def test_160_cert_viable(self):
"""Text the viability of a given certificate"""
# null cert
cert = QSslCertificate()
self.assertFalse(QgsAuthCertUtils.certIsCurrent(cert))
res = QgsAuthCertUtils.certViabilityErrors(cert)
self.assertTrue(len(res) == 0)
self.assertFalse(QgsAuthCertUtils.certIsViable(cert))
cert.clear()
res.clear()
# valid cert
cert = QgsAuthCertUtils.certFromFile(PKIDATA + '/gerardus_cert.pem')
self.assertTrue(QgsAuthCertUtils.certIsCurrent(cert))
res = QgsAuthCertUtils.certViabilityErrors(cert)
self.assertTrue(len(res) == 0)
self.assertTrue(QgsAuthCertUtils.certIsViable(cert))
cert.clear()
res.clear()
# expired cert
cert = QgsAuthCertUtils.certFromFile(PKIDATA + '/marinus_cert-EXPIRED.pem')
self.assertFalse(QgsAuthCertUtils.certIsCurrent(cert))
res = QgsAuthCertUtils.certViabilityErrors(cert)
self.assertTrue(len(res) > 0)
self.assertTrue(QSslError(QSslError.CertificateExpired, cert) in res)
self.assertFalse(QgsAuthCertUtils.certIsViable(cert))
def setUpAuth(cls):
"""Run before all tests and set up authentication"""
authm = QgsApplication.authManager()
assert (authm.setMasterPassword('masterpassword', True))
cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem')
assert os.path.isfile(cls.sslrootcert_path)
os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
assert cls.sslrootcert is not None
authm.storeCertAuthorities(cls.sslrootcert)
authm.rebuildCaCertsCache()
authm.rebuildTrustedCaCertsCache()
cls.server_cert = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_cert.pem')
cls.server_key = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_key.pem')
cls.server_rootcert = cls.sslrootcert_path
os.chmod(cls.server_cert, stat.S_IRUSR)
os.chmod(cls.server_key, stat.S_IRUSR)
os.chmod(cls.server_rootcert, stat.S_IRUSR)
os.environ['QGIS_SERVER_HOST'] = cls.hostname
os.environ['QGIS_SERVER_PORT'] = str(cls.port)
os.environ['QGIS_SERVER_OAUTH2_KEY'] = cls.server_key
os.environ['QGIS_SERVER_OAUTH2_CERTIFICATE'] = cls.server_cert
os.environ['QGIS_SERVER_OAUTH2_USERNAME'] = cls.username
os.environ['QGIS_SERVER_OAUTH2_PASSWORD'] = cls.password
os.environ['QGIS_SERVER_OAUTH2_AUTHORITY'] = cls.server_rootcert
# Set default token expiration to 2 seconds, note that this can be
# also controlled when issuing token requests by adding ttl=<int>
# to the query string
os.environ['QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN'] = '2'
def setUpAuth(cls):
"""Run before all tests and set up authentication"""
authm = QgsAuthManager.instance()
assert authm.setMasterPassword("masterpassword", True)
cls.pg_conf = os.path.join(cls.tempfolder, "postgresql.conf")
cls.pg_hba = os.path.join(cls.tempfolder, "pg_hba.conf")
# Client side
cls.sslrootcert_path = os.path.join(cls.certsdata_path, "chains_subissuer-issuer-root_issuer2-root2.pem")
cls.sslcert = os.path.join(cls.certsdata_path, "gerardus_cert.pem")
cls.sslkey = os.path.join(cls.certsdata_path, "gerardus_key.pem")
assert os.path.isfile(cls.sslcert)
assert os.path.isfile(cls.sslkey)
assert os.path.isfile(cls.sslrootcert_path)
os.chmod(cls.sslcert, stat.S_IRUSR)
os.chmod(cls.sslkey, stat.S_IRUSR)
os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
cls.auth_config = QgsAuthMethodConfig("PKI-Paths")
cls.auth_config.setConfig("certpath", cls.sslcert)
cls.auth_config.setConfig("keypath", cls.sslkey)
cls.auth_config.setName("test_pki_auth_config")
cls.username = "******"
cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
assert cls.sslrootcert is not None
authm.storeCertAuthorities(cls.sslrootcert)
authm.rebuildCaCertsCache()
authm.rebuildTrustedCaCertsCache()
authm.rebuildCertTrustCache()
assert authm.storeAuthenticationConfig(cls.auth_config)[0]
assert cls.auth_config.isValid()
# Server side
cls.server_cert = os.path.join(cls.certsdata_path, "localhost_ssl_cert.pem")
cls.server_key = os.path.join(cls.certsdata_path, "localhost_ssl_key.pem")
cls.server_rootcert = cls.sslrootcert_path
os.chmod(cls.server_cert, stat.S_IRUSR)
os.chmod(cls.server_key, stat.S_IRUSR)
os.chmod(cls.server_rootcert, stat.S_IRUSR)
