def test_custom_certificates(self):
# Upload a certificate.
cert_contents, _ = generate_test_cert(hostname="somecoolhost",
san_list=["DNS:bar", "DNS:baz"])
self.postResponse(
SuperUserCustomCertificate,
params=dict(certpath="testcert.crt"),
file=(StringIO(cert_contents), "testcert.crt"),
expected_code=204,
)
# Make sure it is present.
json = self.getJsonResponse(SuperUserCustomCertificates)
self.assertEqual(1, len(json["certs"]))
cert_info = json["certs"][0]
self.assertEqual("testcert.crt", cert_info["path"])
self.assertEqual(set(["somecoolhost", "bar", "baz"]),
set(cert_info["names"]))
self.assertFalse(cert_info["expired"])
# Remove the certificate.
self.deleteResponse(SuperUserCustomCertificate,
params=dict(certpath="testcert.crt"))
# Make sure it is gone.
json = self.getJsonResponse(SuperUserCustomCertificates)
self.assertEqual(0, len(json["certs"]))
def test_path_sanitization(self):
# Upload a certificate.
cert_contents, _ = generate_test_cert(hostname='somecoolhost', expires=-10)
self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert/../foobar.crt'),
file=(StringIO(cert_contents), 'testcert/../foobar.crt'), expected_code=204)
# Make sure it is present.
json = self.getJsonResponse(SuperUserCustomCertificates)
self.assertEquals(1, len(json['certs']))
cert_info = json['certs'][0]
self.assertEquals('foobar.crt', cert_info['path'])
def test_path_sanitization(self):
# Upload a certificate.
cert_contents, _ = generate_test_cert(hostname="somecoolhost",
expires=-10)
self.postResponse(
SuperUserCustomCertificate,
params=dict(certpath="testcert/../foobar.crt"),
file=(StringIO(cert_contents), "testcert/../foobar.crt"),
expected_code=204,
)
# Make sure it is present.
json = self.getJsonResponse(SuperUserCustomCertificates)
self.assertEqual(1, len(json["certs"]))
cert_info = json["certs"][0]
self.assertEqual("foobar.crt", cert_info["path"])
def test_expired_custom_certificate(self):
# Upload a certificate.
cert_contents, _ = generate_test_cert(hostname="somecoolhost",
expires=-10)
self.postResponse(
SuperUserCustomCertificate,
params=dict(certpath="testcert.crt"),
file=(StringIO(cert_contents), "testcert.crt"),
expected_code=204,
)
# Make sure it is present.
json = self.getJsonResponse(SuperUserCustomCertificates)
self.assertEquals(1, len(json["certs"]))
cert_info = json["certs"][0]
self.assertEquals("testcert.crt", cert_info["path"])
self.assertEquals(set(["somecoolhost"]), set(cert_info["names"]))
self.assertTrue(cert_info["expired"])
def test_custom_certificates(self):
# Upload a certificate.
cert_contents, _ = generate_test_cert(hostname='somecoolhost', san_list=['DNS:bar', 'DNS:baz'])
self.postResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'),
file=(StringIO(cert_contents), 'testcert.crt'), expected_code=204)
# Make sure it is present.
json = self.getJsonResponse(SuperUserCustomCertificates)
self.assertEquals(1, len(json['certs']))
cert_info = json['certs'][0]
self.assertEquals('testcert.crt', cert_info['path'])
self.assertEquals(set(['somecoolhost', 'bar', 'baz']), set(cert_info['names']))
self.assertFalse(cert_info['expired'])
# Remove the certificate.
self.deleteResponse(SuperUserCustomCertificate, params=dict(certpath='testcert.crt'))
# Make sure it is gone.
json = self.getJsonResponse(SuperUserCustomCertificates)
self.assertEquals(0, len(json['certs']))
)
def test_skip_validate_ssl(unvalidated_config, app):
validator = SSLValidator()
validator.validate(ValidatorContext(unvalidated_config))
@pytest.mark.parametrize(
"cert, server_hostname, expected_error, error_message",
[
(
("invalidcert", "invalidkey"),
"someserver",
ConfigValidationException,
"Could not load SSL certificate: no start line",
),
(generate_test_cert(hostname="someserver"), "someserver", None, None),
(
generate_test_cert(hostname="invalidserver"),
"someserver",
ConfigValidationException,
'Supported names "invalidserver" in SSL cert do not match server hostname "someserver"',
),
(generate_test_cert(hostname="someserver"), "someserver:1234", None,
None),
(
generate_test_cert(hostname="invalidserver"),
"someserver:1234",
ConfigValidationException,
'Supported names "invalidserver" in SSL cert do not match server hostname "someserver"',
),
(
from test.fixtures import *
from app import config_provider
@pytest.mark.parametrize('unvalidated_config', [
({}),
({'PREFERRED_URL_SCHEME': 'http'}),
({'PREFERRED_URL_SCHEME': 'https', 'EXTERNAL_TLS_TERMINATION': True}),
])
def test_skip_validate_ssl(unvalidated_config, app):
validator = SSLValidator()
validator.validate(ValidatorContext(unvalidated_config))
@pytest.mark.parametrize('cert, server_hostname, expected_error, error_message', [
('invalidcert', 'someserver', ConfigValidationException, 'Could not load SSL certificate: no start line'),
(generate_test_cert(hostname='someserver'), 'someserver', None, None),
(generate_test_cert(hostname='invalidserver'), 'someserver', ConfigValidationException,
'Supported names "invalidserver" in SSL cert do not match server hostname "someserver"'),
(generate_test_cert(hostname='someserver'), 'someserver:1234', None, None),
(generate_test_cert(hostname='invalidserver'), 'someserver:1234', ConfigValidationException,
'Supported names "invalidserver" in SSL cert do not match server hostname "someserver"'),
(generate_test_cert(hostname='someserver:1234'), 'someserver:1234', ConfigValidationException,
'Supported names "someserver:1234" in SSL cert do not match server hostname "someserver"'),
(generate_test_cert(hostname='someserver:more'), 'someserver:more', None, None),
(generate_test_cert(hostname='someserver:more'), 'someserver:more:1234', None, None),
])
def test_validate_ssl(cert, server_hostname, expected_error, error_message, app):
with NamedTemporaryFile(delete=False) as cert_file:
cert_file.write(cert[0])
cert_file.seek(0)