modify yaml

madhav-db · madhav-db · commit f919802c6e1b · 2025-04-21T17:53:25.000+05:30
diff --git a/.github/workflows/sslTesting.yml b/.github/workflows/sslTesting.yml
@@ -29,161 +29,174 @@ jobs:
         run: |
           mkdir -p /tmp/ssl-certs
           cd /tmp/ssl-certs
-
-          # Root CA
+          
+          # Generate Root CA
           openssl genrsa -out rootCA.key 4096
-          openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 \
-            -subj "/C=US/ST=CA/L=SF/O=DB/OU=Test/CN=Root" \
-            -out rootCA.crt
-
-          # Intermediate CA
+          openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.crt \
+            -subj "/C=US/ST=California/L=San Francisco/O=Databricks Test/OU=Testing/CN=Databricks Test Root CA"
+          
+          # Generate Intermediate CA
           openssl genrsa -out intermediateCA.key 4096
-          openssl req -new -key intermediateCA.key \
-            -subj "/C=US/ST=CA/L=SF/O=DB/OU=Test/CN=Intermediate" \
-            -out intermediateCA.csr
-
-          cat > intermediate_ext.cnf <<EOF
+          openssl req -new -key intermediateCA.key -out intermediateCA.csr \
+            -subj "/C=US/ST=California/L=San Francisco/O=Databricks Test/OU=Testing/CN=Databricks Test Intermediate CA"
+          
+          # Create extension file for intermediate CA
+          cat > intermediate_ext.cnf << EOF
           [ v3_ca ]
           subjectKeyIdentifier = hash
           authorityKeyIdentifier = keyid:always,issuer
           basicConstraints = critical, CA:true, pathlen:0
           keyUsage = critical, digitalSignature, cRLSign, keyCertSign
           EOF
           
+          # Sign Intermediate CA with Root CA
           openssl x509 -req -in intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key \
-          -CAcreateserial -out intermediateCA.crt -days 365 -sha256 \
-          -extfile intermediate_ext.cnf -extensions v3_ca
-          
-          # CA database for revocation
-          touch index.txt
-          echo 1000 > serial
-          echo 1000 > crlnumber
-          
-          cat > ca.cnf <<EOF
-          [ ca ]
-          default_ca = dca
-          [ dca ]
-          dir               = /tmp/ssl-certs
-          database          = \$dir/index.txt
-          new_certs_dir     = \$dir
-          certificate       = \$dir/intermediateCA.crt
-          private_key       = \$dir/intermediateCA.key
-          serial            = \$dir/serial
-          crlnumber         = \$dir/crlnumber
-          default_md        = sha256
-          policy            = policy_any
-          x509_extensions   = v3_req
-          crl_extensions    = crl_ext
-          default_days      = 365
-          default_crl_days  = 365
-          unique_subject    = no
-          [ policy_any ]
-          commonName = supplied
+            -CAcreateserial -out intermediateCA.crt -days 365 -sha256 \
+            -extfile intermediate_ext.cnf -extensions v3_ca
+          
+          # Generate Squid Proxy Certificate
+          openssl genrsa -out squid.key 2048
+          openssl req -new -key squid.key -out squid.csr \
+            -subj "/C=US/ST=California/L=San Francisco/O=Databricks Test/OU=Testing/CN=localhost"
+          
+          # Create extension file for Squid certificate
+          cat > squid_ext.cnf << EOF
           [ v3_req ]
-          basicConstraints       = CA:FALSE
-          keyUsage               = digitalSignature, keyEncipherment
-          extendedKeyUsage       = serverAuth
-          subjectAltName         = @alt_names
-          authorityInfoAccess    = OCSP;URI:http://ocsp.invalid/none
-          crlDistributionPoints  = URI:file:///tmp/ssl-certs/intermediateCA.crl
-          [ alt_names ]
+          basicConstraints = CA:FALSE
+          keyUsage = digitalSignature, keyEncipherment
+          extendedKeyUsage = serverAuth
+          subjectAltName = @alt_names
+          
+          [alt_names]
           DNS.1 = localhost
-          IP.1  = 127.0.0.1
-          [ crl_ext ]
-          authorityKeyIdentifier = keyid,issuer
+          IP.1 = 127.0.0.1
           EOF
           
-          # Squid leaf cert
-          openssl genrsa -out squid.key 2048
-          openssl req -new -key squid.key \
-          -subj "/C=US/ST=CA/L=SF/O=DB/OU=Test/CN=localhost" \
-          -out squid.csr
-          
-          openssl ca -batch -config ca.cnf -in squid.csr -out squid.crt
-          openssl ca -batch -config ca.cnf -revoke squid.crt
-          openssl ca -batch -gencrl -config ca.cnf -out intermediateCA.crl
+          # Sign Squid certificate with Intermediate CA
+          openssl x509 -req -in squid.csr -CA intermediateCA.crt -CAkey intermediateCA.key \
+            -CAcreateserial -out squid.crt -days 365 -sha256 \
+            -extfile squid_ext.cnf -extensions v3_req
           
