michaelklishin
diff --git a/‎.github/scripts/free_disk_space.sh‎
Lines changed: 32 additions & 0 deletions b/‎.github/scripts/free_disk_space.sh‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 142 additions & 1 deletion b/‎.github/workflows/ci.yaml‎
Lines changed: 142 additions & 1 deletion
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 28 additions & 1 deletion b/‎CONTRIBUTING.md‎
Lines changed: 28 additions & 1 deletion
diff --git a/‎Cargo.toml‎
Lines changed: 5 additions & 0 deletions b/‎Cargo.toml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎bin/ci/before_build_tls.sh‎
Lines changed: 140 additions & 0 deletions b/‎bin/ci/before_build_tls.sh‎
Lines changed: 140 additions & 0 deletions
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Based on https://github.com/apache/flink/blob/02d30ace69dc18555a5085eccf70ee884e73a16e/tools/azure-pipelines/free_disk_space.sh
+#
+# The GitHub Actions provided machines typically have the following disk allocation:
+# Total space: 85GB
+# Allocated: 67 GB
+# Free: 17 GB
+#
+# This script frees up disk space by deleting unneeded packages and large directories.
+
+echo "=============================================================================="
+echo "Freeing up disk space on CI system"
+echo "=============================================================================="
+
+echo "Listing 100 largest packages"
+dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n | tail -n 100
+df -h
+
+echo "Removing large packages"
+sudo apt-get remove -y '^ghc-8.*'
+sudo apt-get remove -y '^dotnet-.*'
+sudo apt-get remove -y '^llvm-.*'
+sudo apt-get remove -y 'php.*'
+sudo apt-get remove -y azure-cli google-cloud-sdk hhvm google-chrome-stable firefox powershell mono-devel
+sudo apt-get autoremove -y
+sudo apt-get clean
+df -h
+
+echo "Removing large directories"
+rm -rf /usr/share/dotnet/
+df -h
@@ -12,6 +12,7 @@ on:
       - 'src/**'
       - "tests/**"
       - "bin/ci/before_build.sh"
+      - "bin/ci/before_build_tls.sh"
   pull_request: {}
 
 env:
@@ -35,6 +36,10 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+
+      - name: Free up disk space
+        run: .github/scripts/free_disk_space.sh
+
       - uses: dtolnay/rust-toolchain@stable
         with:
           toolchain: ${{ matrix.rust-version }}
@@ -71,6 +76,10 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+
+      - name: Free up disk space
+        run: .github/scripts/free_disk_space.sh
+
       - name: Set up Rust toolchain
         uses: dtolnay/rust-toolchain@stable
         with:
@@ -88,4 +97,136 @@ jobs:
         run: sleep 10
 
       - name: Run all tests
-        run: RUST_BACKTRACE=1 TEST_STATS_DELAY=1500 cargo nextest run --workspace --no-fail-fast --all-features
+        run: RUST_BACKTRACE=1 TEST_STATS_DELAY=1500 cargo nextest run --cargo-profile ci --workspace --no-fail-fast --all-features
+
+  tls-tests:
+    name: TLS tests
+    strategy:
+      matrix:
+        rabbitmq-series:
+          - "4.0"
+          - "4.1"
+        rust-version:
+          - stable
+        runner:
+          - "ubuntu-22.04"
+          - "ubuntu-24.04"
+          - "ubuntu-24.04-arm"
+    runs-on: ${{ matrix.runner }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Free up disk space
+        run: .github/scripts/free_disk_space.sh
+
+      - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: ${{ matrix.rust-version }}
+
+      - uses: taiki-e/install-action@nextest
+
+      - name: Clone tls-gen
+        run: git clone --depth 1 https://github.com/rabbitmq/tls-gen.git target/tls-gen
+
+      - name: Generate TLS certificates
+        run: |
+          cd target/tls-gen/basic
+          make CN=localhost
+
+      - name: Create certs directory
+        run: mkdir -p tests/tls/certs
+
+      - name: Copy certificates
+        run: |
+          cp target/tls-gen/basic/result/ca_certificate.pem tests/tls/certs/
+          cp target/tls-gen/basic/result/server_localhost_certificate.pem tests/tls/certs/server_certificate.pem
+          cp target/tls-gen/basic/result/server_localhost_key.pem tests/tls/certs/server_key.pem
+          cp target/tls-gen/basic/result/client_localhost_certificate.pem tests/tls/certs/client_certificate.pem
+          cp target/tls-gen/basic/result/client_localhost_key.pem tests/tls/certs/client_key.pem
