Add acceptance tests

Containerized test setup using Docker Compose with a proxy container
and two SSH targets. Tests make real HTTPS requests with certs.

Author: nmburgan

.github/workflows/ci.yml

@@ -0,0 +1,46 @@
+---
+name: CI
+
+on:
+  pull_request: {}
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.ref_name }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Ruby
+    uses: theforeman/actions/.github/workflows/smart_proxy_plugin.yml@v0
+
+  acceptance-ssh:
+    name: Acceptance (SSH)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+          bundler-cache: true
+      - name: Start proxy and SSH targets
+        run: bundle exec rake test:acceptance:ssh:up
+      - name: Run SSH acceptance tests
+        run: bundle exec rake test:acceptance:ssh
+      - name: Stop containers
+        if: always()
+        run: bundle exec rake test:acceptance:ssh:down
+
+  tests:
+    needs:
+      - test
+      - acceptance-ssh
+    runs-on: ubuntu-latest
+    name: Test suite
+    steps:
+      - run: echo Test suite completed

.github/workflows/main.yml

@@ -1,10 +1,13 @@
 **/.DS_Store
 *.gem
-# Local testing files
-*.rpm
-*.sh
+# Local testing files (root-level only)
+/*.rpm
+/*.sh
 /vendor
 /.vendor
 /Gemfile.lock
 /.bundle
 /logs
+# Generated at runtime by acceptance tests
+/test/acceptance/fixtures/keys/
+/test/acceptance/docker/ssl-export/

.gitignore

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'ci/reporter/rake/test_unit'
+require 'fileutils'
 require 'rake'
 require 'rake/testtask'
 require 'rubocop/rake_task'
@@ -20,6 +21,64 @@ Rake::TestTask.new(:test) do |t|
   t.verbose = true
 end
 
+ACCEPTANCE_TEST_FILES = FileList['test/acceptance/tests/*_test.rb']
+DOCKER_COMPOSE = 'test/acceptance/docker/docker-compose.yml'
+SSH_KEY_PATH = 'test/acceptance/fixtures/keys/id_rsa'
+SSL_EXPORT_DIR = 'test/acceptance/docker/ssl-export'
+
+Rake::TestTask.new('test:acceptance') do |task|
+  task.libs << 'test'
+  task.test_files = ACCEPTANCE_TEST_FILES
+  task.options = '--verbose'
+  task.verbose = true
+end
+
+desc 'Run acceptance tests against SSH targets.'
+task 'test:acceptance:ssh' do
+  ENV['ACCEPTANCE_TRANSPORT'] = 'ssh'
+  Rake::Task['test:acceptance'].invoke
+end
+
+namespace :test do
+  namespace :acceptance do
+    namespace :ssh do
+      desc 'Start proxy and SSH target containers for acceptance tests.'
+      task :up do
+        unless File.exist?(SSH_KEY_PATH)
+          FileUtils.mkdir_p(File.dirname(SSH_KEY_PATH))
+          sh 'ssh-keygen', '-t', 'rsa', '-b', '2048', '-f', SSH_KEY_PATH, '-N', '', '-q'
+          File.chmod(0600, SSH_KEY_PATH)
+        end
+
+        FileUtils.mkdir_p(SSL_EXPORT_DIR)
+        sh "docker compose -f #{DOCKER_COMPOSE} up -d --build"
+
+        # Wait for the proxy to be healthy (healthcheck polls /openbolt/tasks)
+        puts 'Waiting for proxy to become healthy...'
+        ready = false
+        60.times do
+          output = `docker compose -f #{DOCKER_COMPOSE} ps proxy --format json 2>&1`
+          abort "docker compose failed: #{output.strip}" unless $?.success?
+          if output.include?('"healthy"')
+            ready = true
+            break
+          end
+          sleep 2
+        end
+        abort "Proxy did not become healthy within 120s. Check: docker compose -f #{DOCKER_COMPOSE} logs proxy" unless ready
+        puts 'Proxy is healthy and ready for acceptance tests.'
+      end
+
+      desc 'Stop containers and clean up generated keys and certs.'
+      task :down do
+        system("docker compose -f #{DOCKER_COMPOSE} down")
+        rm_rf File.dirname(SSH_KEY_PATH)
+        rm_rf SSL_EXPORT_DIR
+      end
+    end
+  end
+end
+
 begin
   require 'rubygems'
   require 'github_changelog_generator/task'

