From 4c19d19cf5b3fcecd5ca6a0c1b3d68c254efe379 Mon Sep 17 00:00:00 2001
From: Brad Warren
Date: Fri, 30 Jun 2017 11:30:21 -0400
Subject: [PATCH] Test that deploy and renew hooks are saved right

It is important that both renew and deploy hooks are saved as renew_hook in renewal configuration files to preserve forwards compatibility.
---
 tests/boulder-integration.sh | 59 +++++++++++++++++++++++++++---------
 tests/integration/_common.sh | 5 +--
 2 files changed, 47 insertions(+), 17 deletions(-)

diff --git a/tests/boulder-integration.sh b/tests/boulder-integration.sh
index a356da884..181dcc5fb 100755
--- a/tests/boulder-integration.sh
+++ b/tests/boulder-integration.sh
@@ -78,25 +78,47 @@ CheckHooks() {
 rm "$HOOK_TEST"
 }
 
-# Checks if deploy was run and deletes the hook file
-CheckDeployHook() {
+# Checks if deploy is in the hook output and deletes the file
+DeployInHookOutput() {
 CONTENTS=$(cat "$HOOK_TEST")
 rm "$HOOK_TEST"
 grep deploy <(echo "$CONTENTS")
 }
 
-# Asserts the deploy hook was run and deletes the hook file
-AssertDeployHook() {
- if ! CheckDeployHook; then
- echo "The deploy hook wasn't run" >&2
+# Asserts that there is a saved renew_hook for a lineage.
+#
+# Arguments:
+# Name of lineage to check
+CheckSavedRenewHook() {
+ if ! grep renew_hook "$config_dir/renewal/$1.conf"; then
+ echo "Hook wasn't saved as renew_hook" >&2
+ exit 1
 fi
 }
 
-# Asserts the deploy hook wasn't run and deletes the hook file
-AssertNoDeployHook() {
- if CheckDeployHook; then
- echo "The deploy hook was incorrectly run" >&2
+# Asserts the deploy hook was properly run and saved and deletes the hook file
+#
+# Arguments:
+# Lineage name of the issued cert
+CheckDeployHook() {
+ if ! DeployInHookOutput; then
+ echo "The deploy hook wasn't run" >&2
+ exit 1
 fi
+ CheckSavedRenewHook $1
+}
+
+# Asserts the renew hook wasn't run but was saved and deletes the hook file
+#
+# Arguments:
+# Lineage name of the issued cert
+# Asserts the deploy hook wasn't run and deletes the hook file
+CheckRenewHook() {
+ if DeployInHookOutput; then
+ echo "The renew hook was incorrectly run" >&2
+ exit 1
+ fi
+ CheckSavedRenewHook $1
 }
 
 # Cleanup coverage data
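Review bot: `CheckSavedRenewHook` passes on any line of the renewal file that merely contains the substring `renew_hook`, so it does not show that the command given on the command line is what was persisted, nor that no separate deploy-hook key was written next to it. The saved value is what will be executed on later renewals, so it is worth pinning: anchor the match and compare the value, for example `grep '^renew_hook = echo deploy' "$config_dir/renewal/$1.conf"` (the exact key/value layout of the file is not visible here, so adjust the pattern to it). `$1` should be quoted in both `CheckSavedRenewHook $1` calls. The comment block above `CheckRenewHook` still ends with the leftover line `# Asserts the deploy hook wasn't run and deletes the hook file` after its Arguments section; that line should be dropped.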
@@ -126,36 +148,43 @@ common plugins --init --prepare | grep webroot
 
 python ./tests/run_http_server.py $http_01_port &
 python_server_pid=$!
+certname="le1.wtf"
 common --domains le1.wtf --preferred-challenges tls-sni-01 auth \
+ --cert-name $certname \
 --pre-hook 'echo wtf.pre >> "$HOOK_TEST"' \
 --post-hook 'echo wtf.post >> "$HOOK_TEST"'\
 --deploy-hook 'echo deploy >> "$HOOK_TEST"'
 kill $python_server_pid
-AssertDeployHook
+CheckDeployHook $certname
 
 python ./tests/run_http_server.py $tls_sni_01_port &
 python_server_pid=$!
+certname="le2.wtf"
 common --domains le2.wtf --preferred-challenges http-01 run \
+ --cert-name $certname \
 --pre-hook 'echo wtf.pre >> "$HOOK_TEST"' \
 --post-hook 'echo wtf.post >> "$HOOK_TEST"'\
 --deploy-hook 'echo deploy >> "$HOOK_TEST"'
 kill $python_server_pid
-AssertDeployHook
+CheckDeployHook $certname
 
-common certonly -a manual -d le.wtf --rsa-key-size 4096 \
+certname="le.wtf"
+common certonly -a manual -d le.wtf --rsa-key-size 4096 --cert-name $certname \
 --manual-auth-hook ./tests/manual-http-auth.sh \
 --manual-cleanup-hook ./tests/manual-http-cleanup.sh \
 --pre-hook 'echo wtf2.pre >> "$HOOK_TEST"' \
 --post-hook 'echo wtf2.post >> "$HOOK_TEST"' \
 --renew-hook 'echo deploy >> "$HOOK_TEST"'
-AssertNoDeployHook
+CheckRenewHook $certname
 
+certname="dns.le.wtf"
 common -a manual -d dns.le.wtf --preferred-challenges dns,tls-sni run \
+ --cert-name $certname \
 --manual-auth-hook ./tests/manual-dns-auth.sh \
 --pre-hook 'echo wtf2.pre >> "$HOOK_TEST"' \
 --post-hook 'echo wtf2.post >> "$HOOK_TEST"' \
 --renew-hook 'echo deploy >> "$HOOK_TEST"'
-AssertNoDeployHook
+CheckRenewHook $certname
 
 common certonly --cert-name newname -d newname.le.wtf
 
diff --git a/tests/integration/_common.sh b/tests/integration/_common.sh
index 48d20eb3b..d151bdc3f 100755
--- a/tests/integration/_common.sh
+++ b/tests/integration/_common.sh
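Review bot: In the second hunk of tests/boulder-integration.sh, `$certname` is expanded unquoted in every `--cert-name $certname`, `CheckDeployHook $certname` and `CheckRenewHook $certname`, and each name is written twice, once in `certname=` and once as the `--domains`/`-d` value. Quoting the expansions and reusing the variable for the domain keeps each invocation to a single spelling of the name, e.g. `common --domains "$certname" ... --cert-name "$certname"` followed by `CheckDeployHook "$certname"`. The values are constants today, so this is a style point rather than a defect.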
@@ -2,12 +2,13 @@
 # the kernel to use.
 root=${root:-$(mktemp -d -t leitXXXX)}
 echo "Root integration tests directory: $root"
-store_flags="--config-dir $root/conf --work-dir $root/work"
+config_dir="$root/conf"
+store_flags="--config-dir $config_dir --work-dir $root/work"
 store_flags="$store_flags --logs-dir $root/logs"
 tls_sni_01_port=5001
 http_01_port=5002
 sources="acme/,$(ls -dm certbot*/ | tr -d ' \n')"
-export root store_flags tls_sni_01_port http_01_port sources
+export root config_dir store_flags tls_sni_01_port http_01_port sources
 
 certbot_test () {
 certbot_test_no_force_renew \
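Review bot: `config_dir` is introduced and exported without a comment, although it is now a contract between this file and the tests: `CheckSavedRenewHook` in tests/boulder-integration.sh reads `$config_dir/renewal/<lineage>.conf`, which only works while the same path is passed as `--config-dir` in `store_flags`. A one-line comment above the assignment would record that, e.g. `# Also read directly by the tests (renewal/*.conf); must match --config-dir below`. Unlike `root`, it is assigned unconditionally, so a `config_dir` already exported by the caller is overwritten; if that is intended, the comment could say so. The `certbot_test` definition at the end of the hunk continues outside it.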