def test_works_when_client_auth_succeeded(self):
# Given a server that requires client authentication
with VulnerableOpenSslServer(
client_auth_config=ClientAuthenticationServerConfigurationEnum.
REQUIRED) as server:
# And the client provides a client certificate
client_creds = ClientAuthenticationCredentials(
client_certificate_chain_path=server.
get_client_certificate_path(),
client_key_path=server.get_client_key_path(),
)
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port,
client_auth_credentials=client_creds,
)
server_info = server_test.perform()
# The plugin works fine
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info,
HttpHeadersScanCommand())
self.assertIsNone(plugin_result.expect_ct_header)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_expect_ct_disabled(self):
server_test = ServerConnectivityTester(hostname='hsts.badssl.com')
server_info = server_test.perform()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
assert not plugin_result.expect_ct_header
assert plugin_result.as_text()
assert plugin_result.as_xml()
assert pickle.dumps(plugin_result)
def test_expect_ct_disabled(self):
server_info = ServerConnectivityInfo(hostname='hsts.badssl.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
self.assertFalse(plugin_result.expect_ct_header)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
self.assertTrue(pickle.dumps(plugin_result))
def test_legacy_ssl_client_missing_verified_chain(self):
# Given a tls1.0 server
server_test = ServerConnectivityTester(hostname='tls-v1-0.badssl.com',
port=1010)
server_info = server_test.perform()
# The plugin does not throw an exception trying to access LegacySslClient.get_verified_chain()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info,
HttpHeadersScanCommand())
assert plugin_result.as_text()
assert plugin_result.as_xml()
def test_hsts_enabled(self):
server_info = ServerConnectivityInfo(hostname=u'hsts.badssl.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, 'http_headers')
self.assertTrue(plugin_result.hsts_header)
self.assertFalse(plugin_result.hpkp_header)
self.assertIsNone(plugin_result.is_valid_pin_configured)
self.assertIsNone(plugin_result.is_backup_pin_configured)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_hpkp_enabled(self):
server_info = ServerConnectivityInfo(hostname=u'github.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, 'http_headers')
self.assertTrue(plugin_result.hpkp_header)
self.assertTrue(plugin_result.is_valid_pin_configured)
self.assertTrue(plugin_result.is_backup_pin_configured)
self.assertTrue(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_expect_ct_disabled(self):
server_test = ServerConnectivityTester(hostname='hsts.badssl.com')
server_info = server_test.perform()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info,
HttpHeadersScanCommand())
assert not plugin_result.expect_ct_header
assert plugin_result.as_text()
assert plugin_result.as_xml()
assert pickle.dumps(plugin_result)
def test_hpkp_enabled(self):
server_info = ServerConnectivityInfo(hostname='github.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, 'http_headers')
self.assertTrue(plugin_result.hpkp_header)
self.assertTrue(plugin_result.is_valid_pin_configured)
self.assertTrue(plugin_result.is_backup_pin_configured)
self.assertTrue(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_hsts_enabled(self):
server_info = ServerConnectivityInfo(hostname='hsts.badssl.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, 'http_headers')
self.assertTrue(plugin_result.hsts_header)
self.assertFalse(plugin_result.hpkp_header)
self.assertIsNone(plugin_result.is_valid_pin_configured)
self.assertIsNone(plugin_result.is_backup_pin_configured)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
def test_expect_ct_enabled(self):
# Github was the only server I could find with expect-ct header set
server_test = ServerConnectivityTester(hostname='github.com')
server_info = server_test.perform()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
assert plugin_result.expect_ct_header
assert plugin_result.expect_ct_header.max_age >= 0
assert plugin_result.as_text()
assert plugin_result.as_xml()
assert pickle.dumps(plugin_result)
def test_fails_when_client_auth_failed(self):
# Given a server that requires client authentication
with ModernOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
# The plugin fails when a client cert was not supplied
plugin = HttpHeadersPlugin()
with self.assertRaises(ClientCertificateRequested):
plugin.process_task(server_info, HttpHeadersScanCommand())
def test_fails_when_client_auth_failed_tls_1_2(self):
# Given a server with TLS 1.2 that requires client authentication
with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port
)
server_info = server_test.perform()
# The plugin fails when a client cert was not supplied
plugin = HttpHeadersPlugin()
with pytest.raises(ClientCertificateRequested):
plugin.process_task(server_info, HttpHeadersScanCommand())
def test_expect_ct_enabled(self):
# Github was the only server I could find with expect-ct header set
server_info = ServerConnectivityInfo(hostname='github.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
self.assertTrue(plugin_result.expect_ct_header)
self.assertTrue(plugin_result.expect_ct_header.max_age >= 0)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
self.assertTrue(pickle.dumps(plugin_result))
def test_expect_ct_enabled(self):
# Github was the only server I could find with expect-ct header set
server_test = ServerConnectivityTester(hostname='github.com')
server_info = server_test.perform()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info,
HttpHeadersScanCommand())
assert plugin_result.expect_ct_header
assert plugin_result.expect_ct_header.max_age >= 0
assert plugin_result.as_text()
assert plugin_result.as_xml()
assert pickle.dumps(plugin_result)
def test_hsts_and_hpkp_disabled(self):
server_test = ServerConnectivityTester(hostname='expired.badssl.com')
server_info = server_test.perform()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
self.assertFalse(plugin_result.hsts_header)
self.assertFalse(plugin_result.hpkp_header)
self.assertIsNone(plugin_result.is_valid_pin_configured)
self.assertIsNone(plugin_result.is_backup_pin_configured)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_hsts_and_hpkp_disabled(self):
server_info = ServerConnectivityInfo(hostname='expired.badssl.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
self.assertFalse(plugin_result.hsts_header)
self.assertFalse(plugin_result.hpkp_header)
self.assertIsNone(plugin_result.is_valid_pin_configured)
self.assertIsNone(plugin_result.is_backup_pin_configured)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_hsts_and_hpkp_disabled(self):
server_test = ServerConnectivityTester(hostname='expired.badssl.com')
server_info = server_test.perform()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
assert not plugin_result.strict_transport_security_header
assert not plugin_result.public_key_pins_header
assert plugin_result.is_valid_pin_configured is None
assert plugin_result.is_backup_pin_configured is None
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_hpkp_enabled(self):
server_info = ServerConnectivityInfo(hostname='github.com')
server_info.test_connectivity_to_server()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info,
HttpHeadersScanCommand())
self.assertTrue(plugin_result.hpkp_header)
self.assertTrue(plugin_result.is_valid_pin_configured)
self.assertTrue(plugin_result.is_backup_pin_configured)
self.assertTrue(plugin_result.verified_certificate_chain)
self.assertTrue(plugin_result.as_text())
self.assertTrue(plugin_result.as_xml())
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
self.assertTrue(pickle.dumps(plugin_result))
def test_hsts_and_hpkp_disabled(self):
server_test = ServerConnectivityTester(hostname='expired.badssl.com')
server_info = server_test.perform()
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info,
HttpHeadersScanCommand())
assert not plugin_result.strict_transport_security_header
assert not plugin_result.public_key_pins_header
assert plugin_result.is_valid_pin_configured is None
assert plugin_result.is_backup_pin_configured is None
assert plugin_result.as_text()
assert plugin_result.as_xml()
# Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue
assert pickle.dumps(plugin_result)
def test_fails_when_client_auth_failed(self):
# Given a server that requires client authentication
try:
with VulnerableOpenSslServer(
client_auth_config=
ClientAuthenticationServerConfigurationEnum.REQUIRED
) as server:
# And the client does NOT provide a client certificate
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = server_test.perform()
# The plugin fails when a client cert was not supplied
plugin = HttpHeadersPlugin()
with self.assertRaises(ClientCertificateRequested):
plugin.process_task(server_info, HttpHeadersScanCommand())
except NotOnLinux64Error:
logging.warning('WARNING: Not on Linux - skipping test')
return
def test_works_when_client_auth_succeeded(self):
# Given a server that requires client authentication
with ModernOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And the client provides a client certificate
client_creds = ClientAuthenticationCredentials(
client_certificate_chain_path=server.get_client_certificate_path(),
client_key_path=server.get_client_key_path(),
)
server_test = ServerConnectivityTester(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port,
client_auth_credentials=client_creds,
)
server_info = server_test.perform()
# The plugin works fine
plugin = HttpHeadersPlugin()
plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand())
assert plugin_result.expect_ct_header is None
assert plugin_result.as_text()
assert plugin_result.as_xml()
