def assert_ssl_error(virtual_server_setup):
    """Check that fetching the certificate for the virtual server host raises SSLError.

    The certificate subject is requested for ``virtual_server_setup.vs_host``
    on the public endpoint's SSL port. If the call returns normally the test
    is failed through ``pytest.fail``. Only ``SSLError`` is handled here; any
    other exception raised by the call propagates to the caller.

    NOTE(review): every SSLError satisfies this check. It does not look at
    the error's reason, so it cannot tell one handshake failure from another.
    """
    endpoint = virtual_server_setup.public_endpoint
    try:
        get_server_certificate_subject(
            endpoint.public_ip,
            virtual_server_setup.vs_host,
            endpoint.port_ssl,
        )
    except SSLError:
        print("The expected error was caught. Continue.")
    else:
        # Reaching this branch means the call succeeded, which is the failure case.
        pytest.fail("We expected an SSLError here, but didn't get it or got another error. Exiting...")
def assert_unrecognized_name_error(endpoint, host):
    """Check that requesting ``host`` on the endpoint is rejected by name.

    The certificate subject is requested for ``host`` on the endpoint's SSL
    port and the call must raise ``SSLError`` whose ``library`` contains
    "SSL" and whose ``reason`` contains "TLSV1_UNRECOGNIZED_NAME". If the
    call returns normally the test is failed through ``pytest.fail``; other
    exception types propagate unchanged.
    """
    try:
        get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
    except SSLError as err:
        # Checking library and reason pins the failure to the specific
        # unrecognized-name condition instead of accepting any TLS error.
        assert "SSL" in err.library
        assert "TLSV1_UNRECOGNIZED_NAME" in err.reason
    else:
        pytest.fail(
            "We expected an SSLError here, but didn't get it or got another error. Exiting..."
        )
def assert_gb_subject(endpoint, host):
    """Assert that the certificate served for ``host`` carries the GB subject.

    Compares the C, ST, O and CN entries of the subject returned by
    ``get_server_certificate_subject``; keys and values are bytes.

    NOTE(review): only these subject fields are compared. Whether the helper
    validates the chain or expiry is not visible here, so a pass means "this
    certificate is being served", not "this certificate is trusted".
    """
    expected_fields = (
        (b'C', b'GB'),
        (b'ST', b'Cambridgeshire'),
        (b'O', b'nginx'),
        (b'CN', b'cafe.example.com'),
    )
    served_subject = get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
    for field, value in expected_fields:
        assert served_subject[field] == value
def assert_us_subject(endpoint, host):
    """Assert that the certificate served for ``host`` carries the US subject.

    Compares the C, ST, O and CN entries of the subject returned by
    ``get_server_certificate_subject``; keys and values are bytes.

    NOTE(review): only these subject fields are compared. Whether the helper
    validates the chain or expiry is not visible here, so a pass means "this
    certificate is being served", not "this certificate is trusted".
    """
    expected_fields = (
        (b'C', b'US'),
        (b'ST', b'CA'),
        (b'O', b'Internet Widgits Pty Ltd'),
        (b'CN', b'cafe.example.com'),
    )
    served_subject = get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
    for field, value in expected_fields:
        assert served_subject[field] == value
def assert_gb_subject(virtual_server_setup):
    """Assert that the virtual server host is served the GB certificate.

    The subject is fetched for ``virtual_server_setup.vs_host`` on the public
    endpoint's SSL port, and its C, ST, O and CN entries (bytes keys and
    values) are compared with the expected GB values.
    """
    endpoint = virtual_server_setup.public_endpoint
    served_subject = get_server_certificate_subject(
        endpoint.public_ip,
        virtual_server_setup.vs_host,
        endpoint.port_ssl,
    )
    # Subject-only check: it identifies which certificate is served and says
    # nothing about chain validity.
    for field, value in (
        (b'C', b'GB'),
        (b'ST', b'Cambridgeshire'),
        (b'O', b'nginx'),
        (b'CN', b'cafe.example.com'),
    ):
        assert served_subject[field] == value
def assert_us_subject(virtual_server_setup):
    """Assert that the virtual server host is served the US certificate.

