From 48c4fc470218419122e573faa49a436f78bd07fd Mon Sep 17 00:00:00 2001
From: SajinaKandy <sajina.kandy@ibm.com>
Date: Fri, 18 Aug 2023 11:27:47 -0700
Subject: [PATCH] Add tests to verify JITServer with SSL

Add tests to the existing criu and jitserver tests under cmdLineTests for checking/verifying SSL connections with JITServer.

Closes: ##17967
Signed-off-by:SajinaKandy <sajina.kandy@ibm.com>
---
 .../cmdLineTests/criu/criuJitServerScript.sh  | 44 +++++++---
 .../criu/criu_jitserverPostRestore.xml        | 83 +++++++++++++++++++
 .../cmdLineTests/criu/jitserversslconfig.sh   | 17 ++++
 3 files changed, 133 insertions(+), 11 deletions(-)
 create mode 100644 test/functional/cmdLineTests/criu/jitserversslconfig.sh

diff --git a/test/functional/cmdLineTests/criu/criuJitServerScript.sh b/test/functional/cmdLineTests/criu/criuJitServerScript.sh
index 420ad7231e3..758960033e7 100644
--- a/test/functional/cmdLineTests/criu/criuJitServerScript.sh
+++ b/test/functional/cmdLineTests/criu/criuJitServerScript.sh
@@ -33,7 +33,16 @@ echo "start running script";
 # $7 is the KEEP_CHECKPOINT
 # $8 is the KEEP_TEST_OUTPUT
 
-source $1/jitserverconfig.sh
+TEST_ROOT=$1
+TEST_JDK_BIN=$2
+JVM_OPTIONS="$3"
+MAINCLASS="$4"
+APP_ARGS="$5"
+NUM_CHECKPOINT="$6"
+KEEP_CHECKPOINT="$7"
+KEEP_TEST_OUTPUT="$8"
+
+source $TEST_ROOT/jitserverconfig.sh
 
 echo "export GLIBC_TUNABLES=glibc.cpu.hwcaps=-XSAVEC,-XSAVE,-AVX2,-ERMS,-AVX,-AVX_Fast_Unaligned_Load";
 export GLIBC_TUNABLES=glibc.pthread.rseq=0:glibc.cpu.hwcaps=-XSAVEC,-XSAVE,-AVX2,-ERMS,-AVX,-AVX_Fast_Unaligned_Load
@@ -41,10 +50,19 @@ echo "export LD_BIND_NOT=on";
 export LD_BIND_NOT=on
 
 JITSERVER_PORT=$(random_port)
-JITSERVER_OPTIONS="-XX:JITServerPort=$JITSERVER_PORT"
+JITSERVER_SSL="-XX:JITServerSSLRootCerts"
+if grep -q -- "$JITSERVER_SSL" <<< "$APP_ARGS"; then
+    echo "Generate SSL certificates"
+    source $TEST_ROOT/jitserversslconfig.sh
+    if ! grep -q "nosslserverCert.pem" <<< "$APP_ARGS"; then
+	SSL_OPTS="-XX:JITServerSSLKey=key.pem -XX:JITServerSSLCert=cert.pem -Xjit:verbose={JITServer}"
+    fi
+fi
+
+JITSERVER_OPTIONS="-XX:JITServerPort=$JITSERVER_PORT $SSL_OPTS"
 
-echo "Starting $2/jitserver $JITSERVER_OPTIONS"
-$2/jitserver $JITSERVER_OPTIONS &
+echo "Starting $TEST_JDK_BIN/jitserver $JITSERVER_OPTIONS"
+$TEST_JDK_BIN/jitserver $JITSERVER_OPTIONS &
 JITSERVER_PID=$!
 sleep 2
 
@@ -54,10 +72,9 @@ JITSERVER_EXISTS=$?
 if [ "$JITSERVER_EXISTS" == 0 ]; then
     echo "JITSERVER EXISTS"
 
