BUG/MEDIUM: runtime: ensure heredoc payloads have a blank-line terminator

When connected to HAProxy in master-worker mode,
runtime_single_client.go appends ";quit\n" after the inner command.
For "<command> <<\n%s\n" heredocs (set ssl cert, add ssl ca-file,
set ssl crl-file, etc.) the resulting bytes on the wire are:

    <command> <<\n<payload>\n;quit\n

HAProxy's `<<` heredoc terminates only on a blank line, so when the
caller-supplied payload does not end with "\n" there is no blank
line between payload and ";quit". HAProxy stalls reading the socket
until the deadline fires, callers fall back to reload, and any layer
with a tighter HTTP timeout above sees `context deadline exceeded`
on the request.

Normalize each heredoc payload via a new terminateHeredocPayload
helper so the inner command always ends with "\n\n". Apply at every
site that builds a `<<` heredoc: set ssl cert, set/add ssl ca-file,
set ssl crl-file, set ssl ocsp-response, add map (versioned and
not), and add ssl crt-list extended-form.

Also fix the missing trailing "\n" in the SetCAFile format string
so the new payload "\n" plus the format "\n" produce the blank line.

Add TestHeredocPayloadAlwaysTerminated, which captures the bytes
written to a Unix socket for each affected command in both
master-worker and single-process modes and asserts a blank-line
terminator appears before any ";" character. Reverting any single
fix in this commit makes the corresponding subtest fail.

Reproducible on HAProxy 3.2 in master-worker mode by speaking the
master socket directly with the byte sequence this code previously
produced.

Author: aiharos

.aspell.yml

@@ -102,6 +102,8 @@ allowed:
   - gptstr
   - hapee
   - haproxy
+  - heredoc
+  - heredocs
   - healthcheck
   - healthz
   - hostname
@@ -191,6 +193,7 @@ allowed:
   - subnet
   - subresource
   - subresources
+  - subtest
   - sudo
   - symlinks
   - syslog

runtime/ca_files.go

@@ -111,7 +111,7 @@ func (s *SingleRuntime) SetCAFile(caFile, payload string) error {
 	if payload == "" {
 		return fmt.Errorf("%s %w", "Argument payload empty", native_errors.ErrGeneral)
 	}
-	cmd := fmt.Sprintf("set ssl ca-file %s <<\n%s", caFile, payload)
+	cmd := fmt.Sprintf("set ssl ca-file %s <<\n%s\n", caFile, terminateHeredocPayload(payload))
 	response, err := s.ExecuteWithResponse(cmd)
 	if err != nil {
 		return fmt.Errorf("%s %w", err.Error(), native_errors.ErrGeneral)
@@ -172,7 +172,7 @@ func (s *SingleRuntime) DeleteCAFile(caFile string) error {
 
 // AddCAFileEntry adds an entry into the CA file
 func (s *SingleRuntime) AddCAFileEntry(caFile, payload string) error {
-	cmd := fmt.Sprintf("add ssl ca-file %s <<\n%s\n", caFile, payload)
+	cmd := fmt.Sprintf("add ssl ca-file %s <<\n%s\n", caFile, terminateHeredocPayload(payload))
 	response, err := s.ExecuteWithResponse(cmd)
 	if err != nil {
 		return fmt.Errorf("%s %w", err.Error(), native_errors.ErrGeneral)

runtime/certs.go

@@ -209,7 +209,7 @@ func (s *SingleRuntime) SetCertificate(storageName string, payload string) error
 	if payload == "" {
 		return fmt.Errorf("%s %w", "Argument payload empty", native_errors.ErrGeneral)
 	}
-	cmd := fmt.Sprintf("set ssl cert %s <<\n%s\n", storageName, payload)
+	cmd := fmt.Sprintf("set ssl cert %s <<\n%s\n", storageName, terminateHeredocPayload(payload))
 	response, err := s.ExecuteWithResponse(cmd)
 	if err != nil {
 		return fmt.Errorf("%s %w", err.Error(), native_errors.ErrGeneral)

runtime/crl_files.go

@@ -225,7 +225,7 @@ func (s *SingleRuntime) SetCrlFile(crlFile string, payload string) error {
 	if payload == "" {
 		return fmt.Errorf("%s %w", "Argument payload empty", native_errors.ErrGeneral)
 	}
-	cmd := fmt.Sprintf("set ssl crl-file %s <<\n%s\n", crlFile, payload)
+	cmd := fmt.Sprintf("set ssl crl-file %s <<\n%s\n", crlFile, terminateHeredocPayload(payload))
 	response, err := s.ExecuteWithResponse(cmd)
 	if err != nil {
 		return fmt.Errorf("%s %w", err.Error(), native_errors.ErrGeneral)

runtime/crt_lists.go

@@ -189,6 +189,13 @@ func (s *SingleRuntime) AddCrtListEntry(crtList string, entry models.SslCrtListE
 		sb.WriteString(strings.Join(entry.SNIFilter, " "))
 	}
 	sb.WriteByte('\n')
+	if extended {
+		// HAProxy's `<<` heredoc terminates on a blank line; once the
+		// outer framing in runtime_single_client.go appends `;quit\n`,
+		// the lone `\n` above is consumed as the entry-line terminator
+		// and there is no blank line left, so the heredoc never ends.
+		sb.WriteByte('\n')
+	}
 
