Rewrite TLS test for the rest-client and reactive-rest-client

- Remove the trust store maven plugin which has not be super reliable recently on CI - Use the cert generator instead - Make sure the tests are not tainted with a quarkus.tls.trust-all=true - did not use the certificate annotation as the certificates are required to start the test resources, and it would require annotating all the test cases (as the order is undefined)
quarkusio · Jul 23, 2024 · 8b15c3a · 8b15c3a
1 parent 1748f93
commit 8b15c3a
Show file tree

Hide file tree

Showing 22 changed files with 281 additions and 168 deletions.
diff --git a/build-parent/pom.xml b/build-parent/pom.xml
@@ -115,7 +115,6 @@
         <asciidoctor-maven-plugin.version>2.0.0</asciidoctor-maven-plugin.version>
         <docker-maven-plugin.version>0.44.0</docker-maven-plugin.version>
         <maven-invoker-plugin.version>3.7.0</maven-invoker-plugin.version>
-        <truststore-maven-plugin.version>3.0.0</truststore-maven-plugin.version>
 
         <!-- revapi API check -->
         <revapi-maven-plugin.version>0.14.7</revapi-maven-plugin.version>

diff --git a/integration-tests/rest-client-reactive/pom.xml b/integration-tests/rest-client-reactive/pom.xml
@@ -11,15 +11,6 @@
     <artifactId>quarkus-integration-test-rest-client-reactive</artifactId>
     <name>Quarkus - Integration Tests - REST Client Reactive</name>
 
-    <properties>
-        <self-signed.trust-store>${project.build.directory}/self-signed.p12</self-signed.trust-store>
-        <self-signed.trust-store-password>changeit</self-signed.trust-store-password>
-        <wrong-host.trust-store>${project.build.directory}/wrong-host.p12</wrong-host.trust-store>
-        <wrong-host.trust-store-password>changeit</wrong-host.trust-store-password>
-    </properties>
-
-    <!--todo add ssl tests-->
-
     <dependencies>
         <!-- Client dependencies -->
         <dependency>
@@ -84,6 +75,11 @@
             <artifactId>wiremock-standalone</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.smallrye.certs</groupId>
+            <artifactId>smallrye-certificate-generator</artifactId>
+            <scope>test</scope>
+        </dependency>
 
         <!-- Minimal test dependencies to *-deployment artifacts for consistent build order -->
         <dependency>
@@ -159,48 +155,6 @@
                     </execution>
                 </executions>
             </plugin>
-
-            <plugin>
-                <groupId>uk.co.automatictester</groupId>
-                <artifactId>truststore-maven-plugin</artifactId>
-                <version>${truststore-maven-plugin.version}</version>
-                <executions>
-                    <execution>
-                        <id>self-signed-truststore</id>
-                        <phase>generate-test-resources</phase>
-                        <goals>
-                            <goal>generate-truststore</goal>
-                        </goals>
-                        <configuration>
-                            <truststoreFormat>PKCS12</truststoreFormat>
-                            <truststoreFile>${self-signed.trust-store}</truststoreFile>
-                            <truststorePassword>${self-signed.trust-store-password}</truststorePassword>
-                            <servers>
-                                <server>self-signed.badssl.com:443</server>
-                            </servers>
-                            <trustAllCertificates>true</trustAllCertificates>
-                            <includeCertificates>LEAF</includeCertificates>
-                        </configuration>
-                    </execution>
-                    <execution>
-                        <id>wrong-host-truststore</id>
-                        <phase>generate-test-resources</phase>
-                        <goals>
-                            <goal>generate-truststore</goal>
-                        </goals>
-                        <configuration>
-                            <truststoreFormat>PKCS12</truststoreFormat>
-                            <truststoreFile>${wrong-host.trust-store}</truststoreFile>
-                            <truststorePassword>${wrong-host.trust-store-password}</truststorePassword>
-                            <servers>
-                                <server>wrong.host.badssl.com:443</server>
-                            </servers>
-                            <trustAllCertificates>true</trustAllCertificates>
-                            <includeCertificates>LEAF</includeCertificates>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
         </plugins>
     </build>
 

diff --git a/...ive/src/main/java/io/quarkus/it/rest/client/main/selfsigned/ExternalSelfSignedClient.java b/...ive/src/main/java/io/quarkus/it/rest/client/main/selfsigned/ExternalSelfSignedClient.java
@@ -6,7 +6,7 @@
 import org.eclipse.microprofile.faulttolerance.Retry;
 import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
 
-@RegisterRestClient(baseUri = "https://self-signed.badssl.com/", configKey = "self-signed")
+@RegisterRestClient(baseUri = "http://not-available", configKey = "self-signed")
 public interface ExternalSelfSignedClient {
 