# Place conf in the data folder
with open(cls.pg_conf, "w+") as f:
f.write(
QGIS_POSTGRES_CONF_TEMPLATE
% {
"port": cls.port,
"tempfolder": cls.tempfolder,
"server_cert": cls.server_cert,
"server_key": cls.server_key,
"sslrootcert_path": cls.sslrootcert_path,
}
)
with open(cls.pg_hba, "w+") as f:
f.write(QGIS_POSTGRES_HBA_TEMPLATE)
def setUpAuth(cls):
"""Run before all tests and set up authentication"""
authm = QgsApplication.authManager()
assert (authm.setMasterPassword('masterpassword', True))
cls.pg_conf = os.path.join(cls.tempfolder, 'postgresql.conf')
cls.pg_hba = os.path.join(cls.tempfolder, 'pg_hba.conf')
# Client side
cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem')
cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem')
cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem')
assert os.path.isfile(cls.sslcert)
assert os.path.isfile(cls.sslkey)
assert os.path.isfile(cls.sslrootcert_path)
os.chmod(cls.sslcert, stat.S_IRUSR)
os.chmod(cls.sslkey, stat.S_IRUSR)
os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
cls.auth_config = QgsAuthMethodConfig("PKI-Paths")
cls.auth_config.setConfig('certpath', cls.sslcert)
cls.auth_config.setConfig('keypath', cls.sslkey)
cls.auth_config.setName('test_pki_auth_config')
cls.username = '******'
cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
assert cls.sslrootcert is not None
authm.storeCertAuthorities(cls.sslrootcert)
authm.rebuildCaCertsCache()
authm.rebuildTrustedCaCertsCache()
authm.rebuildCertTrustCache()
assert (authm.storeAuthenticationConfig(cls.auth_config)[0])
assert cls.auth_config.isValid()
# Server side
cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem')
cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem')
cls.server_rootcert = cls.sslrootcert_path
os.chmod(cls.server_cert, stat.S_IRUSR)
os.chmod(cls.server_key, stat.S_IRUSR)
os.chmod(cls.server_rootcert, stat.S_IRUSR)
# Place conf in the data folder
with open(cls.pg_conf, 'w+') as f:
f.write(QGIS_POSTGRES_CONF_TEMPLATE % {
'port': cls.port,
'tempfolder': cls.tempfolder,
'server_cert': cls.server_cert,
'server_key': cls.server_key,
'sslrootcert_path': cls.sslrootcert_path,
})
with open(cls.pg_hba, 'w+') as f:
f.write(QGIS_POSTGRES_HBA_TEMPLATE)
def setUpAuth(cls):
"""Run before all tests and set up authentication"""
authm = QgsApplication.authManager()
assert (authm.setMasterPassword('masterpassword', True))
cls.pg_conf = os.path.join(cls.tempfolder, 'postgresql.conf')
cls.pg_hba = os.path.join(cls.tempfolder, 'pg_hba.conf')
# Client side
cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem')
cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem')
cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem')
assert os.path.isfile(cls.sslcert)
assert os.path.isfile(cls.sslkey)
assert os.path.isfile(cls.sslrootcert_path)
os.chmod(cls.sslcert, stat.S_IRUSR)
os.chmod(cls.sslkey, stat.S_IRUSR)
os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
cls.auth_config = QgsAuthMethodConfig("PKI-Paths")
cls.auth_config.setConfig('certpath', cls.sslcert)
cls.auth_config.setConfig('keypath', cls.sslkey)
cls.auth_config.setName('test_pki_auth_config')
cls.username = '******'
cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
assert cls.sslrootcert is not None
authm.storeCertAuthorities(cls.sslrootcert)
authm.rebuildCaCertsCache()
authm.rebuildTrustedCaCertsCache()
authm.rebuildCertTrustCache()
assert (authm.storeAuthenticationConfig(cls.auth_config)[0])
assert cls.auth_config.isValid()
# Server side
cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem')
cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem')
cls.server_rootcert = cls.sslrootcert_path
os.chmod(cls.server_cert, stat.S_IRUSR)
os.chmod(cls.server_key, stat.S_IRUSR)
os.chmod(cls.server_rootcert, stat.S_IRUSR)
# Place conf in the data folder
with open(cls.pg_conf, 'w+') as f:
f.write(QGIS_POSTGRES_CONF_TEMPLATE % {
'port': cls.port,
'tempfolder': cls.tempfolder,
'server_cert': cls.server_cert,
'server_key': cls.server_key,
