From 1f674a263c0f4968021ff0ab230126028640f288 Mon Sep 17 00:00:00 2001 From: Trevor Foster Date: Fri, 1 Nov 2024 00:42:15 -0400 Subject: [PATCH 1/3] Bump conformance suite version --- test/conformance/Dockerfile | 21 ++++++++++++--------- test/conformance/docker-compose.yml | 16 ++++++++-------- test/conformance/httpd/Dockerfile | 6 +++--- test/conformance/httpd/server.conf | 16 +++++++++++++--- 4 files changed, 36 insertions(+), 23 deletions(-) diff --git a/test/conformance/Dockerfile b/test/conformance/Dockerfile index ea6f61052c2..d4f503c50bc 100644 --- a/test/conformance/Dockerfile +++ b/test/conformance/Dockerfile @@ -1,16 +1,19 @@ FROM maven:3-jdk-11 WORKDIR /usr/src/mymaven +RUN apt-get update && apt-get install -y \ + unzip \ + wget \ + redir \ + ca-certificates -RUN wget https://gitlab.com/openid/conformance-suite/-/archive/release-v4.1.4/conformance-suite-release-v4.1.4.zip && \ - unzip conformance-suite-release-v4.1.4.zip -d . && \ - rm conformance-suite-release-v4.1.4.zip && \ - find conformance-suite-release-v4.1.4 -maxdepth 1 -mindepth 1 -exec mv {} . \; && \ - rmdir conformance-suite-release-v4.1.4 - -RUN mvn -B clean package -DskipTests && \ - apt-get update && apt-get install -y \ - redir ca-certificates +ARG CONFORMANCE_SUITE_VERSION=v4.1.45 +RUN wget https://gitlab.com/openid/conformance-suite/-/archive/release-${CONFORMANCE_SUITE_VERSION}/conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip && \ + unzip conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip -d . && \ + rm conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip && \ + find conformance-suite-release-${CONFORMANCE_SUITE_VERSION} -maxdepth 1 -mindepth 1 -exec mv {} . \; && \ + rmdir conformance-suite-release-${CONFORMANCE_SUITE_VERSION} && \ + mvn -B -Dmaven.test.skip -Dpmd.skip clean package COPY ssl/ory-conformity.crt /etc/ssl/certs/ COPY ssl/ory-conformity.key /etc/ssl/private/ 
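Review bot: The release archive fetched by the new `wget` line is unpacked and built with no integrity check, so the image contains whatever GitLab served for that URL at build time; now that the version is an `ARG`, pair it with a pinned digest, `ARG CONFORMANCE_SUITE_SHA256=<sha256 of the release zip — placeholder>`, and add `echo "${CONFORMANCE_SUITE_SHA256}  conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip" | sha256sum -c - && \` right after the `wget` (if GitLab's generated zips turn out not to be byte-stable, a shallow `git clone` at the release tag checked against a pinned commit id does the same job). The new `apt-get install -y` layer pulls in recommended packages and leaves `/var/lib/apt/lists` in the image; `--no-install-recommends` plus `&& rm -rf /var/lib/apt/lists/*` at the end of that RUN is the usual form. Folding `mvn -B … clean package` into the same RUN as the download means any Maven failure discards the cached download and re-fetches the archive on the next build; keeping the build in its own RUN, as before, preserves that cache layer.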
diff --git a/test/conformance/docker-compose.yml b/test/conformance/docker-compose.yml index e39c536b9ee..f81ac07be5a 100644 --- a/test/conformance/docker-compose.yml +++ b/test/conformance/docker-compose.yml @@ -33,10 +33,10 @@ services: httpd: image: oryd/hydra-oidc-httpd:latest - # build: - # # When running with `run.sh` the cwd is the project's root. - # context: ./test/conformance - # dockerfile: httpd/Dockerfile + build: + # When running with `run.sh` the cwd is the project's root. + context: ./test/conformance + dockerfile: httpd/Dockerfile ports: - "8443:8443" depends_on: @@ -47,10 +47,10 @@ services: server: image: oryd/hydra-oidc-server:latest - # build: - # # When running with `run.sh` the cwd is the project's root. - # context: ./test/conformance - # dockerfile: Dockerfile + build: + # When running with `run.sh` the cwd is the project's root. + context: ./test/conformance + dockerfile: Dockerfile depends_on: - mongodb logging: diff --git a/test/conformance/httpd/Dockerfile b/test/conformance/httpd/Dockerfile index 35d9df0f9af..6ff8ac8150a 100644 --- a/test/conformance/httpd/Dockerfile +++ b/test/conformance/httpd/Dockerfile @@ -1,10 +1,10 @@ -FROM debian:stretch +FROM debian:bookworm RUN apt-get update \ - && apt-get install -y apache2 ssl-cert ca-certificates \ + && apt-get install -y apache2 apache2 ssl-cert ca-certificates \ && apt-get clean RUN \ echo 'Listen 8443' > /etc/apache2/ports.conf \ - && a2enmod headers proxy proxy_ajp proxy_http rewrite ssl \ + && a2enmod headers proxy proxy_http rewrite ssl \ && a2dissite 000-default.conf COPY httpd/server.conf /etc/apache2/sites-enabled diff --git a/test/conformance/httpd/server.conf b/test/conformance/httpd/server.conf index 6d509cf7684..986fb651ae6 100644 --- a/test/conformance/httpd/server.conf +++ b/test/conformance/httpd/server.conf 
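Review bot: The modified `apt-get install` line in httpd/Dockerfile still ends its layer with only `apt-get clean`, which empties the .deb cache but leaves `/var/lib/apt/lists` in the image; `&& apt-get clean && rm -rf /var/lib/apt/lists/*` is the usual pairing, and `--no-install-recommends` would keep the apache2 install to what the proxy actually uses. None of the packages is version-pinned, so two builds of this file can yield different apache2/OpenSSL versions, which matters for a fixture whose job is to exercise TLS behaviour; pinning at least `apache2=<version — placeholder>` would make it reproducible.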
@@ -5,19 +5,29 @@ ProxyPreserveHost on RewriteEngine on SSLEngine on + SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 SSLCertificateFile /etc/ssl/certs/ory-conformity.crt - SSLCertificateKeyFile /etc/ssl/private/ory-conformity.key + SSLCertificateKeyFile /etc/ssl/private/ory-conformity.key RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s" RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s" - ProxyPass "/" "ajp://server:9090/" + RequestHeader set X-Forwarded-Proto https + RequestHeader set X-Forwarded-Port 8443 + ProxyPass "/" "http://server:8080/" # RewriteRule "^/(.*)$" "http://server:8080/$1" [P] - ProxyPassReverse "/" "ajp://server:9090/" + ProxyPassReverse "/" "http://server:8080/" Require all granted SSLVerifyClient optional_no_ca + SSLVerifyDepth 5 RequestHeader set X-Ssl-Cert "%{SSL_CLIENT_CERT}s" RequestHeader set X-Ssl-Verify "%{SSL_CLIENT_VERIFY}s" + RequestHeader set X-Ssl-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s" + RequestHeader set X-Ssl-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s" + RequestHeader set X-Ssl-Cert-Chain-2 "%{SSL_CLIENT_CERT_CHAIN_2}s" + RequestHeader set X-Ssl-Cert-Chain-3 "%{SSL_CLIENT_CERT_CHAIN_3}s" + RequestHeader set X-Ssl-Cert-Chain-4 "%{SSL_CLIENT_CERT_CHAIN_4}s" + RequestHeader set X-Ssl-Cert-Chain-5 "%{SSL_CLIENT_CERT_CHAIN_5}s" From 0961164562a7c43d639ba91799077fb707ae182a Mon Sep 17 00:00:00 2001 From: Trevor Foster Date: Fri, 1 Nov 2024 14:36:43 -0400 Subject: [PATCH 2/3] Remove dup apache2 install --- test/conformance/httpd/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/conformance/httpd/Dockerfile b/test/conformance/httpd/Dockerfile index 6ff8ac8150a..ac379bc1486 100644 --- a/test/conformance/httpd/Dockerfile +++ b/test/conformance/httpd/Dockerfile @@ -1,6 +1,6 @@ FROM debian:bookworm RUN apt-get update \ - && apt-get install -y apache2 apache2 ssl-cert ca-certificates \ + && apt-get install -y apache2 ssl-cert ca-certificates \ && apt-get clean RUN \ echo 'Listen 8443' > /etc/apache2/ports.conf \ 
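Review bot: The six new `X-Ssl-Cert-Chain-N` headers, like the existing `X-Ssl-Cert` and `X-Ssl-Verify`, are only `set` inside the client-certificate Location block, so for any request outside that block a client-supplied header of the same name is forwarded to `server:8080` untouched; if the suite's backend treats these headers as the result of TLS client authentication, a vhost-level `RequestHeader unset` for each of them (placed before the Location, whose `set` still wins) closes that gap. The VirtualHost enclosing this hunk opens before line 5, outside the hunk, and the same gap remains in the rewrite of this file in PATCH 3/3, where the 8443 vhost sets none of the `X-Ssl-*` headers at all. The new `SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2` line deliberately re-enables deprecated protocol versions; if a specific conformance test needs them, a comment naming it next to the directive would stop a later reviewer from "fixing" it.
```apacheconf
    ProxyPassReverse "/" "http://server:8080/"
    # Drop any client-supplied copies so these headers only ever carry what the
    # client-certificate Location below sets.
    RequestHeader unset X-Ssl-Cert
    RequestHeader unset X-Ssl-Verify
    RequestHeader unset X-Ssl-Cert-Chain-0
    RequestHeader unset X-Ssl-Cert-Chain-1
    RequestHeader unset X-Ssl-Cert-Chain-2
    RequestHeader unset X-Ssl-Cert-Chain-3
    RequestHeader unset X-Ssl-Cert-Chain-4
    RequestHeader unset X-Ssl-Cert-Chain-5
    # … unchanged: Location blocks …
```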
From a14294c596f8c72b40bfaa549557f8bf5408ca5b Mon Sep 17 00:00:00 2001 From: Trevor Foster Date: Fri, 1 Nov 2024 23:48:10 -0400 Subject: [PATCH 3/3] Bump conformance suite version --- test/conformance/Dockerfile | 4 +- test/conformance/docker-compose.yml | 3 +- test/conformance/httpd/Dockerfile | 2 +- test/conformance/httpd/server.conf | 87 +++++++++++++++++++---------- 4 files changed, 61 insertions(+), 35 deletions(-) diff --git a/test/conformance/Dockerfile b/test/conformance/Dockerfile index d4f503c50bc..db31936874e 100644 --- a/test/conformance/Dockerfile +++ b/test/conformance/Dockerfile @@ -1,4 +1,4 @@ -FROM maven:3-jdk-11 +FROM maven:3-openjdk-17-slim WORKDIR /usr/src/mymaven RUN apt-get update && apt-get install -y \ @@ -7,7 +7,7 @@ RUN apt-get update && apt-get install -y \ redir \ ca-certificates -ARG CONFORMANCE_SUITE_VERSION=v4.1.45 +ARG CONFORMANCE_SUITE_VERSION=v5.1.24 RUN wget https://gitlab.com/openid/conformance-suite/-/archive/release-${CONFORMANCE_SUITE_VERSION}/conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip && \ unzip conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip -d . && \ rm conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip && \ diff --git a/test/conformance/docker-compose.yml b/test/conformance/docker-compose.yml index f81ac07be5a..4b442ff0a89 100644 --- a/test/conformance/docker-compose.yml +++ b/test/conformance/docker-compose.yml @@ -21,7 +21,7 @@ services: target: /etc/config/hydra mongodb: - image: mongo:4.2 + image: mongo:5.0 networks: - intranet volumes: @@ -39,6 +39,7 @@ services: dockerfile: httpd/Dockerfile ports: - "8443:8443" + - "8444:8444" depends_on: - server networks: diff --git a/test/conformance/httpd/Dockerfile b/test/conformance/httpd/Dockerfile index ac379bc1486..a01fcd74eb8 100644 --- a/test/conformance/httpd/Dockerfile +++ b/test/conformance/httpd/Dockerfile 
@@ -1,4 +1,4 @@ -FROM debian:bookworm +FROM debian:buster RUN apt-get update \ && apt-get install -y apache2 ssl-cert ca-certificates \ && apt-get clean diff --git a/test/conformance/httpd/server.conf b/test/conformance/httpd/server.conf index 986fb651ae6..9f32b74789e 100644 --- a/test/conformance/httpd/server.conf +++ b/test/conformance/httpd/server.conf 
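Review bot: `FROM debian:buster` moves the proxy image back two releases onto Debian 10, whose LTS support ended in mid-2024, so the `apache2`, OpenSSL and `ca-certificates` installed by the following `apt-get` line receive no further security updates, and the buster package index is liable to disappear from the main mirrors and break the build. The reason for the downgrade is not visible in the series; if it is meant to make the `+TLSv1 +TLSv1.1` setting in httpd/server.conf take effect, that belongs in a comment above the FROM line, e.g. `# buster: <reason — placeholder>; bookworm rejects this fixture's legacy TLS settings`, and otherwise bookworm should stay. Either way, a tagged and digest-pinned base such as `debian:bookworm-slim@sha256:<digest — placeholder>` would make this fixture reproducible.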
@@ -1,33 +1,58 @@ +LimitRequestLine 32768 + - ServerName localhost - ErrorLog /dev/stderr - CustomLog /dev/stdout combined - ProxyPreserveHost on - RewriteEngine on - SSLEngine on - SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCertificateFile /etc/ssl/certs/ory-conformity.crt - SSLCertificateKeyFile /etc/ssl/private/ory-conformity.key - RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s" - RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s" - RequestHeader set X-Forwarded-Proto https - RequestHeader set X-Forwarded-Port 8443 - ProxyPass "/" "http://server:8080/" - # RewriteRule "^/(.*)$" "http://server:8080/$1" [P] - ProxyPassReverse "/" "http://server:8080/" - - Require all granted - - - SSLVerifyClient optional_no_ca - SSLVerifyDepth 5 - RequestHeader set X-Ssl-Cert "%{SSL_CLIENT_CERT}s" - RequestHeader set X-Ssl-Verify "%{SSL_CLIENT_VERIFY}s" - RequestHeader set X-Ssl-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s" - RequestHeader set X-Ssl-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s" - RequestHeader set X-Ssl-Cert-Chain-2 "%{SSL_CLIENT_CERT_CHAIN_2}s" - RequestHeader set X-Ssl-Cert-Chain-3 "%{SSL_CLIENT_CERT_CHAIN_3}s" - RequestHeader set X-Ssl-Cert-Chain-4 "%{SSL_CLIENT_CERT_CHAIN_4}s" - RequestHeader set X-Ssl-Cert-Chain-5 "%{SSL_CLIENT_CERT_CHAIN_5}s" - + ServerName localhost + ErrorLog /dev/stderr + CustomLog /dev/stdout combined + ProxyPreserveHost on + RewriteEngine on + SSLEngine on + SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 + SSLCertificateFile /etc/ssl/certs/ory-conformity.crt + SSLCertificateKeyFile /etc/ssl/private/ory-conformity.key + RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s" + RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s" + RequestHeader set X-Forwarded-Proto https + RequestHeader set X-Forwarded-Port 8443 + ProxyPass "/" "http://server:8080/" + # RewriteRule "^/(.*)$" "http://server:8080/$1" [P] + ProxyPassReverse "/" "http://server:8080/" + + Require all granted + + + RequestHeader set X-Test-Mtls-Called-On-Wrong-Host "true" + + + + ServerName 
localhost + ErrorLog /dev/stderr + CustomLog /dev/stdout combined + ProxyPreserveHost on + RewriteEngine on + SSLEngine on + SSLProtocol +TLSv1.2 +TLSv1.3 + Protocols http/1.1 + SSLCertificateFile /etc/ssl/certs/ory-conformity.crt + SSLCertificateKeyFile /etc/ssl/private/ory-conformity.key + RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s" + RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s" + RequestHeader set X-Forwarded-Proto https + RequestHeader set X-Forwarded-Port 8444 + ProxyPass "/" "http://server:8080/" + ProxyPassReverse "/" "http://server:8080/" + + Require all granted + + + SSLVerifyClient optional_no_ca + SSLVerifyDepth 5 + RequestHeader set X-Ssl-Cert "%{SSL_CLIENT_CERT}s" + RequestHeader set X-Ssl-Verify "%{SSL_CLIENT_VERIFY}s" + RequestHeader set X-Ssl-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s" + RequestHeader set X-Ssl-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s" + RequestHeader set X-Ssl-Cert-Chain-2 "%{SSL_CLIENT_CERT_CHAIN_2}s" + RequestHeader set X-Ssl-Cert-Chain-3 "%{SSL_CLIENT_CERT_CHAIN_3}s" + RequestHeader set X-Ssl-Cert-Chain-4 "%{SSL_CLIENT_CERT_CHAIN_4}s" + RequestHeader set X-Ssl-Cert-Chain-5 "%{SSL_CLIENT_CERT_CHAIN_5}s"
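Review bot: The two vhosts now disagree on TLS policy: the 8443 one keeps `SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2` while the new 8444 one uses `SSLProtocol +TLSv1.2 +TLSv1.3` with `Protocols http/1.1`; unless a specific conformance test needs TLS 1.0/1.1 on 8443, aligning it to `SSLProtocol +TLSv1.2 +TLSv1.3` is the safer default, and if it is needed, a comment naming that test should sit next to the directive. `LimitRequestLine 32768` at the top roughly quadruples Apache's default of 8190 with no explanation; a one-line comment such as `# conformance tests send very long authorization-request URLs` (or the actual reason) would document it. The VirtualHost and Location container lines of this hunk are not visible in this rendering, so the placement of the `RequestHeader set X-Test-Mtls-Called-On-Wrong-Host "true"` block relative to the 8443 proxy rules could not be checked; that is worth a look on the real file.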