    The subject is fetched for ``virtual_server_setup.vs_host`` on the public
    endpoint's SSL port, and its C, ST, O and CN entries (bytes keys and
    values) are compared with the expected US values.
    """
    endpoint = virtual_server_setup.public_endpoint
    served_subject = get_server_certificate_subject(
        endpoint.public_ip,
        virtual_server_setup.vs_host,
        endpoint.port_ssl,
    )
    # Subject-only check: it identifies which certificate is served and says
    # nothing about chain validity.
    for field, value in (
        (b'C', b'US'),
        (b'ST', b'CA'),
        (b'O', b'Internet Widgits Pty Ltd'),
        (b'CN', b'cafe.example.com'),
    ):
        assert served_subject[field] == value
def test_certificate_subject(self, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup):
    """Verify the subject of the certificate served for the ingress host.

    Expects C=ES, ST=CanaryIslands, O=nginx, OU=example.com and
    CN=example.com (compared as bytes).
    """
    # wildcard_tls_secret_ingress_controller is not referenced in the body;
    # presumably it is requested as a fixture for its setup - confirm.
    endpoint = wildcard_tls_secret_setup.public_endpoint
    served_subject = get_server_certificate_subject(
        endpoint.public_ip,
        wildcard_tls_secret_setup.ingress_host,
        endpoint.port_ssl,
    )
    expected_fields = (
        (b'C', b'ES'),
        (b'ST', b'CanaryIslands'),
        (b'O', b'nginx'),
        (b'OU', b'example.com'),
        (b'CN', b'example.com'),
    )
    for field, value in expected_fields:
        assert served_subject[field] == value
def test_certificate_subject(self, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup):
    """Verify the subject of the certificate served for the ingress host.

    Expects C=ES, ST=CanaryIslands, O=nginx, OU=example.com and
    CN=example.com (compared as bytes).
    """
    # wildcard_tls_secret_ingress_controller is not referenced in the body;
    # presumably it is requested as a fixture for its setup - confirm.
    setup = wildcard_tls_secret_setup
    served_subject = get_server_certificate_subject(
        setup.public_endpoint.public_ip,
        setup.ingress_host,
        setup.public_endpoint.port_ssl,
    )
    for field, value in (
        (b'C', b'ES'),
        (b'ST', b'CanaryIslands'),
        (b'O', b'nginx'),
        (b'OU', b'example.com'),
        (b'CN', b'example.com'),
    ):
        assert served_subject[field] == value
def test_certificate_subject_updates_after_secret_update(self, kube_apis, ingress_controller_prerequisites,
                                                         wildcard_tls_secret_ingress_controller,
                                                         wildcard_tls_secret_setup):
    """Verify the served certificate changes after the secret is replaced.

    The secret named by ``wildcard_tls_secret_ingress_controller.secret_name``
    is replaced from ``gb-wildcard-tls-secret.yaml``; afterwards the subject
    served for the ingress host must be C=GB, ST=Cambridgeshire,
    CN=cafe.example.com.
    """
    replace_secret(
        kube_apis.v1,
        wildcard_tls_secret_ingress_controller.secret_name,
        ingress_controller_prerequisites.namespace,
        f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml",
    )
    # Fixed pause before probing (argument 1, presumably seconds). The check
    # below has no retry, so it relies on the change being live by then.
    wait_before_test(1)
    endpoint = wildcard_tls_secret_setup.public_endpoint
    served_subject = get_server_certificate_subject(
        endpoint.public_ip,
        wildcard_tls_secret_setup.ingress_host,
        endpoint.port_ssl,
    )
    for field, value in (
        (b'C', b'GB'),
        (b'ST', b'Cambridgeshire'),
        (b'CN', b'cafe.example.com'),
    ):
        assert served_subject[field] == value
def test_certificate_subject_remains_with_invalid_secret(self, kube_apis, ingress_controller_prerequisites,
                                                         wildcard_tls_secret_ingress_controller,
                                                         wildcard_tls_secret_setup):
    """Verify the served certificate is unchanged after an invalid secret is applied.

