mod_md v2.4.19 from github sync

*) mod_md: a new directive `MDStoreLocks` can be used on cluster setups with a shared file system for `MDStoreDir` to order activation of renewed certificates when several cluster nodes are restarted at the same time. Store locks are not enabled by default. Restored curl_easy cleanup behaviour from v2.4.14 and refactored the use of curl_multi for OCSP requests to work with that. Fixes <https://github.com/icing/mod_md/issues/293>. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1903677 13f79535-47bb-0310-9956-ffa450edef68
author: Stefan Eissing <icing@apache.org> 2022-08-25 14:00:13 +0000
committer: Stefan Eissing <icing@apache.org> 2022-08-25 14:00:13 +0000
commit: f2b7303efa8c3a12d3f119ba100e633f685943b2 (patch)
tree: 8b789558fc52d2e51039474a8ec3179fc1a1b2df /test
parent: d0b4a30216b5c97ca493e657681af36dc79ecf98 (diff)
download: httpd-f2b7303efa8c3a12d3f119ba100e633f685943b2.tar.gz
2 files changed, 74 insertions, 0 deletions
diff --git a/test/modules/md/conftest.py b/test/modules/md/conftest.py
index 146d0316b9..04165a2dfc 100755
--- a/test/modules/md/conftest.py
+++ b/test/modules/md/conftest.py
@@ -51,6 +51,7 @@ def _session_scope(env):
         'AH10170',  # mod_md, wrong config, tested
         'AH10171',  # mod_md, wrong config, tested
         'AH10373',  # SSL errors on uncompleted handshakes
+        'AH10398',  # test on global store lock
     ])
 
     env.httpd_error_log.add_ignored_patterns([
@@ -61,6 +62,7 @@ def _session_scope(env):
         re.compile(r'.*problem\[urn:org:apache:httpd:log:AH\d+:].*'),
         re.compile(r'.*Unsuccessful in contacting ACME server at :*'),
         re.compile(r'.*test-md-720-002-\S+.org: dns-01 setup command failed .*'),
+        re.compile(r'.*AH\d*: unable to obtain global registry lock, .*'),
     ])
     if env.lacks_ocsp():
         env.httpd_error_log.add_ignored_patterns([
diff --git a/test/modules/md/test_820_locks.py b/test/modules/md/test_820_locks.py
new file mode 100644
index 0000000000..f7dde6a1cc
--- /dev/null
+++ b/test/modules/md/test_820_locks.py
@@ -0,0 +1,72 @@
+import os
+
+import pytest
+from filelock import Timeout, FileLock
+
+from .md_cert_util import MDCertUtil
+from .md_conf import MDConf
+from .md_env import MDTestEnv
+
+
+@pytest.mark.skipif(condition=not MDTestEnv.has_acme_server(),
+                    reason="no ACME test server configured")
+class TestLocks:
+
+    @pytest.fixture(autouse=True, scope='class')
+    def _class_scope(self, env, acme):
+        env.APACHE_CONF_SRC = "data/test_auto"
+        acme.start(config='default')
+        env.check_acme()
+        env.clear_store()
+
+    @pytest.fixture(autouse=True, scope='function')
+    def _method_scope(self, env, request):
+        env.clear_store()
+        self.test_domain = env.get_request_domain(request)
+
+    def configure_httpd(self, env, domains, add_lines=""):
+        conf = MDConf(env)
+        conf.add(add_lines)
+        conf.add_md(domains)
+        conf.add_vhost(domains)
+        conf.install()
+
+    # normal renewal with store locks activated
+    def test_md_820_001(self, env):
+        domain = self.test_domain
+        self.configure_httpd(env, [domain], add_lines=[
+            "MDStoreLocks 1s"
+        ])
+        assert env.apache_restart() == 0
+        assert env.await_completion([domain])
+
+    # renewal, with global lock held during restert
+    def test_md_820_002(self, env):
+        domain = self.test_domain
+        self.configure_httpd(env, [domain], add_lines=[
+            "MDStoreLocks 1s"
+        ])
+        assert env.apache_restart() == 0
+        assert env.await_completion([domain])
+        # we have a cert now, add a dns name to force renewal
+        certa = MDCertUtil(env.store_domain_file(domain, 'pubcert.pem'))
+        self.configure_httpd(env, [domain, f"x.{domain}"], add_lines=[
+            "MDStoreLocks 1s"
+        ])
+        assert env.apache_restart() == 0
+        # await new cert, but do not restart, keeps the cert in staging
+        assert env.await_completion([domain], restart=False)
+        # obtain global lock and restart
+        lockfile = os.path.join(env.store_dir, "store.lock")
+        with FileLock(lockfile):
+            assert env.apache_restart() == 0
+        # lock should have prevented staging from being activated,
+        # meaning we will have the same cert
+        certb = MDCertUtil(env.store_domain_file(domain, 'pubcert.pem'))
+        assert certa.same_serial_as(certb)
+        # now restart without lock
+        assert env.apache_restart() == 0
+        certc = MDCertUtil(env.store_domain_file(domain, 'pubcert.pem'))
+        assert not certa.same_serial_as(certc)
+
+
author	Stefan Eissing <icing@apache.org>	2022-08-25 14:00:13 +0000
committer	Stefan Eissing <icing@apache.org>	2022-08-25 14:00:13 +0000
commit	f2b7303efa8c3a12d3f119ba100e633f685943b2 (patch)
tree	8b789558fc52d2e51039474a8ec3179fc1a1b2df /test
parent	d0b4a30216b5c97ca493e657681af36dc79ecf98 (diff)
download	httpd-f2b7303efa8c3a12d3f119ba100e633f685943b2.tar.gz