test: add Java and .NET chroot integration tests (#569)

Mossaka · claude · web-flow · commit 71c996b2b437 · 2026-02-09T08:56:09.000-08:00
* test: add Java and .NET chroot integration tests Validates the procfs fix (dda7c67) that replaced the static /proc/self bind mount with a dynamic `mount -t proc`, unblocking .NET CLR and JVM runtimes that read /proc/self/exe for binary introspection. Changes: - Add DOTNET_ROOT to criticalEnvVars in awf-runner.ts so it survives sudo - Add actions/setup-java and actions/setup-dotnet to test-chroot.yml - Add Java language tests: version check, compile+run Hello World, stdlib - Add .NET language tests: version check, dotnet --info, create+run app - Add .NET package manager tests: list SDKs/runtimes, NuGet restore, blocked-domain test Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * test: add /proc filesystem correctness tests for chroot mode Adds a dedicated test suite validating the dynamic procfs mount: - /proc/self/exe resolves differently for different binaries - /proc/cpuinfo, /proc/meminfo, /proc/self/status are accessible - Java program reads /proc/self/exe and verifies it contains "java" - JVM Runtime.availableProcessors() returns correct CPU count These are the core regression tests for the procfs fix (dda7c67), sourced from independent TDD test design. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: relax procfs test assertion to handle debug output in stdout The stdout from awf includes [entrypoint] debug log lines when logLevel is 'debug'. The /proc/self/exe test was asserting the entire trimmed stdout starts with '/', but it starts with debug output. Match for known binary paths instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add external package to NuGet blocked-domain test A bare 'dotnet restore' on a default console project succeeds from the local SDK cache without hitting NuGet. Adding Newtonsoft.Json as an external dependency forces a network fetch, which correctly fails when NuGet domains are not whitelisted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/test-chroot.yml b/.github/workflows/test-chroot.yml
@@ -36,16 +36,38 @@ jobs:
         with:
           go-version: '1.22'
 
-      - name: Capture GOROOT for chroot tests
-        id: go-env
+      - name: Setup Java
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
+        with:
+          dotnet-version: '8.0'
+
+      - name: Capture tool paths for chroot tests
+        id: tool-paths
         run: |
           # Go on GitHub Actions uses trimmed binaries that require GOROOT
-          # Capture it here so we can pass it to chroot tests
           GOROOT_VALUE=$(go env GOROOT)
           echo "GOROOT=${GOROOT_VALUE}" >> $GITHUB_OUTPUT
           echo "GOROOT=${GOROOT_VALUE}" >> $GITHUB_ENV
           echo "Captured GOROOT: ${GOROOT_VALUE}"
 
+          # Java: JAVA_HOME is needed so entrypoint can add $JAVA_HOME/bin to PATH
+          if [ -n "$JAVA_HOME" ]; then
+            echo "JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV
+            echo "Captured JAVA_HOME: ${JAVA_HOME}"
+          fi
+
+          # .NET: DOTNET_ROOT is needed so entrypoint can add to PATH and set DOTNET_ROOT
+          if [ -n "$DOTNET_ROOT" ]; then
+            echo "DOTNET_ROOT=${DOTNET_ROOT}" >> $GITHUB_ENV
+            echo "Captured DOTNET_ROOT: ${DOTNET_ROOT}"
+          fi
+
       - name: Verify host tools are available
         run: |
           echo "=== Verifying host tools ==="
@@ -55,6 +77,10 @@ jobs:
           echo "pip: $(pip3 --version)"
           echo "Go: $(go version)"
           echo "GOROOT: $GOROOT"
+          echo "Java: $(java --version 2>&1 | head -1)"
+          echo "JAVA_HOME: $JAVA_HOME"
+          echo "dotnet: $(dotnet --version 2>&1)"
+          echo "DOTNET_ROOT: $DOTNET_ROOT"
           echo "Git: $(git --version)"
           echo "curl: $(curl --version | head -1)"
 
@@ -138,6 +164,11 @@ jobs:
           distribution: 'temurin'
           java-version: '21'
 
+      - name: Setup .NET
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4
+        with:
+          dotnet-version: '8.0'
+
       - name: Capture tool paths for chroot tests
         id: tool-paths
         run: |
@@ -162,6 +193,12 @@ jobs:
             echo "Captured JAVA_HOME: ${JAVA_HOME}"
           fi
 
+          # .NET: DOTNET_ROOT is needed so entrypoint can add to PATH and set DOTNET_ROOT
+          if [ -n "$DOTNET_ROOT" ]; then
+            echo "DOTNET_ROOT=${DOTNET_ROOT}" >> $GITHUB_ENV
+            echo "Captured DOTNET_ROOT: ${DOTNET_ROOT}"
+          fi
+
       - name: Verify host tools are available
         run: |
           echo "=== Verifying host tools ==="
@@ -178,6 +215,8 @@ jobs:
           echo "CARGO_HOME: $CARGO_HOME"
           echo "Java: $(java --version 2>&1 | head -1)"
           echo "JAVA_HOME: $JAVA_HOME"
+          echo "dotnet: $(dotnet --version 2>&1)"
+          echo "DOTNET_ROOT: $DOTNET_ROOT"
 