+          # Create PEM file for Squid
           cat squid.crt squid.key > squid.pem
           chmod 400 squid.pem
+          
+          # Copy to appropriate locations
           sudo cp squid.pem /etc/squid/
           sudo chown proxy:proxy /etc/squid/squid.pem
           
-          # Java trust‑store
+          # Create Java Keystore from Root CA - with proper trust anchors
           rm -f test-truststore.jks
+          
+          # Create a truststore with the root CA as a trusted certificate entry
           keytool -importcert -noprompt -trustcacerts -alias rootca -file rootCA.crt \
-          -keystore test-truststore.jks -storepass changeit
+            -keystore test-truststore.jks -storepass changeit
+          
+          # Also add the intermediate CA to the trust store
           keytool -importcert -noprompt -trustcacerts -alias intermediateca -file intermediateCA.crt \
-          -keystore test-truststore.jks -storepass changeit
+            -keystore test-truststore.jks -storepass changeit
+          
           chmod 644 test-truststore.jks
 
-      - name: Configure Squid
+      - name: Configure Squid with Standard SSL
         run: |
           sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.orig
-          sudo tee /etc/squid/squid.conf >/dev/null <<'SQ'
+          
+          echo "
+          # Basic Configuration
           http_port 3128
+          
+          # Plain HTTPS port with certificate
           https_port 3129 tls-cert=/etc/squid/squid.pem
+          
+          # Access Control - very permissive for testing
           http_access allow all
           always_direct allow all
+          
+          # Avoid DNS issues in test environment
           dns_v4_first on
+          
+          # Disable caching for testing
           cache deny all
+          
+          # Logging
           debug_options ALL,1
           logfile_rotate 0
           cache_log /var/log/squid/cache.log
           access_log /var/log/squid/access.log squid
-          SQ
+          " | sudo tee /etc/squid/squid.conf
+          
           sudo mkdir -p /var/log/squid
           sudo chown -R proxy:proxy /var/log/squid
-          sudo squid -k parse || true
+          sudo chmod 755 /var/log/squid
+          
+          sudo squid -k parse || echo "Configuration has issues but we'll try to run it anyway"
 
       - name: Start Squid Proxy
         run: |
           sudo systemctl stop squid || true
           sudo pkill squid || true
+          
           sudo squid -N -d 3 -f /etc/squid/squid.conf &
+          
           sleep 5
+          ps aux | grep squid
 
       - name: Wait for Squid to be Ready
         run: |
           for i in {1..5}; do
-            curl -s -x http://localhost:3128 http://example.com -m 10 -o /dev/null && exit 0
+            if curl -v -x http://localhost:3128 http://example.com -m 10 -o /dev/null; then
+              echo "HTTP proxy on 3128 is working!"
+              break
+            fi
+          
             sleep 3
           done
-          exit 1
+          
+          if ps aux | grep -v grep | grep squid > /dev/null; then
+            echo "Squid is running"
+          else
+            echo "Squid is not running! Attempting restart..."
+            sudo squid -N -d 3 -f /etc/squid/squid.conf &
+            sleep 5
+          fi
 
       - name: Install Root CA in System Trust Store
         run: |
-          sudo cp /tmp/ssl-certs/rootCA.crt /usr/local/share/ca-certificates/db-root.crt
+          sudo cp /tmp/ssl-certs/rootCA.crt /usr/local/share/ca-certificates/databricks-test-rootca.crt
           sudo update-ca-certificates
 
       - name: Maven Build
-        run: mvn -q clean package -DskipTests
+        run: |
+          mvn clean package -DskipTests
 
       - name: Set Environment Variables
         env:
-          DATABRICKS_TOKEN:      ${{ secrets.DATABRICKS_TOKEN }}
-          DATABRICKS_HOST:       ${{ secrets.DATABRICKS_HOST }}
-          DATABRICKS_HTTP_PATH:  ${{ secrets.DATABRICKS_HTTP_PATH }}
-          HTTP_PROXY_URL:        http://localhost:3128
-          HTTPS_PROXY_URL:       https://localhost:3129
-          TRUSTSTORE_PATH:       /tmp/ssl-certs/test-truststore.jks
-          TRUSTSTORE_PASSWORD:   changeit
-          MAVEN_OPTS: "-Docsp.enable=true -Dcom.sun.security.enableCRLDP=true"
+          DATABRICKS_TOKEN: ${{ secrets.DATABRICKS_TOKEN }}
+          DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
+          DATABRICKS_HTTP_PATH: ${{ secrets.DATABRICKS_HTTP_PATH }}
+          HTTP_PROXY_URL: "http://localhost:3128"
+          HTTPS_PROXY_URL: "https://localhost:3129"
+          TRUSTSTORE_PATH: "/tmp/ssl-certs/test-truststore.jks"
+          TRUSTSTORE_PASSWORD: "changeit"
         run: |
-          echo "DATABRICKS_TOKEN=${DATABRICKS_TOKEN}"      >> $GITHUB_ENV
-          echo "DATABRICKS_HOST=${DATABRICKS_HOST}"        >> $GITHUB_ENV
+          echo "DATABRICKS_TOKEN=${DATABRICKS_TOKEN}" >> $GITHUB_ENV
+          echo "DATABRICKS_HOST=${DATABRICKS_HOST}" >> $GITHUB_ENV
           echo "DATABRICKS_HTTP_PATH=${DATABRICKS_HTTP_PATH}" >> $GITHUB_ENV
-          echo "HTTP_PROXY_URL=${HTTP_PROXY_URL}"          >> $GITHUB_ENV
-          echo "HTTPS_PROXY_URL=${HTTPS_PROXY_URL}"        >> $GITHUB_ENV
-          echo "TRUSTSTORE_PATH=${TRUSTSTORE_PATH}"        >> $GITHUB_ENV
+          echo "HTTP_PROXY_URL=${HTTP_PROXY_URL}" >> $GITHUB_ENV
+          echo "HTTPS_PROXY_URL=${HTTPS_PROXY_URL}" >> $GITHUB_ENV
+          echo "TRUSTSTORE_PATH=${TRUSTSTORE_PATH}" >> $GITHUB_ENV
           echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> $GITHUB_ENV
-          echo "MAVEN_OPTS=${MAVEN_OPTS}"                  >> $GITHUB_ENV
 
