Use EventFilter to assert SSL validation errors in multi-actor system tests

Aaronontheweb · Aaronontheweb · commit 2022d63a34c8 · 2025-10-23T13:49:29.000-05:00
Updated SSL integration tests to use EventFilter for asserting specific validation
errors instead of just checking connection failure. This provides better test
precision by verifying the exact reason for connection failure.

With mTLS enabled, validation errors occur on the server side (_sys2) when it
validates the client certificate, since the client (Sys) has suppressValidation
enabled. The EventFilter assertions are correctly targeted to the system where
the validation errors occur.

Changes:
- Added EventFilter assertions to PinnedCertificate rejection test
- Added EventFilter assertions to CustomValidator rejection test
- Added EventFilter assertions to ValidateSubject rejection test
- Modified custom validator to log error for EventFilter detection
- Added comments explaining the mTLS validation flow
diff --git a/src/core/Akka.Remote.Tests/Transport/DotNettySslSetupSpec.cs b/src/core/Akka.Remote.Tests/Transport/DotNettySslSetupSpec.cs
@@ -305,6 +305,7 @@ public async Task CustomValidator_that_rejects_should_prevent_connection()
             {
                 validatorCalled = true;
                 Output.WriteLine($"CustomValidator called for peer: {peer}, rejecting certificate");
+                log.Error("CustomValidator rejecting certificate for peer: {0}", peer);
                 return false; // Reject all certificates
             };
 
@@ -334,9 +335,13 @@ public async Task CustomValidator_that_rejects_should_prevent_connection()
 
             var probe = CreateTestProbe();
 
-            // Connection should fail due to custom validator rejection - TLS handshake fails, so message never arrives
-            Sys.ActorSelection(_echoPath).Tell("hello", probe.Ref);
-            await probe.ExpectNoMsgAsync(TimeSpan.FromSeconds(3));
+            // Connection should fail due to custom validator rejection
+            // With mTLS enabled, _sys2 (server) validates Sys's (client) certificate
+            await EventFilter.Error(contains: "CustomValidator rejecting certificate").ExpectAsync(1, async () =>
+            {
+                Sys.ActorSelection(_echoPath).Tell("hello", probe.Ref);
+                await probe.ExpectNoMsgAsync(TimeSpan.FromSeconds(3));
+            }, _sys2);
 
             // Verify that CustomValidator was actually called
             Assert.True(validatorCalled, "CustomValidator should have been invoked during TLS handshake");
@@ -486,8 +491,13 @@ public async Task PinnedCertificate_should_reject_non_matching_thumbprint()
             var probe = CreateTestProbe();
 
             // Connection should fail due to thumbprint mismatch
-            Sys.ActorSelection(_echoPath).Tell("hello", probe.Ref);
-            await probe.ExpectNoMsgAsync(TimeSpan.FromSeconds(3));
+            // With mTLS enabled, _sys2 (server) validates Sys's (client) certificate
+            // The validation error occurs on _sys2's side when it rejects the client certificate
+            await EventFilter.Error(contains: "not in allowed list").ExpectAsync(1, async () =>
+            {
+                Sys.ActorSelection(_echoPath).Tell("hello", probe.Ref);
+                await probe.ExpectNoMsgAsync(TimeSpan.FromSeconds(3));
+            }, _sys2);
         }
 
         [Fact(DisplayName = "CertificateValidation.ValidateSubject should accept certificates with matching subject")]
@@ -565,8 +575,12 @@ public async Task ValidateSubject_should_reject_non_matching_subject()
             var probe = CreateTestProbe();
 
             // Connection should fail due to subject mismatch
-            Sys.ActorSelection(_echoPath).Tell("hello", probe.Ref);
-            await probe.ExpectNoMsgAsync(TimeSpan.FromSeconds(3));
+            // With mTLS enabled, _sys2 (server) validates Sys's (client) certificate
+            await EventFilter.Error(contains: "does not match pattern").ExpectAsync(1, async () =>
+            {
+                Sys.ActorSelection(_echoPath).Tell("hello", probe.Ref);
+                await probe.ExpectNoMsgAsync(TimeSpan.FromSeconds(3));
+            }, _sys2);
         }
 
         [Fact(DisplayName = "CertificateValidation.ValidateSubject should support wildcard patterns")]
