fix(sdk): wait for streams to close before shutting down server

Author: joe0BAB

internal/ipc/ipc.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/yamux"
+	"github.com/sirupsen/logrus"
 )
 
 const (
@@ -56,7 +57,7 @@ type ipcServer struct {
 	err    error
 }
 
-func newIpcServer(l net.Listener, handler http.Handler, onClose func(error) error) *ipcServer {
+func newIpcServer(l net.Listener, handler http.Handler, afterClose func(error) error) *ipcServer {
 	result := &ipcServer{
 		done: make(chan struct{}),
 		server: &http.Server{
@@ -68,7 +69,7 @@ func newIpcServer(l net.Listener, handler http.Handler, onClose func(error) erro
 		if errors.Is(err, http.ErrServerClosed) { // not an error, client closed the connection
 			err = nil
 		}
-		result.err = errors.Join(filterEOF(err), onClose(err)) // EOF: only forward to the onClose handler, but filter out internal forwarding
+		result.err = errors.Join(filterEOF(err), afterClose(err)) // EOF: only forward to the afterClose handler, but filter out internal forwarding
 		close(result.done)
 	}()
 	return result
@@ -99,16 +100,36 @@ func newMuxedIPC(session *yamux.Session, handler http.Handler, onClose func(erro
 		}
 		return session.Close()
 	})
+	c := createYamuxedClient(session)
 	return &ipcImpl{
 		server: server,
 		teardown: sync.OnceValue(func() error {
-			ctx, cancel := context.WithTimeout(context.Background(), cfg.shutdownTimeout)
-			defer cancel()
-			err := server.server.Shutdown(ctx)
+			_ = session.GoAway()
+			c.CloseIdleConnections()
+			waitForClientToDisconnect(session, cfg.shutdownTimeout)
+			err := server.server.Close()
 			<-server.done
-			return errors.Join(err, session.Close(), server.err)
+			return errors.Join(err, server.err)
 		}),
-	}, createYamuxedClient(session)
+	}, c
+}
+
+func waitForClientToDisconnect(s *yamux.Session, t time.Duration) {
+	timeout := time.After(t)
+	for {
+		select {
+		case <-time.After(50 * time.Millisecond):
+		case <-timeout:
+			logrus.Debugf("Timeout expired but %d streams still open, shutting down server...", s.NumStreams())
+			return
+		}
+		streams := s.NumStreams()
+		// 1 stream is the control stream (todo: verify)
+		// TODO: https://github.com/docker/secrets-engine/issues/71
+		if streams <= 1 {
+			return
+		}
+	}
 }
 
 func (i *ipcImpl) Close() error {

pkg/adaptation/plugin_test.go

@@ -21,19 +21,37 @@ const (
 	mockSecretID    = secrets.ID("mockSecretID")
 )
 
-var (
-	mockPlugin = &mockedPlugin{
-		pattern: "*",
-		id:      mockSecretID,
-	}
-)
-
 type mockedPlugin struct {
 	pattern      string
 	id           secrets.ID
 	configureErr error
 }
 
+type MockedPluginOption func(*mockedPlugin)
+
+func newMockedPlugin(options ...MockedPluginOption) *mockedPlugin {
+	m := &mockedPlugin{
+		pattern: "*",
+		id:      mockSecretID,
+	}
+	for _, opt := range options {
+		opt(m)
+	}
+	return m
+}
+
+func WithPattern(pattern string) MockedPluginOption {
+	return func(mp *mockedPlugin) {
+		mp.pattern = pattern
+	}
+}
+
+func WithID(id secrets.ID) MockedPluginOption {
+	return func(mp *mockedPlugin) {
+		mp.id = id
+	}
+}
+
 func (m mockedPlugin) GetSecret(context.Context, secrets.Request) (secrets.Envelope, error) {
 	return secrets.Envelope{ID: m.id, Value: []byte(mockSecretValue)}, nil
 }
@@ -59,27 +77,90 @@ func Test_newExternalPlugin(t *testing.T) {
 	}{
 		{
 			name: "create external plugin",
+			test: func(t *testing.T, l net.Listener, conn net.Conn) {
+				doneRuntime := make(chan struct{})
+				go func() {
+					p := mockExternalPluginRuntime(t, l)
+					e, err := p.GetSecret(t.Context(), secrets.Request{ID: mockSecretID})
+					assert.NoError(t, err)
+					assert.Equal(t, mockSecretValue, string(e.Value))
+					assert.NoError(t, p.close())
+					close(doneRuntime)
+				}()
+
+				s, err := p.New(newMockedPlugin(), p.WithPluginName("my-plugin"), p.WithConnection(conn))
+				require.NoError(t, err)
+				assert.NoError(t, s.Run(context.Background()))
+				<-doneRuntime
+			},
+		},
+		{
+			name: "plugin returns error on GetSecret",
+			test: func(t *testing.T, l net.Listener, conn net.Conn) {
+				doneRuntime := make(chan struct{})
+				go func() {
+					p := mockExternalPluginRuntime(t, l)
+					_, err := p.GetSecret(t.Context(), secrets.Request{ID: mockSecretID})
+					assert.ErrorContains(t, err, "id mismatch")
+					assert.NoError(t, p.close())
+					close(doneRuntime)
+				}()
+
+				s, err := p.New(newMockedPlugin(WithID("rewrite-id")), p.WithPluginName("my-plugin"), p.WithConnection(conn))
+				require.NoError(t, err)
+				assert.NoError(t, s.Run(context.Background()))
+				<-doneRuntime
+			},
+		},
+		{
+			name: "cancelling plugin.run() shuts down the runtime",
+			test: func(t *testing.T, l net.Listener, conn net.Conn) {
+				doneRuntime := make(chan struct{})
+				donePlugin := make(chan struct{})
+				downRuntime := make(chan struct{})
+				go func() {
+					p := mockExternalPluginRuntime(t, l)
+					e, err := p.GetSecret(t.Context(), secrets.Request{ID: mockSecretID})
+					assert.NoError(t, err)
+					assert.Equal(t, mockSecretValue, string(e.Value))
+					close(doneRuntime)
+					<-donePlugin
+					assert.NoError(t, p.close())
+					close(downRuntime)
+				}()
+
+				s, err := p.New(newMockedPlugin(), p.WithPluginName("my-plugin"), p.WithConnection(conn))
+				require.NoError(t, err)
+				ctx, cancel := context.WithCancel(t.Context())
+
+				go func() {
+					assert.NoError(t, s.Run(ctx))
+					close(donePlugin)
+				}()
+				<-doneRuntime
+				cancel()
+				<-downRuntime
+			},
+		},
+		{
+			name: "plugins with invalid patterns are rejected",
 			test: func(t *testing.T, l net.Listener, conn net.Conn) {
 				doneRuntime := make(chan struct{})
 				go func() {
 					conn, err := l.Accept()
 					require.NoError(t, err)
 