       - name: Install dependencies
         run: npm ci
@@ -219,6 +258,80 @@ jobs:
           ls -la /tmp/awf-* 2>/dev/null || true
           sudo cat /tmp/awf-*/squid-logs/access.log 2>/dev/null || true
 
+  test-chroot-procfs:
+    name: Test Chroot /proc Filesystem
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    needs: test-chroot-languages  # Run after language tests pass
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Setup Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: '3.12'
+
+      - name: Setup Java
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+
+      - name: Capture tool paths for chroot tests
+        run: |
+          if [ -n "$JAVA_HOME" ]; then
+            echo "JAVA_HOME=${JAVA_HOME}" >> $GITHUB_ENV
+            echo "Captured JAVA_HOME: ${JAVA_HOME}"
+          fi
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build project
+        run: npm run build
+
+      - name: Build local containers
+        run: |
+          echo "=== Building local containers ==="
+          docker build -t ghcr.io/github/gh-aw-firewall/squid:latest containers/squid/
+          docker build -t ghcr.io/github/gh-aw-firewall/agent:latest containers/agent/
+
+      - name: Pre-test cleanup
+        run: |
+          echo "=== Pre-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Run chroot procfs tests
+        run: |
+          echo "=== Running chroot procfs tests ==="
+          npm run test:integration -- --testPathPattern="chroot-procfs" --verbose
+        env:
+          JEST_TIMEOUT: 180000
+
+      - name: Post-test cleanup
+        if: always()
+        run: |
+          echo "=== Post-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Collect logs on failure
+        if: failure()
+        run: |
+          echo "=== Collecting failure logs ==="
+          docker ps -a || true
+          docker logs awf-squid 2>&1 || true
+          docker logs awf-agent 2>&1 || true
+          ls -la /tmp/awf-* 2>/dev/null || true
+          sudo cat /tmp/awf-*/squid-logs/access.log 2>/dev/null || true
+
   test-chroot-edge-cases:
     name: Test Chroot Edge Cases
     runs-on: ubuntu-latest
diff --git a/tests/fixtures/awf-runner.ts b/tests/fixtures/awf-runner.ts
@@ -182,6 +182,7 @@ export class AwfRunner {
       'GOROOT',
       'CARGO_HOME',
       'JAVA_HOME',
+      'DOTNET_ROOT',
     ].filter(v => process.env[v]);
 
     if (criticalEnvVars.length > 0) {
diff --git a/tests/integration/chroot-languages.test.ts b/tests/integration/chroot-languages.test.ts
@@ -177,6 +177,117 @@ describe('Chroot Language Support', () => {
     }, 120000);
   });
 
+  describe('Java', () => {
+    test('should execute java --version from host via chroot', async () => {
+      // Validates JVM starts correctly - before procfs fix, JVM would fail
+      // because /proc/self/exe resolved to bash instead of the java binary
+      const result = await runner.runWithSudo('java --version 2>&1 || java -version 2>&1', {
+        allowDomains: ['github.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+        enableChroot: true,
+      });
+
+      expect(result).toSucceed();
+      expect(result.stdout + result.stderr).toMatch(/openjdk|java|version/i);
+    }, 120000);
+
+    test('should compile and run Java Hello World', async () => {
+      // Full javac + java toolchain validation through chroot
+      const result = await runner.runWithSudo(
+        'TESTDIR=$(mktemp -d) && ' +
+        'echo \'public class Hello { public static void main(String[] args) { System.out.println("Hello from Java"); } }\' > $TESTDIR/Hello.java && ' +
+        'cd $TESTDIR && javac Hello.java && java Hello && rm -rf $TESTDIR',
+        {
+          allowDomains: ['github.com'],
+          logLevel: 'debug',
+          timeout: 120000,
+          enableChroot: true,
+        }
+      );
+
+      expect(result).toSucceed();
+      expect(result.stdout).toContain('Hello from Java');
+    }, 180000);
+
+    test('should access Java standard library (java.util)', async () => {
+      // Validates JVM class loading works beyond trivial hello world
+      const result = await runner.runWithSudo(
+        'TESTDIR=$(mktemp -d) && ' +
+        'cat > $TESTDIR/TestUtil.java << \'EOF\'\n' +
+        'import java.util.Arrays;\n' +
+        'import java.util.List;\n' +
+        'public class TestUtil {\n' +
+        '  public static void main(String[] args) {\n' +
+        '    List<String> items = Arrays.asList("a", "b", "c");\n' +
+        '    System.out.println("List size: " + items.size());\n' +
+        '  }\n' +
+        '}\n' +
+        'EOF\n' +
+        'cd $TESTDIR && javac TestUtil.java && java TestUtil && rm -rf $TESTDIR',
+        {
+          allowDomains: ['github.com'],
+          logLevel: 'debug',
+          timeout: 120000,
+          enableChroot: true,
+        }
+      );
+
+      if (result.success) {
+        expect(result.stdout).toContain('List size: 3');
+      }
+    }, 180000);
+  });
+
+  describe('.NET', () => {
+    test('should execute dotnet --version from host via chroot', async () => {
+      // Primary regression test for the /proc/self/exe fix.
+      // Before the fix, .NET CLR failed with "Cannot execute dotnet when renamed to bash"
+      const result = await runner.runWithSudo('dotnet --version', {
+        allowDomains: ['github.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+        enableChroot: true,
+      });
+
+      expect(result).toSucceed();
+      expect(result.stdout).toMatch(/\d+\.\d+\.\d+/);
+    }, 120000);
+
+    test('should show dotnet runtime information', async () => {
+      const result = await runner.runWithSudo('dotnet --info 2>&1 | head -30', {
+        allowDomains: ['github.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+        enableChroot: true,
+      });
+
+      expect(result).toSucceed();
+      expect(result.stdout + result.stderr).toMatch(/\.NET|SDK|Runtime/i);
+    }, 120000);
+
+    test('should create and run a .NET console app', async () => {
+      // Full toolchain test: project creation, NuGet restore, build, and run
+      const result = await runner.runWithSudo(
+        'TESTDIR=$(mktemp -d) && cd $TESTDIR && ' +
+        'dotnet new console -o testapp --no-restore && ' +
+        'cd testapp && dotnet restore && dotnet run && ' +
+        'rm -rf $TESTDIR',
+        {
+          allowDomains: ['api.nuget.org', 'nuget.org', 'dotnetcli.azureedge.net'],
+          logLevel: 'debug',
+          timeout: 180000,
+          enableChroot: true,
+        }
+      );
+
+      // May fail if NuGet connectivity varies in CI
+      if (result.success) {
+        expect(result.stdout).toContain('Hello, World!');
+      }
+    }, 240000);
+  });
+
   describe('Basic System Binaries', () => {
     test('should access standard Unix utilities', async () => {
       const result = await runner.runWithSudo(
diff --git a/tests/integration/chroot-package-managers.test.ts b/tests/integration/chroot-package-managers.test.ts
@@ -185,6 +185,74 @@ describe('Chroot Package Manager Support', () => {
     }, 120000);
   });
 
