class TestHTTPS(tservers.HTTPProxTest, CommonMixin, TcpMixin):
ssl = True
ssloptions = pathod.SSLOptions(request_client_cert=True)
def test_clientcert_file(self):
try:
self.config.clientcerts = os.path.join(
tutils.test_data.path("data/clientcert"), "client.pem")
f = self.pathod("304")
assert f.status_code == 304
assert self.server.last_log()["request"]["clientcert"]["keyinfo"]
finally:
self.config.clientcerts = None
def test_clientcert_dir(self):
try:
self.config.clientcerts = tutils.test_data.path("data/clientcert")
f = self.pathod("304")
assert f.status_code == 304
assert self.server.last_log()["request"]["clientcert"]["keyinfo"]
finally:
self.config.clientcerts = None
def test_error_post_connect(self):
p = self.pathoc()
assert p.request("get:/:i0,'invalid\r\n\r\n'").status_code == 400
class TestHTTPSUpstreamServerVerificationWBadCert(tservers.HTTPProxTest):
"""
Test upstream server certificate verification with an untrusted server cert.
"""
ssl = True
ssloptions = pathod.SSLOptions(
cn="untrusted-cert",
certs=[("untrusted-cert",
tutils.test_data.path("data/untrusted-server.crt"))])
def _request(self):
p = self.pathoc()
# We need to make an actual request because the upstream connection is lazy-loaded.
return p.request("get:/p/242")
def test_default_verification_w_bad_cert(self):
"""Should use no verification."""
self.config.openssl_trusted_ca_server = tutils.test_data.path(
"data/trusted-cadir/trusted-ca.pem")
assert self._request().status_code == 242
def test_no_verification_w_bad_cert(self):
self.config.openssl_verification_mode_server = SSL.VERIFY_NONE
self.config.openssl_trusted_ca_server = tutils.test_data.path(
"data/trusted-cadir/trusted-ca.pem")
assert self._request().status_code == 242
def test_verification_w_bad_cert(self):
self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
self.config.openssl_trusted_ca_server = tutils.test_data.path(
"data/trusted-cadir/trusted-ca.pem")
assert self._request().status_code == 502
class TestHTTPSUpstreamServerVerificationWBadCert(tservers.HTTPProxTest):
"""
Test upstream server certificate verification with an untrusted server cert.
"""
ssl = True
ssloptions = pathod.SSLOptions(
cn="untrusted-cert",
certs=[("untrusted-cert",
tutils.test_data.path("data/untrusted-server.crt"))])
def test_default_verification_w_bad_cert(self):
"""Should use no verification."""
self.config.openssl_trusted_ca_server = tutils.test_data.path(
"data/trusted-cadir/trusted-ca.pem")
self.pathoc()
def test_no_verification_w_bad_cert(self):
self.config.openssl_verification_mode_server = SSL.VERIFY_NONE
self.config.openssl_trusted_ca_server = tutils.test_data.path(
"data/trusted-cadir/trusted-ca.pem")
self.pathoc()
def test_verification_w_bad_cert(self):
self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
self.config.openssl_trusted_ca_server = tutils.test_data.path(
"data/trusted-cadir/trusted-ca.pem")
tutils.raises("SSL handshake error", self.pathoc)
class TestHTTPSNoCommonName(tservers.HTTPProxTest, CommonMixin):
"""
Test what happens if we get a cert without common name back.
"""
ssl = True
ssloptions=pathod.SSLOptions(certfile=tutils.test_data.path("data/no_common_name.pem"),
keyfile=tutils.test_data.path("data/no_common_name.pem"))
class TestDaemonSSL(_TestDaemon):
ssl = True
ssloptions = pathod.SSLOptions(request_client_cert=True,
sans=["test1.com", "test2.com"])
def test_sni(self):
c = pathoc.Pathoc(("127.0.0.1", self.d.port),
ssl=True,
sni="foobar.com")
c.connect()
c.request("get:/p/200")
r = c.request("get:/api/log")
d = json.loads(r.content)
assert d["log"][0]["request"]["sni"] == "foobar.com"
def test_showssl(self):
assert "certificate chain" in self.tval(["get:/p/200"], showssl=True)
def test_clientcert(self):
c = pathoc.Pathoc(
("127.0.0.1", self.d.port),
ssl=True,
clientcert=tutils.test_data.path("data/clientcert/client.pem"))
c.connect()
c.request("get:/p/200")
r = c.request("get:/api/log")
d = json.loads(r.content)
assert d["log"][0]["request"]["clientcert"]["keyinfo"]
class _TestDaemon:
ssloptions = pathod.SSLOptions()
@classmethod
def setUpAll(self):
self.d = test.Daemon(ssl=self.ssl,
ssloptions=self.ssloptions,
staticdir=tutils.test_data.path("data"),
anchors=[(re.compile("/anchor/.*"),
language.parse_response("202"))])
@classmethod
def tearDownAll(self):
self.d.shutdown()
def setUp(self):
self.d.clear_log()
def test_info(self):
c = pathoc.Pathoc(("127.0.0.1", self.d.port), ssl=self.ssl)
c.connect()
resp = c.request("get:/api/info")
assert tuple(json.loads(resp.content)["version"]) == version.IVERSION
def tval(self,
requests,
showreq=False,
showresp=False,
explain=False,
showssl=False,
hexdump=False,
timeout=None,
ignorecodes=(),
ignoretimeout=None,
showsummary=True):
s = cStringIO.StringIO()
c = pathoc.Pathoc(("127.0.0.1", self.d.port),
ssl=self.ssl,
showreq=showreq,
showresp=showresp,
explain=explain,
hexdump=hexdump,
ignorecodes=ignorecodes,
ignoretimeout=ignoretimeout,
showsummary=showsummary,
fp=s)
c.connect(showssl=showssl, fp=s)
if timeout:
c.settimeout(timeout)
for i in requests:
r = language.parse_requests(i)[0]
if explain:
r = r.freeze(language.Settings())
try:
c.request(r)
except (http.HttpError, tcp.NetLibError), v:
pass
return s.getvalue()
class TestHTTPSNoCommonName(tservers.HTTPProxTest):
"""
Test what happens if we get a cert without common name back.
"""
ssl = True
ssloptions = pathod.SSLOptions(
certs=[("*", tutils.test_data.path("data/no_common_name.pem"))])
def test_http(self):
f = self.pathod("202")
assert f.sslinfo.certchain[0].get_subject().CN == "127.0.0.1"
class TestHTTPS(tservers.HTTPProxTest, CommonMixin, TcpMixin):
ssl = True
ssloptions = pathod.SSLOptions(request_client_cert=True)
clientcerts = True
def test_clientcert(self):
f = self.pathod("304")
assert f.status_code == 304
assert self.server.last_log()["request"]["clientcert"]["keyinfo"]
def test_error_post_connect(self):
p = self.pathoc()
assert p.request("get:/:i0,'invalid\r\n\r\n'").status_code == 400
class _TestDaemon:
ssloptions = pathod.SSLOptions()
@classmethod
def setUpAll(self):
self.d = test.Daemon(ssl=self.ssl,
ssloptions=self.ssloptions,
staticdir=tutils.test_data.path("data"),
anchors=[("/anchor/.*", "202")])
@classmethod
def tearDownAll(self):
self.d.shutdown()
def setUp(self):
self.d.clear_log()
def test_info(self):
c = pathoc.Pathoc(("127.0.0.1", self.d.port), ssl=self.ssl)
c.connect()
r = c.request("get:/api/info")
assert tuple(json.loads(r.content)["version"]) == version.IVERSION
def tval(self,
requests,
showreq=False,
showresp=False,
explain=False,
showssl=False,
hexdump=False,
timeout=None,
ignorecodes=None,
ignoretimeout=None):
c = pathoc.Pathoc(("127.0.0.1", self.d.port), ssl=self.ssl)
c.connect()
if timeout:
c.settimeout(timeout)
s = cStringIO.StringIO()
for i in requests:
c.print_request(i,
showreq=showreq,
showresp=showresp,
explain=explain,
showssl=showssl,
hexdump=hexdump,
ignorecodes=ignorecodes,
ignoretimeout=ignoretimeout,
fp=s)
return s.getvalue()
def setUpAll(self):
so = pathod.SSLOptions(not_after_connect=self.not_after_connect)
self.d = test.Daemon(staticdir=test_data.path("data"),
anchors=[("/anchor/.*", "202:da")],
ssl=self.ssl,
ssloptions=so,
sizelimit=1 * 1024 * 1024,
noweb=self.noweb,
noapi=self.noapi,
nohang=self.nohang,
timeout=self.timeout,
hexdump=self.hexdump,
logreq=True,
logresp=True,
explain=True)
def setup_class(cls):
opts = cls.ssloptions or {}
cls.confdir = tempfile.mkdtemp()
opts["confdir"] = cls.confdir
so = pathod.SSLOptions(**opts)
cls.d = test.Daemon(staticdir=test_data.path("data"),
anchors=[(re.compile("/anchor/.*"), "202:da")],
ssl=cls.ssl,
ssloptions=so,
sizelimit=1 * 1024 * 1024,
noweb=cls.noweb,
noapi=cls.noapi,
nohang=cls.nohang,
timeout=cls.timeout,
hexdump=cls.hexdump,
nocraft=cls.nocraft,
logreq=True,
logresp=True,
explain=True)
def setUpAll(self):
opts = self.ssloptions or {}
self.confdir = tempfile.mkdtemp()
opts["confdir"] = self.confdir
so = pathod.SSLOptions(**opts)
self.d = test.Daemon(
staticdir=test_data.path("data"),
anchors=[("/anchor/.*", "202:da")],
ssl = self.ssl,
ssloptions = so,
sizelimit=1*1024*1024,
noweb = self.noweb,
noapi = self.noapi,
nohang = self.nohang,
timeout = self.timeout,
hexdump = self.hexdump,
logreq = True,
logresp = True,
explain = True
)
class TestDaemonSSL(_TestDaemon):
ssl = True
ssloptions = pathod.SSLOptions(
request_client_cert=True,
sans=["test1.com", "test2.com"],
alpn_select=b'h2',
)
def test_sni(self):
c = pathoc.Pathoc(("127.0.0.1", self.d.port),
ssl=True,
sni="foobar.com",
fp=None)
c.connect()
c.request("get:/p/200")
r = c.request("get:/api/log")
d = json.loads(r.content)
assert d["log"][0]["request"]["sni"] == "foobar.com"
def test_showssl(self):
assert "certificate chain" in self.tval(["get:/p/200"], showssl=True)
def test_clientcert(self):
c = pathoc.Pathoc(
("127.0.0.1", self.d.port),
ssl=True,
clientcert=tutils.test_data.path("data/clientcert/client.pem"),
fp=None)
c.connect()
c.request("get:/p/200")
r = c.request("get:/api/log")
d = json.loads(r.content)
assert d["log"][0]["request"]["clientcert"]["keyinfo"]
def test_http2_without_ssl(self):
fp = cStringIO.StringIO()
c = pathoc.Pathoc(("127.0.0.1", self.d.port),
use_http2=True,
ssl=False,
fp=fp)
tutils.raises(NotImplementedError, c.connect)
class _TestDaemon:
ssloptions = pathod.SSLOptions()
@classmethod
def setUpAll(self):
self.d = test.Daemon(ssl=self.ssl,
ssloptions=self.ssloptions,
staticdir=tutils.test_data.path("data"),
anchors=[("/anchor/.*", "202")])
@classmethod
def tearDownAll(self):
self.d.shutdown()
def setUp(self):
self.d.clear_log()
def test_info(self):
c = pathoc.Pathoc(("127.0.0.1", self.d.port), ssl=self.ssl)
c.connect()
r = c.request("get:/api/info")
assert tuple(json.loads(r.content)["version"]) == version.IVERSION
def setUpAll(klass):
opts = klass.ssloptions or {}
klass.confdir = tempfile.mkdtemp()
opts["confdir"] = klass.confdir
so = pathod.SSLOptions(**opts)
klass.d = test.Daemon(
staticdir=test_data.path("data"),
anchors=[
(re.compile("/anchor/.*"), language.parse_response("202:da"))
],
ssl = klass.ssl,
ssloptions = so,
sizelimit = 1*1024*1024,
noweb = klass.noweb,
noapi = klass.noapi,
nohang = klass.nohang,
timeout = klass.timeout,
hexdump = klass.hexdump,
logreq = True,
logresp = True,
explain = True
)
class TestHTTPSUpstreamServerVerificationWTrustedCert(tservers.HTTPProxTest):
"""
Test upstream server certificate verification with a trusted server cert.
"""
ssl = True
ssloptions = pathod.SSLOptions(
cn="trusted-cert",
certs=[("trusted-cert",
tutils.test_data.path("data/trusted-server.crt"))])
def test_verification_w_cadir(self):
self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
self.config.openssl_trusted_cadir_server = tutils.test_data.path(
"data/trusted-cadir/")
self.pathoc()
def test_verification_w_pemfile(self):
self.config.openssl_verification_mode_server = SSL.VERIFY_PEER
self.config.openssl_trusted_ca_server = tutils.test_data.path(
"data/trusted-cadir/trusted-ca.pem")
self.pathoc()