'sslrootcert_path': cls.sslrootcert_path,
})
with open(cls.pg_hba, 'w+') as f:
f.write(QGIS_POSTGRES_HBA_TEMPLATE)
def setUpAuth(cls):
"""Run before all tests and set up authentication"""
authm = QgsApplication.authManager()
assert (authm.setMasterPassword('masterpassword', True))
cls.sslrootcert_path = os.path.join(
cls.certsdata_path,
'chains_subissuer-issuer-root_issuer2-root2.pem')
cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem')
cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem')
assert os.path.isfile(cls.sslcert)
assert os.path.isfile(cls.sslkey)
assert os.path.isfile(cls.sslrootcert_path)
os.chmod(cls.sslcert, stat.S_IRUSR)
os.chmod(cls.sslkey, stat.S_IRUSR)
os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
cls.auth_config = QgsAuthMethodConfig("PKI-Paths")
cls.auth_config.setConfig('certpath', cls.sslcert)
cls.auth_config.setConfig('keypath', cls.sslkey)
cls.auth_config.setName('test_pki_auth_config')
cls.username = '******'
cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
assert cls.sslrootcert is not None
authm.storeCertAuthorities(cls.sslrootcert)
authm.rebuildCaCertsCache()
authm.rebuildTrustedCaCertsCache()
assert (authm.storeAuthenticationConfig(cls.auth_config)[0])
assert cls.auth_config.isValid()
# cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem')
cls.server_cert = os.path.join(cls.certsdata_path,
'127_0_0_1_ssl_cert.pem')
# cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem')
cls.server_key = os.path.join(cls.certsdata_path,
'127_0_0_1_ssl_key.pem')
cls.server_rootcert = cls.sslrootcert_path
os.chmod(cls.server_cert, stat.S_IRUSR)
os.chmod(cls.server_key, stat.S_IRUSR)
os.chmod(cls.server_rootcert, stat.S_IRUSR)
os.environ['QGIS_SERVER_HOST'] = cls.hostname
os.environ['QGIS_SERVER_PORT'] = str(cls.port)
os.environ['QGIS_SERVER_PKI_KEY'] = cls.server_key
os.environ['QGIS_SERVER_PKI_CERTIFICATE'] = cls.server_cert
os.environ['QGIS_SERVER_PKI_USERNAME'] = cls.username
os.environ['QGIS_SERVER_PKI_AUTHORITY'] = cls.server_rootcert
def setUpAuth(cls):
"""Run before all tests and set up authentication"""
authm = QgsApplication.authManager()
assert (authm.setMasterPassword('masterpassword', True))
cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem')
cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem')
cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem')
assert os.path.isfile(cls.sslcert)
assert os.path.isfile(cls.sslkey)
assert os.path.isfile(cls.sslrootcert_path)
os.chmod(cls.sslcert, stat.S_IRUSR)
os.chmod(cls.sslkey, stat.S_IRUSR)
os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
cls.auth_config = QgsAuthMethodConfig("PKI-Paths")
cls.auth_config.setConfig('certpath', cls.sslcert)
cls.auth_config.setConfig('keypath', cls.sslkey)
cls.auth_config.setName('test_pki_auth_config')
cls.username = '******'
cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
assert cls.sslrootcert is not None
authm.storeCertAuthorities(cls.sslrootcert)
authm.rebuildCaCertsCache()
authm.rebuildTrustedCaCertsCache()
assert (authm.storeAuthenticationConfig(cls.auth_config)[0])
assert cls.auth_config.isValid()
# cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem')
cls.server_cert = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_cert.pem')
# cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem')
cls.server_key = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_key.pem')
cls.server_rootcert = cls.sslrootcert_path
os.chmod(cls.server_cert, stat.S_IRUSR)
os.chmod(cls.server_key, stat.S_IRUSR)
os.chmod(cls.server_rootcert, stat.S_IRUSR)
os.environ['QGIS_SERVER_HOST'] = cls.hostname
os.environ['QGIS_SERVER_PORT'] = str(cls.port)
os.environ['QGIS_SERVER_PKI_KEY'] = cls.server_key
os.environ['QGIS_SERVER_PKI_CERTIFICATE'] = cls.server_cert
os.environ['QGIS_SERVER_PKI_USERNAME'] = cls.username
os.environ['QGIS_SERVER_PKI_AUTHORITY'] = cls.server_rootcert
def setUpAuth(cls):
"""Run before all tests and set up authentication"""
authm = QgsApplication.authManager()
assert (authm.setMasterPassword('masterpassword', True))
