From f824fc1be889af8290b1772bd808d4df3f3aabc0 Mon Sep 17 00:00:00 2001
From: Tamir Duberstein <tamird@gmail.com>
Date: Thu, 3 Dec 2015 07:04:04 -0500
Subject: [PATCH 1/3] sql: use embedded certs

Fixes nightly sqllogictest.
---
 sql/logic_test.go  | 27 ++++++++++++---------------
 sql/main_test.go   | 32 ++++++++++++++++++++++++--------
 sql/pgwire_test.go | 35 ++++++++++-------------------------
 3 files changed, 46 insertions(+), 48 deletions(-)

diff --git a/sql/logic_test.go b/sql/logic_test.go
index 63fa5478b2d6..9fcd7f25c930 100644
--- a/sql/logic_test.go
+++ b/sql/logic_test.go
@@ -204,27 +204,25 @@ func (t *logicTest) setUser(tempDir, user string) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	dir, err := os.Getwd()
-	if err != nil {
-		t.Fatal(err)
-	}
-	certDir := filepath.Join(filepath.Dir(dir), "resource", security.EmbeddedCertsDir)
 
-	certPath := security.ClientCertPath(certDir, user)
-	keyPath := security.ClientKeyPath(certDir, user)
+	caPath := filepath.Join(security.EmbeddedCertsDir, "ca.crt")
+	certPath := security.ClientCertPath(security.EmbeddedCertsDir, user)
+	keyPath := security.ClientKeyPath(security.EmbeddedCertsDir, user)
 
-	// `github.com/lib/pq` requires that private key file permissions are
-	// "u=rw (0600) or less".
-	tmpKeyPath := tempRestrictedCopy(t.T, keyPath, tempDir)
+	// Copy these assets to disk from embedded strings, so this test can
+	// run from a standalone binary.
+	tempCAPath, _ := tempRestrictedCopy(t.T, tempDir, caPath, "TestLogic_ca")
+	tempCertPath, _ := tempRestrictedCopy(t.T, tempDir, certPath, "TestLogic_cert")
+	tempKeyPath, _ := tempRestrictedCopy(t.T, tempDir, keyPath, "TestLogic_key")
 
 	pgUrl := url.URL{
 		Scheme: "postgres",
 		User:   url.User(user),
 		Host:   net.JoinHostPort(host, port),
 		RawQuery: fmt.Sprintf("sslmode=verify-full&sslrootcert=%s&sslcert=%s&sslkey=%s",
-			url.QueryEscape(filepath.Join(certDir, "ca.crt")),
-			url.QueryEscape(certPath),
-			url.QueryEscape(tmpKeyPath),
+			url.QueryEscape(tempCAPath),
+			url.QueryEscape(tempCertPath),
+			url.QueryEscape(tempKeyPath),
 		),
 	}
 
@@ -254,8 +252,7 @@ func (t *logicTest) run(path string) {
 	// MySQL or Postgres instance.
 	t.srv = setupTestServer(t.T)
 
-	// `github.com/lib/pq` requires that private key file permissions are
-	// "u=rw (0600) or less".
+	// Make a temporary directory to hold all our on-disk crypto assets.
 	tempDir, err := ioutil.TempDir(os.TempDir(), "TestLogic")
 	if err != nil {
 		t.Fatal(err)
diff --git a/sql/main_test.go b/sql/main_test.go
index 7d7cea8ded67..7a38a499e901 100644
--- a/sql/main_test.go
+++ b/sql/main_test.go
@@ -22,7 +22,7 @@ import (
 	"database/sql"
 	"fmt"
 	"io/ioutil"
-	"path/filepath"
+	"os"
 	"testing"
 
 	"github.com/cockroachdb/cockroach/client"
@@ -123,16 +123,32 @@ func cleanup(s *server.TestServer, db *sql.DB) {
 	cleanupTestServer(s)
 }
 
