Offer a way to start the RealJenkinsRule instance with https only #858
Conversation
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
| /** | ||
| * Creates a new instance using the default keystore type. | ||
| * @param path path of the keystore file. If it exists, it will be loaded automatically. | ||
| * @param password password for the keystore file. |
There was a problem hiding this comment.
Can this be optional, since for this kind of test we do not care about keystore passwords?
There was a problem hiding this comment.
Not for now; jenkinsci/winstone#417
is there a reason you need to access the RealJenkinsRule via the host name? if testing multiple RealJenkinsRules side by side and you want a nice jenkins-1 using some form of nip.io then would it not behove us to add a static SSL cert generated once and checked in (and skip generating on demand) that has subject altanmes for |
The point here is to test close to real life scenarios:
Each one using different https certificates (so external users must trust CA for the reverse proxy, then reverse proxy must trust CA from RJR instance). Checking in a static certificate would do if I had only one RealJenkinsRule instance, but I want guarantee that trust stores are setup appropriately so for test purpose, I think it is better to have a single certificate generated for each instance. |
This seems like a very specific setup useful for a very narrow set of plugins (one or two?). or employ shading in this project so that the library does not leak and will not affect plugins using the bouncycastle-api either regularly or in the PCT. |
| } | ||
|
|
||
| private static void log(JenkinsRule r) throws IOException { | ||
| LOGGER.info("Running on " + r.getURL().toExternalForm()); |
There was a problem hiding this comment.
Could strengthen this slightly to return the URL and show that it is https.
There was a problem hiding this comment.
Prints something like
[INFO] [stdout] 2024-10-10 12:53:16.687+0000 [id=94] INFO o.j.h.t.RealJenkinsRuleHttpsTest#log: Running on https://localhost:54912/jenkins/
There was a problem hiding this comment.
Yes, I just meant that the test JVM could assert that.
src/test/java/org/jvnet/hudson/test/RealJenkinsRuleHttpsTest.java
Outdated
Show resolved
Hide resolved
| var options = InboundAgentRule.Options | ||
| .newBuilder() | ||
| .name("remote") | ||
| .webSocket() |
There was a problem hiding this comment.
I guess either way this exercises the changes, since even a TCP agent would make an initial HTTP handshake by default. (InboundAgentRule does not support direct mode AFAIK.)
There was a problem hiding this comment.
TCP listener needs to be enabled explicitly on the controller side (otherwise the client gets <url> appears to be publishing an invalid X-Instance-Identity.) so I just went for the simplest option.
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
| subjectKeyIdentifier = hash | ||
|
|
||
| [ alternate_names ] | ||
| DNS.1 = localhost |
There was a problem hiding this comment.
I thought we would include at least *.localtest.me?
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
This allows to start
RealJenkinsRuleinstances listening on https instead of http.A self-signed certificate matching the given host name (or localhost if unspecified) is automatically generated (using bouncycastle)
Various methods are offered to allow callers to access the RealJenkinsRule clients to access the instance without disabling security.
Also added utilities related to key store and self-signed certificate management.
Testing done
Submitter checklist