
Add core SSL trust store resolution and fallback logic (PR 2 of 3) #69


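---
# CI workflow: stands up a local Squid proxy that terminates TLS with a
# test-only chain (root CA -> intermediate CA -> leaf) and runs the SSL test
# suite through it. The leaf certificate is deliberately revoked and a CRL is
# published so the revocation-checking path is exercised, not just trust.
#
# NOTE(review): the run annotation for this file reports "Invalid workflow
# file ... error in your yaml syntax on line 123". The rendering has lost the
# original indentation, so the cause cannot be confirmed from here; the usual
# one is a heredoc body inside a `run: |` step indented less than the block
# scalar's first line, which ends the scalar early. Every heredoc below keeps
# its body and terminator at the same column as the surrounding script.
name: SSL Certificate Validation Test with Squid Proxy

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  # NOTE(review): repository secrets are not exposed to pull_request runs
  # from forks; the test step below will see empty Databricks values there.
  pull_request:

# Least privilege for the job token: nothing in this job writes to the repo.
permissions:
  contents: read

jobs:
  ssl-test:
    runs-on:
      group: databricks-protected-runner-group
      labels: linux-ubuntu-latest
    steps:
      # Consider pinning third-party actions to a commit SHA instead of a
      # floating major tag.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set Up Java
        uses: actions/setup-java@v4
        with:
          java-version: "21"
          distribution: "adopt"

      - name: Install Squid and SSL Tools
        run: |
          sudo apt-get update
          sudo apt-get install -y squid openssl libnss3-tools ca-certificates

      # Builds the whole test PKI in /tmp/ssl-certs:
      #   rootCA.*          self-signed root
      #   intermediateCA.*  signed by the root, pathlen:0
      #   squid.*           leaf for localhost, signed by the intermediate,
      #                     then revoked; intermediateCA.crl lists it
      #   test-truststore.jks  JKS containing root + intermediate
      - name: Create Root CA and Certificates
        run: |
          mkdir -p /tmp/ssl-certs
          cd /tmp/ssl-certs
          # Root CA
          openssl genrsa -out rootCA.key 4096
          openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 \
            -subj "/C=US/ST=CA/L=SF/O=DB/OU=Test/CN=Root" \
            -out rootCA.crt
          # Intermediate CA
          openssl genrsa -out intermediateCA.key 4096
          openssl req -new -key intermediateCA.key \
            -subj "/C=US/ST=CA/L=SF/O=DB/OU=Test/CN=Intermediate" \
            -out intermediateCA.csr
          cat > intermediate_ext.cnf <<EOF
          [ v3_ca ]
          subjectKeyIdentifier = hash
          authorityKeyIdentifier = keyid:always,issuer
          basicConstraints = critical, CA:true, pathlen:0
          keyUsage = critical, digitalSignature, cRLSign, keyCertSign
          EOF
          openssl x509 -req -in intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key \
            -CAcreateserial -out intermediateCA.crt -days 365 -sha256 \
            -extfile intermediate_ext.cnf -extensions v3_ca
          # CA database for revocation. The heredoc is unquoted so the
          # shell would expand $dir; \$dir keeps it for openssl to expand.
          touch index.txt
          echo 1000 > serial
          echo 1000 > crlnumber
          cat > ca.cnf <<EOF
          [ ca ]
          default_ca = dca
          [ dca ]
          dir = /tmp/ssl-certs
          database = \$dir/index.txt
          new_certs_dir = \$dir
          certificate = \$dir/intermediateCA.crt
          private_key = \$dir/intermediateCA.key
          serial = \$dir/serial
          crlnumber = \$dir/crlnumber
          default_md = sha256
          policy = policy_any
          x509_extensions = v3_req
          crl_extensions = crl_ext
          default_days = 365
          default_crl_days = 365
          unique_subject = no
          [ policy_any ]
          commonName = supplied
          [ v3_req ]
          basicConstraints = CA:FALSE
          keyUsage = digitalSignature, keyEncipherment
          extendedKeyUsage = serverAuth
          subjectAltName = @alt_names
          authorityInfoAccess = OCSP;URI:http://ocsp.invalid/none
          crlDistributionPoints = URI:file:///tmp/ssl-certs/intermediateCA.crl
          [ alt_names ]
          DNS.1 = localhost
          IP.1 = 127.0.0.1
          [ crl_ext ]
          authorityKeyIdentifier = keyid,issuer
          EOF
          # Squid leaf cert: issued, then immediately revoked and a CRL cut,
          # so clients that honour the CRL must reject the proxy.
          openssl genrsa -out squid.key 2048
          openssl req -new -key squid.key \
            -subj "/C=US/ST=CA/L=SF/O=DB/OU=Test/CN=localhost" \
            -out squid.csr
          openssl ca -batch -config ca.cnf -in squid.csr -out squid.crt
          openssl ca -batch -config ca.cnf -revoke squid.crt
          openssl ca -batch -gencrl -config ca.cnf -out intermediateCA.crl
          cat squid.crt squid.key > squid.pem
          chmod 400 squid.pem
          sudo cp squid.pem /etc/squid/
          sudo chown proxy:proxy /etc/squid/squid.pem
          # Java trust store: root + intermediate only (never the leaf).
          rm -f test-truststore.jks
          keytool -importcert -noprompt -trustcacerts -alias rootca -file rootCA.crt \
            -keystore test-truststore.jks -storepass changeit
          keytool -importcert -noprompt -trustcacerts -alias intermediateca -file intermediateCA.crt \
            -keystore test-truststore.jks -storepass changeit
          chmod 644 test-truststore.jks

      - name: Configure Squid
        run: |
          sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.orig
          sudo tee /etc/squid/squid.conf >/dev/null <<'SQ'
          http_port 3128
          https_port 3129 tls-cert=/etc/squid/squid.pem
          # Only the runner itself may use the proxy (Squid's built-in
          # localhost ACL); the previous "allow all" made it an open proxy
          # for anything that could reach the port.
          http_access allow localhost
          http_access deny all
          always_direct allow all
          dns_v4_first on
          cache deny all
          debug_options ALL,1
          logfile_rotate 0
          cache_log /var/log/squid/cache.log
          access_log /var/log/squid/access.log squid
          SQ
          sudo mkdir -p /var/log/squid
          sudo chown -R proxy:proxy /var/log/squid
          # A config error fails the job here, with squid's message, instead
          # of surfacing later as an opaque connection failure.
          sudo squid -k parse

      - name: Start Squid Proxy
        run: |
          sudo systemctl stop squid || true
          sudo pkill squid || true
          sudo squid -N -d 3 -f /etc/squid/squid.conf &
          sleep 5

      - name: Wait for Squid to be Ready
        run: |
          for attempt in {1..5}; do
            if curl -s -x http://localhost:3128 http://example.com -m 10 -o /dev/null; then
              exit 0
            fi
            sleep 3
          done
          echo "Squid did not become ready; last cache.log lines:" >&2
          sudo tail -n 50 /var/log/squid/cache.log || true
          exit 1

      # The test root CA goes into the runner's system store for the
      # duration of the job; the Cleanup step removes it again.
      - name: Install Root CA in System Trust Store
        run: |
          sudo cp /tmp/ssl-certs/rootCA.crt /usr/local/share/ca-certificates/db-root.crt
          sudo update-ca-certificates

      - name: Maven Build
        run: mvn -q clean package -DskipTests

      # Credentials and proxy settings are scoped to this step only. The
      # previous version echoed them (including the secret token) into
      # $GITHUB_ENV, where they persisted for every later step and any
      # process those steps spawned, and built the env file from
      # unvalidated values.
      - name: Run SSL Tests
        env:
          DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }}
          DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
          DATABRICKS_HTTP_PATH: ${{ secrets.DATABRICKS_HTTP_PATH }}
          HTTP_PROXY_URL: http://localhost:3128
          HTTPS_PROXY_URL: https://localhost:3129
          TRUSTSTORE_PATH: /tmp/ssl-certs/test-truststore.jks
          TRUSTSTORE_PASSWORD: changeit
          # NOTE(review): MAVEN_OPTS configures the Maven JVM. If Surefire
          # forks the test JVM (its default) these flags reach the tests only
          # via the plugin's argLine; confirm against the pom. Also check
          # whether ocsp.enable is honoured as a -D system property or only
          # as a java.security property for this JDK.
          MAVEN_OPTS: "-Docsp.enable=true -Dcom.sun.security.enableCRLDP=true"
        # Quoted so the shell cannot glob-expand the Surefire pattern.
        run: mvn test -Dtest='**/SSLTest.java'

      - name: Cleanup
        if: always()
        run: |
          sudo pkill squid || true
          sudo rm -f /usr/local/share/ca-certificates/db-root.crt
          sudo update-ca-certificates --fresh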