel() fakeCAServer := newNonSigningCAServer(t, tc) + defer fakeCAServer.stop(t) completed := make(chan error) defer close(completed) go func() { - _, err := ca.GetRemoteSignedCertificate(context.Background(), csr, tc.RootCA.Pool, + _, err := ca.GetRemoteSignedCertificate(tc.Context, csr, tc.RootCA.Pool, ca.CertificateRequestConfig{ Token: tc.WorkerToken, ConnBroker: fakeCAServer.getConnBroker(), @@ -764,7 +765,7 @@ func TestGetRemoteSignedCertificateWithPending(t *testing.T) { // make sure if we time out the GetRemoteSignedCertificate call, it cancels immediately and doesn't keep // polling the status go func() { - ctx, _ := context.WithTimeout(context.Background(), 1*time.Second) + ctx, _ := context.WithTimeout(tc.Context, 1*time.Second) _, err := ca.GetRemoteSignedCertificate(ctx, csr, tc.RootCA.Pool, ca.CertificateRequestConfig{ Token: tc.WorkerToken, @@ -860,7 +861,7 @@ func TestGetRemoteSignedCertificateConnectionErrors(t *testing.T) { defer close(completed) defer close(done) go func() { - _, err := ca.GetRemoteSignedCertificate(context.Background(), csr, tc.RootCA.Pool, + _, err := ca.GetRemoteSignedCertificate(tc.Context, csr, tc.RootCA.Pool, ca.CertificateRequestConfig{ Token: tc.WorkerToken, ConnBroker: multiBroker, @@ -917,7 +918,7 @@ func TestGetRemoteSignedCertificateConnectionErrors(t *testing.T) { {Addr: fakeSigningServers[1].addr}, }, }) - _, err = ca.GetRemoteSignedCertificate(context.Background(), csr, tc.RootCA.Pool, + _, err = ca.GetRemoteSignedCertificate(tc.Context, csr, tc.RootCA.Pool, ca.CertificateRequestConfig{ Token: tc.WorkerToken, ConnBroker: multiBroker, 
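Review bot: The rewritten line `ctx, _ := context.WithTimeout(tc.Context, 1*time.Second)` in the second goroutine still discards the CancelFunc, which `go vet`'s lostcancel check flags and which keeps the timer and the child context registered with `tc.Context` until the timeout fires or `tc.Stop()` cancels the parent. Since the line is being touched anyway, I would make it `ctx, cancel := context.WithTimeout(tc.Context, 1*time.Second)` followed by `defer cancel()` inside the goroutine closure. Re-parenting on `tc.Context` is otherwise the right call here, as it means a hung polling loop is torn down when the TestCA is stopped instead of outliving the test. The goroutine body and the enclosing test continue beyond this hunk.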
@@ -1289,7 +1290,7 @@ func TestRootCAWithCrossSignedIntermediates(t *testing.T) { connectToExternalRootCA, err := ca.NewRootCA(append(cautils.ECDSACertChain[2], fauxRootCert...), cautils.ECDSACertChain[1], cautils.ECDSACertChainKeys[1], ca.DefaultNodeCertExpiration, cautils.ECDSACertChain[1]) require.NoError(t, err) - secConfig, err := connectToExternalRootCA.CreateSecurityConfig(context.Background(), krw, ca.CertificateRequestConfig{}) + secConfig, err := connectToExternalRootCA.CreateSecurityConfig(tc.Context, krw, ca.CertificateRequestConfig{}) require.NoError(t, err) externalCA := secConfig.ExternalCA() @@ -1298,7 +1299,7 @@ func TestRootCAWithCrossSignedIntermediates(t *testing.T) { newCSR, _, err := ca.GenerateNewCSR() require.NoError(t, err) - tlsCert, err = externalCA.Sign(context.Background(), ca.PrepareCSR(newCSR, "cn", ca.ManagerRole, secConfig.ClientTLSCreds.Organization())) + tlsCert, err = externalCA.Sign(tc.Context, ca.PrepareCSR(newCSR, "cn", ca.ManagerRole, secConfig.ClientTLSCreds.Organization())) require.NoError(t, err) checkValidateAgainstAllRoots(tlsCert) diff --git a/ca/config_test.go b/ca/config_test.go index 67b4d626b5..9a4f7c02e4 100644 --- a/ca/config_test.go +++ b/ca/config_test.go @@ -15,11 +15,13 @@ import ( "golang.org/x/net/context" + "github.com/Sirupsen/logrus" cfconfig "github.com/cloudflare/cfssl/config" "github.com/cloudflare/cfssl/helpers" "github.com/docker/swarmkit/api" "github.com/docker/swarmkit/ca" "github.com/docker/swarmkit/ca/testutils" + "github.com/docker/swarmkit/log" "github.com/docker/swarmkit/manager/state/store" "github.com/docker/swarmkit/watch" "github.com/pkg/errors" 
@@ -264,9 +266,14 @@ func TestLoadSecurityConfigIntermediates(t *testing.T) { rootCA, err := ca.NewRootCA(testutils.ECDSACertChain[2], nil, nil, ca.DefaultNodeCertExpiration, nil) require.NoError(t, err) + ctx := log.WithLogger(context.Background(), log.L.WithFields(logrus.Fields{ + "testname": t.Name(), + "testHasExternalCA": false, + })) + // loading the incomplete chain fails require.NoError(t, krw.Write(testutils.ECDSACertChain[0], testutils.ECDSACertChainKeys[0], nil)) - _, err = ca.LoadSecurityConfig(context.Background(), rootCA, krw, false) + _, err = ca.LoadSecurityConfig(ctx, rootCA, krw, false) require.Error(t, err) intermediate, err := helpers.ParseCertificatePEM(testutils.ECDSACertChain[1]) @@ -274,7 +281,7 @@ func TestLoadSecurityConfigIntermediates(t *testing.T) { // loading the complete chain succeeds require.NoError(t, krw.Write(append(testutils.ECDSACertChain[0], testutils.ECDSACertChain[1]...), testutils.ECDSACertChainKeys[0], nil)) - secConfig, err := ca.LoadSecurityConfig(context.Background(), rootCA, krw, false) + secConfig, err := ca.LoadSecurityConfig(ctx, rootCA, krw, false) require.NoError(t, err) require.NotNil(t, secConfig) issuerInfo := secConfig.IssuerInfo() @@ -322,7 +329,7 @@ func TestSecurityConfigUpdateRootCA(t *testing.T) { defer os.RemoveAll(tempdir) configPaths := ca.NewConfigPaths(tempdir) - secConfig, err := rootCA.CreateSecurityConfig(context.Background(), + secConfig, err := rootCA.CreateSecurityConfig(tc.Context, ca.NewKeyReadWriter(configPaths.Node, nil, nil), ca.CertificateRequestConfig{}) require.NoError(t, err) // update the server TLS to require certificates, otherwise this will all pass 
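Review bot: The logger fields `testname` and `testHasExternalCA` built inline here duplicate, by string literal, the fields that `cautils.NewTestCAFromAPIRootCA` attaches to `tc.Context`, so the two will silently drift apart the next time someone renames or adds a field. I would move this into a small exported helper in `ca/testutils` (something like `NewTestContext(t *testing.T, external bool) context.Context`) and call it from both places, so the field names live in one spot. Note also that this test hard-codes `"testHasExternalCA": false` whereas cautils reports the package flag `External`; if that is deliberate because `TestLoadSecurityConfigIntermediates` never talks to an external signer, a one-line comment saying so would stop a reader from "fixing" it. The rest of the test lies outside this hunk.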
@@ -370,7 +377,7 @@ func TestSecurityConfigUpdateRootCA(t *testing.T) { defer externalServer.Stop() secConfig.ExternalCA().UpdateURLs(externalServer.URL) - _, err = secConfig.ExternalCA().Sign(context.Background(), req) + _, err = secConfig.ExternalCA().Sign(tc.Context, req) require.Error(t, err) // the type is weird (it's wrapped in a bunch of other things in ctxhttp), so just compare strings require.Contains(t, err.Error(), x509.UnknownAuthorityError{}.Error()) @@ -408,7 +415,7 @@ func TestSecurityConfigUpdateRootCA(t *testing.T) { if testutils.External { // we can also now connect to the test CA's external signing server secConfig.ExternalCA().UpdateURLs(externalServer.URL) - generatedCert, err = secConfig.ExternalCA().Sign(context.Background(), req) + generatedCert, err = secConfig.ExternalCA().Sign(tc.Context, req) require.NoError(t, err) } else { krw := ca.NewKeyReadWriter(configPaths.Node, nil, nil) @@ -441,7 +448,7 @@ func TestSecurityConfigSetWatch(t *testing.T) { configWatch, configCancel := w.Watch() defer configCancel() - require.NoError(t, ca.RenewTLSConfigNow(context.Background(), secConfig, tc.ConnBroker)) + require.NoError(t, ca.RenewTLSConfigNow(tc.Context, secConfig, tc.ConnBroker)) select { case ev := <-configWatch: nodeTLSInfo, ok := ev.(*api.NodeTLSInfo) @@ -474,7 +481,7 @@ func TestSecurityConfigSetWatch(t *testing.T) { // ensure that we can still update tls certs and roots without error even though the watch is closed require.NoError(t, secConfig.UpdateRootCA(&tc.RootCA, tc.RootCA.Pool)) - require.NoError(t, ca.RenewTLSConfigNow(context.Background(), secConfig, tc.ConnBroker)) + require.NoError(t, ca.RenewTLSConfigNow(tc.Context, secConfig, tc.ConnBroker)) } // enforce that no matter what order updating the root CA and updating TLS credential happens, we 
@@ -511,7 +518,7 @@ func TestRenewTLSConfigUpdateRootCARace(t *testing.T) { cert, _, err := testutils.CreateRootCertAndKey(fmt.Sprintf("root %d", i+2)) require.NoError(t, err) - ctx, cancel := context.WithCancel(context.Background()) + ctx, cancel := context.WithCancel(tc.Context) defer cancel() done1, done2 := make(chan struct{}), make(chan struct{}) @@ -546,7 +553,7 @@ func TestRenewTLSConfigUpdateRootCARace(t *testing.T) { require.Len(t, secConfig.ClientTLSCreds.Config().RootCAs.Subjects(), i+2) require.Len(t, secConfig.ServerTLSCreds.Config().RootCAs.Subjects(), i+2) // no matter what, the external CA still has the extra external CA root cert - _, err = secConfig.ExternalCA().Sign(context.Background(), signReq) + _, err = secConfig.ExternalCA().Sign(tc.Context, signReq) require.NoError(t, err) } } @@ -581,7 +588,7 @@ func TestRenewTLSConfigWorker(t *testing.T) { tc := testutils.NewTestCA(t) defer tc.Stop() - ctx, cancel := context.WithCancel(context.Background()) + ctx, cancel := context.WithCancel(tc.Context) defer cancel() // Get a new nodeConfig with a TLS cert that has the default Cert duration, but overwrite @@ -617,7 +624,7 @@ func TestRenewTLSConfigManager(t *testing.T) { tc := testutils.NewTestCA(t) defer tc.Stop() - ctx, cancel := context.WithCancel(context.Background()) + ctx, cancel := context.WithCancel(tc.Context) defer cancel() // Get a new nodeConfig with a TLS cert that has the default Cert duration, but overwrite @@ -653,7 +660,7 @@ func TestRenewTLSConfigWithNoNode(t *testing.T) { tc := testutils.NewTestCA(t) defer tc.Stop() - ctx, cancel := context.WithCancel(context.Background()) + ctx, cancel := context.WithCancel(tc.Context) defer cancel() // Get a new nodeConfig with a TLS cert that has the default Cert duration, but overwrite diff --git a/ca/external.go b/ca/external.go index 11a6f87558..d6a9421e0d 100644 --- a/ca/external.go +++ b/ca/external.go 
@@ -18,6 +18,7 @@ import ( "github.com/cloudflare/cfssl/config" "github.com/cloudflare/cfssl/csr" "github.com/cloudflare/cfssl/signer" + "github.com/docker/swarmkit/log" "github.com/pkg/errors" "golang.org/x/net/context" "golang.org/x/net/context/ctxhttp" @@ -126,7 +127,7 @@ func (eca *ExternalCA) Sign(ctx context.Context, req signer.SignRequest) (cert [ if err == nil { return append(cert, intermediates...), err } - logrus.Debugf("unable to proxy certificate signing request to %s: %s", url, err) + log.G(ctx).Debugf("unable to proxy certificate signing request to %s: %s", url, err) } return nil, err diff --git a/ca/testutils/cautils.go b/ca/testutils/cautils.go index a1cce37f04..7c5ea6873d 100644 --- a/ca/testutils/cautils.go +++ b/ca/testutils/cautils.go @@ -12,6 +12,7 @@ import ( "testing" "time" + "github.com/Sirupsen/logrus" cfcsr "github.com/cloudflare/cfssl/csr" "github.com/cloudflare/cfssl/helpers" "github.com/cloudflare/cfssl/initca" @@ -49,12 +50,13 @@ type TestCA struct { ManagerToken string ConnBroker *connectionbroker.Broker KeyReadWriter *ca.KeyReadWriter - watchCancel func() + ctxCancel, watchCancel func() } // Stop cleans up after TestCA func (tc *TestCA) Stop() { tc.watchCancel() + tc.ctxCancel() os.RemoveAll(tc.TempDir) for _, conn := range tc.Conns { conn.Close() @@ -200,7 +202,11 @@ func NewTestCAFromAPIRootCA(t *testing.T, tempBaseDir string, apiRootCA api.Root api.RegisterCAServer(grpcServer, caServer) api.RegisterNodeCAServer(grpcServer, caServer) - ctx := context.Background() + fields := logrus.Fields{"testHasExternalCA": External} + if t != nil { + fields["testname"] = t.Name() + } + ctx, ctxCancel := context.WithCancel(log.WithLogger(context.Background(), log.L.WithFields(fields))) clusterWatch, clusterWatchCancel, err := store.ViewAndWatch( s, func(tx store.ReadTx) error { 
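Review bot: In `ExternalCA.Sign` the new line formats the error into the message with `%s`; with a logrus-backed contextual logger the idiomatic form is `log.G(ctx).WithError(err).Debugf("unable to proxy certificate signing request to %s", url)`, which keeps the error as a structured field alongside the `testname`/`testHasExternalCA` fields this commit is adding and avoids the `%s`-on-error pattern vet tooling complains about. Two things to double-check that the hunk does not show: this appears to be the only `logrus.` call in the file, so the `github.com/Sirupsen/logrus` import near the top of `ca/external.go` must still be used elsewhere or the file will not compile, and the loop still returns only the last URL's `err` to the caller, so earlier failures are visible solely through this debug line. As a minor hygiene point, `url` is logged verbatim; if an external CA URL ever carries userinfo credentials they would land in the debug log, so a comment noting that URLs are assumed credential-free would not hurt. The function's signature and the start of the retry loop are outside this hunk.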
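Review bot: The added `if t != nil { fields["testname"] = t.Name() }` in `NewTestCAFromAPIRootCA` implies a nil `*testing.T` is an accepted input, but the surrounding constructor (its header and doc are outside this hunk) uses `require.NoError(t, …)`, which will panic on a nil `t` the first time an assertion fails rather than report cleanly. If nil is a supported mode for non-test callers, the function's doc comment should say so and the assertions on that path should be made nil-safe; if it is not, the guard is misleading and `t.Name()` can be used unconditionally. Either way, a short comment on the guard such as `// t may be nil when the TestCA is built outside a Go test; omit the test name then` would make the intent explicit.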
@@ -260,6 +266,7 @@ func NewTestCAFromAPIRootCA(t *testing.T, tempBaseDir string, apiRootCA api.Root ConnBroker: connectionbroker.New(remotes), KeyReadWriter: krw, watchCancel: clusterWatchCancel, + ctxCancel: ctxCancel, } } diff --git a/integration/integration_test.go b/integration/integration_test.go index ac650b095e..ab9f7b7c02 100644 --- a/integration/integration_test.go +++ b/integration/integration_test.go @@ -152,18 +152,7 @@ func pollServiceReady(t *testing.T, c *testCluster, sid string, replicas int) { } func newCluster(t *testing.T, numWorker, numManager int) *testCluster { - // Get name of caller - var testName string - pc, _, _, ok := runtime.Caller(1) - if ok { - funcName := runtime.FuncForPC(pc).Name() - splitted := strings.Split(funcName, ".") - if len(splitted) > 1 { - testName = splitted[len(splitted)-1] - } - } - - cl := newTestCluster(testName) + cl := newTestCluster(t.Name()) for i := 0; i < numManager; i++ { require.NoError(t, cl.AddManager(false, nil), "manager number %d", i+1) } @@ -190,7 +179,7 @@ func TestServiceCreateLateBind(t *testing.T) { numWorker, numManager := 3, 3 - cl := newTestCluster("TestServiceCreateLateBind") + cl := newTestCluster(t.Name()) for i := 0; i < numManager; i++ { require.NoError(t, cl.AddManager(true, nil), "manager number %d", i+1) } @@ -501,7 +490,7 @@ func TestForceNewCluster(t *testing.T) { // start a new cluster with the external CA bootstrapped numWorker, numManager := 0, 1 - cl := newTestCluster("TestForceNewCluster") + cl := newTestCluster(t.Name()) defer func() { require.NoError(t, cl.Stop()) }()
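Review bot: Replacing the `runtime.Caller` lookup with `t.Name()` in `newCluster` changes the shape of the name that reaches `newTestCluster`: the old code used only the last `.`-separated segment of the caller's function name, whereas `t.Name()` for a subtest is `TestParent/subtest` and contains `/`. If `newTestCluster` uses the name as a temp-dir prefix or as any path or host component (its body is not in this diff), a subtest would break; sanitizing with `strings.Replace(t.Name(), "/", "_", -1)` or a comment stating that the helper is never called from subtests would close that gap. Also worth confirming that `runtime` and `strings` are still referenced elsewhere in `integration_test.go`, since this hunk removes the only visible uses and no hunk touches the import block.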