       - name: Run SSL Tests
-        run: mvn test -Dtest=**/SSLTest.java
+        run: |
+          mvn test -Dtest=**/SSLTest.java
 
       - name: Cleanup
         if: always()
         run: |
-          sudo pkill squid || true
-          sudo rm -f /usr/local/share/ca-certificates/db-root.crt
-          sudo update-ca-certificates --fresh
+          sudo systemctl stop squid
+          sudo systemctl disable squid
+          sudo pkill squid
+          sudo rm -f /usr/local/share/ca-certificates/databricks-test-rootca.crt
+          sudo update-ca-certificates --fresh
diff --git a/src/test/java/com/databricks/client/jdbc/SSLTest.java b/src/test/java/com/databricks/client/jdbc/SSLTest.java
@@ -175,27 +175,64 @@ public void testWithSystemTrustStore() {
     }
   }
 
-  /**
-   * Revocation checking ON + STRICT (undetermined status is rejected). Because none of the certs we
-   * generate in the workflow have a CRL/OCSP endpoint, the status ends up “undetermined”, so the
-   * driver **must fail**.
-   */
   @Test
-  public void testRevocationCheckStrictFail() {
-    System.out.println("Scenario: Revocation ON, undetermined NOT accepted – expect failure");
-    for (boolean thrift : new boolean[] {true, false}) {
+  public void testDirectConnectionSystemTrustStoreFallback() {
+    System.out.println(
+        "Scenario: UseSystemTrustStore=1 with no system property -> fallback to cacerts (direct)");
+
+    // ensure the property is *unset* for this test run
+    String savedProp = System.getProperty("javax.net.ssl.trustStore");
+    try {
+      System.clearProperty("javax.net.ssl.trustStore");
+
+      for (boolean thrift : new boolean[] {true, false}) {
+        String url = buildJdbcUrl(thrift, false, false, false, true, false);
+        try {
+          verifyConnect(url);
+        } catch (Exception e) {
+          fail(
+              "Fallback‑to‑cacerts direct connect failed (thrift="
+                  + thrift
+                  + "): "
+                  + e.getMessage());
+        }
+      }
+    } finally {
+      // restore original system state
+      if (savedProp != null) {
+        System.setProperty("javax.net.ssl.trustStore", savedProp);
+      }
+    }
+  }
 
-      String url =
-          buildJdbcUrl(thrift, true, false, false, true, false)
-              + "CheckCertificateRevocation=1;"
-              + "AcceptUndeterminedCertificateRevocation=0;";
-
-      assertThrows(
-          Exception.class,
-          () -> verifyConnect(url),
-          "Strict revocation check should fail when revocation status is undetermined (thrift="
-              + thrift
-              + ")");
+  @Test
+  public void testIgnoreSystemPropertyWhenUseSystemTrustStoreDisabled() {
+    System.out.println(
+        "Scenario: bogus javax.net.ssl.trustStore present but UseSystemTrustStore=0 (driver must ignore)");
+
+    String savedProp = System.getProperty("javax.net.ssl.trustStore");
+    try {
+      System.setProperty("javax.net.ssl.trustStore", "/path/that/does/not/exist.jks");
+
+      for (boolean thrift : new boolean[] {true, false}) {
+        String url = buildJdbcUrl(thrift, false, false, false, false, false);
+        try {
+          verifyConnect(url);
+        } catch (Exception e) {
+          fail(
+              "Driver failed to ignore bogus system trust store (thrift="
+                  + thrift
+                  + "): "
+                  + e.getMessage());
+        }
+      }
+    } finally {
+      // restore original value
+      if (savedProp != null) {
+        System.setProperty("javax.net.ssl.trustStore", savedProp);
+      } else {
+        System.clearProperty("javax.net.ssl.trustStore");
+      }
     }
   }
 }
