def test_scenario_2(self, mock_read_global_bundle, mock_read_bundle, mock_read_listings): """ Setup - Global auth disabled - Individual repo auth enabled for repo X - Client cert signed by different CA than repo X - Client cert has entitlements Expected - Denied to repo X, permitted for repo Y """ mock_read_global_bundle.return_value = None repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'} mock_read_bundle.return_value = repo_x_bundle # Test request_x = mock_environ(E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ(E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(not response_x) self.assertTrue(response_y)
def __test_scenario_9(self): """ Setup - Global auth enabled - Individual auth enabled for repo X - Different CA certificates for global and repo X configurations - Client cert signed by global CA certificate - Client cert has entitlements for both repos Excepted - Denied for repo X, passes for repo Y """ # Setup global_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, } self.auth_api.enable_global_repo_auth(global_bundle) repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create('repo-y', 'Repo Y', 'noarch', feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ(E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ(E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(not response_x) self.assertTrue(response_y)
def test_scenario_3(self, mock_read_global_bundle, mock_read_bundle, mock_read_listings): """ Setup - Global auth disabled - Individual repo auth enabled for repo X - Client cert signed by repo Y CA - Client cert does not have entitlements for requested URL Expected - Permitted to repo X, denied from repo Y """ mock_read_global_bundle.return_value = None repo_y_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, } mock_read_listings.return_value = {'/pulp/pulp/fedora-13/x86_64': 'repo-x'} mock_read_bundle.return_value = repo_y_bundle # Test request_x = mock_environ(E_LIMITED, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ(E_LIMITED, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(response_x) self.assertTrue(not response_y)
def __test_scenario_13(self): repo_x_bundle = {'ca': OTHER_CA, 'key': OTHER_CERT_KEY, 'cert': OTHER_CERT, } self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create('repo-y', 'Repo Y', 'noarch', consumer_cert_data=repo_x_bundle, feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ(E_WILDCARD, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/os') request_y = mock_environ(E_WILDCARD, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/os') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(response_x) self.assertTrue(response_y) # Try to hit something that should be denied request_z = mock_environ(E_WILDCARD, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64' '/mrg-g/2.0/os') response_z = oid_validation.authenticate(request_z, config=self.config) self.assertTrue(not response_z)
def __test_scenario_6(self): """ Setup - Global auth enabled - Individual auth disabled - Client cert signed by non-global CA - Client cert has entitlements for both repos Expected - Denied to both repo X and Y """ # Setup global_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } self.auth_api.enable_global_repo_auth(global_bundle) self.repo_api.create('repo-x', 'Repo X', 'noarch', feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create('repo-y', 'Repo Y', 'noarch', feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ(E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ(E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(not response_x) self.assertTrue(not response_y)
def __test_scenario_1(self): """ Setup - Global auth disabled - Individual repo auth enabled for repo X - Client cert signed by repo X CA - Client cert has entitlements Expected - Permitted for both repos """ # Setup self.auth_api.disable_global_repo_auth() repo_x_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, } self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create('repo-y', 'Repo Y', 'noarch', feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ(E_FULL, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ(E_FULL, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(response_x) self.assertTrue(response_y)
def __test_scenario_12(self): """ Setup - Global auth enabled - Individual auth enabled on repo X - Both global and individual auth use the same CA - No client cert in request Expected - Denied for both repo X and Y - No exceptions thrown """ # Setup global_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, } self.auth_api.enable_global_repo_auth(global_bundle) repo_x_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, } self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create('repo-y', 'Repo Y', 'noarch', feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ('', 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ('', 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(not response_x) self.assertTrue(not response_y)