-					p, err := newExternalPlugin(conn, setupValidator{
+					_, err = newExternalPlugin(conn, setupValidator{
 						out:           pluginCfgOut{engineName: "test-engine", engineVersion: "1.0.0", requestTimeout: 30 * time.Second},
 						acceptPattern: func(secrets.Pattern) error { return nil },
 					})
-					require.NoError(t, err)
-					e, err := p.GetSecret(t.Context(), secrets.Request{ID: mockSecretID})
-					assert.NoError(t, err)
-					assert.Equal(t, mockSecretValue, string(e.Value))
-					assert.NoError(t, p.close())
+					assert.ErrorContains(t, err, "invalid pattern")
 					close(doneRuntime)
 				}()
 
-				s, err := p.New(mockPlugin, p.WithPluginName("my-plugin"), p.WithConnection(conn))
+				s, err := p.New(newMockedPlugin(WithPattern("a*a")), p.WithPluginName("my-plugin"), p.WithConnection(conn))
 				require.NoError(t, err)
-				assert.NoError(t, s.Run(context.Background()))
+				assert.ErrorContains(t, s.Run(t.Context()), "invalid pattern")
 				<-doneRuntime
 			},
 		},
@@ -101,3 +182,15 @@ func Test_newExternalPlugin(t *testing.T) {
 		})
 	}
 }
+
+func mockExternalPluginRuntime(t *testing.T, l net.Listener) *plugin {
+	conn, err := l.Accept()
+	require.NoError(t, err)
+
+	p, err := newExternalPlugin(conn, setupValidator{
+		out:           pluginCfgOut{engineName: "test-engine", engineVersion: "1.0.0", requestTimeout: 30 * time.Second},
+		acceptPattern: func(secrets.Pattern) error { return nil },
+	})
+	require.NoError(t, err)
+	return p
+}

pkg/adaptation/registration.go

@@ -42,16 +42,15 @@ type RegisterService struct {
 
 func (r *RegisterService) RegisterPlugin(ctx context.Context, c *connect.Request[resolverv1.RegisterPluginRequest]) (*connect.Response[resolverv1.RegisterPluginResponse], error) {
 	logrus.Infof("Reveived plugin registration request: %s@%s (pattern: %v)", c.Msg.GetName(), c.Msg.GetVersion(), c.Msg.GetPattern())
-	pattern, err := secrets.ParsePattern(c.Msg.GetPattern())
-	if err != nil {
-		return nil, connect.NewError(connect.CodeInvalidArgument, err)
-	}
 	in := pluginCfgIn{
 		name:    c.Msg.GetName(),
 		version: c.Msg.GetVersion(),
-		pattern: pattern,
+		pattern: secrets.Pattern(c.Msg.GetPattern()),
 	}
 	out, err := r.r.register(ctx, in)
+	if errors.Is(err, secrets.ErrInvalidPattern) {
+		return nil, connect.NewError(connect.CodeInvalidArgument, err)
+	}
 	if err != nil {
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}

pkg/adaptation/registration_test.go

@@ -148,14 +148,6 @@ func Test_RegisterPlugin(t *testing.T) {
 		in   pluginCfgIn
 		test func(t *testing.T, resp *connect.Response[resolverv1.RegisterPluginResponse], err error)
 	}{
-		{
-			name: "invalid pattern",
-			r:    mockPluginRegistratorOK(t),
-			in:   pluginCfgIn{pattern: "*a*"},
-			test: func(t *testing.T, _ *connect.Response[resolverv1.RegisterPluginResponse], err error) {
-				assert.ErrorContains(t, err, "invalid pattern")
-			},
-		},
 		{
 			name: "registration fails",
 			r:    mockPluginRegistratorErr(t),

pkg/adaptation/setup.go

@@ -53,7 +53,7 @@ func setup(conn net.Conn, v setupValidator) (*setupResult, error) {
 	case r := <-chRegistrationResult:
 		if r.err != nil {
 			i.Close()
-			return nil, fmt.Errorf("failed to register plugin: %w", err)
+			return nil, fmt.Errorf("failed to register plugin: %w", r.err)
 		}
 		out = r.cfg
 	case err := <-chIpcErr:
@@ -72,6 +72,9 @@ func setup(conn net.Conn, v setupValidator) (*setupResult, error) {
 }
 
 func (p setupValidator) Validate(in pluginCfgIn) (*pluginCfgOut, error) {
+	if err := in.pattern.Valid(); err != nil {
+		return nil, err
+	}
 	if p.name != "" && in.name != p.name {
 		return nil, errors.New("plugin name cannot be changed when launched by engine")
 	}