-    $2/java -XX:+EnableCRIUSupport -XX:JITServerPort=$JITSERVER_PORT $3 -cp "$1/criu.jar" $4 $5 -XX:JITServerPort=$JITSERVER_PORT $6 >testOutput 2>&1;
+    $TEST_JDK_BIN/java -XX:+EnableCRIUSupport -XX:JITServerPort=$JITSERVER_PORT $JVM_OPTIONS -cp "$TEST_ROOT/criu.jar" $MAINCLASS $APP_ARGS -XX:JITServerPort=$JITSERVER_PORT $NUM_CHECKPOINT>testOutput 2>&1;
 
-    if [ "$7" != true ]; then
-        NUM_CHECKPOINT=$6
+    if [ "$KEEP_CHECKPOINT" != true ]; then
         for ((i=0; i<$NUM_CHECKPOINT; i++)); do
             sleep 2;
             criu restore -D ./cpData --shell-job >criuOutput 2>&1;
@@ -66,8 +83,8 @@ if [ "$JITSERVER_EXISTS" == 0 ]; then
 
     cat testOutput criuOutput;
 
-    if  [ "$7" != true ]; then
-        if [ "$8" != true ]; then
+    if  [ "$KEEP_CHECKPOINT" != true ]; then
+        if [ "$KEEP_TEST_OUTPUT" != true ]; then
             rm -rf testOutput criuOutput
             echo "Removed test output files"
         fi
@@ -81,11 +98,16 @@ if [ "$JITSERVER_EXISTS" == 0 ]; then
         echo "JITSERVER NO LONGER EXISTS"
     fi
 
-    echo "Terminating $2/jitserver $JITSERVER_OPTIONS"
+    echo "Terminating $TEST_JDK_BIN/jitserver $JITSERVER_OPTIONS"
     kill -9 $JITSERVER_PID
     # For consistency with the jitserver cmdline tests, use kill
-    #pkill -9 -xf "$2/jitserver $JITSERVER_OPTIONS"
+    #pkill -9 -xf "$TEST_JDK_BIN/jitserver $JITSERVER_OPTIONS"
     sleep 2
+
+    if grep -q "nosslserverCert.pem" <<< "$APP_ARGS"; then
+        rm -f *.pem
+    fi
+
 else
     echo "JITSERVER DOES NOT EXIST"
 fi
diff --git a/test/functional/cmdLineTests/criu/criu_jitserverPostRestore.xml b/test/functional/cmdLineTests/criu/criu_jitserverPostRestore.xml
index 27cb5e5efa8..e25944c1fd7 100644
--- a/test/functional/cmdLineTests/criu/criu_jitserverPostRestore.xml
+++ b/test/functional/cmdLineTests/criu/criu_jitserverPostRestore.xml
@@ -27,6 +27,10 @@
 <suite id="J9 Criu Command-Line Post Restore JITServer Option Tests" timeout="300">
 	<variable name="MAINCLASS_OPTIONSFILE_TEST" value="org.openj9.criu.OptionsFileTest" />
 	<variable name="ENABLE_JITSERVER" value="-XX:+UseJITServer" />
+	<variable name="JITSERVER_SSL1" value="-XX:JITServerSSLRootCerts=cert.pem" />
+	<variable name="JITSERVER_SSL2" value="-XX:JITServerSSLRootCerts=wrongCert.pem" />
+	<variable name="JITSERVER_SSL3" value="-XX:JITServerSSLRootCerts=nosslserverCert.pem" />
+	<variable name="SSL_VERBOSE" value="-Xjit:verbose={compilePerformance},verbose={CheckpointRestore},verbose={JITServer},verbose={JITServerConns},vlog=sslVlog" />
 	<variable name="CRIU_VERBOSE" value="-Xjit:verbose={compilePerformance},verbose={CheckpointRestore},verbose={JITServer},verbose={JITServerConns},vlog=vlog" />
 