def __test_scenario_14(self): """ Setup - Global auth disabled - Individual repo auth enabled for repo X - Client cert signed by repo X CA - Client cert has an OID entitlement that ends with a yum variable. e.g., repos/pulp/pulp/fedora-14/$basearch/ Expected - Permitted for both repos """ # Setup self.auth_api.disable_global_repo_auth() repo_x_bundle = { 'ca': OTHER_CA, 'key': OTHER_CA_KEY, 'cert': CERT, } self.repo_api.create( 'repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create( 'repo-y', 'Repo Y', 'noarch', feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ( E_VARIABLE_CERT + E_VARIABLE_KEY, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64' '/os/repodata/repomd.xml') request_xx = mock_environ( E_VARIABLE_CERT + E_VARIABLE_KEY, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/i386' '/os/repodata/repomd.xml') request_y = mock_environ( E_VARIABLE_CERT + E_VARIABLE_KEY, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64' '/os/repodata/repomd.xml') response_x = oid_validation.authenticate(request_x, config=self.config) response_xx = oid_validation.authenticate(request_xx, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(response_x) self.assertTrue(response_y) self.assertTrue(response_xx)
def __test_scenario_12(self): """ Setup - Global auth enabled - Individual auth enabled on repo X - Both global and individual auth use the same CA - No client cert in request Expected - Denied for both repo X and Y - No exceptions thrown """ # Setup global_bundle = { 'ca': VALID_CA, 'key': KEY, 'cert': CERT, } self.auth_api.enable_global_repo_auth(global_bundle) repo_x_bundle = { 'ca': VALID_CA, 'key': KEY, 'cert': CERT, } self.repo_api.create( 'repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create( 'repo-y', 'Repo Y', 'noarch', feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ( '', 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ( '', 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(not response_x) self.assertTrue(not response_y)
def __test_scenario_9(self): """ Setup - Global auth enabled - Individual auth enabled for repo X - Different CA certificates for global and repo X configurations - Client cert signed by global CA certificate - Client cert has entitlements for both repos Excepted - Denied for repo X, passes for repo Y """ # Setup global_bundle = { 'ca': VALID_CA, 'key': KEY, 'cert': CERT, } self.auth_api.enable_global_repo_auth(global_bundle) repo_x_bundle = { 'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } self.repo_api.create( 'repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create( 'repo-y', 'Repo Y', 'noarch', feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ( E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ( E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(not response_x) self.assertTrue(response_y)
def __test_scenario_1(self): """ Setup - Global auth disabled - Individual repo auth enabled for repo X - Client cert signed by repo X CA - Client cert has entitlements Expected - Permitted for both repos """ # Setup self.auth_api.disable_global_repo_auth() repo_x_bundle = { 'ca': VALID_CA, 'key': KEY, 'cert': CERT, } self.repo_api.create( 'repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create( 'repo-y', 'Repo Y', 'noarch', feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ( E_FULL, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ( E_FULL, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(response_x) self.assertTrue(response_y)
def test_is_valid_verify_ssl_undefined(self, mock_read_bundle, mock_read_listings, validate_certificate_pem, _check_extensions): """ Test is_valid when verify_ssl is undefined. """ self.config.remove_option('main', 'verify_ssl') repo_x_bundle = { 'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } mock_read_listings.return_value = { '/pulp/pulp/fedora-14/x86_64': 'repo-x' } mock_read_bundle.return_value = repo_x_bundle request_x = mock_environ( E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') valid = oid_validation.authenticate(request_x, config=self.config) # Make sure we didn't call into the cert validation code self.assertEqual(validate_certificate_pem.call_count, 1) # It should be other because we mocked validate_certificate_pem to return False self.assertEqual(valid, False) # _check_extensions shouldn't have been called self.assertEqual(_check_extensions.call_count, 0)
