-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Offer a way to start the RealJenkinsRule instance with https only #858
Conversation
Co-authored-by: Jesse Glick <[email protected]>
/** | ||
* Creates a new instance using the default keystore type. | ||
* @param path path of the keystore file. If it exists, it will be loaded automatically. | ||
* @param password password for the keystore file. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be optional, since for this kind of test we do not care about keystore passwords?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not for now; jenkinsci/winstone#417
is there a reason you need to access the RealJenkinsRule via the host name? if testing multiple RealJenkinsRules side by side and you want a nice jenkins-1 using some form of nip.io then would it not behove us to add a static SSL cert generated once and checked in (and skip generating on demand) that has subject altanmes for |
The point here is to test close to real life scenarios:
Each one using different https certificates (so external users must trust CA for the reverse proxy, then reverse proxy must trust CA from RJR instance). Checking in a static certificate would do if I had only one RealJenkinsRule instance, but I want guarantee that trust stores are setup appropriately so for test purpose, I think it is better to have a single certificate generated for each instance. |
This seems like a very specific setup useful for a very narrow set of plugins (one or two?). or employ shading in this project so that the library does not leak and will not affect plugins using the bouncycastle-api either regularly or in the PCT. |
} | ||
|
||
private static void log(JenkinsRule r) throws IOException { | ||
LOGGER.info("Running on " + r.getURL().toExternalForm()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could strengthen this slightly to return the URL and show that it is https
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prints something like
[INFO] [stdout] 2024-10-10 12:53:16.687+0000 [id=94] INFO o.j.h.t.RealJenkinsRuleHttpsTest#log: Running on https://localhost:54912/jenkins/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I just meant that the test JVM could assert that.
src/test/java/org/jvnet/hudson/test/RealJenkinsRuleHttpsTest.java
Outdated
Show resolved
Hide resolved
var options = InboundAgentRule.Options | ||
.newBuilder() | ||
.name("remote") | ||
.webSocket() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess either way this exercises the changes, since even a TCP agent would make an initial HTTP handshake by default. (InboundAgentRule
does not support direct mode AFAIK.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TCP listener needs to be enabled explicitly on the controller side (otherwise the client gets <url> appears to be publishing an invalid X-Instance-Identity.
) so I just went for the simplest option.
Co-authored-by: Jesse Glick <[email protected]>
subjectKeyIdentifier = hash | ||
|
||
[ alternate_names ] | ||
DNS.1 = localhost |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought we would include at least *.localtest.me
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not needed for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good AFAICT
This allows to start
RealJenkinsRule
instances listening on https instead of http.A self-signed certificate matching the given host name (or localhost if unspecified) is automatically generated (using bouncycastle)
Various methods are offered to allow callers to access the RealJenkinsRule clients to access the instance without disabling security.
Also added utilities related to key store and self-signed certificate management.
Testing done
Submitter checklist