[test] introduce SSLSocketTest (unit test)

- writeNonblockDataIntegrity: approximates the gem push scenario (#242)
  large payload via write_nonblock loop, then read server's byte count
  response, assert data integrity (no bytes lost)
- writeNonblockNetWriteDataState: saturates TCP buffer, then accesses
  the package-private netWriteData field directly to verify buffer
  consistency after the compact() fix

Author: kares

Mavenfile

@@ -82,9 +82,12 @@ plugin :clean do
                  'failOnError' =>  'false' )
 end
 
-jar 'org.jruby:jruby-core', '9.2.0.0', :scope => :provided
+jruby_compile_compat = '9.2.0.0'
+jar 'org.jruby:jruby-core', jruby_compile_compat, :scope => :provided
 # for invoker generated classes we need to add javax.annotation when on Java > 8
 jar 'javax.annotation:javax.annotation-api', '1.3.1', :scope => :compile
+# a test dependency to provide digest and other stdlib bits, needed when loading OpenSSL in Java unit tests
+jar 'org.jruby:jruby-stdlib', jruby_compile_compat, :scope => :test
 jar 'junit:junit', '[4.13.1,)', :scope => :test
 
 # NOTE: to build on Java 11 - installing gems fails (due old jossl) with:

pom.xml

@@ -107,6 +107,12 @@ DO NOT MODIFY - GENERATED CODE
       <version>1.3.1</version>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>org.jruby</groupId>
+      <artifactId>jruby-stdlib</artifactId>
+      <version>9.2.0.0</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>

src/main/java/org/jruby/ext/openssl/SSLSocket.java

@@ -145,9 +145,9 @@ private static CallSite callSite(final CallSite[] sites, final CallSiteIndex ind
     private SSLEngine engine;
     private RubyIO io;
 
-    private ByteBuffer appReadData;
-    private ByteBuffer netReadData;
-    private ByteBuffer netWriteData;
+    ByteBuffer appReadData;
+    ByteBuffer netReadData;
+    ByteBuffer netWriteData;
     private final ByteBuffer dummy = ByteBuffer.allocate(0); // could be static
 
     private boolean initialHandshake = false;