+          # Create PKCS#12 client identity for native-tls compatibility
+          openssl pkcs12 -export \
+            -out tests/tls/certs/client_identity.p12 \
+            -inkey tests/tls/certs/client_key.pem \
+            -in tests/tls/certs/client_certificate.pem \
+            -certfile tests/tls/certs/ca_certificate.pem \
+            -passout pass:
+          chmod o+r tests/tls/certs/*
+          chmod g+r tests/tls/certs/*
+
+      - name: Create RabbitMQ TLS configuration
+        run: |
+          cat > tests/tls/certs/rabbitmq.conf << 'EOF'
+          management.ssl.port       = 15671
+          management.ssl.cacertfile = /certs/ca_certificate.pem
+          management.ssl.certfile   = /certs/server_certificate.pem
+          management.ssl.keyfile    = /certs/server_key.pem
+          management.tcp.port       = 15672
+          loopback_users            = none
+          EOF
+          sed -i 's/^[[:space:]]*//' tests/tls/certs/rabbitmq.conf
+          echo "Generated config:"
+          cat tests/tls/certs/rabbitmq.conf
+          echo -n "rabbitmq-test-cookie" > tests/tls/certs/.erlang.cookie
+          chmod 600 tests/tls/certs/.erlang.cookie
+
+      - name: Start RabbitMQ with TLS
+        run: |
+          docker run -d --name rabbitmq-tls \
+            -p 15671:15671 \
+            -p 15672:15672 \
+            -p 5672:5672 \
+            -v ${{ github.workspace }}/tests/tls/certs/.erlang.cookie:/var/lib/rabbitmq/.erlang.cookie \
+            -v ${{ github.workspace }}/tests/tls/certs:/certs:ro \
+            -v ${{ github.workspace }}/tests/tls/certs/rabbitmq.conf:/etc/rabbitmq/conf.d/10-tls.conf:ro \
+            rabbitmq:${{ matrix.rabbitmq-series }}-management
+
+      - name: Wait for RabbitMQ to start
+        run: |
+          for i in $(seq 1 30); do
+            if docker exec rabbitmq-tls rabbitmqctl await_startup --timeout 60; then
+              echo "RabbitMQ is ready"
+              exit 0
+            fi
+            echo "Waiting for container... ($i/30)"
+            sleep 2
+          done
+          echo "RabbitMQ failed to start. Container logs:"
+          docker logs rabbitmq-tls
+          exit 1
+
+      - name: Verify TLS listener
+        run: |
+          docker exec rabbitmq-tls rabbitmq-diagnostics listeners
+          echo "Checking if TLS port 15671 is listening..."
+          docker exec rabbitmq-tls rabbitmq-diagnostics listeners | grep -E "15671|ssl" || echo "Note: TLS listener output"
+
+      - name: Debug TLS certificates
+        run: |
+          echo "=== CA Certificate ==="
+          openssl x509 -in tests/tls/certs/ca_certificate.pem -noout -subject -issuer
+          echo "=== Server Certificate ==="
+          openssl x509 -in tests/tls/certs/server_certificate.pem -noout -subject -issuer
+          echo "=== Verify server cert against CA ==="
+          openssl verify -CAfile tests/tls/certs/ca_certificate.pem tests/tls/certs/server_certificate.pem
+          echo "=== Test TLS connection with curl ==="
+          curl -v --cacert tests/tls/certs/ca_certificate.pem https://localhost:15671/api/overview -u guest:guest 2>&1 | head -30 || true
+          echo "=== Certificate file permissions ==="
+          ls -la tests/tls/certs/
+
+      - name: Configure broker
+        run: |
+          docker exec rabbitmq-tls rabbitmqctl add_vhost / || true
+          docker exec rabbitmq-tls rabbitmqctl add_user guest guest || true
+          docker exec rabbitmq-tls rabbitmqctl set_permissions -p / guest ".*" ".*" ".*"
+
+      - name: Run TLS tests
+        run: |
+          TLS_CERTS_DIR=${{ github.workspace }}/tests/tls/certs \
+          RUST_BACKTRACE=1 \
+          cargo nextest run --cargo-profile ci -E 'binary(async_tls_tests) | binary(blocking_tls_tests)' --run-ignored=only --no-fail-fast --all-features
+
+      - name: Stop RabbitMQ container
+        if: always()
+        run: docker stop rabbitmq-tls && docker rm rabbitmq-tls || true
@@ -27,4 +27,31 @@ cargo test blocking --all-features
 
 ``` bash
 NEXTEST_RETRIES=3 cargo nextest run -E "test(test_list_all_vhost_limits)"
-```
+```
+
+## Running TLS Integration Tests
+
+TLS-enabled tests require a set of certificate and private key pairs, plus
+a preconfigured RabbitMQ node. As such, they are excluded from standard `cargo nextest` runs.
