Move tests over to new CA root
Description
Environment
Activity
Scott CantorDecember 27, 2018 at 5:27 PM
Long road, but I think I've bottomed out. The branch has the necessary changes, but Java 7's public end of road updates don't include the CA we need so it didn't buy us much to switch CA, apart from just getting off the renewal treadmill.
So it was necessary to update the Jenkins jobs after all and build a new cacert file to use. I created it with the Let's Encrypt CA but I had to use JKS format, 7 appears to be too old to handle PKCS12 in the JSSE layer. I installed it to /home/jenkins/etc/cacerts
The Jenkins jobs are all a bit different in how they run Maven, so at least for some, it should be possible to set this via MAVEN_OPTS but for the nightlies I tried with JAVA_OPTS containing -Djavax.net.ssl.trustStore=/home/jenkins/etc/cacerts and that mostly works.
However that doesn't get passed into the Maven command, and that prevents the tests from running with that option. So any projects with HttpClient testing don't work, and for that the best option appeared to be move the setting to the Properties box in Jenkins and just adding javax.net.ssl.trustStore=/home/jenkins/etc/cacerts to that. It gets added with a -D to the Maven command, which is what we needed.
The nice thing is this intrinsically limits our build and test env to just that root, which prevents accidental acceptance of another CA, and if we had tests for issues involving accidental system trust fallback this will catch them. So I think we should add this to all the projects with all JDKs, but I'll leave that for Tom to look at and open an issue for that.
Scott CantorDecember 20, 2018 at 1:26 AM
Unit test changed on master, I went ahead and just installed the no-trust feature for now. I think the test's point is just to exercise the URL handling.
Scott CantorDecember 20, 2018 at 1:21 AM
I've added a https://test.shibboleth.net/shibboleth resource but I don't think that's going to work since the unit test appears to depend on system trust. I'm not sure what the test is meant to be checking, or if changing it to ignore the TLS layer would be the same test or not. But I guess that would be the fix.
Rod WiddowsonDecember 14, 2018 at 3:12 PM
D'oh
Scott CantorDecember 14, 2018 at 3:02 PM
(And no, we can't jusr redirect it. At least that shouldn't work. If it asks for an entity with the name test, and gets metadata for issues, that better break.)
So as to avoid the pain every time we get a new certificate (and, even more fun a new CA) there is a new site
https://test.shibboleth.net/gitwhich is kinda the same ashttps://git.shibboleth.netbut with a LLSS (and sign by another LLSS) cert.Move test over to use this,starting with
RepositorySupport.buildHTTPSResourceURLand working up.In some cases it is aposite to move over to the
http:url, in other we needed to inject the right sort of trust engine.In preparation for V4 we should also remove the explicit setting of the trust engine on the metadatprovider and instead use the approved mechanism.
Although targetted at the IDP this also involves saml tests