Rakefile

@@ -0,0 +1,189 @@
+require 'test/unit'
+require 'net/http'
+require 'openssl'
+require 'json'
+require 'uri'
+
+# Base class for acceptance tests that make real HTTPS requests to a
+# smart-proxy instance running in a Docker container.
+class AcceptanceTestCase < Test::Unit::TestCase
+  PROXY_HOST = ENV.fetch('PROXY_HOST', 'localhost')
+  PROXY_PORT = ENV.fetch('PROXY_PORT', '8443').to_i
+  SSL_DIR = ENV.fetch('SSL_DIR', File.expand_path('docker/ssl-export', __dir__))
+
+  def setup
+    skip_unless_proxy
+  end
+
+  # --- HTTP client ---
+
+  def http_client
+    @http_client ||= build_http_client
+  end
+
+  def api_get(path)
+    response = http_client.get("/openbolt#{path}")
+    [response, parse_body(response)]
+  end
+
+  def api_post(path, body)
+    request = Net::HTTP::Post.new("/openbolt#{path}")
+    request['Content-Type'] = 'application/json'
+    request.body = body.to_json
+    response = http_client.request(request)
+    [response, parse_body(response)]
+  end
+
+  def api_delete(path)
+    response = http_client.delete("/openbolt#{path}")
+    [response, parse_body(response)]
+  end
+
+  # --- Job lifecycle helpers ---
+
+  def poll_job_status(job_id)
+    response, parsed = api_get("/job/#{job_id}/status")
+    assert response.is_a?(Net::HTTPSuccess),
+           "GET /job/#{job_id}/status returned #{response.code}: #{response.body}"
+    assert parsed.key?('status'),
+           "Expected 'status' key in response, got: #{parsed}"
+    parsed['status']
+  end
+
+  def wait_for_job(job_id, timeout: 60)
+    deadline = Time.now + timeout
+    loop do
+      status = poll_job_status(job_id)
+      return status unless %w[pending running].include?(status)
+      raise "Job #{job_id} did not complete within #{timeout}s" if Time.now > deadline
+      sleep 0.5
+    end
+  end
+
+  def wait_for_jobs(job_ids, timeout: 60)
+    deadline = Time.now + timeout
+    results = {}
+    remaining = job_ids.dup
+    until remaining.empty?
+      raise "Jobs #{remaining} did not complete within #{timeout}s" if Time.now > deadline
+      remaining.each do |job_id|
+        next if results.key?(job_id)
+        status = poll_job_status(job_id)
+        results[job_id] = status unless %w[pending running].include?(status)
+      end
+      remaining -= results.keys
+      sleep 0.5 unless remaining.empty?
+    end
+    job_ids.map { |job_id| results[job_id] }
+  end
+
+  def launch_task(name:, targets:, parameters: {}, options: {})
+    payload = {
+      'name' => name,
+      'parameters' => parameters,
+      'targets' => targets,
+      'options' => options,
+    }
+    response, parsed = api_post('/launch/task', payload)
+    assert response.is_a?(Net::HTTPSuccess),
+           "launch_task failed (#{response.code}): #{response.body}"
+    assert parsed.key?('id'), "Expected 'id' in launch response, got: #{parsed}"
+    parsed['id']
+  end
+
+  # --- Transport configuration ---
+  # Bolt runs inside the proxy container and connects to targets by Docker
+  # service name on port 22 (the container's internal port).
+
+  def self.transport
+    ENV['ACCEPTANCE_TRANSPORT']
+  end
+
+  def transport_targets
+    case self.class.transport
+    when 'ssh' then ssh_targets
+    else raise "Unknown transport '#{self.class.transport}'. Supported: ssh"
+    end
+  end
+
+  def transport_options
+    case self.class.transport
+    when 'ssh' then ssh_options
+    else raise "Unknown transport '#{self.class.transport}'. Supported: ssh"
+    end
+  end
+
+  def ssh_targets
+    %w[target1:22 target2:22]
+  end
+
+  def ssh_options
+    {
+      'transport' => 'ssh',
+      'user' => 'openbolt',
+      'host-key-check' => false,
+      'private-key' => '/opt/foreman-proxy/.ssh/id_rsa',
+    }
+  end
+
+  # --- Skip logic ---
+
+  def self.proxy_available?
+    return @proxy_available if instance_variable_defined?(:@proxy_available)
+    require 'socket'
+    TCPSocket.new(PROXY_HOST, PROXY_PORT).close
+    @proxy_available = true
+  rescue SystemCallError, SocketError => error
+    @proxy_check_error = error
+    @proxy_available = false
+  end
+
+  def skip_unless_proxy
+    unless self.class.proxy_available?
+      error = self.class.instance_variable_get(:@proxy_check_error)
+      detail = " (#{error.class}: #{error.message})" if error
+      omit("Proxy not reachable at #{PROXY_HOST}:#{PROXY_PORT}#{detail}")
+    end
+    omit('ACCEPTANCE_TRANSPORT not set') unless self.class.transport
+  end
+
+  private
+
+  def build_http_client
+    client = Net::HTTP.new(PROXY_HOST, PROXY_PORT)
+    client.use_ssl = true
+    client.open_timeout = 5
+    client.read_timeout = 60
+
+    # WEBrick is configured with SSLVerifyClient => VERIFY_PEER, which requests
+    # a client certificate. Provide one to match production behavior.
+    client_cert = File.join(SSL_DIR, 'client.pem')
+    client_key = File.join(SSL_DIR, 'client-key.pem')
+    ca_cert = File.join(SSL_DIR, 'ca.pem')
+    raise "Client certs not found in #{SSL_DIR}. Are the containers running?" \
+      unless File.exist?(client_cert) && File.exist?(client_key)
+
+    client.cert = OpenSSL::X509::Certificate.new(File.read(client_cert))
+    client.key = OpenSSL::PKey.read(File.read(client_key))
+
+    # Verify the proxy's certificate against the test CA when available,
+    # otherwise fall back to no verification for self-signed certs.
+    if File.exist?(ca_cert)
+      client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      client.ca_file = ca_cert
+    else
+      client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    end
+
+    client
+  end
+
+  def parse_body(response)
+    JSON.parse(response.body)
+  rescue JSON::ParserError => error
+    flunk "Expected JSON response but got non-JSON body " \
+          "(HTTP #{response.code} #{response.message}): " \
+          "#{response.body.to_s.slice(0, 500)}\n" \
+          "Parse error: #{error.message}"
+  end
+end