def test_is_valid_verify_ssl_false(self, mock_read_bundle, mock_read_listings, validate_certificate_pem, _check_extensions): """ Test is_valid when verify_ssl is false. """ self.config.set('main', 'verify_ssl', 'false') repo_x_bundle = { 'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } mock_read_listings.return_value = { '/pulp/pulp/fedora-14/x86_64': 'repo-x' } mock_read_bundle.return_value = repo_x_bundle request_x = mock_environ( E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') valid = oid_validation.authenticate(request_x, config=self.config) # Make sure we didn't call into the cert validation code self.assertEqual(validate_certificate_pem.call_count, 0) # It should be valid because we mocked _check_extensions to return True self.assertEqual(valid, True)
def __test_scenario_6(self): """ Setup - Global auth enabled - Individual auth disabled - Client cert signed by non-global CA - Client cert has entitlements for both repos Expected - Denied to both repo X and Y """ # Setup global_bundle = { 'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } self.auth_api.enable_global_repo_auth(global_bundle) self.repo_api.create( 'repo-x', 'Repo X', 'noarch', feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create( 'repo-y', 'Repo Y', 'noarch', feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ( E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ( E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(not response_x) self.assertTrue(not response_y)
def __test_scenario_14(self): """ Setup - Global auth disabled - Individual repo auth enabled for repo X - Client cert signed by repo X CA - Client cert has an OID entitlement that ends with a yum variable. e.g., repos/pulp/pulp/fedora-14/$basearch/ Expected - Permitted for both repos """ # Setup self.auth_api.disable_global_repo_auth() repo_x_bundle = {'ca': OTHER_CA, 'key': OTHER_CA_KEY, 'cert': CERT, } self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create('repo-y', 'Repo Y', 'noarch', feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ(E_VARIABLE_CERT + E_VARIABLE_KEY, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64' '/os/repodata/repomd.xml') request_xx = mock_environ(E_VARIABLE_CERT + E_VARIABLE_KEY, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/i386' '/os/repodata/repomd.xml') request_y = mock_environ(E_VARIABLE_CERT + E_VARIABLE_KEY, 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64' '/os/repodata/repomd.xml') response_x = oid_validation.authenticate(request_x, config=self.config) response_xx = oid_validation.authenticate(request_xx, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(response_x) self.assertTrue(response_y) self.assertTrue(response_xx)
def __test_scenario_13(self): repo_x_bundle = { 'ca': OTHER_CA, 'key': OTHER_CERT_KEY, 'cert': OTHER_CERT, } self.repo_api.create( 'repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle, feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64') self.repo_api.create( 'repo-y', 'Repo Y', 'noarch', consumer_cert_data=repo_x_bundle, feed= 'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64') # Test request_x = mock_environ( E_WILDCARD, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/os') request_y = mock_environ( E_WILDCARD, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/os') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(response_x) self.assertTrue(response_y) # Try to hit something that should be denied request_z = mock_environ( E_WILDCARD, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64' '/mrg-g/2.0/os') response_z = oid_validation.authenticate(request_z, config=self.config) self.assertTrue(not response_z)
def test_no_mod_ssl_vars(self): """ Test that if 'mod_ssl.var_lookup' is missing, it is handled gracefully. """ environ = mock_environ(E_FULL, 'https://localhost/some/repo/package.rpm') environ.pop('mod_ssl.var_lookup') self.assertFalse(oid_validation.authenticate(environ)) environ['wsgi.errors'].write.assert_called_once_with( 'Authentication failed; no client certificate provided in request.\n' )
def test_scenario_3(self, mock_read_global_bundle, mock_read_bundle, mock_read_listings): """ Setup - Global auth disabled - Individual repo auth enabled for repo X - Client cert signed by repo Y CA - Client cert does not have entitlements for requested URL Expected - Permitted to repo X, denied from repo Y """ mock_read_global_bundle.return_value = None repo_y_bundle = { 'ca': VALID_CA, 'key': KEY, 'cert': CERT, } mock_read_listings.return_value = { '/pulp/pulp/fedora-13/x86_64': 'repo-x' } mock_read_bundle.return_value = repo_y_bundle # Test request_x = mock_environ( E_LIMITED, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ( E_LIMITED, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(response_x) self.assertTrue(not response_y)
