[Tests] Diagnose Windows cert creation failures #3237
Conversation
|
I think I introduced this in #3034, which used PowerShell to generate certificates more frequently. Apologies if so! The only difference in the PS invocation which I can see between my version and the preceding one is that we no longer load the user profile. Does setting |
We're having some ADO CI pipeline issues that are preventing me from running CI reliably right now, so I will circle back once the overall CI stuff settles down. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3237 +/- ##
==========================================
+ Coverage 72.69% 72.82% +0.12%
==========================================
Files 303 298 -5
Lines 59718 59612 -106
==========================================
- Hits 43414 43412 -2
+ Misses 16304 16200 -104
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
paulmedynski
force-pushed
the
dev/paul/issue-3223-pwsh-test-failure
branch
from
11d4009 to
b1bb29f
Compare
- Added powershell script content to test error output for disgnostics. - Replaced #if NET9_0 with #if NET9_0_OR_GREATER to future-proof our directives. - Removed unnecessary NETFRAMEWORK symbol. - Updated download URL for .NET x86 installer for tests pipelines.
paulmedynski
force-pushed
the
dev/paul/issue-3223-pwsh-test-failure
branch
from
b65989c to
5a29f5b
Compare
- Added some retries to the PowerShell script execution to see if that helps avoid overall test failures.
|
The latest commit adds a retry within the There are no warnings or errors for the CI runs. |
There was a problem hiding this comment.
Pull Request Overview
This PR updates various preprocessor directives from NET9_0 to NET9_0_OR_GREATER and introduces enhanced diagnostics for Windows certificate creation failures via retry logic and additional output details. Key changes include updating build conditions in multiple certificate and SQL components, adding retry logic with delay and logging for PowerShell command execution in certificate creation, and updating a pipeline URL to a newer dotnet-install.ps1 script location.
Reviewed Changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| ColumnEncryptionCertificateFixture.cs | Updated preprocessor condition to reflect newer target frameworks |
| CertificateFixtureBase.cs | Replaced NET9_0 with NET9_0_OR_GREATER and added retry logic with delay and diagnostic output for certificate generation |
| CertificateTestWithTdsServer.cs | Updated preprocessor condition for certificate loading |
| CertificateUtility.cs | Updated preprocessor condition for certificate loading and RSA decryption/signature verification |
| SqlDbTypeExtensions.cs | Updated preprocessor condition for exposing the Json SqlDbType constant |
| VirtualSecureModeEnclaveProvider.cs | Updated preprocessor condition for loading a certificate from binary payload |
| SNICommon.cs | Updated preprocessor condition for validating SSL server certificates |
| ci-run-tests-job.yml | Updated the URL to the latest dotnet-install.ps1 script |
Files not reviewed (1)
- src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj: Language not supported
Comments suppressed due to low confidence (1)
src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/Fixtures/CertificateFixtureBase.cs:173
- Consider adding tests to verify the retry logic and ensure correct behavior on repeated PowerShell failures.
for (int attempt = 1; attempt <= retries; ++attempt)
| @@ -236,7 +236,7 @@ jobs: | |||
| - powershell: | | |||
| dotnet --info | |||
|
|
|||
| Invoke-WebRequest https://dot.net/v1/dotnet-install.ps1 -OutFile dotnet-install.ps1 | |||
| Invoke-WebRequest https://builds.dotnet.microsoft.com/dotnet/scripts/v1/dotnet-install.ps1 -OutFile dotnet-install.ps1 | |||
There was a problem hiding this comment.
This avoids Invoke-WebRequest failures due to some dead IPs in the DNS results for dot.net, and is the proper canonical DNS name for the dotnet scripts.
| @@ -174,7 +174,7 @@ internal static bool ValidateSslServerCertificate(Guid connectionId, string targ | |||
| { | |||
| try | |||
| { | |||
| #if NET9_0 | |||
| #if NET9_0_OR_GREATER | |||
There was a problem hiding this comment.
Now we're future-proofed!
The docs for the preprocessor symbols were missing NET9_0_OR_GREATER, so I notified the owners and they will be updated accordingly. The symbol itself has been present since .NET 9.0 release though.
| @@ -16,7 +16,6 @@ | |||
| We should remove ResolveComReferenceSilent as soon as we can remove the dependency on mscoree. --> | |||
| <ResolveComReferenceSilent>True</ResolveComReferenceSilent> | |||
| <EnableDefaultCompileItems>false</EnableDefaultCompileItems> | |||
| <DefineConstants>$(DefineConstants);NETFRAMEWORK;</DefineConstants> | |||
There was a problem hiding this comment.
We don't need to explicitly define NETFRAMEWORK. It has been a built-in symbol for ages.
| // | ||
| // https://sqlclientdrivers.visualstudio.com/ADO.Net/_workitems/edit/34304 | ||
| // | ||
| const int delay = 5; |
There was a problem hiding this comment.
These seem like reasonable values. I observed 2 retries across all of the jobs, so it's not adding significant delay.
Diagnostic changes for #3223. We're now emitting the PowerShell script content used to generate a self-signed cert and add it to the Windows system cert store. This may help figure out why the cert operations fail intermittently.
Created this draft PR to run the CI pipelines where the failures sometimes occur and acquire the PowerShell content for further investigation.