+
+To run these tests, generate certificates using [tls-gen](https://github.com/rabbitmq/tls-gen):
+
+```shell
+cd /path/to/tls-gen/basic && make CN=localhost && make alias-leaf-artifacts
+```
+
+Then [configure](https://www.rabbitmq.com/docs/management#single-listener-https) RabbitMQ management plugin to use TLS.
+
+Next, export the `TLS_CERTS_DIR` environment variable:
+
+```shell
+export TLS_CERTS_DIR=/path/to/tls-gen/basic/result
+```
+
+Finally, run the tests in question only:
+
+```shell
+cargo nextest run -E 'binary(async_tls_tests)' --run-ignored=only --all-features
+
+cargo nextest run -E 'binary(blocking_tls_tests)' --run-ignored=only --all-features
+```
@@ -66,5 +66,10 @@ native-tls = ["reqwest?/native-tls"]
 rustls-tls = ["reqwest?/rustls-tls"]
 hickory-dns = ["reqwest?/hickory-dns"]
 
+[profile.ci]
+inherits = "dev"
+opt-level = "s"
+strip = true
+
 [lints.clippy]
 uninlined_format_args = "allow"
@@ -0,0 +1,140 @@
+#!/bin/sh
+
+# TLS test setup script for CI and local development
+# Generates certificates using tls-gen and configures RabbitMQ with TLS-enabled management API
+
+set -e
+
+CTL=${RUST_HTTP_API_CLIENT_RABBITMQCTL:="sudo rabbitmqctl"}
+PLUGINS=${RUST_HTTP_API_CLIENT_RABBITMQ_PLUGINS:="sudo rabbitmq-plugins"}
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+CERTS_DIR="${REPO_ROOT}/tests/tls/certs"
+
+# Docker container ID (passed via environment or extracted from CTL)
+CONTAINER_ID=""
+
+case $CTL in
+    DOCKER*)
+        CONTAINER_ID="${CTL##*:}"
+        PLUGINS="docker exec ${CONTAINER_ID} rabbitmq-plugins"
+        CTL="docker exec ${CONTAINER_ID} rabbitmqctl"
+        ;;
+esac
+
+echo "Will use rabbitmqctl at ${CTL}"
+echo "Will use rabbitmq-plugins at ${PLUGINS}"
+
+# Create certs directory
+mkdir -p "${CERTS_DIR}"
+
+# Check if tls-gen is available
+TLSGEN_DIR="${TLSGEN_DIR:-}"
+if [ -z "$TLSGEN_DIR" ]; then
+    echo "TLSGEN_DIR not set, cloning tls-gen..."
