Merge pull request #17065 from github/aibaars/proxy-tests

Java: integration tests with proxy server

Author: aibaars

java/integration-tests-lib/mitm_proxy.py

@@ -0,0 +1,173 @@
+import http.server
+import sys
+import os
+import socket
+import ssl
+import random
+from datetime import datetime, timedelta, timezone
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography import utils, x509
+from cryptography.hazmat.primitives.asymmetric import rsa, dsa
+
+import select
+
+
+def generateCA(ca_cert_file, ca_key_file):
+    ca_key = dsa.generate_private_key(4096)
+    name = x509.Name([
+        x509.NameAttribute(x509.NameOID.COUNTRY_NAME, "US"),
+        x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, "GitHub"),
+        x509.NameAttribute(x509.NameOID.COMMON_NAME, "GitHub CodeQL Proxy")])
+    ca_cert = x509.CertificateBuilder().subject_name(name).issuer_name(name)
+    ca_cert = ca_cert.public_key(ca_key.public_key())
+    ca_cert = ca_cert.serial_number(random.randint(50000000, 100000000))
+    ca_cert = ca_cert.not_valid_before(datetime.now(timezone.utc))
+    ca_cert = ca_cert.not_valid_after(
+        datetime.now(timezone.utc) + timedelta(days=3650))
+    ca_cert = ca_cert.add_extension(x509.BasicConstraints(
+        ca=True, path_length=None), critical=True)
+    ca_cert = ca_cert.add_extension(
+        x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()), critical=False)
+    ca_cert = ca_cert.sign(ca_key, hashes.SHA256())
+    with open(ca_cert_file, 'wb') as f:
+        f.write(ca_cert.public_bytes(encoding=serialization.Encoding.PEM))
+    with open(ca_key_file, 'wb') as f:
+        f.write(ca_key.private_bytes(encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()))
+
+
+def create_certificate(hostname):
+    pkey = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    subject = x509.Name(
+        [x509.NameAttribute(x509.NameOID.COMMON_NAME, hostname)])
+
+    cert = x509.CertificateBuilder()
+    cert = cert.subject_name(subject).issuer_name(ca_certificate.subject)
+    cert = cert.public_key(pkey.public_key())
+    cert = cert.serial_number(random.randint(50000000, 100000000))
+    cert = cert.not_valid_before(datetime.now(timezone.utc)).not_valid_after(
+        datetime.now(timezone.utc) + timedelta(days=3650))
+    cert = cert.add_extension(x509.BasicConstraints(
+        ca=False, path_length=None), critical=True)
+    cert = cert.add_extension(
+        x509.SubjectAlternativeName([x509.DNSName(hostname), x509.DNSName(f"*.{hostname}")]), critical=False)
+
+    cert = cert.sign(ca_key, hashes.SHA256())
+
+    return (cert, pkey)
+
+
+class Handler(http.server.SimpleHTTPRequestHandler):
+    def check_auth(self):
+        username = os.getenv('PROXY_USER')
+        password = os.getenv('PROXY_PASSWORD')
+        if username is None or password is None:
+            return True
+
+        authorization = self.headers.get(
+            'Proxy-Authorization', self.headers.get('Authorization', ''))
+        authorization = authorization.split()
+        if len(authorization) == 2:
+            import base64
+            import binascii
+            auth_type = authorization[0]
+            if auth_type.lower() == "basic":
+                try:
+                    authorization = authorization[1].encode('ascii')
+                    authorization = base64.decodebytes(
+                        authorization).decode('ascii')
+                except (binascii.Error, UnicodeError):
+                    pass
+                else:
+                    authorization = authorization.split(':')
+                    if len(authorization) == 2:
+                        return username == authorization[0] and password == authorization[1]
+        return False
+
+    def do_CONNECT(self):
+        if not self.check_auth():
+            self.send_response(
+                http.HTTPStatus.PROXY_AUTHENTICATION_REQUIRED)
+            self.send_header('Proxy-Authenticate', 'Basic realm="Proxy"')
+            self.end_headers()
+            return
+        # split self.path into host and port
+        host, port = self.path.split(':')
+        port = int(port)
+        self.send_response(http.HTTPStatus.OK, 'Connection established')
+        self.send_header('Connection', 'close')
+        self.end_headers()
+        self.mitm(host, port)
+
+    # man in the middle SSL connection
+    def mitm(self, host, port):
+        ssl_client_context = ssl.create_default_context(
+            purpose=ssl.Purpose.CLIENT_AUTH)
+        if not os.path.exists("certs/" + host + '.pem'):
+            cert, pkey = create_certificate(host)
+            with open("certs/" + host + '.pem', 'wb') as f:
+                f.write(pkey.private_bytes(encoding=serialization.Encoding.PEM,
+                        format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()))
+                f.write(cert.public_bytes(encoding=serialization.Encoding.PEM))
+
+        ssl_client_context.load_cert_chain("certs/" + host + '.pem')
+        ssl_client_context.load_verify_locations(ca_certificate_path)
+        # wrap self.connection in SSL
+        client = ssl_client_context.wrap_socket(
+            self.connection, server_side=True)
+
+        # create socket to host:port
+        remote = socket.create_connection(
+            (host, port))
+        # wrap socket in SSL
+        ssl_server_context = ssl.create_default_context(
+            purpose=ssl.Purpose.SERVER_AUTH)
+        remote = ssl_server_context.wrap_socket(remote, server_hostname=host)
+
+        try:
+            while True:
+                ready, _, _ = select.select(
+                    [client, remote], [], [], 2.0)
+                if not ready:
+                    break
+                for src in ready:
+                    if src is client:
+                        dst = remote
+                    else:
+                        dst = client
+                    src.setblocking(False)
+                    dst.setblocking(True)
+                    pending = 8192
+                    while pending:
+                        try:
+                            data = src.recv(pending)
+                        except ssl.SSLWantReadError:
+                            break
+                        if not data:
+                            return
+                        pending = src.pending()
+                        dst.sendall(data)
+        finally:
+            remote.close()
+            client.close()
+
+    def do_GET(self):
+        raise NotImplementedError()
+
+
+if __name__ == '__main__':
+    port = int(sys.argv[1])
+    ca_certificate = None
+    ca_certificate_path = None
+    ca_key = None
+    if len(sys.argv) > 2:
+        ca_certificate_path = sys.argv[2]
+        with open(ca_certificate_path, 'rb') as f:
+            ca_certificate = x509.load_pem_x509_certificate(f.read())
+        with open(sys.argv[3], 'rb') as f:
+            ca_key = serialization.load_pem_private_key(
+                f.read(), password=None)
+
+    server_address = ('localhost', port)
+    httpd = http.server.HTTPServer(server_address, Handler)
+    httpd.serve_forever()

