Java: Add integration test for autobuild truststore merging #21262
Conversation
redsun82
added
the
depends on internal PR
There was a problem hiding this comment.
Pull request overview
Adds/extends Java integration coverage around HTTPS truststore handling to validate truststore inheritance (buildless) and truststore merging behavior (autobuild) related to CODEQL_PROXY_CA_CERTIFICATE.
Changes:
- Refactors the existing test into
test_buildlessand addstest_autobuild_merge_trust_store, sharing an_https_serverhelper. - Introduces per-test expected output suffixes so multiple test functions can coexist in the same directory.
- Adds new
.expectedbaseline files for buildless vs autobuild modes (including diagnostics/buildless-fetches).
Reviewed changes
Copilot reviewed 2 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| java/ql/integration-tests/java/buildless-inherit-trust-store/test.py | Splits the test into buildless + autobuild cases and adds shared HTTPS server helper; configures per-test expected suffixes. |
| java/ql/integration-tests/java/buildless-inherit-trust-store/test.buildless.expected | Expected query output for the buildless case. |
| java/ql/integration-tests/java/buildless-inherit-trust-store/test.autobuild.expected | Expected query output for the autobuild case (includes a diagnostic line). |
| java/ql/integration-tests/java/buildless-inherit-trust-store/diagnostics.buildless.expected | Expected exported diagnostics for the buildless run. |
| java/ql/integration-tests/java/buildless-inherit-trust-store/diagnostics.autobuild.expected | Expected exported diagnostics for the autobuild run (currently empty). |
| java/ql/integration-tests/java/buildless-inherit-trust-store/buildless-fetches.buildless.expected | Expected buildless fetch URL(s) for the buildless run. |
Comments suppressed due to low confidence (1)
java/ql/integration-tests/java/buildless-inherit-trust-store/test.py:84
- This test reads
cert.pemand passes it asCODEQL_PROXY_CA_CERTIFICATE, butcert.pemis also the certificate presented by the local HTTPS server (server.pyloads../cert.pem). If autobuild regressed back to replacing the truststore with one that contains onlyCODEQL_PROXY_CA_CERTIFICATE, Maven would still trust https://localhost:4443 and the test could still pass. To specifically validate “merge, don’t replace”, use a proxy CA certificate that is different from the server’s cert/CA (or add an additional HTTPS fetch that requires theJAVA_TOOL_OPTIONStruststore to remain in effect).
# Read the certificate to use as CODEQL_PROXY_CA_CERTIFICATE
with open(cwd / "cert.pem", "r") as f:
proxy_ca_cert = f.read()
# Set JAVA_TOOL_OPTIONS to use our custom truststore
# This is the key setting that was being overridden before the fix
java_tool_options = f"-Djavax.net.ssl.trustStore={certspath}"
# Run autobuild with the truststore configured
# Before the fix: autobuild would create a new truststore with ONLY the proxy CA,
# losing the custom CA from JAVA_TOOL_OPTIONS, causing PKIX failures
# After the fix: autobuild merges the system truststore + proxy CA
codeql.database.create(
build_mode="autobuild",
_env={
"JAVA_TOOL_OPTIONS": java_tool_options,
"CODEQL_PROXY_CA_CERTIFICATE": proxy_ca_cert,
},
| @contextmanager | ||
| def _https_server(cwd): | ||
| """Start an HTTPS server serving the repo/ directory on https://localhost:4443.""" |
There was a problem hiding this comment.
_https_server takes a cwd parameter but never uses it (the server is started with cwd="repo" relative to the current working directory). Either drop the parameter, or use it to build the repo path (e.g., based on cwd / "repo") so the helper is self-contained and less dependent on ambient CWD.
| """ | ||
| Test that autobuild merges system truststore with CODEQL_PROXY_CA_CERTIFICATE. | ||
|
|
||
| This tests the fix for github/codeql-team#4482 where autobuild was overriding | ||
| JAVA_TOOL_OPTIONS truststore with a new one containing only the proxy CA, | ||
| causing PKIX failures when connecting to internal HTTPS servers. |
There was a problem hiding this comment.
The docstring/commentary says autobuild merges the system truststore with CODEQL_PROXY_CA_CERTIFICATE, but this test is explicitly setting a custom truststore via JAVA_TOOL_OPTIONS. To avoid confusion (and to accurately describe what’s being exercised), update the wording to reflect that autobuild should preserve/merge the truststore configured by JAVA_TOOL_OPTIONS (rather than replacing it) when adding the proxy CA.
mbg
left a comment
mbg
left a comment
There was a problem hiding this comment.
As already discussed elsewhere in-depth, I don't think this is the right place or approach to testing this. If we decide to implement trust store merging in the autobuilder, then there are better ways of testing this than to rely on abusing CODEQL_PROXY_CA_CERTIFICATE.
I'd suggest we close this.
|
|
||
| @pytest.mark.ql_test(expected=".buildless.expected") | ||
| def test_buildless(codeql, java, cwd, check_diagnostics, check_buildless_fetches): | ||
| """Test that buildless mode inherits truststore from MAVEN_OPTS.""" |
There was a problem hiding this comment.
That's not what this test tests. This test is about CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH. Both maven_opts and CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH are based on certspath. Both are used independently.
|
|
||
|
|
||
| @pytest.mark.ql_test(expected=".autobuild.expected") | ||
| def test_autobuild_merge_trust_store(codeql, java, cwd, check_diagnostics): |
There was a problem hiding this comment.
The existing test is about exercising a particular fallback mechanism in the BMN extractor. Why is there now a test for an unrelated change in the autobuilder here?
| build_mode="autobuild", | ||
| _env={ | ||
| "JAVA_TOOL_OPTIONS": java_tool_options, | ||
| "CODEQL_PROXY_CA_CERTIFICATE": proxy_ca_cert, |
There was a problem hiding this comment.
This test abuses CODEQL_PROXY_CA_CERTIFICATE to put the Maven autobuilder into a situation where (without trust store merging) it only has access to this one certificate, and therefore fails when Maven tries to perform any networking that requires it to validate other certificates.
| Tests that CodeQL can connect to HTTPS servers with custom CA certificates: | ||
| 1. test_buildless: Buildless mode inherits truststore from MAVEN_OPTS | ||
| 2. test_autobuild_merge_trust_store: Autobuild merges system truststore with | ||
| CODEQL_PROXY_CA_CERTIFICATE (fixes github/codeql-team#4482) |
| @@ -1,27 +1,85 @@ | |||
| """ | |||
| Integration tests for truststore inheritance and merging. | |||
There was a problem hiding this comment.
Only the new test_autobuild_merge_trust_store test is about this. The existing test is unrelated.
| """ | ||
| Integration tests for truststore inheritance and merging. | ||
|
|
||
| Tests that CodeQL can connect to HTTPS servers with custom CA certificates: |
There was a problem hiding this comment.
In the case of the first (existing) test, that's mostly true for particular versions of the JRE and build-mode: none.
It does not really test this in the second (new) test where it puts the autobuilder into a situation where it can only trust one certificate, unless trust store merging is supported.
Summary
Adds integration test for autobuild truststore merging fix.
Changes
Extended
buildless-inherit-trust-store/test.pywith a second testtest_autobuild_merge_trust_storethat:JAVA_TOOL_OPTIONSCODEQL_PROXY_CA_CERTIFICATEto the custom CAUsed
@pytest.mark.ql_test(expected=".autobuild.expected")andcheck_diagnostics.expected_suffixto allow different expected files per test function in the same directory.