cls.sslrootcert_path = os.path.join(
cls.certsdata_path,
'chains_subissuer-issuer-root_issuer2-root2.pem')
assert os.path.isfile(cls.sslrootcert_path)
os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
assert cls.sslrootcert is not None
authm.storeCertAuthorities(cls.sslrootcert)
authm.rebuildCaCertsCache()
authm.rebuildTrustedCaCertsCache()
cls.server_cert = os.path.join(cls.certsdata_path,
'127_0_0_1_ssl_cert.pem')
cls.server_key = os.path.join(cls.certsdata_path,
'127_0_0_1_ssl_key.pem')
cls.server_rootcert = cls.sslrootcert_path
os.chmod(cls.server_cert, stat.S_IRUSR)
os.chmod(cls.server_key, stat.S_IRUSR)
os.chmod(cls.server_rootcert, stat.S_IRUSR)
os.environ['QGIS_SERVER_HOST'] = cls.hostname
os.environ['QGIS_SERVER_PORT'] = str(cls.port)
os.environ['QGIS_SERVER_OAUTH2_KEY'] = cls.server_key
os.environ['QGIS_SERVER_OAUTH2_CERTIFICATE'] = cls.server_cert
os.environ['QGIS_SERVER_OAUTH2_USERNAME'] = cls.username
os.environ['QGIS_SERVER_OAUTH2_PASSWORD'] = cls.password
os.environ['QGIS_SERVER_OAUTH2_AUTHORITY'] = cls.server_rootcert
# Set default token expiration to 2 seconds, note that this can be
# also controlled when issuing token requests by adding ttl=<int>
# to the query string
os.environ['QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN'] = '2'
def _populatePKITestCerts():
removePKITestCerts()
assert (AUTHCFGID is None)
# set alice PKI data
pkipath = os.path.join(os.path.dirname(__file__), 'data', 'certs', 'certs-keys')
p_config = QgsAuthMethodConfig()
p_config.setName("alice")
p_config.setMethod('PKI-PKCS#12')
p_config.setUri("http://example.com")
p_config.setConfig("certpath", os.path.join(pkipath, 'alice.p12'))
assert p_config.isValid()
# add authorities
cacerts = QSslCertificate.fromPath(os.path.join(pkipath, 'subissuer-issuer-root-ca_issuer-2-root-2-ca_chains.pem'))
assert cacerts is not None
authm.storeCertAuthorities(cacerts)
authm.rebuildCaCertsCache()
authm.rebuildTrustedCaCertsCache()
# register alice data in auth
authm.storeAuthenticationConfig(p_config)
authid = p_config.id()
assert (authid is not None)
assert (authid != '')
return authid
def run(plugin):
"""Import intermediate certs and return True on success"""
if QgsApplication.authManager().isDisabled():
plugin.log(QgsApplication.authManager().disabledMessage())
return False
ca_pems = dict()
with wincertstore.CertSystemStore("CA") as store:
for cert in store.itercerts(usage=None):
# plugin.log(cert.get_name())
# plugin.log(cert.enhanced_keyusage_names())
ca_pems[cert.get_name()] = cert.get_pem()
plugin.log(
plugin.tr("Number of possible CAs found: {0}").format(len(ca_pems)))
if not ca_pems:
return False
ca_certs = []
trusted_cas = QgsApplication.authManager().trustedCaCertsCache()
for ca_cn, ca_pem in ca_pems.items():
try:
ca_bytes = ca_pem.encode('ASCII')
except UnicodeEncodeError:
continue
pem_ba = QByteArray(ca_bytes)
cas = QSslCertificate.fromData(pem_ba)
# plugin.log("Converted PEM to QSslCertificate {0}: ".format(ca_cn))
if not cas:
plugin.log(
plugin.tr("Could not convert PEM to QSslCertificate: {0}").
format(ca_cn))
continue
ca = cas[0]
# noinspection PyArgumentList
if not QgsAuthCertUtils.certIsViable(cert=ca):
plugin.log(plugin.tr(" cert not viable: {0}").format(ca_cn))
continue
# noinspection PyArgumentList
if not QgsAuthCertUtils.certificateIsAuthority(cert=ca):
plugin.log(plugin.tr(" cert not a CA: {0}").format(ca_cn))
continue
if ca in trusted_cas:
plugin.log(
plugin.tr(" cert already in trusted CA cache: {0}").format(
ca_cn))
continue
plugin.log(plugin.tr(" found CA to add: {0}").format(ca_cn))
ca_certs.append(ca)
if ca_certs:
plugin.log(plugin.tr("Storing CAs in auth system db"))
if not QgsApplication.authManager().storeCertAuthorities(ca_certs):
plugin.log(plugin.tr(" FAILED"))
return False
plugin.log(plugin.tr(" SUCCESS"))
plugin.log(plugin.tr("Reinitializing auth system SSL caches"))
QgsApplication.authManager().initSslCaches()
return True
else:
plugin.log(plugin.tr("No CAs found to store in auth system db"))
return True
