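def test_ocsp_with_bogus_cache_files(tmpdir):
    """
    Attempt to use bogus OCSP response data.

    A cache file holding real OCSP entries is rewritten so that every entry
    keeps a current timestamp but carries garbage response bytes.  A fresh
    validator pointed at that file must still validate ``target_hosts``:
    the corrupt entries must neither be trusted nor break validation.  The
    assertion only checks that ``validate`` succeeds; how the validator
    recovers (presumably by re-fetching) is not asserted here.

    :param tmpdir: pytest ``tmpdir`` fixture; the cache file is created in it.
    """
    cache_file_name, target_hosts = _store_cache_in_file(tmpdir)

    ocsp = SFOCSP(
        ocsp_response_cache_uri='file://' + cache_file_name)
    OCSPCache.read_ocsp_response_cache_file(ocsp, cache_file_name)
    cache_data = OCSPCache.CACHE
    assert cache_data, "more than one cache entries should be stored."

    # Overwrite every cached response in place with garbage bytes.  The
    # timestamp is kept current so the entries are not simply dropped as
    # stale; the validator has to reject the payload itself.  Assigning to
    # existing keys does not resize the dict, so iterating it is safe.
    current_time = int(time.time())
    for key in cache_data:
        cache_data[key] = (current_time, b'bogus')

    # write back the cache file (cache_data *is* OCSPCache.CACHE, so no
    # reassignment is needed)
    OCSPCache.write_ocsp_response_cache_file(ocsp, cache_file_name)

    # Force a new validator to load the bogus cache file.  Validation must
    # still succeed for every host; the bogus entries must not be trusted.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP(
        ocsp_response_cache_uri='file://' + cache_file_name)
    for hostname in target_hosts:
        connection = _openssl_connect(hostname)
        assert ocsp.validate(hostname, connection), \
            'Failed to validate: {}'.format(hostname)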
def _validate_certs_using_ocsp(url, cache_file_name):
    """Validate OCSP response. Deleting memory cache and file cache randomly."""
    import random
    import time

    log = logging.getLogger('test')
    # Random start delay of 0-3 seconds before touching the caches.
    time.sleep(random.randint(0, 3))
    # About 20% of calls drop the in-memory cache, about 5% drop the file
    # cache as well; the two rolls are independent.
    if random.random() < 0.2:
        log.info('clearing up cache: OCSP_VALIDATION_CACHE')
        SnowflakeOCSP.clear_cache()
    if random.random() < 0.05:
        log.info('deleting a cache file: %s', cache_file_name)
        SnowflakeOCSP.delete_cache_file()

    conn = _openssl_connect(url)
    validator = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
    # Result deliberately not asserted: this helper only exercises the path.
    validator.validate(url, conn)
def test_ocsp_wo_cache_server():
    """OCSP Tests with Cache Server Disabled."""
    SnowflakeOCSP.clear_cache()  # start from an empty memory cache
    # With the cache server switched off every target host must still
    # validate successfully.
    validator = SFOCSP(use_ocsp_cache_server=False)
    for url in TARGET_HOSTS:
        conn = _openssl_connect(url)
        ok = validator.validate(url, conn)
        assert ok, f"Failed to validate: {url}"
def test_ocsp_with_invalid_cache_file():
    """OCSP tests with an invalid cache file."""
    # Empty the memory cache, then hand the validator a cache URI that does
    # not point at any file.  Validation of the first target host must still
    # succeed; a bad cache location must not be fatal.
    SnowflakeOCSP.clear_cache()
    validator = SFOCSP(ocsp_response_cache_uri="NEVER_EXISTS")
    first_host_only = TARGET_HOSTS[0:1]
    for url in first_host_only:
        conn = _openssl_connect(url)
        assert validator.validate(url, conn), f"Failed to validate: {url}"
def test_ocsp():
    """OCSP tests."""
    SnowflakeOCSP.clear_cache()  # reset the memory cache
    validator = SFOCSP()
    # Default validator; a 5 s timeout is passed to the connect helper so a
    # non-responding host cannot stall the whole test.
    for url in TARGET_HOSTS:
        conn = _openssl_connect(url, timeout=5)
        ok = validator.validate(url, conn)
        assert ok, f"Failed to validate: {url}"
def test_ocsp_by_post_method():
    """OCSP tests with ``use_post_method=True``."""
    SnowflakeOCSP.clear_cache()  # reset the memory cache
    validator = SFOCSP(use_post_method=True)
    for url in TARGET_HOSTS:
        conn = _openssl_connect(url)
        ok = validator.validate(url, conn)
        assert ok, f"Failed to validate: {url}"
def test_ocsp():
    """
    OCSP tests
    """
    SnowflakeOCSP.clear_cache()  # reset the memory cache
    validator = SFOCSP()
    # Every configured target host has to validate with a default validator.
    for hostname in TARGET_HOSTS:
        conn = _openssl_connect(hostname)
        result = validator.validate(hostname, conn)
        assert result, 'Failed to validate: {}'.format(hostname)
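def test_ocsp_single_endpoint():
    """
    OCSP validation with the new cache-server endpoint activated.

    Sets ``SF_OCSP_ACTIVATE_NEW_ENDPOINT``, overrides the cache server's
    ``NEW_DEFAULT_CACHE_SERVER_BASE_URL`` with a preprod URL and validates a
    single host.  Both settings are process-wide (an environment variable and
    an attribute on the shared cache-server object), so they are restored in
    ``finally``; previously an assertion failure left both overrides in place
    for every later test in the process.
    """
    hostname = "snowflake.okta.com"
    environ['SF_OCSP_ACTIVATE_NEW_ENDPOINT'] = 'True'
    cache_server = None
    saved_base_url = None
    try:
        SnowflakeOCSP.clear_cache()
        ocsp = SFOCSP()
        cache_server = ocsp.OCSP_CACHE_SERVER
        # Remember the original base URL so the override can be undone;
        # NOTE(review): this looks like class-level state shared across
        # instances, which is why it is restored rather than left behind.
        saved_base_url = cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL
        cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL = \
            "https://snowflake.preprod3.us-west-2-dev.external-zone.snowflakecomputing.com:8085/ocsp/"
        connection = _openssl_connect(hostname)
        assert ocsp.validate(hostname, connection), \
            'Failed to validate: {}'.format(hostname)
    finally:
        if cache_server is not None:
            cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL = saved_base_url
        del environ['SF_OCSP_ACTIVATE_NEW_ENDPOINT']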
def test_ocsp_with_file_cache(tmpdir):
    """OCSP tests and the cache server and file."""
    cache_dir = tmpdir.mkdir("ocsp_response_cache")
    cache_file = path.join(str(cache_dir), "cache_file.txt")

    SnowflakeOCSP.clear_cache()  # reset the memory cache
    # Only the file-cache URI is configured here; no cache-server flag is
    # passed, so whatever SFOCSP does by default for the server applies.
    validator = SFOCSP(ocsp_response_cache_uri="file://" + cache_file)
    for url in TARGET_HOSTS:
        conn = _openssl_connect(url)
        assert validator.validate(url, conn), f"Failed to validate: {url}"
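def test_ocsp_fail_close_w_single_endpoint():
    """
    Fail-close: a responder that does not answer in time must fail validation.

    Test mode points the responder URL at a 10 s delay endpoint while the
    responder connection timeout is 5 s, and ``use_fail_open=False`` is
    requested.  ``validate`` is expected to raise ``RevocationCheckError``
    with ``errno == ER_INVALID_OCSP_RESPONSE_CODE``.  Relies on the external
    httpbin.org service being reachable.

    The test-mode environment variables are process-global, so they are
    removed in ``finally`` on every exit path.  Previously only the final
    ``assert`` was guarded: if ``validate`` did *not* raise, ``pytest.raises``
    failed before the ``try`` and the overrides leaked into later tests.
    """
    hostname = "snowflake.okta.com"
    SnowflakeOCSP.clear_cache()

    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_URL"] = "http://httpbin.org/delay/10"
    environ["SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"] = "5"
    try:
        OCSPCache.del_cache_file()

        ocsp = SFOCSP(use_ocsp_cache_server=False, use_fail_open=False)
        connection = _openssl_connect(hostname)

        with pytest.raises(RevocationCheckError) as ex:
            ocsp.validate(hostname, connection)

        assert ex.value.errno == ER_INVALID_OCSP_RESPONSE_CODE, "Connection should have failed"
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_URL']
        del environ['SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT']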
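def test_ocsp_bad_validity():
    """
    A response with a bad validity period must still pass under fail-open.

    ``SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY`` (named for forcing a bad
    response validity window in test mode) is set, ``use_fail_open`` is left
    at its default, and ``validate`` is expected to return truthy.

    The environment overrides are removed in ``finally``; previously an
    assertion failure skipped the ``del`` lines and left test mode enabled
    for every later test in the process.
    """
    hostname = "snowflake.okta.com"
    SnowflakeOCSP.clear_cache()

    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY"] = "true"
    try:
        OCSPCache.del_cache_file()

        ocsp = SFOCSP(use_ocsp_cache_server=False)
        connection = _openssl_connect(hostname)

        assert ocsp.validate(hostname, connection), "Connection should have passed with fail open"
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY']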
def _store_cache_in_file(tmpdir, target_hosts=None, filename=None):
    """
    Validate ``target_hosts`` with the cache server disabled so that their
    OCSP responses are written to a file cache, and report where.

    :param tmpdir: directory (pytest ``tmpdir`` or anything ``str()`` accepts)
        used when ``filename`` is not given.
    :param target_hosts: hosts to validate; defaults to ``TARGET_HOSTS``.
    :param filename: cache file path; defaults to ``cache_file.txt`` in tmpdir.
    :return: ``(filename, target_hosts)`` as actually used.
    :raises AssertionError: if a host fails validation or no cache file exists
        afterwards.
    """
    hosts = TARGET_HOSTS if target_hosts is None else target_hosts
    cache_path = filename
    if cache_path is None:
        cache_path = path.join(str(tmpdir), 'cache_file.txt')

    # Start from an empty memory cache before populating the file cache.
    SnowflakeOCSP.clear_cache()
    validator = SFOCSP(ocsp_response_cache_uri='file://' + cache_path,
                       use_ocsp_cache_server=False)
    for hostname in hosts:
        conn = _openssl_connect(hostname)
        assert validator.validate(hostname, conn), \
            'Failed to validate: {}'.format(hostname)
    assert path.exists(cache_path), "OCSP response cache file"
    return cache_path, hosts
def _store_cache_in_file(tmpdir, target_hosts=None):
    """
    Populate an OCSP response file cache under ``tmpdir`` and return its path.

    Points ``SF_OCSP_RESPONSE_CACHE_DIR`` at ``tmpdir`` and resets the cache
    directory, then validates every host with the cache server disabled so
    the responses end up in ``ocsp_response_cache.json``.

    NOTE: the environment variable is left set on return; callers that need
    the original value are responsible for restoring it.

    :param tmpdir: directory for the cache file (anything ``str()`` accepts).
    :param target_hosts: hosts to validate; defaults to ``TARGET_HOSTS``.
    :return: ``(filename, target_hosts)`` as actually used.
    :raises AssertionError: if a host fails validation or no cache file exists
        afterwards.
    """
    hosts = TARGET_HOSTS if target_hosts is None else target_hosts
    cache_dir = str(tmpdir)
    os.environ['SF_OCSP_RESPONSE_CACHE_DIR'] = cache_dir
    OCSPCache.reset_cache_dir()
    cache_path = path.join(cache_dir, 'ocsp_response_cache.json')

    # Start from an empty memory cache before populating the file cache.
    SnowflakeOCSP.clear_cache()
    validator = SFOCSP(ocsp_response_cache_uri='file://' + cache_path,
                       use_ocsp_cache_server=False)
    for hostname in hosts:
        conn = _openssl_connect(hostname)
        assert validator.validate(hostname, conn), \
            'Failed to validate: {}'.format(hostname)
    assert path.exists(cache_path), "OCSP response cache file"
    return cache_path, hosts
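def test_ocsp_fail_open_w_single_endpoint():
    """
    Fail-open: a responder that does not answer in time must not break
    validation.

    Test mode points the responder URL at a 10 s delay endpoint while the
    responder connection timeout is 5 s; ``use_fail_open`` is left at its
    default and ``validate`` is expected to return truthy.  Relies on the
    external httpbin.org service being reachable.

    The test-mode environment variables are process-global, so they are
    removed in ``finally`` on every exit path.  Previously ``SFOCSP(...)`` and
    ``_openssl_connect(...)`` ran before the ``try``; an exception from either
    would have leaked the overrides into later tests.
    """
    hostname = "snowflake.okta.com"
    SnowflakeOCSP.clear_cache()

    OCSPCache.del_cache_file()

    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_URL"] = "http://httpbin.org/delay/10"
    environ["SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"] = "5"
    try:
        ocsp = SFOCSP(use_ocsp_cache_server=False)
        connection = _openssl_connect(hostname)

        assert ocsp.validate(hostname, connection), \
            'Failed to validate: {}'.format(hostname)
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_URL']
        del environ['SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT']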
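def test_ocsp_wo_cache_file():
    """
    OCSP tests without File cache.
    NOTE: Use /etc as a readonly directory such that no cache file is used.
    NOTE(review): /etc is only read-only for an unprivileged user; when the
    suite runs as root a cache file may still be written there, so this test
    should not run with elevated privileges.
    """
    # reset the memory cache
    SnowflakeOCSP.clear_cache()
    OCSPCache.del_cache_file()
    environ['SF_OCSP_RESPONSE_CACHE_DIR'] = '/etc'
    try:
        # Inside the try so that a failure in reset_cache_dir() still reaches
        # the cleanup below instead of leaking the /etc override to later tests.
        OCSPCache.reset_cache_dir()
        ocsp = SFOCSP()
        for url in TARGET_HOSTS:
            connection = _openssl_connect(url)
            assert ocsp.validate(url, connection), \
                'Failed to validate: {}'.format(url)
    finally:
        del environ['SF_OCSP_RESPONSE_CACHE_DIR']
        OCSPCache.reset_cache_dir()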