    The secret is replaced from ``invalid-wildcard-tls-secret.yaml``; the
    subject served for the ingress host must still be C=ES, ST=CanaryIslands,
    CN=example.com.
    """
    replace_secret(
        kube_apis.v1,
        wildcard_tls_secret_ingress_controller.secret_name,
        ingress_controller_prerequisites.namespace,
        f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml",
    )
    # Fixed pause before probing (argument 1, presumably seconds).
    # NOTE(review): an "unchanged" result is also what a probe made before the
    # update was processed would see, so this check depends on the pause being
    # long enough.
    wait_before_test(1)
    endpoint = wildcard_tls_secret_setup.public_endpoint
    served_subject = get_server_certificate_subject(
        endpoint.public_ip,
        wildcard_tls_secret_setup.ingress_host,
        endpoint.port_ssl,
    )
    for field, value in (
        (b'C', b'ES'),
        (b'ST', b'CanaryIslands'),
        (b'CN', b'example.com'),
    ):
        assert served_subject[field] == value
def test_certificate_subject_remains_with_invalid_secret(self, kube_apis, ingress_controller_prerequisites,
                                                         wildcard_tls_secret_ingress_controller,
                                                         wildcard_tls_secret_setup):
    """Verify the served certificate is unchanged after an invalid secret is applied.

    The secret is replaced from ``invalid-wildcard-tls-secret.yaml``; the
    subject served for the ingress host must still be C=ES, ST=CanaryIslands,
    CN=example.com.
    """
    invalid_manifest = f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml"
    replace_secret(
        kube_apis.v1,
        wildcard_tls_secret_ingress_controller.secret_name,
        ingress_controller_prerequisites.namespace,
        invalid_manifest,
    )
    # Fixed pause before probing (argument 1, presumably seconds).
    # NOTE(review): an "unchanged" result is also what a probe made before the
    # update was processed would see, so this check depends on the pause being
    # long enough.
    wait_before_test(1)
    setup = wildcard_tls_secret_setup
    served_subject = get_server_certificate_subject(
        setup.public_endpoint.public_ip,
        setup.ingress_host,
        setup.public_endpoint.port_ssl,
    )
    expected_fields = ((b'C', b'ES'), (b'ST', b'CanaryIslands'), (b'CN', b'example.com'))
    for field, value in expected_fields:
        assert served_subject[field] == value
def test_certificate_subject_updates_after_secret_update(self, kube_apis, ingress_controller_prerequisites,
                                                         wildcard_tls_secret_ingress_controller,
                                                         wildcard_tls_secret_setup):
    """Verify the served certificate changes after the secret is replaced.

    The secret named by ``wildcard_tls_secret_ingress_controller.secret_name``
    is replaced from ``gb-wildcard-tls-secret.yaml``; afterwards the subject
    served for the ingress host must be C=GB, ST=Cambridgeshire,
    CN=cafe.example.com.
    """
    gb_manifest = f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml"
    replace_secret(
        kube_apis.v1,
        wildcard_tls_secret_ingress_controller.secret_name,
        ingress_controller_prerequisites.namespace,
        gb_manifest,
    )
    # Fixed pause before probing (argument 1, presumably seconds). The check
    # below has no retry, so it relies on the change being live by then.
    wait_before_test(1)
    setup = wildcard_tls_secret_setup
    served_subject = get_server_certificate_subject(
        setup.public_endpoint.public_ip,
        setup.ingress_host,
        setup.public_endpoint.port_ssl,
    )
    expected_fields = ((b'C', b'GB'), (b'ST', b'Cambridgeshire'), (b'CN', b'cafe.example.com'))
    for field, value in expected_fields:
        assert served_subject[field] == value
def test_response_and_subject_remains_after_secret_delete(self, kube_apis, ingress_controller_prerequisites,
                                                          wildcard_tls_secret_ingress_controller,
                                                          wildcard_tls_secret_setup):
    """Verify HTTPS traffic and the served certificate survive deletion of the secret.

