def test_allow_request_when_cert_is_trusted(self):
        """
        Verify that a client presenting a trusted X.509 certificate is served content.

        1. Configure the distribution with an X.509 CertGuard.
        2. Download a content unit while presenting the trusted client certificate.

        Nothing is asserted explicitly, so the test passes whenever the download
        helper returns without raising.
        """
        distribution_href = self.distribution.pulp_href
        base_path = self.DENIALS_BASE_PATH
        repo_href = self.repo.pulp_href
        client_cert_path = X509_CLIENT_CERT_FILE_PATH
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            distribution_href, base_path, repo_href, client_cert_path
        )
    def test_allow_request_when_cert_matches_two_var_path(self):
        """
        Verify that content under a two-variable path is served to an entitled client.

        1. Set the distribution base path to a two-variable path in the RHSM cert.
        2. Download a content unit while presenting that cert.

        Nothing is asserted explicitly, so the test passes whenever the download
        helper returns without raising.
        """
        distribution_href = self.distribution.pulp_href
        base_path = RHSM_V3_TWO_VAR_BASE_PATH
        repo_href = self.repo.pulp_href
        client_cert = RHSM_V3_ONE_AND_TWO_VAR_CLIENT_CERT
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            distribution_href, base_path, repo_href, client_cert
        )
    def test_denial_when_client_cert_is_trusted_but_expired(self):
        """
        Verify that an expired certificate is refused even when trust and path both check out.

        The cert is trusted and contains a valid subpath, so this case pins that
        the validity period is enforced on its own and is not implied by a
        successful trust or path check.

        1. Set the distribution base path to a path contained in the cert.
        2. Try to download content with the trusted but expired cert.
        3. Expect HTTP 403 (Forbidden).
        """
        with self.assertRaises(HTTPError) as denied:
            set_distribution_base_path_and_download_a_content_unit_with_cert(
                self.distribution.pulp_href,
                RHSM_V1_ONE_VAR_BASE_PATH,
                self.repo.pulp_href,
                RHSM_CLIENT_CERT_TRUSTED_BUT_EXPIRED,
            )
        status_code = denied.exception.response.status_code
        self.assertEqual(status_code, 403)
    def test_denial_when_client_cert_does_not_contain_subpath_of_distribution_base_path(
        self,
    ):
        """
        Verify denial when the cert does not contain a subpath of the distribution base path.

        1. Set the distribution base path to one that is not a subpath contained in the cert.
        2. Try to download content with that cert.
        3. Expect HTTP 403 (Forbidden).
        """
        with self.assertRaises(HTTPError) as denied:
            set_distribution_base_path_and_download_a_content_unit_with_cert(
                self.distribution.pulp_href,
                RHSM_V3_INVALID_BASE_PATH,
                self.repo.pulp_href,
                RHSM_V3_ZERO_VAR_CLIENT_CERT,
            )
        status_code = denied.exception.response.status_code
        self.assertEqual(status_code, 403)
    def test_allow_request_when_apache_un_urlencoded_cert_is_trusted(self):
        """
        Verify that a trusted cert is accepted when it arrives without URL-encoding.

        This covers a reverse proxy Apache < 2.6.10, which forwards the client
        certificate un-urlencoded.

        1. Configure the distribution with an X.509 CertGuard.
        2. Download content with an un-urlencoded certificate (Apache < 2.6.10 style).

        Nothing is asserted explicitly, so the test passes whenever the download
        helper returns without raising.
        """
        distribution_href = self.distribution.pulp_href
        base_path = X509_BASE_PATH
        repo_href = self.repo.pulp_href
        client_cert_path = X509_UN_URLENCODED_CLIENT_CERT_FILE_PATH
        # url_encode=False asks the helper not to URL-encode the certificate.
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            distribution_href, base_path, repo_href, client_cert_path, url_encode=False
        )
    def test_allow_request_when_requesting_the_distribution_root(self):
        """
        Verify that an entitled client can fetch the root of a distribution.

        1. Set the distribution base path to a zero-variable path in the RHSM cert.
        2. Fetch the URL of the distribution itself (its root).

        Nothing is asserted explicitly, so the test passes whenever the download
        helper returns without raising.
        """
        # An empty content path makes the helper request the distribution root.
        root_content_path = ""
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            self.distribution.pulp_href, RHSM_V3_ZERO_VAR_BASE_PATH,
            self.repo.pulp_href, RHSM_V3_ZERO_VAR_CLIENT_CERT,
            root_content_path)
    def test_allow_request_with_uber_cert_for_any_subpath(self):
        """
        Verify that a client holding an uber cert can fetch more than one subpath.

        For each of two different subpaths of the uber cert:

        1. Set the distribution base path to that subpath.
        2. Download content while presenting the uber cert.

        Nothing is asserted explicitly, so the test passes whenever both
        downloads return without raising.
        """
        uber_base_paths = (RHSM_UBER_CERT_BASE_PATH_ONE, RHSM_UBER_CERT_BASE_PATH_TWO)
        for base_path in uber_base_paths:
            set_distribution_base_path_and_download_a_content_unit_with_cert(
                self.distribution.pulp_href,
                base_path,
                self.repo.pulp_href,
                RHSM_UBER_CLIENT_CERT,
            )
    def test_denial_when_client_header_contains_an_untrusted_certificate(self):
        """
        Verify denial when the client submits a valid RHSM cert that is not for the trusted CA.

        A well-formed certificate must still be rejected when it does not chain
        to the CA the guard trusts.

        1. Set the distribution to a valid base path.
        2. Try to download content with an untrusted client certificate.
        3. Expect HTTP 403 (Forbidden).
        """
        with self.assertRaises(HTTPError) as denied:
            set_distribution_base_path_and_download_a_content_unit_with_cert(
                self.distribution.pulp_href, self.DENIALS_BASE_PATH,
                self.repo.pulp_href, self.UNTRUSTED_CLIENT_CERT_PATH)
        status_code = denied.exception.response.status_code
        self.assertEqual(status_code, 403)
    def test_allow_request_to_subdir_of_path(self):
        """
        Verify that an entitled client is authorized for a subdir of a distribution.

        1. Set the distribution base path to a zero-variable path in the RHSM cert.
        2. Try to download a content URL that has a subdir in it.
        3. Expect HTTP 404, because the requested file is made up.
        """
        made_up_path = "somedir/made_up_content.iso"
        with self.assertRaises(HTTPError) as not_found:
            set_distribution_base_path_and_download_a_content_unit_with_cert(
                self.distribution.pulp_href, RHSM_V1_ZERO_VAR_BASE_PATH,
                self.repo.pulp_href, RHSM_V1_ZERO_VAR_CLIENT_CERT,
                made_up_path)

        # The path does not exist, so a 404 is expected; the authorization step
        # under test is treated as having passed.
        # NOTE(review): this inference assumes a denied request is reported as
        # 403 rather than 404 -- confirm against the guard's behaviour.
        status_code = not_found.exception.response.status_code
        self.assertEqual(status_code, 404)