fix(e2e): resolve TLS trust and policy issues in e2e tests

nnemirovsky · nnemirovsky · commit a35cfe08e286 · 2026-04-05T13:24:02.000+08:00
diff --git a/e2e/credential_test.go b/e2e/credential_test.go
@@ -745,6 +745,14 @@ template = "testuser"
 		t.Error("audit log should contain SSH connection entry")
 	}
 
+	// Close the SSH session and client connection before waiting for the
+	// server goroutine. The defers registered above won't run until the
+	// function returns, so we must close explicitly to unblock the test
+	// server's "for newChan := range chans" loop.
+	session.Close()
+	sshClientConn.Close()
+	conn.Close()
+
 	// Wait for SSH server goroutine to finish.
 	_ = sshListener.Close()
 
diff --git a/e2e/smoke_test.go b/e2e/smoke_test.go
@@ -22,7 +22,12 @@ func TestSmoke_HealthzReturns200(t *testing.T) {
 }
 
 func TestSmoke_SOCKS5Listening(t *testing.T) {
-	proc := startSluice(t, SluiceOpts{})
+	proc := startSluice(t, SluiceOpts{
+		ConfigTOML: `
+[policy]
+default = "allow"
+`,
+	})
 
 	// Verify we can actually dial through the SOCKS5 proxy to the health endpoint.
 	dialer := connectSOCKS5(t, proc.ProxyAddr)
diff --git a/internal/proxy/inject.go b/internal/proxy/inject.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
@@ -110,6 +111,22 @@ func NewInjector(provider vault.Provider, resolver *atomic.Pointer[vault.Binding
 	proxy := goproxy.NewProxyHttpServer()
 	proxy.Verbose = false
 
+	// Build a root CA pool for the outbound transport. Start with system
+	// roots and add the sluice MITM CA cert. Adding the MITM CA is
+	// necessary because in containerized deployments, upstream test
+	// servers may present certificates signed by the same CA that sluice
+	// uses for interception. In production, no real server will present a
+	// cert signed by sluice's CA, so this addition is harmless.
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+	if len(caCert.Certificate) > 0 {
+		if parsed, err := x509.ParseCertificate(caCert.Certificate[0]); err == nil {
+			rootCAs.AddCert(parsed)
+		}
+	}
+
 	// Use a transport that dials pinned IPs (set by the SOCKS5 dial
 	// function) instead of re-resolving DNS. This prevents DNS rebinding
 	// attacks where the hostname resolves to a different IP between
@@ -138,6 +155,7 @@ func NewInjector(provider vault.Provider, resolver *atomic.Pointer[vault.Binding
 			}
 			return (&net.Dialer{Timeout: connectTimeout}).DialContext(ctx, network, addr)
 		},
+		TLSClientConfig:     &tls.Config{RootCAs: rootCAs},
 		ForceAttemptHTTP2:   true,
 		TLSHandshakeTimeout: 10 * time.Second,
 	}