src/test/java/org/jruby/ext/openssl/SSLSocketTest.java

@@ -0,0 +1,176 @@
+package org.jruby.ext.openssl;
+
+import java.nio.ByteBuffer;
+
+import org.jruby.RubyArray;
+import org.jruby.RubyFixnum;
+import org.jruby.RubyInteger;
+import org.jruby.RubyString;
+import org.jruby.exceptions.RaiseException;
+import org.jruby.runtime.builtin.IRubyObject;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+public class SSLSocketTest extends OpenSSLHelper {
+
+    /** Loads the ssl_pair.rb script that creates a connected SSL socket pair. */
+    private String start_ssl_server_rb() { return readResource("/start_ssl_server.rb"); }
+
+    @Before
+    public void setUp() throws Exception {
+        setUpRuntime();
+    }
+
+    @After
+    public void tearDown() {
+        tearDownRuntime();
+    }
+
+    /**
+     * Real-world scenario: {@code gem push} sends a large POST body via {@code syswrite_nonblock},
+     * then reads the HTTP response via {@code sysread}.
+     *
+     * Approximates the {@code gem push} scenario:
+     * <ol>
+     *   <li>Write 256KB via {@code syswrite_nonblock} in a loop (the net/http POST pattern)</li>
+     *   <li>Server reads via {@code sysread} and counts bytes</li>
+     *   <li>Assert: server received exactly what client sent</li>
+     * </ol>
+     *
+     * With the old {@code clear()} bug, encrypted bytes were silently
+     * discarded during partial non-blocking writes, so the server would
+     * receive fewer bytes than sent.
+     */
+    @Test
+    public void syswriteNonblockDataIntegrity() throws Exception {
+        final RubyArray pair = (RubyArray) runtime.evalScriptlet(start_ssl_server_rb());
+        SSLSocket client = (SSLSocket) pair.entry(0).toJava(SSLSocket.class);
+        SSLSocket server = (SSLSocket) pair.entry(1).toJava(SSLSocket.class);
+
+        try {
+            // Server: read all data in a background thread, counting bytes
+            final long[] serverReceived = { 0 };
+            Thread serverReader = startServerReader(server, serverReceived);
+
+            // Client: write 256KB in 4KB chunks via syswrite_nonblock
+            byte[] chunk = new byte[4096];
+            java.util.Arrays.fill(chunk, (byte) 'P'); // P for POST body
+            RubyString payload = RubyString.newString(runtime, chunk);
+
+            long totalSent = 0;
+            for (int i = 0; i < 64; i++) { // 64 * 4KB = 256KB
+                try {
+                    IRubyObject written = client.syswrite_nonblock(currentContext(), payload);
+                    totalSent += ((RubyInteger) written).getLongValue();
+                } catch (RaiseException e) {
+                    if ("OpenSSL::SSL::SSLErrorWaitWritable".equals(e.getException().getMetaClass().getName())) {
+                        System.out.println("syswrite_nonblock expected: " + e.getMessage());
+                        // Expected: non-blocking write would block — retry as blocking
+                        IRubyObject written = client.syswrite(currentContext(), payload);
+                        totalSent += ((RubyInteger) written).getLongValue();
+                    } else {
+                        System.err.println("syswrite_nonblock unexpected: " + e.getMessage());
+                        throw e;
+                    }
+                }
+            }
+            assertTrue("should have sent data", totalSent > 0);
+
+            // Close client to signal EOF, let server finish reading
+            client.callMethod(currentContext(), "close");
+            serverReader.join(10_000);
+
+            assertEquals(
+                "server must receive exactly what client sent — mismatch means encrypted bytes were lost!",
+                totalSent, serverReceived[0]
+            );
+        } finally {
+            closeQuietly(pair);
+        }
+    }
+
+    private Thread startServerReader(final SSLSocket server, final long[] serverReceived) {
+        Thread serverReader = new Thread(() -> {
+            try {
+                RubyFixnum len = RubyFixnum.newFixnum(runtime, 8192);
+                while (true) {
+                    IRubyObject data = server.sysread(currentContext(), len);
+                    serverReceived[0] += ((RubyString) data).getByteList().getRealSize();
+                }
+            } catch (RaiseException e) {
+                String errorName = e.getException().getMetaClass().getName();
+                if ("EOFError".equals(errorName) || "IOError".equals(errorName)) { // client closes connection
+                    System.out.println("server-reader expected: " + e.getMessage());
+                } else {
+                    System.err.println("server-reader unexpected: " + e.getMessage());
+                    e.printStackTrace(System.err);
+                    throw e;
+                }
+            }
+        });
+        serverReader.start();
+        return serverReader;
+    }
+
+    /**
+     * After saturating the TCP send buffer with {@code syswrite_nonblock},
+     * inspect {@code netWriteData} to verify the buffer is consistent.
+     */
+    @Test
+    public void syswriteNonblockNetWriteDataConsistency() {
+        final RubyArray pair = (RubyArray) runtime.evalScriptlet(start_ssl_server_rb());
+        SSLSocket client = (SSLSocket) pair.entry(0).toJava(SSLSocket.class);
+
+        try {
+            assertNotNull("netWriteData initialized after handshake", client.netWriteData);
+
+            // Saturate: server is not reading yet, so backpressure builds
+            byte[] chunk = new byte[16384];
+            java.util.Arrays.fill(chunk, (byte) 'S');
+            RubyString payload = RubyString.newString(runtime, chunk);
+
+            int successWrites = 0;
+            for (int i = 0; i < 200; i++) {
+                try {
+                    client.syswrite_nonblock(currentContext(), payload);
+                    successWrites++;
+                } catch (RaiseException e) {
+                    if ("OpenSSL::SSL::SSLErrorWaitWritable".equals(e.getException().getMetaClass().getName())) {
+                        System.out.println("saturate-loop expected: " + e.getMessage());
+                        break; // buffer saturated — expected
+                    }
+                    System.err.println("saturate-loop unexpected: " + e.getMessage());
+                    throw e;
+                }
+            }
+            assertTrue("at least one write should succeed", successWrites > 0);
+
+            ByteBuffer netWriteData = client.netWriteData;
+            assertTrue("position <= limit", netWriteData.position() <= netWriteData.limit());
+            assertTrue("limit <= capacity", netWriteData.limit() <= netWriteData.capacity());
+
+            // If there are unflushed bytes, compact() preserved them
+            if (netWriteData.remaining() > 0) {
+                // The bytes should be valid TLS record data, not zeroed memory
+                byte b = netWriteData.get(netWriteData.position());
+                assertNotEquals("preserved bytes should be TLS data, not zeroed", 0, b);
+            }
+
+        } finally {
+            closeQuietly(pair);
+        }
+    }
+
+    private void closeQuietly(final RubyArray sslPair) {
+        for (int i = 0; i < sslPair.getLength(); i++) {
+            final IRubyObject elem = sslPair.entry(i);
+            try { elem.callMethod(currentContext(), "close"); }
+            catch (RaiseException e) { // already closed?
+                System.err.println("close raised (" + elem.inspect() + ") : " + e.getMessage());
+            }
+        }
+    }
+}

src/test/resources/start_ssl_server.rb

@@ -0,0 +1,37 @@
+# Creates a connected SSL socket pair for Java unit tests.
+# Returns [client_ssl, server_ssl]
+#
+# OpenSSL extension is loaded by SSLSocketTest.setUp via OpenSSL.load(runtime).
+
+require 'socket'
+
+key = OpenSSL::PKey::RSA.new(2048)
+cert = OpenSSL::X509::Certificate.new
+cert.version = 2
+cert.serial = 1
+cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Test')
+cert.public_key = key.public_key
+cert.not_before = Time.now
+cert.not_after = Time.now + 3600
+cert.sign(key, OpenSSL::Digest::SHA256.new)
+
+tcp_server = TCPServer.new('127.0.0.1', 0)
+port = tcp_server.local_address.ip_port
+ctx = OpenSSL::SSL::SSLContext.new
+ctx.cert = cert
+ctx.key = key
+ssl_server = OpenSSL::SSL::SSLServer.new(tcp_server, ctx)
+ssl_server.start_immediately = true
+
+server_ssl = nil
+server_thread = Thread.new { server_ssl = ssl_server.accept }
+
+sock = TCPSocket.new('127.0.0.1', port)
+sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDBUF, 4096)
+sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, 4096)
+client_ssl = OpenSSL::SSL::SSLSocket.new(sock)
+client_ssl.sync_close = true
+client_ssl.connect
+server_thread.join(5)
+
+[client_ssl, server_ssl]