diff --git a/backend/tests/integration/conftest.py b/backend/tests/integration/conftest.py index 4661c067..7108bb83 100644 --- a/backend/tests/integration/conftest.py +++ b/backend/tests/integration/conftest.py @@ -278,6 +278,18 @@ def ca_chain(): x509.SubjectAlternativeName(sans), critical=False, ) + # Subject Key Identifier — required for OpenSSL 3.x capath chain building + builder = builder.add_extension( + x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), + critical=False, + ) + # Authority Key Identifier — identifies the issuer's key (needed for non-root certs) + if subject_name != issuer_name: + builder = builder.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()), + critical=False, + ) + cert = builder.sign(issuer_key, hashes.SHA256()) return cert.public_bytes(serialization.Encoding.PEM).decode() diff --git a/backend/tests/integration/test_superset_tls_custom_ca.py b/backend/tests/integration/test_superset_tls_custom_ca.py index b4c38244..efd3482d 100644 --- a/backend/tests/integration/test_superset_tls_custom_ca.py +++ b/backend/tests/integration/test_superset_tls_custom_ca.py @@ -153,7 +153,7 @@ class TestCustomCATrustChain: async def _test(): async with httpx.AsyncClient(verify=ctx, timeout=10) as client: - with pytest.raises((ssl.SSLCertVerificationError, httpx.RemoteProtocolError)): + with pytest.raises((ssl.SSLCertVerificationError, httpx.RemoteProtocolError, httpx.ConnectError)): await client.get(f"{superset_url}/health") asyncio.run(_test()) @@ -237,8 +237,12 @@ class TestCustomCATrustChain: query={"page": 0, "page_size": 10} ) - assert isinstance(result, dict), f"Expected dict, got {type(result)}" - assert "result" in result, f"No 'result' key: {list(result.keys())}" + # get_dashboards returns (count, items) tuple + assert isinstance(result, (dict, tuple)), f"Expected dict or tuple, got {type(result)}" + if isinstance(result, tuple): + assert len(result) == 2, f"Expected (count, items), got {result}" + else: + assert "result" in result, f"No 'result' key: {list(result.keys())}" finally: await client.aclose() @@ -252,7 +256,7 @@ class TestCustomCATrustChain: # @BRIEF Prove that certifi's CA bundle does NOT contain our custom Root CA. # This validates WHY the patches are needed: before our fix, httpx used # certifi by default, which would NOT trust corporate CA certificates. - def test_certifi_bundle_notrust(self, ca_chain): + def test_certifi_bundle_notrust(self, superset_container, ca_chain): """certifi.where() bundle must NOT contain our custom Root CA. This proves that default httpx.AsyncClient(verify=True) would reject corporate certificates installed via update-ca-certificates.