java/ql/integration-tests/all-platforms/java/buildless-proxy-gradle/.gitattributes

@@ -0,0 +1,9 @@
+#
+# https://help.github.com/articles/dealing-with-line-endings/
+#
+# Linux start script should use lf
+/gradlew        text eol=lf
+
+# These are Windows script files and should use crlf
+*.bat           text eol=crlf
+

java/ql/integration-tests/all-platforms/java/buildless-proxy-gradle/.gitignore

@@ -0,0 +1,5 @@
+# Ignore Gradle project-specific cache directory
+.gradle
+
+# Ignore Gradle build output directory
+build

java/ql/integration-tests/all-platforms/java/buildless-proxy-gradle/build.gradle

@@ -0,0 +1,16 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ *
+ * This is a general purpose Gradle build.
+ * To learn more about Gradle by exploring our Samples at https://docs.gradle.org/8.3/samples
+ */
+
+apply plugin: 'java-library'
+
+repositories {
+  mavenCentral()
+}
+
+dependencies {
+  api 'org.apache.commons:commons-math3:3.6.1'
+}

java/ql/integration-tests/all-platforms/java/buildless-proxy-gradle/buildless-fetches.expected

@@ -0,0 +1 @@
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/all-platforms/java/buildless-proxy-gradle/diagnostics.expected

@@ -0,0 +1,70 @@
+{
+  "markdownMessage": "Java analysis used build tool Gradle to pick a JDK version and/or to recommend external dependencies.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/using-build-tool-advice",
+    "name": "Java analysis used build tool Gradle to pick a JDK version and/or to recommend external dependencies"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis used the system default JDK.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/jdk-system-default",
+    "name": "Java analysis used the system default JDK"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis with build-mode 'none' completed.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/complete",
+    "name": "Java analysis with build-mode 'none' completed"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java was extracted with build-mode set to 'none'. This means that all Java source in the working directory will be scanned, with build tools such as Maven and Gradle only contributing information about external dependencies.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/mode-active",
+    "name": "Java was extracted with build-mode set to 'none'"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Reading the dependency graph from build files provided 1 classpath entries",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/depgraph-provided-by-gradle",
+    "name": "Java analysis extracted precise dependency graph information from tool Gradle"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}

java/ql/integration-tests/all-platforms/java/buildless-proxy-gradle/force_sequential_test_execution

@@ -0,0 +1,3 @@
+# We currently have a bug where gradle tests become flaky when executed in parallel
+# - sometimes, gradle fails to connect to the gradle daemon.
+# Therefore, force this test to run sequentially.

java/ql/integration-tests/all-platforms/java/buildless-proxy-gradle/gradle/wrapper/gradle-wrapper.jar

@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists