Generate gRPC test TLS material at runtime instead of committing it#878
Open
ahmedmuhsin wants to merge 2 commits into
The gRPC transport tests shipped a self-signed localhost certificate, its private key, and a PKCS12 truststore under src/test/resources/grpc-tls/. Committing a PEM private key + PKCS12 bundle trips secret scanning (SEC101/013 PemPrivateKey, SEC101/055 Pkcs12CertificatePrivateKeyBundle) and hard-blocks the internal ADO mirror push (VS403654 NonbypassableBlock).

Replace the committed files with TestTlsMaterial, which generates an ephemeral CN=localhost keypair, certificate, and matching truststore at test runtime using the JDK's keytool. keytool ships with every JDK (8-25), so this stays portable across the CI Java matrix without adding a certificate-generation dependency (e.g. Bouncy Castle) and without needing --add-exports for sun.security internals.

- TestTlsMaterial: keytool-driven generator, lazily initialized once per JVM, writing to a temp dir that is deleted on exit.
- FunctionsTestHost: builds the server SslContext from the generated PKCS12 keystore (PrivateKey + X509Certificate) rather than PEM resource files.
- GrpcTransportTest: points the client truststore at the generated PKCS12 truststore instead of the committed resource.
- Delete src/test/resources/grpc-tls/* and add .gitignore guards so keys and keystores cannot be re-committed.

Note: this removes the files from the branch tip only. Purging them from the history that the mirror replays (commit 079a4d4) still requires a separate history rewrite or a 1ES exception.

Verified: mvn test -Dtest=GrpcTransportTest -> 3 passed (plaintext, trusted HTTPS/TLS, and HTTPS-no-plaintext-downgrade).
- Replace wildcard imports introduced by this PR with explicit imports (FunctionsTestHost, GrpcTransportTest); drop a now-unused java.net import.
- Make buildServerSslContext an instance method.
- Narrow initializeServer/buildServerSslContext throws to GeneralSecurityException and IOException instead of Exception.
- Reduce the generated cert validity from 7300 days to 2; it only needs to outlive a single test run.
- Throw IOException (not IllegalStateException) on keytool timeout/non-zero exit so the constructor's catch wraps all failures in one message.
- Validate keytool is present and executable before invoking it.
Summary
The gRPC transport tests shipped a self-signed localhost certificate, its private key, and a PKCS12 truststore under src/test/resources/grpc-tls/. Committing a PEM private key + PKCS12 bundle trips secret scanning and hard-blocks the internal ADO mirror push:

This replaces the committed key material with runtime generation, so no private keys live in the repo.
What changed
- TestTlsMaterial — generates an ephemeral CN=localhost keypair, certificate, and matching PKCS12 truststore at test runtime using the JDK's keytool. keytool ships with every JDK (8–25), so this stays portable across the CI Java matrix without adding a certificate-generation dependency (e.g. Bouncy Castle) and without --add-exports for sun.security internals. Material is written to a temp dir deleted on JVM exit, generated once per JVM.
- FunctionsTestHost — builds the server SslContext from the generated PKCS12 keystore (PrivateKey + X509Certificate[]) instead of PEM resource files.
- GrpcTransportTest — points the client truststore at the generated PKCS12 truststore instead of the committed resource.
- src/test/resources/grpc-tls/{localhost-cert.pem,localhost-key.pem,localhost-truststore.p12}.
- .gitignore guards (src/test/resources/grpc-tls/, *.p12, *.pfx, *-key.pem) so keys/keystores can't be re-committed. Verified no currently-tracked files match these patterns.

Testing
Covers all three existing cases against the runtime-generated cert:
Important caveat
This removes the files from the branch tip and prevents recurrence, but it does not on its own unblock the mirror. The hard-block is reported at the commit that introduced the key (079a4d40), which still exists in the history the mirror replays. Fully clearing the mirror still requires either:
dev, release/*, etc.) + force-push, or

This PR is the clean forward-fix that makes the eventual history purge final and stops new keys from landing.
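The keytool-driven generation that the commit messages and the "What changed" section describe (ephemeral CN=localhost keypair, PEM export, separate PKCS12 truststore, lazy once-per-JVM initialization, temp dir deleted on exit, keytool presence check, IOException on timeout or non-zero exit), written out as an added example. This is illustrative code, not the project's TestTlsMaterial; the class name EphemeralTlsMaterial, the "changeit" store password, the 30-second timeout, the file names and the RSA-2048 choice are assumptions made here.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;

/** Hypothetical runtime generator of localhost TLS test material via the JDK keytool (example, not the project's code). */
public final class EphemeralTlsMaterial {
    private static final String ALIAS = "localhost";
    // Constructed password: it only protects files in a per-JVM temp dir that is deleted on exit.
    private static final char[] STOREPASS = "changeit".toCharArray();
    private static final long KEYTOOL_TIMEOUT_SECONDS = 30; // assumed value

    private static EphemeralTlsMaterial instance;

    private final Path keystorePath;
    private final Path truststorePath;
    private final PrivateKey privateKey;
    private final X509Certificate[] certificateChain;

    /** Lazily generates the material once per JVM; later callers reuse the same files. */
    public static synchronized EphemeralTlsMaterial instance() throws IOException, GeneralSecurityException {
        if (instance == null) {
            instance = new EphemeralTlsMaterial();
        }
        return instance;
    }

    private EphemeralTlsMaterial() throws IOException, GeneralSecurityException {
        Path keytool = locateKeytool();
        Path dir = Files.createTempDirectory("grpc-tls-");
        keystorePath = dir.resolve("localhost-keystore.p12");
        truststorePath = dir.resolve("localhost-truststore.p12");
        Path certPem = dir.resolve("localhost-cert.pem");
        // deleteOnExit runs in reverse registration order: register the directory first so it is removed last.
        for (Path p : Arrays.asList(dir, keystorePath, truststorePath, certPem)) {
            p.toFile().deleteOnExit();
        }
        String pass = new String(STOREPASS);

        // 1. Self-signed CN=localhost keypair with a SAN so hostname verification passes against 127.0.0.1/localhost.
        //    RSA-2048 keeps the command valid down to JDK 8; a 2-day validity outlives a single test run.
        run(keytool, "-genkeypair", "-alias", ALIAS, "-keyalg", "RSA", "-keysize", "2048",
                "-dname", "CN=localhost", "-ext", "SAN=dns:localhost,ip:127.0.0.1", "-validity", "2",
                "-storetype", "PKCS12", "-keystore", keystorePath.toString(), "-storepass", pass);
        // 2. Export only the certificate (public part) as PEM.
        run(keytool, "-exportcert", "-rfc", "-alias", ALIAS, "-keystore", keystorePath.toString(),
                "-storepass", pass, "-file", certPem.toString());
        // 3. Import it into a separate truststore for the client side; this file never holds a private key.
        run(keytool, "-importcert", "-noprompt", "-alias", ALIAS, "-file", certPem.toString(),
                "-storetype", "PKCS12", "-keystore", truststorePath.toString(), "-storepass", pass);

        // Load the server key and chain from the PKCS12 keystore (the inputs to a server SslContext).
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keystorePath)) {
            ks.load(in, STOREPASS);
        }
        privateKey = (PrivateKey) ks.getKey(ALIAS, STOREPASS);
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        if (privateKey == null || chain == null || chain.length == 0) {
            throw new GeneralSecurityException("keystore lacks the expected '" + ALIAS + "' key entry");
        }
        certificateChain = Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    /** Resolves keytool inside the running JDK and fails fast if it is missing or not executable. */
    private static Path locateKeytool() throws IOException {
        boolean windows = System.getProperty("os.name", "").toLowerCase().startsWith("windows");
        Path keytool = Paths.get(System.getProperty("java.home"), "bin", windows ? "keytool.exe" : "keytool");
        if (!Files.isRegularFile(keytool) || !Files.isExecutable(keytool)) {
            throw new IOException("keytool not found or not executable at " + keytool);
        }
        return keytool;
    }

    /** Runs one keytool invocation; a timeout or non-zero exit becomes an IOException carrying the tool output. */
    private static void run(Path keytool, String... args) throws IOException {
        String[] cmd = new String[args.length + 1];
        cmd[0] = keytool.toString();
        System.arraycopy(args, 0, cmd, 1, args.length);
        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        try {
            // keytool prints a few lines at most, which fits the pipe buffer, so waiting before draining is safe
            // and keeps the timeout effective even if the tool hangs with its stdout still open.
            if (!p.waitFor(KEYTOOL_TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                p.destroyForcibly();
                throw new IOException("keytool " + args[0] + " timed out after " + KEYTOOL_TIMEOUT_SECONDS + "s");
            }
            String output = new String(readAll(p.getInputStream()), StandardCharsets.UTF_8);
            if (p.exitValue() != 0) {
                throw new IOException("keytool " + args[0] + " exited with " + p.exitValue() + ": " + output);
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while waiting for keytool", e);
        }
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }

    public PrivateKey privateKey() { return privateKey; }
    public X509Certificate[] certificateChain() { return certificateChain.clone(); }
    public Path truststorePath() { return truststorePath; }
    public char[] storePassword() { return STOREPASS.clone(); }
}
```

A server-side test host would feed privateKey() and certificateChain() into its SslContext builder, while the client test points its truststore at truststorePath() with storePassword(); because the only artefacts are files in a temp directory registered with deleteOnExit, nothing is left behind for a secret scanner to flag, and the .gitignore patterns from the PR remain as a backstop in case a developer persists a keystore elsewhere under src/test/resources.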