     @GET

diff --git a/integration-tests/rest-client-reactive/src/main/resources/application.properties b/integration-tests/rest-client-reactive/src/main/resources/application.properties
@@ -5,16 +5,6 @@ correlation/mp-rest/url=${test.url}
 io.quarkus.it.rest.client.main.ParamClient/mp-rest/url=${test.url}
 # global client logging scope
 quarkus.rest-client.logging.scope=request-response
-# Self-Signed client
-quarkus.rest-client.self-signed.trust-store=${self-signed.trust-store}
-quarkus.rest-client.self-signed.trust-store-password=${self-signed.trust-store-password}
-# Wrong Host client (connection accepted, as host verification is turned off)
-quarkus.rest-client.wrong-host.trust-store=${wrong-host.trust-store}
-quarkus.rest-client.wrong-host.trust-store-password=${wrong-host.trust-store-password}
-quarkus.rest-client.wrong-host.verify-host=false
-# Wrong Host client verified (connection rejected, as host verification is turned on by default)
-quarkus.rest-client.wrong-host-rejected.trust-store=${wrong-host.trust-store}
-quarkus.rest-client.wrong-host-rejected.trust-store-password=${wrong-host.trust-store-password}
 
 # speed up build
 quarkus.otel.bsp.schedule.delay=100
diff --git a/...active/src/test/java/io/quarkus/it/rest/client/selfsigned/ExternalSelfSignedTestCase.java b/...active/src/test/java/io/quarkus/it/rest/client/selfsigned/ExternalSelfSignedTestCase.java
@@ -5,9 +5,13 @@
 
 import org.junit.jupiter.api.Test;
 
+import io.quarkus.it.rest.client.wronghost.BadHostServiceTestResource;
+import io.quarkus.test.common.WithTestResource;
 import io.quarkus.test.junit.QuarkusTest;
 
 @QuarkusTest
+@WithTestResource(SelfSignedServiceTestResource.class)
+@WithTestResource(BadHostServiceTestResource.class)
 public class ExternalSelfSignedTestCase {
 
     @Test

diff --git a/...ive/src/test/java/io/quarkus/it/rest/client/selfsigned/SelfSignedServiceTestResource.java b/...ive/src/test/java/io/quarkus/it/rest/client/selfsigned/SelfSignedServiceTestResource.java
@@ -0,0 +1,58 @@
+package io.quarkus.it.rest.client.selfsigned;
+
+import java.io.File;
+import java.time.Duration;
+import java.util.Map;
+
+import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
+import io.smallrye.certs.CertificateGenerator;
+import io.smallrye.certs.CertificateRequest;
+import io.smallrye.certs.Format;
+import io.vertx.core.Vertx;
+import io.vertx.core.http.HttpServerOptions;
+import io.vertx.core.net.PfxOptions;
+
+public class SelfSignedServiceTestResource implements QuarkusTestResourceLifecycleManager {
+
+    Vertx vertx = Vertx.vertx();
+
+    @Override
+    public Map<String, String> start() {
+        File file = new File("target/certs");
+        file.mkdirs();
+        // Generate self-signed certificate
+        // We do not use the junit 5 plugin to avoid having to annotate all the tests to make sure the certs are
+        // generated before the tests are run
+        CertificateGenerator generator = new CertificateGenerator(file.toPath(), false);
+        CertificateRequest cr = new CertificateRequest()
+                .withName("self-signed")
+                .withFormat(Format.PKCS12)
+                .withPassword("changeit")
+                .withDuration(Duration.ofDays(2))
+                .withCN("localhost");
+        try {
+            generator.generate(cr);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+        HttpServerOptions options = new HttpServerOptions()
+                .setSsl(true)
+                .setKeyCertOptions(new PfxOptions()
+                        .setPath("target/certs/self-signed-keystore.p12")
+                        .setPassword("changeit"));
+        var server = vertx.createHttpServer(options)
+                .requestHandler(req -> req.response().end("OK"))
+                .listen(-2).toCompletionStage().toCompletableFuture().join();
+
+        return Map.of(
+                "quarkus.rest-client.self-signed.url", "https://localhost:" + server.actualPort() + "/",
+                "quarkus.rest-client.self-signed.trust-store", "target/certs/self-signed-truststore.p12",
+                "quarkus.rest-client.self-signed.trust-store-password", "changeit");
+    }
+
+    @Override
+    public void stop() {
+        vertx.close().toCompletionStage().toCompletableFuture().join();
+    }
+}
diff --git a/...eactive/src/test/java/io/quarkus/it/rest/client/wronghost/BadHostServiceTestResource.java b/...eactive/src/test/java/io/quarkus/it/rest/client/wronghost/BadHostServiceTestResource.java
@@ -0,0 +1,68 @@
+package io.quarkus.it.rest.client.wronghost;
+
+import java.io.File;
+import java.time.Duration;
+import java.util.Map;
+
+import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
+import io.smallrye.certs.CertificateGenerator;
+import io.smallrye.certs.CertificateRequest;
+import io.smallrye.certs.Format;
+import io.vertx.core.Vertx;
+import io.vertx.core.http.HttpServerOptions;
+import io.vertx.core.net.PfxOptions;
+
+public class BadHostServiceTestResource implements QuarkusTestResourceLifecycleManager {
+
+    Vertx vertx = Vertx.vertx();
+
+    @Override
+    public Map<String, String> start() {
+        File file = new File("target/certs");
+        file.mkdirs();
+        // Generate self-signed certificate
+        // We do not use the junit 5 plugin to avoid having to annotate all the tests to make sure the certs are
+        // generated before the tests are run
+        CertificateGenerator generator = new CertificateGenerator(file.toPath(), false);
+        CertificateRequest cr = new CertificateRequest()
+                .withName("bad-host")
+                .withFormat(Format.PKCS12)
+                .withPassword("changeit")
+                .withDuration(Duration.ofDays(2))
+                .withCN("bad-host.com")
+                .withSubjectAlternativeName("DNS:bad-host.com");
+        try {
+            generator.generate(cr);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+        File f = new File("target/certs/bad-host-keystore.p12");
+        System.out.println(f.getAbsolutePath() + " / " + f.exists());
+        HttpServerOptions options = new HttpServerOptions()
+                .setSsl(true)
+                .setKeyCertOptions(new PfxOptions()
+                        .setPath("target/certs/bad-host-keystore.p12")
+                        .setPassword("changeit"));
+        var server = vertx.createHttpServer(options)
+                .requestHandler(req -> req.response().end("OK"))
+                .listen(-1).toCompletionStage().toCompletableFuture().join();
+
+        return Map.of(
+                // Wrong Host client (connection accepted, as host verification is turned off)
+                "quarkus.rest-client.wrong-host.url", "https://localhost:" + server.actualPort() + "/",
+                "quarkus.rest-client.wrong-host.trust-store", "target/certs/bad-host-truststore.p12",
+                "quarkus.rest-client.wrong-host.trust-store-password", "changeit",
+                "quarkus.rest-client.wrong-host.verify-host", "false",
+
+                // Wrong Host client verified (connection rejected, as host verification is turned on by default)
+                "quarkus.rest-client.wrong-host-rejected.url", "https://localhost:" + server.actualPort() + "/",
+                "quarkus.rest-client.wrong-host-rejected.trust-store", "target/certs/bad-host-truststore.p12",
+                "quarkus.rest-client.wrong-host-rejected.trust-store-password", "changeit");
+    }
+
+    @Override
+    public void stop() {
+        vertx.close().toCompletionStage().toCompletableFuture().join();
+    }
+}
diff --git a/...reactive/src/test/java/io/quarkus/it/rest/client/wronghost/ExternalWrongHostTestCase.java b/...reactive/src/test/java/io/quarkus/it/rest/client/wronghost/ExternalWrongHostTestCase.java
@@ -6,9 +6,13 @@
 
 import org.junit.jupiter.api.Test;
 
+import io.quarkus.it.rest.client.selfsigned.SelfSignedServiceTestResource;
+import io.quarkus.test.common.WithTestResource;
 import io.quarkus.test.junit.QuarkusTest;
 
 @QuarkusTest
+@WithTestResource(SelfSignedServiceTestResource.class)
+@WithTestResource(BadHostServiceTestResource.class)
 public class ExternalWrongHostTestCase {
     @Test
     public void restClient() {

diff --git a/integration-tests/rest-client/pom.xml b/integration-tests/rest-client/pom.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <parent>
         <artifactId>quarkus-integration-tests-parent</artifactId>
         <groupId>io.quarkus</groupId>
@@ -12,10 +12,8 @@
     <name>Quarkus - Integration Tests - REST client</name>
 
     <properties>
-        <self-signed.trust-store>${project.build.directory}/self-signed.p12</self-signed.trust-store>
+        <self-signed.trust-store>${project.build.directory}/certs/self-signed-keystore.p12</self-signed.trust-store>
         <self-signed.trust-store-password>changeit</self-signed.trust-store-password>
-        <wrong-host.trust-store>${project.build.directory}/wrong-host.p12</wrong-host.trust-store>
-        <wrong-host.trust-store-password>changeit</wrong-host.trust-store-password>
     </properties>
 