-// `github.com/lib/pq` requires that private key file permissions are
-// "u=rw (0600) or less".
-func tempRestrictedCopy(t *testing.T, keyPath, tempDir string) string {
-	key, err := ioutil.ReadFile(keyPath)
+func tempRestrictedCopy(t *testing.T, tempdir, path, prefix string) (string, func()) {
+	contents, err := securitytest.Asset(path)
 	if err != nil {
 		t.Fatal(err)
 	}
-	tmpKeyPath := filepath.Join(tempDir, "tempRestrictedCopy")
-	if err := ioutil.WriteFile(tmpKeyPath, key, 0600); err != nil {
+
+	tempFile, err := ioutil.TempFile(tempdir, prefix)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := tempFile.Close(); err != nil {
+		t.Fatal(err)
+	}
+	tempPath := tempFile.Name()
+	if err := os.Remove(tempPath); err != nil {
+		t.Fatal(err)
+	}
+	// `github.com/lib/pq` requires that private key file permissions are
+	// "u=rw (0600) or less".
+	if err := ioutil.WriteFile(tempPath, contents, 0600); err != nil {
 		t.Fatal(err)
 	}
-	return tmpKeyPath
+	return tempPath, func() {
+		if err := os.Remove(tempPath); err != nil {
+			// Not Fatal() because we might already be panicking.
+			t.Error(err)
+		}
+	}
 }
diff --git a/sql/pgwire_test.go b/sql/pgwire_test.go
index cc13f1568c7e..aaa4cfe066d7 100644
--- a/sql/pgwire_test.go
+++ b/sql/pgwire_test.go
@@ -20,11 +20,9 @@ package sql_test
 import (
 	"database/sql"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/url"
 	"os"
-	"path/filepath"
 	"testing"
 
 	"github.com/lib/pq"
@@ -51,29 +49,16 @@ func trivialQuery(datasource string) error {
 func TestPGWire(t *testing.T) {
 	defer leaktest.AfterTest(t)
 
-	dir, err := os.Getwd()
-	if err != nil {
-		t.Fatal(err)
-	}
-	certDir := filepath.Join(filepath.Dir(dir), "resource", security.EmbeddedCertsDir)
-
 	certUser := server.TestUser
-	certPath := security.ClientCertPath(certDir, certUser)
-	keyPath := security.ClientKeyPath(certDir, certUser)
+	certPath := security.ClientCertPath(security.EmbeddedCertsDir, certUser)
+	keyPath := security.ClientKeyPath(security.EmbeddedCertsDir, certUser)
 
-	// `github.com/lib/pq` requires that private key file permissions are
-	// "u=rw (0600) or less".
-	tempDir, err := ioutil.TempDir(os.TempDir(), "TestPGWire")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer func() {
-		if err := os.RemoveAll(tempDir); err != nil {
-			// Not Fatal() because we might already be panicking.
-			t.Error(err)
-		}
-	}()
-	tmpKeyPath := tempRestrictedCopy(t, keyPath, tempDir)
+	// Copy these assets to disk from embedded strings, so this test can
+	// run from a standalone binary.
+	tempCertPath, tempCertCleanup := tempRestrictedCopy(t, os.TempDir(), certPath, "TestPGWire_cert")
+	defer tempCertCleanup()
+	tempKeyPath, tempKeyCleanup := tempRestrictedCopy(t, os.TempDir(), keyPath, "TestPGWire_key")
+	defer tempKeyCleanup()
 
 	for _, insecure := range [...]bool{true, false} {
 		ctx := server.NewTestContext()
@@ -136,8 +121,8 @@ func TestPGWire(t *testing.T) {
 				requirePgUrlWithCert := basePgUrl
 				requirePgUrlWithCert.User = url.User(optUser)
 				requirePgUrlWithCert.RawQuery = fmt.Sprintf("sslmode=require&sslcert=%s&sslkey=%s",
-					url.QueryEscape(certPath),
-					url.QueryEscape(tmpKeyPath),
+					url.QueryEscape(tempCertPath),
+					url.QueryEscape(tempKeyPath),
 				)
 				err := trivialQuery(requirePgUrlWithCert.String())
 				if insecure {

From 14eee40ce2e557c3c69d460e8bb9618c9b8842b3 Mon Sep 17 00:00:00 2001
From: Tamir Duberstein <tamird@gmail.com>
Date: Thu, 3 Dec 2015 11:58:34 -0500
Subject: [PATCH 2/3] Makefile: remove detritus

