Put features.Reset in unitest setup functions. (letsencrypt#4129)

jsha · Roland Bracewell Shoemaker · commit ff3129247dff · 2019-04-02T10:14:38.000-07:00
Previously we relied on each instance of `features.Set` to have a corresponding `defer features.Reset()`. If we forget that, we can wind up with unexpected behavior where features set in one test case leak into another test case. This led to the bug in letsencrypt#4118 going undetected. Fix letsencrypt#4120
diff --git a/cmd/ocsp-updater/main_test.go b/cmd/ocsp-updater/main_test.go
@@ -11,7 +11,6 @@ import (
 	caPB "github.com/letsencrypt/boulder/ca/proto"
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
-	"github.com/letsencrypt/boulder/features"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/revocation"
@@ -312,12 +311,6 @@ func TestOldOCSPResponsesTick(t *testing.T) {
 // that are expired but whose certificate status rows do not have `IsExpired`
 // set.
 func TestOldOCSPResponsesTickIsExpired(t *testing.T) {
-	// Explicitly enable the CertStatusOptimizationsMigrated feature so the OCSP
-	// updater can use the `IsExpired` field. This must be done before `setup()`
-	// so the correct dbMap associations are used
-	_ = features.Set(map[string]bool{"CertStatusOptimizationsMigrated": true})
-	defer features.Reset()
-
 	updater, sa, dbMap, fc, cleanUp := setup(t)
 	defer cleanUp()
 
diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -218,6 +218,8 @@ func (r *dummyRateLimitConfig) LoadPolicies(contents []byte) error {
 }
 
 func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAuthority, *RegistrationAuthorityImpl, clock.FakeClock, func()) {
+	features.Reset()
+
 	err := json.Unmarshal(AccountKeyJSONA, &AccountKeyA)
 	test.AssertNotError(t, err, "Failed to unmarshal public JWK")
 	err = json.Unmarshal(AccountKeyJSONB, &AccountKeyB)
@@ -1207,7 +1209,6 @@ func TestEarlyOrderRateLimiting(t *testing.T) {
 	// Start with the feature flag enabled.
 	err := features.Set(map[string]bool{"EarlyOrderRateLimit": true})
 	test.AssertNotError(t, err, "Failed to set EarlyOrderRateLimit feature flag")
-	defer features.Reset()
 
 	// Request an order for the test domain
 	newOrder := &rapb.NewOrderRequest{
diff --git a/sa/sa_test.go b/sa/sa_test.go
@@ -41,6 +41,8 @@ var ctx = context.Background()
 // initSA constructs a SQLStorageAuthority and a clean up function
 // that should be defer'ed to the end of the test.
 func initSA(t *testing.T) (*SQLStorageAuthority, clock.FakeClock, func()) {
+	features.Reset()
+
 	dbMap, err := NewDbMap(vars.DBConnSA, 0)
 	if err != nil {
 		t.Fatalf("Failed to create dbMap: %s", err)
@@ -2313,7 +2315,6 @@ func TestAddCertificateRenewalBit(t *testing.T) {
 
 	err := features.Set(map[string]bool{"SetIssuedNamesRenewalBit": true})
 	test.AssertNotError(t, err, "Failed to enable SetIssuedNamesRenewalBit feature flag")
-	defer features.Reset()
 
 	reg := satest.CreateWorkingRegistration(t, sa)
 
@@ -2386,7 +2387,6 @@ func TestCountCertificatesRenewalBit(t *testing.T) {
 		"AllowRenewalFirstRL":      true,
 	})
 	test.AssertNotError(t, err, "Failed to enable required features flag")
-	defer features.Reset()
 