+    TLSGEN_DIR="${REPO_ROOT}/target/tls-gen"
+    if [ ! -d "$TLSGEN_DIR" ]; then
+        git clone --depth 1 https://github.com/rabbitmq/tls-gen.git "$TLSGEN_DIR"
+    fi
+fi
+
+echo "Using tls-gen at ${TLSGEN_DIR}"
+
+# Generate certificates using basic profile
+cd "${TLSGEN_DIR}/basic"
+make CN=localhost
+make alias-leaf-artifacts
+
+# Copy certificates to the test directory
+cp result/ca_certificate.pem "${CERTS_DIR}/"
+cp result/server_certificate.pem "${CERTS_DIR}/"
+cp result/server_key.pem "${CERTS_DIR}/"
+cp result/client_certificate.pem "${CERTS_DIR}/"
+cp result/client_key.pem "${CERTS_DIR}/"
+
+# Create PKCS#12 client identity for native-tls compatibility
+openssl pkcs12 -export \
+    -out "${CERTS_DIR}/client_identity.p12" \
+    -inkey "${CERTS_DIR}/client_key.pem" \
+    -in "${CERTS_DIR}/client_certificate.pem" \
+    -certfile "${CERTS_DIR}/ca_certificate.pem" \
+    -passout pass:
+
+echo "Certificates generated and copied to ${CERTS_DIR}"
+
+# Create RabbitMQ configuration for TLS
+RABBITMQ_CONF="${CERTS_DIR}/rabbitmq.conf"
+cat > "${RABBITMQ_CONF}" << 'EOF'
+# Enable TLS on management plugin
+management.ssl.port       = 15671
+management.ssl.cacertfile = /certs/ca_certificate.pem
+management.ssl.certfile   = /certs/server_certificate.pem
+management.ssl.keyfile    = /certs/server_key.pem
+
+# Keep HTTP enabled for other tests
+management.tcp.port = 15672
+loopback_users      = none
+EOF
+
+echo "RabbitMQ TLS configuration written to ${RABBITMQ_CONF}"
+
+# If using Docker, start a container with TLS configuration
+if [ -n "$CONTAINER_ID" ]; then
+    echo "Note: Docker service container ${CONTAINER_ID} detected."
+    echo "For TLS tests, use a standalone Docker container instead."
+    echo ""
+    echo "To start RabbitMQ with TLS manually:"
+    echo "  docker run -d --name rabbitmq-tls \\"
+    echo "    -p 15671:15671 -p 15672:15672 -p 5672:5672 \\"
+    echo "    -v ${CERTS_DIR}:/certs:ro \\"
+    echo "    -v ${RABBITMQ_CONF}:/etc/rabbitmq/conf.d/10-tls.conf:ro \\"
+    echo "    rabbitmq:4.0-management"
+fi
+
+# Enable management plugin (should already be enabled in the management image)
+$PLUGINS enable rabbitmq_management
+
+sleep 3
+
+# Configure vhosts and users (same as before_build.sh)
+$CTL add_vhost /
+$CTL add_user guest guest || true
+$CTL set_permissions -p / guest ".*" ".*" ".*"
+
+$CTL add_user rust3 rust3 || true
+$CTL set_permissions -p / rust3 ".*" ".*" ".*"
+
+# Reduce retention policy for faster publishing of stats
+$CTL eval 'supervisor2:terminate_child(rabbit_mgmt_sup_sup, rabbit_mgmt_sup), application:set_env(rabbitmq_management,       sample_retention_policies, [{global, [{605, 1}]}, {basic, [{605, 1}]}, {detailed, [{10, 1}]}]), rabbit_mgmt_sup_sup:start_child().'
+$CTL eval 'supervisor2:terminate_child(rabbit_mgmt_agent_sup_sup, rabbit_mgmt_agent_sup), application:set_env(rabbitmq_management_agent, sample_retention_policies, [{global, [{605, 1}]}, {basic, [{605, 1}]}, {detailed, [{10, 1}]}]), rabbit_mgmt_agent_sup_sup:start_child().'
+
+$CTL add_vhost "rust/http/api/client" || true
+$CTL set_permissions -p "rust/http/api/client" guest ".*" ".*" ".*"
+
+# Set cluster name
+$CTL set_cluster_name rabbitmq@localhost
+
+$CTL enable_feature_flag all
+
+# Enable additional plugins
+$PLUGINS enable rabbitmq_shovel
+$PLUGINS enable rabbitmq_shovel_management
+$PLUGINS enable rabbitmq_federation
+$PLUGINS enable rabbitmq_federation_management
+$PLUGINS enable rabbitmq_stream
+$PLUGINS enable rabbitmq_stream_management
+
+# Export certificate paths for tests
+echo ""
+echo "=== TLS Test Environment ==="
+echo "CA Certificate: ${CERTS_DIR}/ca_certificate.pem"
+echo "Client Certificate: ${CERTS_DIR}/client_certificate.pem"
+echo "Client Key: ${CERTS_DIR}/client_key.pem"
+echo "TLS Endpoint: https://localhost:15671/api"
+echo ""
+echo "To run TLS tests:"
+echo "  TLS_CERTS_DIR=${CERTS_DIR} cargo nextest run -E 'binary(async_tls_tests) | binary(blocking_tls_tests)' --run-ignored=only --all-features"
+echo ""
+
+true