 	<test id="Generate Verbose Log">
@@ -117,4 +121,83 @@
 		<output type="failure" caseSensitive="yes" regex="no">JITSERVER NO LONGER EXISTS</output>
 		<output type="failure" caseSensitive="yes" regex="no">User requested Java dump using</output>
 	</test>
+
+	<test id="Test SSL Success Case">
+		<command>bash $SCRIPPATH$ $TEST_RESROOT$ $TEST_JDK_BIN$ "$JVM_OPTIONS$" $MAINCLASS_OPTIONSFILE_TEST$ "JitOptionsTest $ENABLE_JITSERVER$ $JITSERVER_SSL1$ $SSL_VERBOSE$1" 1 false true</command>
+		<output type="success" caseSensitive="no" regex="no">Killed</output>
+		<output type="required" caseSensitive="yes" regex="no">Pre-checkpoint</output>
+		<output type="success" caseSensitive="yes" regex="no">Post-checkpoint</output>
+		<output type="failure" caseSensitive="yes" regex="no">CRIU is not enabled</output>
+		<output type="failure" caseSensitive="yes" regex="no">Operation not permitted</output>
+		<output type="required" caseSensitive="yes" regex="no">Successfully initialized SSL context</output>
+		<!-- If CRIU can't acquire the original thread IDs, this test will fail. Nothing can be done about this failure. -->
+		<output type="success" caseSensitive="yes" regex="no">Thread pid mismatch</output>
+		<output type="success" caseSensitive="yes" regex="no">do not match expected</output>
+		<output type="success" caseSensitive="yes" regex="no">Unable to create a thread:</output>
+		<output type="success" caseSensitive="yes" regex="no">JITSERVER EXISTS</output>
+		<output type="success" caseSensitive="yes" regex="no">JITSERVER STILL EXISTS</output>
+		<output type="failure" caseSensitive="yes" regex="no">JITSERVER DOES NOT EXIST</output>
+		<output type="failure" caseSensitive="yes" regex="no">JITSERVER NO LONGER EXISTS</output>
+	</test>
+
+	<test id="Check SSL Verbose Log for successful connection">
+		<command>bash $CATSCRIPPATH$ sslVlog1 true true</command>
+		<output regex="no" type="success">CHECKPOINT RESTORE: Ready for restore</output>
+		<output regex="no" type="success">SSL connection on socket</output>
+		<output regex="no" type="required">Connected to a server</output>
+		<output regex="no" type="success">CAT VLOG FORCE PASS</output>
+	</test>
+
+	<test id="Test SSL Failure Case with mismatched certificate">
+		<command>bash $SCRIPPATH$ $TEST_RESROOT$ $TEST_JDK_BIN$ "$JVM_OPTIONS$" $MAINCLASS_OPTIONSFILE_TEST$ "JitOptionsTest $ENABLE_JITSERVER$ $JITSERVER_SSL2$ $SSL_VERBOSE$2" 1 false true</command>
+		<output type="success" caseSensitive="no" regex="no">Killed</output>
+		<output type="required" caseSensitive="yes" regex="no">Pre-checkpoint</output>
+		<output type="success" caseSensitive="yes" regex="no">Post-checkpoint</output>
+		<output type="failure" caseSensitive="yes" regex="no">CRIU is not enabled</output>
+		<output type="failure" caseSensitive="yes" regex="no">Operation not permitted</output>
+		<output type="required" caseSensitive="yes" regex="no">Successfully initialized SSL context</output>
+		<output type="required" caseSensitive="yes" regex="no">certificate verify failed</output>
+		<!-- If CRIU can't acquire the original thread IDs, this test will fail. Nothing can be done about this failure. -->
+		<output type="success" caseSensitive="yes" regex="no">Thread pid mismatch</output>
+		<output type="success" caseSensitive="yes" regex="no">do not match expected</output>
+		<output type="success" caseSensitive="yes" regex="no">Unable to create a thread:</output>
+		<output type="success" caseSensitive="yes" regex="no">JITSERVER EXISTS</output>
+		<output type="success" caseSensitive="yes" regex="no">JITSERVER STILL EXISTS</output>