+  describe('.NET (dotnet/nuget)', () => {
+    test('should list installed .NET SDKs (offline)', async () => {
+      const result = await runner.runWithSudo('dotnet --list-sdks', {
+        allowDomains: ['localhost'],
+        logLevel: 'debug',
+        timeout: 60000,
+        enableChroot: true,
+      });
+
+      expect(result).toSucceed();
+      expect(result.stdout).toMatch(/\d+\.\d+\.\d+/);
+    }, 120000);
+
+    test('should list installed .NET runtimes (offline)', async () => {
+      const result = await runner.runWithSudo('dotnet --list-runtimes', {
+        allowDomains: ['localhost'],
+        logLevel: 'debug',
+        timeout: 60000,
+        enableChroot: true,
+      });
+
+      expect(result).toSucceed();
+      expect(result.stdout).toMatch(/Microsoft\.\w+/);
+    }, 120000);
+
+    test('should create and build a .NET project with NuGet restore', async () => {
+      // Tests NuGet package restore through the firewall
+      const result = await runner.runWithSudo(
+        'TESTDIR=$(mktemp -d) && cd $TESTDIR && ' +
+        'dotnet new console -o buildtest --no-restore && ' +
+        'cd buildtest && dotnet restore && dotnet build --no-restore && ' +
+        'rm -rf $TESTDIR',
+        {
+          allowDomains: ['api.nuget.org', 'nuget.org', 'dotnetcli.azureedge.net'],
+          logLevel: 'debug',
+          timeout: 180000,
+          enableChroot: true,
+        }
+      );
+
+      if (result.success) {
+        expect(result.stdout + result.stderr).toMatch(/Build succeeded/i);
+      }
+    }, 240000);
+
+    test('should be blocked from NuGet without domain whitelisting', async () => {
+      // A bare 'dotnet restore' on a default console project may succeed from
+      // the local SDK cache. Adding an external package forces a network fetch.
+      const result = await runner.runWithSudo(
+        'TESTDIR=$(mktemp -d) && cd $TESTDIR && ' +
+        'dotnet new console -o blocktest --no-restore 2>&1 && ' +
+        'cd blocktest && ' +
+        'dotnet add package Newtonsoft.Json --no-restore 2>&1 && ' +
+        'dotnet restore 2>&1; ' +
+        'EXIT=$?; rm -rf $TESTDIR; exit $EXIT',
+        {
+          allowDomains: ['localhost'],
+          logLevel: 'debug',
+          timeout: 90000,
+          enableChroot: true,
+        }
+      );
+
+      // dotnet restore should fail because NuGet API is not allowed
+      expect(result).toFail();
+    }, 150000);
+  });
+
   describe('Ruby (gem/bundler)', () => {
     test('should execute ruby from host via chroot', async () => {
       const result = await runner.runWithSudo('ruby --version', {
diff --git a/tests/integration/chroot-procfs.test.ts b/tests/integration/chroot-procfs.test.ts