 	response, err := s.ExecuteWithResponse(sb.String())
 	if err != nil {

runtime/heredoc.go

@@ -0,0 +1,36 @@
+// Copyright 2025 HAProxy Technologies
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package runtime
+
+import "strings"
+
+// terminateHeredocPayload returns payload guaranteed to end with "\n".
+//
+// HAProxy's `<<` heredoc terminates only on a blank line. The conventional
+// command shape used in this package is "<command> <<\n<payload>\n", so for
+// the heredoc to terminate, payload itself must end with "\n" (producing
+// "\n\n" — a blank line — at the end of the command).
+//
+// Without that, the outer framing in runtime_single_client.go that appends
+// ";quit\n" (master-socket / worker > 0 path) places ";quit" immediately
+// after the payload's lone trailing newline — turning what should be the
+// blank-line terminator into a non-empty command line — and HAProxy then
+// blocks reading the socket until the deadline fires.
+func terminateHeredocPayload(payload string) string {
+	if strings.HasSuffix(payload, "\n") {
+		return payload
+	}
+	return payload + "\n"
+}

runtime/heredoc_test.go

@@ -0,0 +1,203 @@
+// Copyright 2025 HAProxy Technologies
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package runtime
+
+import (
+	"net"
+	"os"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/haproxytech/client-native/v6/models"
+	"github.com/haproxytech/client-native/v6/runtime/options"
+)
+
+// captureSocket is a minimal Unix-socket server that records every byte
+// a client writes after immediately sending a fixed reply. It exists so
+// these tests can assert the exact bytes client-native sends to HAProxy's
+// runtime API for heredoc commands.
+type captureSocket struct {
+	listener net.Listener
+	reply    string
+	mu       sync.Mutex
+	received []byte
+	addr     string
+}
+
+func newCaptureSocket(t *testing.T, reply string) *captureSocket {
+	t.Helper()
+	f, err := os.CreateTemp("", "client-native-cap-*")
+	if err != nil {
+		t.Fatalf("CreateTemp: %v", err)
+	}
+	addr := f.Name()
+	_ = f.Close()
+	_ = os.Remove(addr)
+	l, err := net.Listen("unix", addr)
+	if err != nil {
+		t.Fatalf("Listen: %v", err)
+	}
+	s := &captureSocket{listener: l, reply: reply, addr: addr}
+	go s.serve()
+	t.Cleanup(func() { _ = l.Close(); _ = os.Remove(addr) })
+	return s
+}
+
+func (s *captureSocket) serve() {
+	for {
+		conn, err := s.listener.Accept()
+		if err != nil {
+			return
+		}
+		go func(c net.Conn) {
+			defer c.Close()
+			// Send reply right away so the client's read loop sees data
+			// and unblocks; afterwards the client gets EOF when we close
+			// at the deferred Close, which lets readFromSocket return.
+			_, _ = c.Write([]byte(s.reply))
+			// Drain everything the client sends for up to 500ms.
+			_ = c.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+			buf := make([]byte, 4096)
+			var got []byte
+			for {
+				n, err := c.Read(buf)
+				if n > 0 {
+					got = append(got, buf[:n]...)
+				}
+				if err != nil {
+					break
+				}
+			}
+			s.mu.Lock()
+			s.received = append(s.received, got...)
+			s.mu.Unlock()
+		}(conn)
+	}
+}
+
+func (s *captureSocket) Received() string {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return string(s.received)
+}
+
+// assertHeredocTerminated checks that the bytes sent by the runtime client
+// contain a `<<\n` heredoc start AND that the payload after it is followed
+// by a blank line (\n\n) BEFORE any `;` command separator (which would
+// otherwise be interpreted as part of the heredoc body and stall HAProxy).
+func assertHeredocTerminated(t *testing.T, sent string) {
+	t.Helper()
+	idx := strings.Index(sent, "<<\n")
+	if idx < 0 {
+		t.Fatalf("no `<<\\n` heredoc start in sent bytes:\n%s", quoted(sent))
+	}
+	tail := sent[idx+len("<<\n"):]
+	blankLine := strings.Index(tail, "\n\n")
+	if blankLine < 0 {
+		t.Fatalf("heredoc payload is never followed by a blank line; HAProxy will hang.\n  sent: %s", quoted(sent))
+	}
+	if semi := strings.Index(tail, ";"); semi >= 0 && semi < blankLine {
+		t.Fatalf("`;` appears before the blank-line terminator at offset %d (blank line at %d).\n  Once the framing in runtime_single_client.go appends `;quit\\n`, HAProxy will interpret `;quit` as part of the heredoc body and stall.\n  sent: %s",
+			semi, blankLine, quoted(sent))
+	}
+}
+
+func quoted(s string) string { return `"` + strings.ReplaceAll(s, "\n", `\n`) + `"` }
+
+// TestHeredocPayloadAlwaysTerminated drives each runtime command that
+// builds a `<<` heredoc with a payload that explicitly does NOT end in
+// "\n", in both master-worker and single-process framing modes, and
+// asserts the bytes actually written to the socket are properly
+// terminated. Catches the class of bug where a missing payload `\n`
+// combined with the master-worker `;quit\n` framing leaves the heredoc
+// without a blank-line terminator and HAProxy stalls until the socket
+// deadline fires.
+func TestHeredocPayloadAlwaysTerminated(t *testing.T) {
+	const noTrailingNewline = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----"
+
+	commands := []struct {
+		name string
+		call func(s *SingleRuntime) error
+	}{
+		{
+			name: "SetCertificate",
+			call: func(s *SingleRuntime) error { return s.SetCertificate("/etc/cert.pem", noTrailingNewline) },
+		},
+		{
+			name: "SetCAFile",
+			call: func(s *SingleRuntime) error { return s.SetCAFile("/etc/ca.pem", noTrailingNewline) },
+		},
+		{
+			name: "AddCAFileEntry",
+			call: func(s *SingleRuntime) error { return s.AddCAFileEntry("/etc/ca.pem", noTrailingNewline) },
+		},
+		{
+			name: "SetCrlFile",
+			call: func(s *SingleRuntime) error { return s.SetCrlFile("/etc/crl.pem", noTrailingNewline) },
+		},
+		{
+			name: "SetOcspResponse",
+			call: func(s *SingleRuntime) error { return s.SetOcspResponse(noTrailingNewline) },
+		},
+		{
+			name: "AddMapPayload",
+			call: func(s *SingleRuntime) error { return s.AddMapPayload("/etc/map", "k1 v1\nk2 v2") },
+		},
+		{
+			name: "AddMapPayloadVersioned",
+			call: func(s *SingleRuntime) error { return s.AddMapPayloadVersioned("1", "/etc/map", "k1 v1\nk2 v2") },
+		},
+		{
+			name: "AddCrtListEntry-extended",
+			call: func(s *SingleRuntime) error {
+				return s.AddCrtListEntry("/etc/crt-list", models.SslCrtListEntry{
+					File:          "/etc/cert.pem",
+					SSLBindConfig: "verify required",
+				})
+			},
+		},
+	}
+
+	for _, mode := range []struct {
+		name             string
+		masterWorkerMode bool
+	}{
+		{"master-worker", true},
+		{"single-process", false},
+	} {
+		for _, cmd := range commands {
+			t.Run(mode.name+"/"+cmd.name, func(t *testing.T) {
+				mock := newCaptureSocket(t, " Transaction created for certificate /etc/cert.pem!\n\n")
+
+				s := &SingleRuntime{}
+				if err := s.Init(mock.addr, mode.masterWorkerMode, options.RuntimeOptions{DoNotCheckRuntimeOnInit: true}); err != nil {
+					t.Fatalf("Init: %v", err)
+				}
+				// Return value of the call is not checked: the mock doesn't
+				// emit a real success response for every command shape, so
+				// some calls legitimately error. What we care about is the
+				// bytes that hit the wire before that.
+				_ = cmd.call(s)
+
+				// Give the serve goroutine a moment to drain.
+				time.Sleep(50 * time.Millisecond)
+
+				assertHeredocTerminated(t, mock.Received())
+			})
+		}
+	}
+}

