From e5949dc5f76141242cd81c2cad8265086070aa66 Mon Sep 17 00:00:00 2001 From: Schneems Date: Tue, 12 Nov 2024 11:33:22 -0600 Subject: [PATCH 1/5] Add config.strict_ssl value to config --- ruby/lib/ci/queue/configuration.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ruby/lib/ci/queue/configuration.rb b/ruby/lib/ci/queue/configuration.rb index 1941b81e..f3d694d4 100644 --- a/ruby/lib/ci/queue/configuration.rb +++ b/ruby/lib/ci/queue/configuration.rb @@ -3,7 +3,7 @@ module CI module Queue class Configuration attr_accessor :timeout, :worker_id, :max_requeues, :grind_count, :failure_file, :export_flaky_tests_file - attr_accessor :requeue_tolerance, :namespace, :failing_test, :statsd_endpoint + attr_accessor :requeue_tolerance, :namespace, :failing_test, :statsd_endpoint, :strict_ssl attr_accessor :max_test_duration, :max_test_duration_percentile, :track_test_duration attr_accessor :max_test_failed, :redis_ttl, :warnings_file, :debug_log, :max_missed_heartbeat_seconds attr_reader :circuit_breakers @@ -37,7 +37,8 @@ def initialize( grind_count: nil, max_duration: nil, failure_file: nil, max_test_duration: nil, max_test_duration_percentile: 0.5, track_test_duration: false, max_test_failed: nil, queue_init_timeout: nil, redis_ttl: 8 * 60 * 60, report_timeout: nil, inactive_workers_timeout: nil, - export_flaky_tests_file: nil, warnings_file: nil, debug_log: nil, max_missed_heartbeat_seconds: nil) + export_flaky_tests_file: nil, warnings_file: nil, debug_log: nil, max_missed_heartbeat_seconds: nil, + strict_ssl: false) @build_id = build_id @circuit_breakers = [CircuitBreaker::Disabled] @failure_file = failure_file @@ -51,6 +52,7 @@ def initialize( @requeue_tolerance = requeue_tolerance @seed = seed @statsd_endpoint = statsd_endpoint + @strict_ssl = strict_ssl @timeout = timeout @queue_init_timeout = queue_init_timeout @track_test_duration = track_test_duration From 3bf22cc94ac69e28fcf8a9a95d1b55d4c6522150 Mon Sep 17 00:00:00 2001 
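Review bot: The new `strict_ssl: false` keyword default in `initialize` makes the insecure setting the one every caller gets by omission. Because the value is also exposed through `attr_accessor`, assigning `nil` has the same effect once the `if !config.strict_ssl` check added in PATCH 4/5 (ruby/lib/ci/queue/redis/base.rb) reads it. A safer polarity would be `strict_ssl: true` with an explicit opt-out, so that a forgotten argument never turns certificate verification off. If the default has to stay for compatibility, I would add a comment beside the keyword, such as `# false => the Redis TLS peer certificate is NOT verified (see ci/queue/redis/base.rb)`. The `initialize` signature and body continue outside these hunks.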
From: Schneems Date: Tue, 12 Nov 2024 11:34:31 -0600 Subject: [PATCH 2/5] Add --strict-ssl flag to rspec --- ruby/lib/rspec/queue.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ruby/lib/rspec/queue.rb b/ruby/lib/rspec/queue.rb index 43073921..b2470b21 100644 --- a/ruby/lib/rspec/queue.rb +++ b/ruby/lib/rspec/queue.rb @@ -76,6 +76,15 @@ def parser(options) options[:queue_url] = url end + help = <<~EOS + Force strict SSL checks on the Redis connection. + The default connection behavior is to set SSL verification to `OpenSSL::SSL::VERIFY_NONE` because hosted Redis services may use self-signed certificates. + When this flag is activated, the full TLS check will be performed. + EOS + parser.on('--strict-ssl', *help) do + queue_config.strict_ssl = true + end + help = <<~EOS Wait for all workers to complete and summarize the test failures. EOS From dd4d4acb6eb495c147118a1c86b7a16663164294 Mon Sep 17 00:00:00 2001 From: Schneems Date: Tue, 12 Nov 2024 11:35:35 -0600 Subject: [PATCH 3/5] Move connection options to a hash --- ruby/lib/ci/queue/redis/base.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ruby/lib/ci/queue/redis/base.rb b/ruby/lib/ci/queue/redis/base.rb index 7ec7ce1f..4b3ef5ad 100644 --- a/ruby/lib/ci/queue/redis/base.rb +++ b/ruby/lib/ci/queue/redis/base.rb @@ -33,14 +33,15 @@ def initialize(redis_url, config) @redis_url = redis_url @config = config if ::Redis::VERSION > "5.0.0" - @redis = ::Redis.new( + connection_options = { url: redis_url, # Booting a CI worker is costly, so in case of a Redis blip, # it makes sense to retry for a while before giving up. reconnect_attempts: reconnect_attempts, middlewares: custom_middlewares, custom: custom_config, - ) + } + @redis = ::Redis.new(**connection_options) else @redis = ::Redis.new(url: redis_url) end From 0cadbec6771965595196b4a96d5ff2399ce885ad Mon Sep 17 00:00:00 2001 
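Review bot: The `--strict-ssl` help text in ruby/lib/rspec/queue.rb says verification defaults to `OpenSSL::SSL::VERIFY_NONE` but not what that costs: the Redis server's certificate is not checked, so the connection is encrypted but not authenticated. I would add a line such as `Without this flag the server certificate is not validated; enable it whenever the Redis endpoint presents a certificate from a trusted CA.` The same heredoc is repeated verbatim in PATCH 5/5 (ruby/lib/minitest/queue/runner.rb), so holding it in one shared constant would keep the two runners from drifting apart. `parser(options)` starts and ends outside this hunk.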
From: Schneems Date: Tue, 12 Nov 2024 11:36:20 -0600 Subject: [PATCH 4/5] Verify none when strict ssl not enabled --- ruby/lib/ci/queue/redis/base.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ruby/lib/ci/queue/redis/base.rb b/ruby/lib/ci/queue/redis/base.rb index 4b3ef5ad..5c805c91 100644 --- a/ruby/lib/ci/queue/redis/base.rb +++ b/ruby/lib/ci/queue/redis/base.rb @@ -41,6 +41,11 @@ def initialize(redis_url, config) middlewares: custom_middlewares, custom: custom_config, } + + if !config.strict_ssl + connection_options[:ssl_params] = { verify_mode: OpenSSL::SSL::VERIFY_NONE } + end + @redis = ::Redis.new(**connection_options) else @redis = ::Redis.new(url: redis_url) From 285353ba8bc58e1b2ed02dedf55730400c27e32b Mon Sep 17 00:00:00 2001 From: Schneems Date: Tue, 12 Nov 2024 11:46:24 -0600 Subject: [PATCH 5/5] Add --strict-ssl flag to minitest --- ruby/lib/minitest/queue/runner.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ruby/lib/minitest/queue/runner.rb b/ruby/lib/minitest/queue/runner.rb index 282b9e14..c0a69142 100644 --- a/ruby/lib/minitest/queue/runner.rb +++ b/ruby/lib/minitest/queue/runner.rb @@ -443,6 +443,15 @@ def parser queue_config.timeout = timeout end + help = <<~EOS + Force strict SSL checks on the Redis connection. + The default connection behavior is to set SSL verification to `OpenSSL::SSL::VERIFY_NONE` because hosted Redis services may use self-signed certificates. + When this flag is activated, the full TLS check will be performed. + EOS + parser.on('--strict-ssl', *help) do + queue_config.strict_ssl = true + end + help = <<~EOS Specify a timeout after which the report command will fail if not all tests have been processed. Defaults to the value set for --timeout.
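Review bot: In the `if !config.strict_ssl` block of PATCH 4/5, `verify_mode: OpenSSL::SSL::VERIFY_NONE` is applied to every connection by default, so the client never authenticates the Redis server and anything on the network path can read or alter queue traffic and any credentials carried in `redis_url`. As far as PATCH 3/5 shows, the options built before this change contained no `ssl_params`, so this appears to weaken verification for existing users rather than preserve a prior default; that is worth confirming against `custom_config`, which is not visible here. For self-signed servers, supplying the issuing certificate keeps verification on, e.g. `connection_options[:ssl_params] = { ca_file: "<path to CA bundle>" }`, and at minimum a warning should be logged whenever verification is disabled. The `else` branch for older Redis versions never reads `strict_ssl`, so the two branches behave differently, and `initialize` continues outside the hunk.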