 	// Create a test registration
 	reg := satest.CreateWorkingRegistration(t, sa)
diff --git a/va/caa_test.go b/va/caa_test.go
@@ -199,11 +199,6 @@ func TestCAATimeout(t *testing.T) {
 }
 
 func TestCAAChecking(t *testing.T) {
-	if err := features.Set(map[string]bool{"CAAValidationMethods": true, "CAAAccountURI": true}); err != nil {
-		t.Fatalf("Failed to enable feature: %v", err)
-	}
-	defer features.Reset()
-
 	testCases := []struct {
 		Name    string
 		Domain  string
@@ -403,6 +398,10 @@ func TestCAAChecking(t *testing.T) {
 	params := &caaParams{accountURIID: &accountURIID, validationMethod: &method}
 
 	va, _ := setup(nil, 0, "", nil)
+	if err := features.Set(map[string]bool{"CAAValidationMethods": true, "CAAAccountURI": true}); err != nil {
+		t.Fatalf("Failed to enable feature: %v", err)
+	}
+
 	va.dnsClient = caaMockDNS{}
 	va.accountURIPrefixes = []string{"https://letsencrypt.org/acct/reg/"}
 	for _, caaTest := range testCases {
diff --git a/va/va_test.go b/va/va_test.go
@@ -1195,6 +1195,8 @@ func setup(
 	maxRemoteFailures int,
 	userAgent string,
 	remoteVAs []RemoteVA) (*ValidationAuthorityImpl, *blog.Mock) {
+	features.Reset()
+
 	logger := blog.NewMock()
 
 	if userAgent == "" {
diff --git a/wfe/wfe_test.go b/wfe/wfe_test.go
@@ -374,6 +374,8 @@ var testKeyPolicy = goodkey.KeyPolicy{
 var ctx = context.Background()
 
 func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock) {
+	features.Reset()
+
 	fc := clock.NewFake()
 	stats := metrics.NewNoopScope()
 
@@ -1748,7 +1750,6 @@ func TestAuthorization(t *testing.T) {
 	mux := wfe.Handler()
 
 	_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
-	defer features.Reset()
 
 	responseWriter := httptest.NewRecorder()
 
@@ -2558,7 +2559,6 @@ func TestPrepChallengeForDisplay(t *testing.T) {
 	test.AssertEquals(t, chall.URI, "http://example.com/acme/challenge/eyup/0")
 
 	_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
-	defer features.Reset()
 	authz.V2 = true
 	wfe.prepChallengeForDisplay(req, authz, chall)
 	test.AssertEquals(t, chall.URI, "http://example.com/acme/challenge/v2/eyup/iFVMwA==")
@@ -2630,9 +2630,8 @@ func TestNewRegistrationGetKeyBroken(t *testing.T) {
 }
 
 func TestChallengeNewIDScheme(t *testing.T) {
-	_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
-	defer features.Reset()
 	wfe, _ := setupWFE(t)
+	_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
 
 	for _, tc := range []struct {
 		path     string
diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
@@ -342,6 +342,8 @@ var testKeyPolicy = goodkey.KeyPolicy{
 var ctx = context.Background()
 
 func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock) {
+	features.Reset()
+
 	fc := clock.NewFake()
 	stats := metrics.NewNoopScope()
 
@@ -1417,7 +1419,6 @@ func TestGetAuthorization(t *testing.T) {
 	wfe, _ := setupWFE(t)
 
 	_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
-	defer features.Reset()
 
 	// Expired authorizations should be inaccessible
 	authzURL := "expired"
@@ -2842,7 +2843,6 @@ func TestPrepAuthzForDisplay(t *testing.T) {
 	test.AssertEquals(t, chal.ProvidedKeyAuthorization, "")
 
 	_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
-	defer features.Reset()
 	authz.ID = "12345"
 	authz.V2 = true
 	wfe.prepAuthorizationForDisplay(&http.Request{Host: "localhost"}, authz)
@@ -2891,9 +2891,8 @@ func TestFinalizeSCTError(t *testing.T) {
 }
 
 func TestChallengeNewIDScheme(t *testing.T) {
-	_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
-	defer features.Reset()
 	wfe, _ := setupWFE(t)
+	_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
 
 	for _, tc := range []struct {
 		path     string
