Esempio n. 1
def assert_ssl_error(virtual_server_setup):
    """Fail the test unless fetching the server certificate raises SSLError.

    The certificate subject is requested for ``vs_host`` on the public
    endpoint's SSL port. Only SSLError is handled; any other exception
    propagates to the caller.
    """
    try:
        endpoint = virtual_server_setup.public_endpoint
        get_server_certificate_subject(endpoint.public_ip,
                                       virtual_server_setup.vs_host,
                                       endpoint.port_ssl)
    except SSLError:
        # NOTE(review): any SSLError satisfies this check, so it does not
        # show *why* the handshake failed. Where the rejection reason
        # matters, assert on the error's details as well.
        print("The expected error was caught. Continue.")
    else:
        # The call completed, so the handshake was not rejected.
        pytest.fail("We expected an SSLError here, but didn't get it or got another error. Exiting...")
Esempio n. 2
def assert_unrecognized_name_error(endpoint, host):
    """Assert that a certificate fetch for ``host`` fails with an unrecognized-name error.

    The fetch must raise SSLError whose ``library`` contains "SSL" and whose
    ``reason`` contains "TLSV1_UNRECOGNIZED_NAME". Checking the reason ties
    the failure to the server refusing the requested name rather than to an
    arbitrary TLS error.
    """
    try:
        get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
    except SSLError as tls_error:
        # presumably ssl.SSLError, which exposes .library and .reason -- TODO confirm import
        assert "SSL" in tls_error.library
        assert "TLSV1_UNRECOGNIZED_NAME" in tls_error.reason
    else:
        # A completed fetch means the server accepted the name.
        pytest.fail(
            "We expected an SSLError here, but didn't get it or got another error. Exiting..."
        )
Esempio n. 3
def assert_gb_subject(endpoint, host):
    """Assert that the certificate served for ``host`` carries the GB test subject.

    Compares the C, ST, O and CN subject fields (bytes keys and values)
    against fixed expectations, in that order.
    """
    served = get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)

    # NOTE(review): subject fields tell the test certificates apart; they do
    # not authenticate a certificate, because any issuer can produce the same
    # subject. A fingerprint comparison would be the stricter check.
    wanted = {
        b'C': b'GB',
        b'ST': b'Cambridgeshire',
        b'O': b'nginx',
        b'CN': b'cafe.example.com',
    }
    for field, value in wanted.items():
        assert served[field] == value
Esempio n. 4
def assert_us_subject(endpoint, host):
    """Assert that the certificate served for ``host`` carries the US test subject.

    Compares the C, ST, O and CN subject fields (bytes keys and values)
    against fixed expectations, in that order.
    """
    served = get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)

    # Subject fields only distinguish the test certificates from each other;
    # they say nothing about who issued the certificate.
    wanted = (
        (b'C', b'US'),
        (b'ST', b'CA'),
        (b'O', b'Internet Widgits Pty Ltd'),
        (b'CN', b'cafe.example.com'),
    )
    for field, value in wanted:
        assert served[field] == value
Esempio n. 5
def assert_gb_subject(virtual_server_setup):
    """Assert that the virtual server's host is served the GB test certificate.

    The subject is fetched for ``vs_host`` on the public endpoint's SSL port
    and its C, ST, O and CN fields are compared with fixed byte strings.
    """
    endpoint = virtual_server_setup.public_endpoint
    served = get_server_certificate_subject(endpoint.public_ip,
                                            virtual_server_setup.vs_host,
                                            endpoint.port_ssl)
    # NOTE(review): this identifies the certificate by subject only; a
    # different certificate with the same subject would also pass.
    wanted = {
        b'C': b'GB',
        b'ST': b'Cambridgeshire',
        b'O': b'nginx',
        b'CN': b'cafe.example.com',
    }
    for field, value in wanted.items():
        assert served[field] == value
Esempio n. 6
def assert_us_subject(virtual_server_setup):
    """Assert that the virtual server's host is served the US test certificate.

    The subject is fetched for ``vs_host`` on the public endpoint's SSL port
    and its C, ST, O and CN fields are compared with fixed byte strings.
    """
    endpoint = virtual_server_setup.public_endpoint
    served = get_server_certificate_subject(endpoint.public_ip,
                                            virtual_server_setup.vs_host,
                                            endpoint.port_ssl)
    # Checked in a fixed order so the first mismatching field is the one reported.
    wanted = (
        (b'C', b'US'),
        (b'ST', b'CA'),
        (b'O', b'Internet Widgits Pty Ltd'),
        (b'CN', b'cafe.example.com'),
    )
    for field, value in wanted:
        assert served[field] == value
 def test_certificate_subject(self, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup):
     """Check the subject of the certificate served for the ingress host.

