webhook: add test for https in test_webhook_delivery.py and fix the failure

[weizhouapache]

Description

This PR

• add test for https server
• fix the test failure

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.

Project coverage is 16.15%. Comparing base (5790091) to head (913099d).
Report is 10 commits behind head on 4.20.

Files with missing lines	Patch %	Lines
.../cloudstack/mom/webhook/WebhookDeliveryThread.java	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##               4.20   #11132   +/-   ##
=========================================
  Coverage     16.15%   16.15%           
- Complexity    13274    13278    +4     
=========================================
  Files          5657     5657           
  Lines        497898   497969   +71     
  Branches      60374    60388   +14     
=========================================
+ Hits          80441    80464   +23     
- Misses       408496   408541   +45     
- Partials       8961     8964    +3     

Flag	Coverage Δ
uitests	4.00% <ø> (-0.01%)	⬇️
unittests	17.01% <0.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sureshanaparti]

@blueorangutan package

[blueorangutan]

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14035

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-13686)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 54503 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11132-t13686-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[DaanHoogland]

clgtm

[weizhouapache]

@shwstppr
can you review if this change makes sense or not ? thanks

[shwstppr]

@weizhouapache I'm not entirely sure about these changes (we discussed this earlier!?).
My understanding of the sslverification flag is that when set to true, it should enforce certificate validation—i.e., the webhook delivery service should validate the server's certificate using the trusted certificates available in the JRE.

However, with the current change, it seems we're using a "trust all" approach even when sslverification is set to true.

In my understanding, the correct way to test this would be to set up a server using self-signed certificates, explicitly add those certificates to the trusted store on the management server, and then verify that delivery works as expected when sslverification is set to true.

[weizhouapache]

@weizhouapache I'm not entirely sure about these changes (we discussed this earlier!?).
My understanding of the sslverification flag is that when set to true, it should enforce certificate validation—i.e., the webhook delivery service should validate the server's certificate using the trusted certificates available in the JRE.

However, with the current change, it seems we're using a "trust all" approach even when sslverification is set to true.

In my understanding, the correct way to test this would be to set up a server using self-signed certificates, explicitly add those certificates to the trusted store on the management server, and then verify that delivery works as expected when sslverification is set to true.

@shwstppr thanks for the reply.
agree with your last paragraph, I think the best way is to implement the same behaviour as direct download , refer to #11113
However, then we have to manage the certificates (similar to direct download, but not on kvm host). I think trust all is the workaround , and it is the expected behavior currently. Without the change, the new test (https server) will fail.

[shwstppr]

@weizhouapache upto you. Without any change in Java code I feel the new test would fail because it is using a self-signed certificate and SSL verification is set to true. For the test or a user's use-case sslverification can be set to false which should allow delivery to work fine.