+		<output type="failure" caseSensitive="yes" regex="no">JITSERVER DOES NOT EXIST</output>
+		<output type="failure" caseSensitive="yes" regex="no">JITSERVER NO LONGER EXISTS</output>
+	</test>
+
+	<test id="Check SSL Verbose Log for connection failure with mismatched certificate">
+		<command>bash $CATSCRIPPATH$ sslVlog2 true true</command>
+		<output regex="no" type="success">CHECKPOINT RESTORE: Ready for restore</output>
+		<output regex="no" type="success">JITServer::StreamFailure: Failed to SSL_connect</output>
+		<output regex="no" type="required">Could not connect to a server</output>
+		<output regex="no" type="success">CAT VLOG FORCE PASS</output>
+	</test>
+
+	<test id="Test SSL Failure Case with connection to Non-SSL Server">
+		<command>bash $SCRIPPATH$ $TEST_RESROOT$ $TEST_JDK_BIN$ "$JVM_OPTIONS$" $MAINCLASS_OPTIONSFILE_TEST$ "JitOptionsTest $ENABLE_JITSERVER$ $JITSERVER_SSL3$ $SSL_VERBOSE$3" 1 false true</command>
+		<output type="success" caseSensitive="no" regex="no">Killed</output>
+		<output type="required" caseSensitive="yes" regex="no">Pre-checkpoint</output>
+		<output type="success" caseSensitive="yes" regex="no">Post-checkpoint</output>
+		<output type="failure" caseSensitive="yes" regex="no">CRIU is not enabled</output>
+		<output type="failure" caseSensitive="yes" regex="no">Operation not permitted</output>
+		<output type="failure" caseSensitive="yes" regex="no">Successfully initialized SSL context</output>
+		<!-- If CRIU can't acquire the original thread IDs, this test will fail. Nothing can be done about this failure. -->
+		<output type="success" caseSensitive="yes" regex="no">Thread pid mismatch</output>
+		<output type="success" caseSensitive="yes" regex="no">do not match expected</output>
+		<output type="success" caseSensitive="yes" regex="no">Unable to create a thread:</output>
+		<output type="success" caseSensitive="yes" regex="no">JITSERVER EXISTS</output>
+		<output type="success" caseSensitive="yes" regex="no">JITSERVER STILL EXISTS</output>
+		<output type="failure" caseSensitive="yes" regex="no">JITSERVER DOES NOT EXIST</output>
+		<output type="failure" caseSensitive="yes" regex="no">JITSERVER NO LONGER EXISTS</output>
+	</test>
+
+	<test id="Check SSL Verbose Log for connection failure with Non SSL Server">
+		<command>bash $CATSCRIPPATH$ sslVlog3 true true</command>
+		<output regex="no" type="success">CHECKPOINT RESTORE: Ready for restore</output>
+		<output regex="no" type="success">JITServer::StreamFailure: Failed to SSL_connect</output>
+		<output regex="no" type="required">Could not connect to a server</output>
+		<output regex="no" type="success">CAT VLOG FORCE PASS</output>
+	</test>
 </suite>
diff --git a/test/functional/cmdLineTests/criu/jitserversslconfig.sh b/test/functional/cmdLineTests/criu/jitserversslconfig.sh
new file mode 100644
index 00000000000..98f417c59fc
--- /dev/null
+++ b/test/functional/cmdLineTests/criu/jitserversslconfig.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Set certificate details
+COMMON_NAME="localhost"
+VALID_DAYS=365
+
+# Generate private key
+openssl genrsa -out key.pem 2048
+
+# Generate self-signed certificate
+openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days $VALID_DAYS -subj "/CN=$COMMON_NAME"
+
+# Generate another private key and self-signed certificate
+openssl req -nodes -newkey rsa:2048 -keyout wrongKey.pem -x509 -days 365 -out wrongCert.pem  -subj "/CN=localhost"
+
+# Generate another self-signed certificate
+openssl req -new -x509 -sha256 -key key.pem -out nosslserverCert.pem -days $VALID_DAYS -subj "/CN=$COMMON_NAME"
+echo "Certificates generated"