     <dependencies>
@@ -67,6 +65,11 @@
             <artifactId>rest-assured</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.smallrye.certs</groupId>
+            <artifactId>smallrye-certificate-generator</artifactId>
+            <scope>test</scope>
+        </dependency>
 
         <!-- Minimal test dependencies to *-deployment artifacts for consistent build order -->
         <dependency>
@@ -142,49 +145,6 @@
                     </execution>
                 </executions>
             </plugin>
-
-            <plugin>
-                <groupId>uk.co.automatictester</groupId>
-                <artifactId>truststore-maven-plugin</artifactId>
-                <version>${truststore-maven-plugin.version}</version>
-                <executions>
-                    <execution>
-                        <id>self-signed-truststore</id>
-                        <phase>generate-test-resources</phase>
-                        <goals>
-                            <goal>generate-truststore</goal>
-                        </goals>
-                        <configuration>
-                            <truststoreFormat>PKCS12</truststoreFormat>
-                            <truststoreFile>${self-signed.trust-store}</truststoreFile>
-                            <truststorePassword>${self-signed.trust-store-password}</truststorePassword>
-                            <servers>
-                                <server>self-signed.badssl.com:443</server>
-                            </servers>
-                            <trustAllCertificates>true</trustAllCertificates>
-                            <includeCertificates>LEAF</includeCertificates>
-                        </configuration>
-                    </execution>
-                    <execution>
-                        <id>wrong-host-truststore</id>
-                        <phase>generate-test-resources</phase>
-                        <goals>
-                            <goal>generate-truststore</goal>
-                        </goals>
-                        <configuration>
-                            <truststoreFormat>PKCS12</truststoreFormat>
-                            <truststoreFile>${wrong-host.trust-store}</truststoreFile>
-                            <truststorePassword>${wrong-host.trust-store-password}</truststorePassword>
-                            <servers>
-                                <server>wrong.host.badssl.com:443</server>
-                            </servers>
-                            <trustAllCertificates>true</trustAllCertificates>
-                            <includeCertificates>LEAF</includeCertificates>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
@@ -193,9 +153,8 @@
                         <!-- force the locale as we want to explicitly test message interpolation -->
                         <user.language>en</user.language>
                         <javax.net.ssl.trustStore>${self-signed.trust-store}</javax.net.ssl.trustStore>
-                        <javax.net.ssl.trustStorePassword>${self-signed.trust-store-password}</javax.net.ssl.trustStorePassword>
-                        <rest-client.trustStore>${wrong-host.trust-store}</rest-client.trustStore>
-                        <rest-client.trustStorePassword>${wrong-host.trust-store-password}</rest-client.trustStorePassword>
+                        <javax.net.ssl.trustStorePassword>${self-signed.trust-store-password}
+                        </javax.net.ssl.trustStorePassword>
                     </systemPropertyVariables>
                 </configuration>
             </plugin>
@@ -213,8 +172,6 @@
             <!-- add some custom config, the rest comes from parent -->
             <properties>
                 <quarkus.native.enable-https-url-handler>true</quarkus.native.enable-https-url-handler>
-                <quarkus.native.additional-build-args>-J-Djavax.net.ssl.trustStore=${self-signed.trust-store},
-                    -J-Djavax.net.ssl.trustStorePassword=${self-signed.trust-store-password}</quarkus.native.additional-build-args>
             </properties>
             <build>
                 <plugins>
@@ -225,8 +182,6 @@
                             <systemPropertyVariables>
                                 <!-- force the locale as we want to explicitly test message interpolation -->
                                 <user.language>en</user.language>
-                                <rest-client.trustStore>${wrong-host.trust-store}</rest-client.trustStore>
-                                <rest-client.trustStorePassword>${wrong-host.trust-store-password}</rest-client.trustStorePassword>
                             </systemPropertyVariables>
                         </configuration>
                     </plugin>

diff --git a/...t-client/src/main/java/io/quarkus/it/rest/client/selfsigned/ExternalSelfSignedClient.java b/...t-client/src/main/java/io/quarkus/it/rest/client/selfsigned/ExternalSelfSignedClient.java
@@ -6,7 +6,7 @@
 import org.eclipse.microprofile.faulttolerance.Retry;
 import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
 
-@RegisterRestClient(baseUri = "https://self-signed.badssl.com/", configKey = "self-signed")
+@RegisterRestClient(configKey = "self-signed")
 public interface ExternalSelfSignedClient {
 
     @GET