    After the secret is deleted, a GET to ``/backend1`` must return 200 and
    the subject served for the ingress host must still be C=GB,
    ST=Cambridgeshire, CN=cafe.example.com.
    """
    delete_secret(
        kube_apis.v1,
        wildcard_tls_secret_ingress_controller.secret_name,
        ingress_controller_prerequisites.namespace,
    )
    # Fixed pause before probing (argument 1, presumably seconds).
    wait_before_test(1)
    endpoint = wildcard_tls_secret_setup.public_endpoint
    ingress_host = wildcard_tls_secret_setup.ingress_host
    req_url = f"https://{endpoint.public_ip}:{endpoint.port_ssl}/backend1"
    # verify=False turns off certificate validation for this request, so the
    # 200 alone proves nothing about which certificate was presented; that is
    # what the subject comparison below covers. Keep this flag confined to
    # test traffic.
    resp = requests.get(req_url, headers={"host": ingress_host}, verify=False)
    assert resp.status_code == 200
    served_subject = get_server_certificate_subject(endpoint.public_ip, ingress_host, endpoint.port_ssl)
    for field, value in (
        (b'C', b'GB'),
        (b'ST', b'Cambridgeshire'),
        (b'CN', b'cafe.example.com'),
    ):
        assert served_subject[field] == value
def test_response_and_subject_remains_after_secret_delete(self, kube_apis, ingress_controller_prerequisites,
                                                          wildcard_tls_secret_ingress_controller,
                                                          wildcard_tls_secret_setup):
    """Verify HTTPS traffic and the served certificate survive deletion of the secret.

    After the secret is deleted, a GET to ``/backend1`` must return 200 and
    the subject served for the ingress host must still be C=GB,
    ST=Cambridgeshire, CN=cafe.example.com.
    """
    delete_secret(
        kube_apis.v1,
        wildcard_tls_secret_ingress_controller.secret_name,
        ingress_controller_prerequisites.namespace,
    )
    # Fixed pause before probing (argument 1, presumably seconds).
    wait_before_test(1)
    setup = wildcard_tls_secret_setup
    req_url = f"https://{setup.public_endpoint.public_ip}:{setup.public_endpoint.port_ssl}/backend1"
    # verify=False turns off certificate validation for this request, so the
    # 200 alone proves nothing about which certificate was presented; that is
    # what the subject comparison below covers. Keep this flag confined to
    # test traffic.
    resp = requests.get(req_url, headers={"host": setup.ingress_host}, verify=False)
    assert resp.status_code == 200
    served_subject = get_server_certificate_subject(
        setup.public_endpoint.public_ip,
        setup.ingress_host,
        setup.public_endpoint.port_ssl,
    )
    expected_fields = ((b'C', b'GB'), (b'ST', b'Cambridgeshire'), (b'CN', b'cafe.example.com'))
    for field, value in expected_fields:
        assert served_subject[field] == value
def assert_cn(endpoint, cn):
    """Assert that the certificate served on the endpoint has common name ``cn``.

    ``cn`` is a str; it is ASCII-encoded before being compared with the
    bytes value stored under ``b'CN'`` in the returned subject.
    """
    # The host name passed to the helper is a placeholder: any host would work.
    placeholder_host = "random"
    served_subject = get_server_certificate_subject(endpoint.public_ip, placeholder_host, endpoint.port_ssl)
    served_cn = served_subject[b'CN']
    assert served_cn == cn.encode('ascii')