runtime/maps.go

@@ -230,7 +230,7 @@ func (s *SingleRuntime) AddMapEntryVersioned(version, name, key, value string) e
 func (s *SingleRuntime) AddMapPayload(name, payload string) error {
 	prefix := "<<\n"
 	if len(payload) < len(prefix) || payload[0:len(prefix)] != prefix {
-		payload = "<<\n" + payload + "\n"
+		payload = "<<\n" + terminateHeredocPayload(payload) + "\n"
 	}
 	cmd := fmt.Sprintf("add map %s %s", name, payload)
 	if err := s.Execute(cmd); err != nil {
@@ -259,7 +259,7 @@ func (s *SingleRuntime) PrepareMap(name string) (string, error) {
 func (s *SingleRuntime) AddMapPayloadVersioned(version, name, payload string) error {
 	prefix := "<<\n"
 	if len(payload) < len(prefix) || payload[0:len(prefix)] != prefix {
-		payload = "<<\n" + payload + "\n"
+		payload = "<<\n" + terminateHeredocPayload(payload) + "\n"
 	}
 	cmd := fmt.Sprintf("add map @%s %s %s", version, name, payload)
 	if err := s.Execute(cmd); err != nil {

runtime/ocsp.go

@@ -241,7 +241,7 @@ func (s *SingleRuntime) SetOcspResponse(payload string) error {
 	if payload == "" {
 		return fmt.Errorf("%s %w", "Argument payload empty", native_errors.ErrGeneral)
 	}
-	cmd := fmt.Sprintf("set ssl ocsp-response <<\n%s\n", payload)
+	cmd := fmt.Sprintf("set ssl ocsp-response <<\n%s\n", terminateHeredocPayload(payload))
 	response, err := s.ExecuteWithResponse(cmd)
 	if err != nil {
 		return fmt.Errorf("%s %w", err.Error(), native_errors.ErrGeneral)