consul/agent/routine-leak-checker/leak_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package leakcheck

import (
	"crypto/x509"
	"os"
	"path/filepath"
	"testing"

	"github.com/stretchr/testify/require"
	"go.uber.org/goleak"

	"github.com/hashicorp/consul/agent"
	"github.com/hashicorp/consul/sdk/testutil"
	"github.com/hashicorp/consul/testrpc"
	"github.com/hashicorp/consul/tlsutil"
)

func testTLSCertificates(serverName string) (cert string, key string, cacert string, err error) {
	signer, _, err := tlsutil.GeneratePrivateKey()
	if err != nil {
		return "", "", "", err
	}

	ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{Signer: signer})
	if err != nil {
		return "", "", "", err
	}

	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
		Signer:      signer,
		CA:          ca,
		Name:        "Test Cert Name",
		Days:        365,
		DNSNames:    []string{serverName},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", "", "", err
	}

	return cert, privateKey, ca, nil
}

func setupPrimaryServer(t *testing.T) *agent.TestAgent {
	d := testutil.TempDir(t, "leaks-primary-server")

	certPEM, keyPEM, caPEM, err := testTLSCertificates("server.primary.consul")
	require.NoError(t, err)

	certPath := filepath.Join(d, "cert.pem")
	keyPath := filepath.Join(d, "key.pem")
	caPath := filepath.Join(d, "cacert.pem")

	require.NoError(t, os.WriteFile(certPath, []byte(certPEM), 0600))
	require.NoError(t, os.WriteFile(keyPath, []byte(keyPEM), 0600))
	require.NoError(t, os.WriteFile(caPath, []byte(caPEM), 0600))

	aclParams := agent.DefaultTestACLConfigParams()
	aclParams.PrimaryDatacenter = "primary"
	aclParams.EnableTokenReplication = true

	config := `
	   server = true
		datacenter = "primary"
		primary_datacenter = "primary"
		
		connect {
			enabled = true
		}
		
		auto_encrypt {
			allow_tls = true
		}
	` + agent.TestACLConfigWithParams(aclParams)

	a := agent.NewTestAgent(t, config)
	t.Cleanup(func() { a.Shutdown() })

	testrpc.WaitForTestAgent(t, a.RPC, "primary", testrpc.WithToken(agent.TestDefaultInitialManagementToken))

	return a
}

func TestAgentLeaks_Server(t *testing.T) {
	if testing.Short() {
		t.Skip("too slow for testing.Short")
	}

	/*
		Eventually go routine leak checking should be moved into other packages such as the agent
		and agent/consul packages. However there are too many leaks for the test to run properly.

		Many of the leaks are due to blocking queries from clients to servers being uncancellable.
		Until we can move away from net/rpc and fix some of the other issues we don't want a
		completely unbounded test which is guaranteed to fail 100% of the time. For now this
		test will do. When we do update it we should add this in a *_test.go file in the packages
		that we want to enable leak checking within:

		import (
			"testing"

			"go.uber.org/goleak"
		)

		func TestMain(m *testing.M) {
			goleak.VerifyTestMain(m,
				goleak.IgnoreTopFunction("k8s.io/klog.(*loggingT).flushDaemon"),
				goleak.IgnoreTopFunction("go.opencensus.io/stats/view.(*worker).start"),
				goleak.IgnoreTopFunction("github.com/hashicorp/consul/sdk/freeport.checkFreedPorts"),
			)
		}
	*/

	defer goleak.VerifyNone(t,
		goleak.IgnoreTopFunction("k8s.io/klog.(*loggingT).flushDaemon"),
		goleak.IgnoreTopFunction("go.opencensus.io/stats/view.(*worker).start"),
		goleak.IgnoreTopFunction("github.com/hashicorp/consul/sdk/freeport.checkFreedPorts"),
	)

	primaryServer := setupPrimaryServer(t)
	primaryServer.Shutdown()
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00
Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00			`package leakcheck`

			`import (`
			`"crypto/x509"`
removes ioutil usage everywhere which was deprecated in go1.16 (#15297) * update go version to 1.18 for api and sdk, go mod tidy * removes ioutil usage everywhere which was deprecated in go1.16 in favour of io and os packages. Also introduces a lint rule which forbids use of ioutil going forward. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> 2022-11-10 16:26:01 +00:00			`"os"`
Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00			`"path/filepath"`
			`"testing"`

acl: call stop for the upgrade goroutine when done TestAgentLeaks_Server was reporting a goroutine leak without this. Not sure if it would actually be a leak in production or if this is due to the test setup, but seems easy enough to call it this way until we remove legacyACLTokenUpgrade. 2021-09-29 21:36:43 +00:00			`"github.com/stretchr/testify/require"`
			`"go.uber.org/goleak"`

Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00			`"github.com/hashicorp/consul/agent"`
			`"github.com/hashicorp/consul/sdk/testutil"`
			`"github.com/hashicorp/consul/testrpc"`
			`"github.com/hashicorp/consul/tlsutil"`
			`)`