def test_no_mod_ssl_vars(self): """ Test that if 'mod_ssl.var_lookup' is missing, it is handled gracefully. """ environ = mock_environ( E_FULL, 'https://localhost/some/repo/package.rpm' ) environ.pop('mod_ssl.var_lookup') self.assertFalse(oid_validation.authenticate(environ)) environ['wsgi.errors'].write.assert_called_once_with( 'Authentication failed; no client certificate provided in request.\n' )
def test_scenario_2(self, mock_read_global_bundle, mock_read_bundle, mock_read_listings): """ Setup - Global auth disabled - Individual repo auth enabled for repo X - Client cert signed by different CA than repo X - Client cert has entitlements Expected - Denied to repo X, permitted for repo Y """ mock_read_global_bundle.return_value = None repo_x_bundle = { 'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } mock_read_listings.return_value = { '/pulp/pulp/fedora-14/x86_64': 'repo-x' } mock_read_bundle.return_value = repo_x_bundle # Test request_x = mock_environ( E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') request_y = mock_environ( E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/') response_x = oid_validation.authenticate(request_x, config=self.config) response_y = oid_validation.authenticate(request_y, config=self.config) # Verify self.assertTrue(not response_x) self.assertTrue(response_y)
def test_ssl_client_cert_set(self, mock_oid_validation): """ Test that if the client cert is in SSL_CLIENT_CERT, that certificate is used. It may be the case that 'SSL_CLIENT_CERT' is set in the 'environ' dictionary. It might also be the case that 'mod_ssl.var_lookup' is not set, and we should handle that case. """ environ = mock_environ(E_FULL, 'https://localhost/some/repo/package.rpm') environ['SSL_CLIENT_CERT'] = E_FULL environ.pop('mod_ssl.var_lookup') mock_oid_validation.return_value.is_valid.return_value = True self.assertTrue(oid_validation.authenticate(environ)) mock_oid_validation.return_value.is_valid.assert_called_once_with( '/some/repo/package.rpm', E_FULL, environ['wsgi.errors'].write)
def test_is_valid_verify_ssl_false(self, mock_read_bundle, mock_read_listings, validate_certificate_pem, _check_extensions): """ Test is_valid when verify_ssl is false. """ self.config.set('main', 'verify_ssl', 'false') repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'} mock_read_bundle.return_value = repo_x_bundle request_x = mock_environ(E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') valid = oid_validation.authenticate(request_x, config=self.config) # Make sure we didn't call into the cert validation code self.assertEqual(validate_certificate_pem.call_count, 0) # It should be valid because we mocked _check_extensions to return True self.assertEqual(valid, True)
def test_ssl_client_cert_set(self, mock_oid_validation): """ Test that if the client cert is in SSL_CLIENT_CERT, that certificate is used. It may be the case that 'SSL_CLIENT_CERT' is set in the 'environ' dictionary. It might also be the case that 'mod_ssl.var_lookup' is not set, and we should handle that case. """ environ = mock_environ( E_FULL, 'https://localhost/some/repo/package.rpm' ) environ['SSL_CLIENT_CERT'] = E_FULL environ.pop('mod_ssl.var_lookup') mock_oid_validation.return_value.is_valid.return_value = True self.assertTrue(oid_validation.authenticate(environ)) mock_oid_validation.return_value.is_valid.assert_called_once_with( '/some/repo/package.rpm', E_FULL, environ['wsgi.errors'].write)
def test_is_valid_verify_ssl_undefined(self, mock_read_bundle, mock_read_listings, validate_certificate_pem, _check_extensions): """ Test is_valid when verify_ssl is undefined. """ self.config.remove_option('main', 'verify_ssl') repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, } mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'} mock_read_bundle.return_value = repo_x_bundle request_x = mock_environ(E_FULL, 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/') valid = oid_validation.authenticate(request_x, config=self.config) # Make sure we didn't call into the cert validation code self.assertEqual(validate_certificate_pem.call_count, 1) # It should be other because we mocked validate_certificate_pem to return False self.assertEqual(valid, False) # _check_extensions shouldn't have been called self.assertEqual(_check_extensions.call_count, 0)
def test_authenticate_loads_config(self, mock_validator, mock_config): environ = mock_environ(E_FULL, 'https://nowhere/path/to') oid_validation.authenticate(environ) mock_config.assert_called_once_with()