---
 Makefile | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/Makefile b/Makefile
index c8948af2f374..e9185d4b33ed 100644
--- a/Makefile
+++ b/Makefile
@@ -23,12 +23,6 @@ GO ?= go
 GOFLAGS :=
 # Set to 1 to use static linking for all builds (including tests).
 STATIC :=
-# The cockroach image to be used for starting Docker containers
-# during acceptance tests. Usually cockroachdb/cockroach{,-dev}
-# depending on the context.
-COCKROACH_IMAGE :=
-
-RUN := run
 
 # Variables to be overridden on the command line, e.g.
 #   make test PKG=./storage TESTFLAGS=--vmodule=multiraft=1
@@ -43,20 +37,17 @@ DUPLFLAGS    := -t 100
 
 ifeq ($(STATIC),1)
 # The netgo build tag instructs the net package to try to build a
-# Go-only resolver.
+# Go-only resolver. As of Go 1.5, netgo is the default...but apparently
+# not when using cgo (???).
 TAGS += netgo
-# The installsuffix makes sure we actually get the netgo build, see
-# https://github.com/golang/go/issues/9369#issuecomment-69864440
-GOFLAGS += -installsuffix netgo
-LDFLAGS += -extldflags "-static"
+LDFLAGS += -extldflags '-static'
 endif
 
 .PHONY: all
 all: build test check
 
-# On a release build, rebuild everything (except stdlib)
-# to make sure that the 'release' build tag is taken
-# into account.
+# On a release build, rebuild everything to make sure that the
+# 'release' build tag is taken into account.
 .PHONY: release
 release: TAGS += release
 release: GOFLAGS += -a

From 971dac6f38205b08474762b8cb62eaeaf5e7763d Mon Sep 17 00:00:00 2001
From: Tamir Duberstein <tamird@gmail.com>
Date: Fri, 4 Dec 2015 08:07:19 -0500
Subject: [PATCH 3/3] DRY

---
 sql/pgwire_test.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sql/pgwire_test.go b/sql/pgwire_test.go
index aaa4cfe066d7..fab3e845ce46 100644
--- a/sql/pgwire_test.go
+++ b/sql/pgwire_test.go
@@ -34,8 +34,8 @@ import (
 	"github.com/cockroachdb/cockroach/util/leaktest"
 )
 
-func trivialQuery(datasource string) error {
-	db, err := sql.Open("postgres", datasource)
+func trivialQuery(pgUrl url.URL) error {
+	db, err := sql.Open("postgres", pgUrl.String())
 	if err != nil {
 		return err
 	}
@@ -74,7 +74,7 @@ func TestPGWire(t *testing.T) {
 			Scheme: "postgres",
 			Host:   net.JoinHostPort(host, port),
 		}
-		if err := trivialQuery(basePgUrl.String()); err != nil {
+		if err := trivialQuery(basePgUrl); err != nil {
 			if insecure {
 				if err != pq.ErrSSLNotSupported {
 					t.Fatal(err)
@@ -89,7 +89,7 @@ func TestPGWire(t *testing.T) {
 		{
 			disablePgUrl := basePgUrl
 			disablePgUrl.RawQuery = "sslmode=disable"
-			err := trivialQuery(disablePgUrl.String())
+			err := trivialQuery(disablePgUrl)
 			if insecure {
 				if err != nil {
 					t.Fatal(err)
@@ -104,7 +104,7 @@ func TestPGWire(t *testing.T) {
 		{
 			requirePgUrlNoCert := basePgUrl
 			requirePgUrlNoCert.RawQuery = "sslmode=require"
-			err := trivialQuery(requirePgUrlNoCert.String())
+			err := trivialQuery(requirePgUrlNoCert)
 			if insecure {
 				if err != pq.ErrSSLNotSupported {
 					t.Fatal(err)
@@ -124,7 +124,7 @@ func TestPGWire(t *testing.T) {
 					url.QueryEscape(tempCertPath),
 					url.QueryEscape(tempKeyPath),
 				)
-				err := trivialQuery(requirePgUrlWithCert.String())
+				err := trivialQuery(requirePgUrlWithCert)
 				if insecure {
 					if err != pq.ErrSSLNotSupported {
 						t.Fatal(err)