Make custom keystore compatible with real-world HTTPS server (gradle#…

…14383) Previously we were using custom keystore/truststore for embedded HTTPS server, which is not compatible with real-world HTTPS server. Now we merge JDK cacerts into the custom keystore.
MainOliver22 · Sep 2, 2020 · eba295e · eba295e
1 parent 2f75b03
commit eba295e
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 23 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -42,3 +42,4 @@
 *.ttf           binary
 *.pyc           binary
 *.gpg           binary
+*.bin           binary
diff --git a/...ernal-integ-testing/src/main/groovy/org/gradle/test/fixtures/keystore/TestKeyStore.groovy b/...ernal-integ-testing/src/main/groovy/org/gradle/test/fixtures/keystore/TestKeyStore.groovy
@@ -32,12 +32,25 @@ class TestKeyStore {
         new TestKeyStore(rootDir)
     }
 
+    /*
+     clientStore/serverStore only contains self-signed certificates for embedded HTTPS server.
+     To make the client work with both embedded HTTPS server and real-world HTTPS server (e.g. Maven Central),
+     we need to merge JDK's cacerts into the custom truststore via:
+
+     keytool -importkeystore -srckeystore <JDK cacerts file location> -destkeystore <resource>/test-key-store/trustStore
+
+     Note:
+      1. Use JDK8 keytool command to make sure compatibility.
+      2. Default password for JDK cacerts is "changeit".
+
+     The current trustStore-adoptopenjdk-8 is created from AdoptOpenJDK8 cacerts.
+     */
     private TestKeyStore(TestFile rootDir) {
         keyStore = rootDir.file("clientStore")
         trustStore = rootDir.file("serverStore")
 
         copyCertFile("test-key-store/keyStore", keyStore)
-        copyCertFile("test-key-store/trustStore", trustStore)
+        copyCertFile("test-key-store/trustStore-adoptopenjdk-8.bin", trustStore)
     }
 
     private static void copyCertFile(String s, TestFile clientStore) {

diff --git a/...ts/internal-integ-testing/src/main/resources/test-key-store/trustStore-adoptopenjdk-8.bin b/...ts/internal-integ-testing/src/main/resources/test-key-store/trustStore-adoptopenjdk-8.bin
diff --git a/.../org/gradle/performance/regression/buildcache/TaskOutputCachingJavaPerformanceTest.groovy b/.../org/gradle/performance/regression/buildcache/TaskOutputCachingJavaPerformanceTest.groovy
@@ -21,9 +21,6 @@ import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream
 import org.gradle.internal.hash.Hashing
 import org.gradle.performance.fixture.BuildExperimentInvocationInfo
 import org.gradle.performance.fixture.BuildExperimentListenerAdapter
-import org.gradle.performance.fixture.GradleInvocationSpec
-import org.gradle.performance.fixture.InvocationCustomizer
-import org.gradle.performance.fixture.InvocationSpec
 import org.gradle.performance.generator.JavaTestProject
 import org.gradle.performance.mutator.ApplyAbiChangeToJavaSourceFileMutator
 import org.gradle.performance.mutator.ApplyNonAbiChangeToJavaSourceFileMutator
@@ -65,7 +62,6 @@ class TaskOutputCachingJavaPerformanceTest extends AbstractTaskOutputCachingPerf
 
     def "clean #tasks on #testProject with remote https cache"() {
         setupTestProject(testProject, tasks)
-        firstWarmupWithCache = 2 // Do one run without the cache to populate the dependency cache from maven central
         protocol = "https"
         pushToRemote = true
         runner.addBuildExperimentListener(cleanLocalCache())
@@ -74,24 +70,7 @@ class TaskOutputCachingJavaPerformanceTest extends AbstractTaskOutputCachingPerf
         def keyStore = TestKeyStore.init(temporaryFolder.file('ssl-keystore'))
         keyStore.enableSslWithServerCert(buildCacheServer)
 
-        runner.addInvocationCustomizer(new InvocationCustomizer() {
-            @Override
-            <T extends InvocationSpec> T customize(BuildExperimentInvocationInfo invocationInfo, T invocationSpec) {
-                GradleInvocationSpec gradleInvocation = invocationSpec as GradleInvocationSpec
-                if (isRunWithCache(invocationInfo)) {
-                    gradleInvocation.withBuilder().gradleOpts(*keyStore.serverAndClientCertArgs).build() as T
-                } else {
-                    gradleInvocation.withBuilder()
-                    // We need a different daemon for the other runs because of the certificate Gradle JVM args
-                    // so we disable the daemon completely in order not to confuse the performance test
-                        .useDaemon(false)
-                    // We run one iteration without the cache to download artifacts from Maven central.
-                    // We can't download with the cache since we set the trust store and Maven central uses https.
-                        .args("--no-build-cache")
-                        .build() as T
-                }
-            }
-        })
+        runner.gradleOpts.addAll(keyStore.serverAndClientCertArgs)
 
         when:
         def result = runner.run()