			`func testTLSCertificates(serverName string) (cert string, key string, cacert string, err error) {`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`signer, _, err := tlsutil.GeneratePrivateKey()`
Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00			`if err != nil {`
			`return "", "", "", err`
			`}`

introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{Signer: signer})`
Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00			`if err != nil {`
			`return "", "", "", err`
			`}`

introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{`
			`Signer: signer,`
			`CA: ca,`
			`Name: "Test Cert Name",`
			`Days: 365,`
			`DNSNames: []string{serverName},`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},`
			`})`
Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00			`if err != nil {`
			`return "", "", "", err`
			`}`

			`return cert, privateKey, ca, nil`
			`}`

			`func setupPrimaryServer(t testing.T) agent.TestAgent {`
			`d := testutil.TempDir(t, "leaks-primary-server")`

			`certPEM, keyPEM, caPEM, err := testTLSCertificates("server.primary.consul")`
			`require.NoError(t, err)`

			`certPath := filepath.Join(d, "cert.pem")`
			`keyPath := filepath.Join(d, "key.pem")`
			`caPath := filepath.Join(d, "cacert.pem")`

removes ioutil usage everywhere which was deprecated in go1.16 (#15297) * update go version to 1.18 for api and sdk, go mod tidy * removes ioutil usage everywhere which was deprecated in go1.16 in favour of io and os packages. Also introduces a lint rule which forbids use of ioutil going forward. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> 2022-11-10 16:26:01 +00:00			`require.NoError(t, os.WriteFile(certPath, []byte(certPEM), 0600))`
			`require.NoError(t, os.WriteFile(keyPath, []byte(keyPEM), 0600))`
			`require.NoError(t, os.WriteFile(caPath, []byte(caPEM), 0600))`
Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00
Remove references to "master" ACL tokens in tests (#11751) 2021-12-07 12:48:50 +00:00			`aclParams := agent.DefaultTestACLConfigParams()`
Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00			`aclParams.PrimaryDatacenter = "primary"`
			`aclParams.EnableTokenReplication = true`

			config := `
			`server = true`
			`datacenter = "primary"`
			`primary_datacenter = "primary"`

			`connect {`
			`enabled = true`
			`}`

			`auto_encrypt {`
			`allow_tls = true`
			`}`
			` + agent.TestACLConfigWithParams(aclParams)

			`a := agent.NewTestAgent(t, config)`
			`t.Cleanup(func() { a.Shutdown() })`

Remove references to "master" ACL tokens in tests (#11751) 2021-12-07 12:48:50 +00:00			`testrpc.WaitForTestAgent(t, a.RPC, "primary", testrpc.WithToken(agent.TestDefaultInitialManagementToken))`
Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00
			`return a`
			`}`

Preparation for changing where license management is done. 2021-05-11 14:50:03 +00:00			`func TestAgentLeaks_Server(t *testing.T) {`
testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ``` 2020-12-07 18:42:55 +00:00			`if testing.Short() {`
			`t.Skip("too slow for testing.Short")`
			`}`

Add a test for go routine leaks This is in its own separate package so that it will be a separate test binary that runs thus isolating the go runtime from other tests and allowing accurate go routine leak checking. This test would ideally use goleak.VerifyTestMain but that will fail 100% of the time due to some architectural things (blocking queries and net/rpc uncancellability). This test is not comprehensive. We should enable/exercise more features and more cluster configurations. However its a start. 2020-06-24 16:40:16 +00:00			`/*`
			`Eventually go routine leak checking should be moved into other packages such as the agent`
			`and agent/consul packages. However there are too many leaks for the test to run properly.`

			`Many of the leaks are due to blocking queries from clients to servers being uncancellable.`
			`Until we can move away from net/rpc and fix some of the other issues we don't want a`
			`completely unbounded test which is guaranteed to fail 100% of the time. For now this`
			`test will do. When we do update it we should add this in a *_test.go file in the packages`
			`that we want to enable leak checking within:`

			`import (`
			`"testing"`

			`"go.uber.org/goleak"`
			`)`

			`func TestMain(m *testing.M) {`
			`goleak.VerifyTestMain(m,`
			`goleak.IgnoreTopFunction("k8s.io/klog.(*loggingT).flushDaemon"),`
			`goleak.IgnoreTopFunction("go.opencensus.io/stats/view.(*worker).start"),`
			`goleak.IgnoreTopFunction("github.com/hashicorp/consul/sdk/freeport.checkFreedPorts"),`
			`)`
			`}`
			`*/`

			`defer goleak.VerifyNone(t,`
			`goleak.IgnoreTopFunction("k8s.io/klog.(*loggingT).flushDaemon"),`
			`goleak.IgnoreTopFunction("go.opencensus.io/stats/view.(*worker).start"),`
			`goleak.IgnoreTopFunction("github.com/hashicorp/consul/sdk/freeport.checkFreedPorts"),`
			`)`

			`primaryServer := setupPrimaryServer(t)`
			`primaryServer.Shutdown()`
			`}`