def test_setting_signature_doesnt_change_canonical_json(self):
recipe = RecipeFactory(name="unchanged", signed=False)
serialized = recipe.canonical_json()
recipe.signature = SignatureFactory()
recipe.save()
assert recipe.signature is not None
assert recipe.canonical_json() == serialized
def test_it_works(self):
signature = SignatureFactory()
serializer = SignatureSerializer(instance=signature)
assert serializer.data == {
'signature': Whatever.regex(r'[a-f0-9]{40}'),
'x5u': Whatever.startswith(signature.x5u),
'timestamp': Whatever.iso8601(),
'public_key': Whatever.regex(r'[a-zA-Z0-9/+]{160}')
}
def test_it_works(self):
signature = SignatureFactory()
serializer = SignatureSerializer(instance=signature)
assert serializer.data == {
"signature": Whatever.regex(r"[a-f0-9]{40}"),
"x5u": Whatever.startswith(signature.x5u),
"timestamp": Whatever.iso8601(),
"public_key": Whatever.regex(r"[a-zA-Z0-9/+]{160}"),
}
def test_it_ignores_signatures_not_in_use(self, mocker, settings):
settings.CERTIFICATES_EXPIRE_EARLY_DAYS = None
recipe = RecipeFactory(signed=True)
SignatureFactory(x5u='https://example.com/bad_x5u') # unused signature
mock_verify_x5u = mocker.patch('normandy.recipes.checks.signing.verify_x5u')
def side_effect(x5u, *args):
if 'bad' in x5u:
raise signing.BadCertificate('testing exception')
return True
mock_verify_x5u.side_effect = side_effect
errors = checks.signatures_use_good_certificates(None)
mock_verify_x5u.assert_called_once_with(recipe.signature.x5u, None)
assert errors == []
def test_it_cachebusts_x5u(self, settings):
signature = SignatureFactory()
# If none, do not cache bust
settings.AUTOGRAPH_X5U_CACHE_BUST = None
serializer = SignatureSerializer(instance=signature)
url_parts = list(urlparse.urlparse(serializer.data['x5u']))
query = urlparse.parse_qs(url_parts[4])
assert 'cachebust' not in query
# If set, cachebust using the value
settings.AUTOGRAPH_X5U_CACHE_BUST = 'new'
serializer = SignatureSerializer(instance=signature)
url_parts = list(urlparse.urlparse(serializer.data['x5u']))
query = urlparse.parse_qs(url_parts[4])
assert 'cachebust' in query
assert len(query['cachebust']) == 1
assert query['cachebust'][0] == 'new'
def load_data(self):
recipe = console_log('ErrorInvalidSignature executed', extra_filter_expression='true')
recipe.signature = SignatureFactory.create(data='blockbuster night part 1'.encode())
recipe.save()
def test_cant_change_signature_and_other_fields(self):
recipe = RecipeFactory(name="unchanged", signed=False)
recipe.signature = SignatureFactory()
with pytest.raises(ValidationError) as exc_info:
recipe.revise(name="changed")
assert exc_info.value.message == "Signatures must change alone"
