Add CI debugging improvements and increase test timeouts

ammario · ammario · commit ed32ecd8bb9e · 2025-09-04T14:21:54.000-05:00
- Add detailed error reporting for exit code propagation test
- Create certificate generation debug script for OpenSSL compatibility testing
- Increase test timeouts from 10s to 15s to handle CI load
- Add certificate debug script to CI pipeline

These changes will help diagnose:
1. macOS exit code propagation failures
2. Linux OpenSSL 3.0.13 certificate compatibility issues
3. Weak mode timeout failures in CI
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -79,7 +79,11 @@ jobs:
           chmod +x scripts/debug_tls_env.sh
           ./scripts/debug_tls_env.sh
           sudo ./scripts/debug_tls_env.sh
-          echo "=== End TLS Debug ==="
+          echo ""
+          echo "=== Testing Certificate Generation ==="
+          chmod +x scripts/debug_cert_generation.sh
+          ./scripts/debug_cert_generation.sh || true
+          echo "=== End Debug ==="
 
       - name: Run Linux jail integration tests (with sudo)
         run: |
diff --git a/scripts/debug_cert_generation.sh b/scripts/debug_cert_generation.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+# Debug script to test certificate generation and validation
+
+set -e
+
+echo "=== Certificate Generation Debug ==="
+echo "Date: $(date)"
+echo "OpenSSL version: $(openssl version)"
+
+# Create temp directory for testing
+TEMP_DIR=$(mktemp -d)
+trap "rm -rf $TEMP_DIR" EXIT
+
+echo ""
+echo "Testing certificate generation and validation..."
+
+# Generate a test certificate using OpenSSL directly
+cd "$TEMP_DIR"
+
+# Generate CA key
+openssl ecparam -genkey -name prime256v1 -out ca-key.pem 2>/dev/null
+
+# Generate CA certificate
+openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 365 \
+  -subj "/C=US/O=httpjail/CN=httpjail CA" 2>/dev/null
+
+# Generate server key
+openssl ecparam -genkey -name prime256v1 -out server-key.pem 2>/dev/null
+
+# Generate server CSR
+openssl req -new -key server-key.pem -out server.csr \
+  -subj "/CN=test.example.com" 2>/dev/null
+
+# Sign server certificate
+openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
+  -CAcreateserial -out server-cert.pem -days 365 \
+  -extfile <(echo "subjectAltName=DNS:test.example.com") 2>/dev/null
+
+echo "Certificates generated successfully"
+
+# Verify the certificate chain
+echo ""
+echo "Verifying certificate chain..."
+openssl verify -CAfile ca-cert.pem server-cert.pem
+
+# Check certificate details
+echo ""
+echo "Server certificate details:"
+openssl x509 -in server-cert.pem -text -noout | grep -E "Subject:|Issuer:|Not Before:|Not After:|Signature Algorithm:" || true
+
+# Test with curl
+echo ""
+echo "Testing with curl..."
+# Create a simple HTTPS server response file
+cat > server-chain.pem <<EOF
+$(cat server-cert.pem)
+$(cat ca-cert.pem)
+EOF
+
+# Try to parse with OpenSSL 3.0
+echo ""
+echo "Parsing certificate with OpenSSL..."
+openssl x509 -in server-cert.pem -noout -dates
+
+echo ""
+echo "=== Certificate generation test completed successfully ==="
diff --git a/tests/common/mod.rs b/tests/common/mod.rs
@@ -75,9 +75,9 @@ impl HttpjailCommand {
         // Ensure httpjail is built
         let httpjail_path = build_httpjail()?;
 
-        // Always add timeout for tests (10 seconds default)
+        // Always add timeout for tests (15 seconds default for CI environment)
         self.args.insert(0, "--timeout".to_string());
-        self.args.insert(1, "10".to_string());
+        self.args.insert(1, "15".to_string());
 
         // Add weak mode if requested
         if self.weak_mode {
diff --git a/tests/system_integration.rs b/tests/system_integration.rs
@@ -22,8 +22,8 @@ pub trait JailTestPlatform {
 /// Helper to create httpjail command with standard test settings
 pub fn httpjail_cmd() -> Command {
     let mut cmd = Command::cargo_bin("httpjail").unwrap();
-    // Add timeout for all tests
-    cmd.arg("--timeout").arg("10");
+    // Add timeout for all tests (15 seconds for CI environment)
+    cmd.arg("--timeout").arg("15");
     // No need to specify ports - they'll be auto-assigned
     cmd
 }
@@ -225,10 +225,24 @@ pub fn test_jail_exit_code_propagation<P: JailTestPlatform>() {
 
     let output = cmd.output().expect("Failed to execute httpjail");
 
+    let exit_code = output.status.code();
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+
+    // Add debugging output
+    if exit_code != Some(42) {
+        eprintln!("[{}] Exit code propagation failed", P::platform_name());
+        eprintln!("  Expected: 42, Got: {:?}", exit_code);
+        eprintln!("  Stdout: {}", stdout);
+        eprintln!("  Stderr: {}", stderr);
+    }
+
     assert_eq!(
-        output.status.code(),
+        exit_code,
         Some(42),
-        "Exit code should be propagated"
+        "Exit code should be propagated. Got {:?}, stderr: {}",
+        exit_code,
+        stderr
     );
 }
 