     Expects the ES test subject: C, ST, O, OU and CN are compared with
     fixed byte strings.
     """
     endpoint = wildcard_tls_secret_setup.public_endpoint
     served = get_server_certificate_subject(endpoint.public_ip,
                                             wildcard_tls_secret_setup.ingress_host,
                                             endpoint.port_ssl)
     # NOTE(review): a subject match shows which test certificate is being
     # served; it is not evidence that the certificate chains to a trusted CA.
     wanted = {
         b'C': b'ES',
         b'ST': b'CanaryIslands',
         b'O': b'nginx',
         b'OU': b'example.com',
         b'CN': b'example.com',
     }
     for field, value in wanted.items():
         assert served[field] == value
 def test_certificate_subject(self, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup):
     """Verify that the ingress host is served the certificate with the ES subject.

     The subject's C, ST, O, OU and CN fields must equal the fixed byte
     strings listed below.
     """
     endpoint = wildcard_tls_secret_setup.public_endpoint
     served = get_server_certificate_subject(endpoint.public_ip,
                                             wildcard_tls_secret_setup.ingress_host,
                                             endpoint.port_ssl)
     # Compared in a fixed order; a missing field raises KeyError rather
     # than an assertion failure.
     wanted = (
         (b'C', b'ES'),
         (b'ST', b'CanaryIslands'),
         (b'O', b'nginx'),
         (b'OU', b'example.com'),
         (b'CN', b'example.com'),
     )
     for field, value in wanted:
         assert served[field] == value
 def test_certificate_subject_updates_after_secret_update(
         self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
         wildcard_tls_secret_setup):
     """Replace the wildcard TLS secret and check that the served subject changes.

     The secret is replaced from gb-wildcard-tls-secret.yaml; afterwards the
     certificate served for the ingress host must carry the GB subject
     (C, ST and CN are checked).
     """
     replace_secret(
         kube_apis.v1,
         wildcard_tls_secret_ingress_controller.secret_name,
         ingress_controller_prerequisites.namespace,
         f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml",
     )
     # NOTE(review): fixed wait, presumably to let the new secret take
     # effect; a slower rollout would make the check below race.
     wait_before_test(1)
     endpoint = wildcard_tls_secret_setup.public_endpoint
     served = get_server_certificate_subject(endpoint.public_ip,
                                             wildcard_tls_secret_setup.ingress_host,
                                             endpoint.port_ssl)
     wanted = {
         b'C': b'GB',
         b'ST': b'Cambridgeshire',
         b'CN': b'cafe.example.com',
     }
     for field, value in wanted.items():
         assert served[field] == value
 def test_certificate_subject_remains_with_invalid_secret(
         self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
         wildcard_tls_secret_setup):
     """Replace the wildcard TLS secret with an invalid one and check the served subject.

     After replacing the secret from invalid-wildcard-tls-secret.yaml, the
     certificate served for the ingress host must still carry the ES
     subject (C, ST and CN are checked), i.e. the invalid secret must not
     end up being served.
     """
     replace_secret(
         kube_apis.v1,
         wildcard_tls_secret_ingress_controller.secret_name,
         ingress_controller_prerequisites.namespace,
         f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml",
     )
     # NOTE(review): with a fixed wait, "unchanged" and "not applied yet"
     # are indistinguishable -- presumably one second is long enough for
     # the controller to have processed the secret; TODO confirm.
     wait_before_test(1)
     endpoint = wildcard_tls_secret_setup.public_endpoint
     served = get_server_certificate_subject(endpoint.public_ip,
                                             wildcard_tls_secret_setup.ingress_host,
                                             endpoint.port_ssl)
     wanted = {
         b'C': b'ES',
         b'ST': b'CanaryIslands',
         b'CN': b'example.com',
     }
     for field, value in wanted.items():
         assert served[field] == value
 def test_certificate_subject_remains_with_invalid_secret(
         self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
         wildcard_tls_secret_setup):
     """Check that an invalid replacement secret does not change the served certificate.

     The secret is replaced from invalid-wildcard-tls-secret.yaml; the
     subject served for the ingress host is then expected to show the ES
     values for C, ST and CN.
     """
     replace_secret(
         kube_apis.v1,
         wildcard_tls_secret_ingress_controller.secret_name,
         ingress_controller_prerequisites.namespace,
         f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml",
     )
     # Fixed pause before probing; see wait_before_test for the unit.
     wait_before_test(1)
     endpoint = wildcard_tls_secret_setup.public_endpoint
     served = get_server_certificate_subject(endpoint.public_ip,
                                             wildcard_tls_secret_setup.ingress_host,
                                             endpoint.port_ssl)
     # NOTE(review): only the subject is compared, so this would not notice
     # a different certificate that happens to share these three fields.
     wanted = (
         (b'C', b'ES'),
         (b'ST', b'CanaryIslands'),
         (b'CN', b'example.com'),
     )
     for field, value in wanted:
         assert served[field] == value
 def test_certificate_subject_updates_after_secret_update(
         self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
         wildcard_tls_secret_setup):
     """Check that replacing the wildcard TLS secret changes the served certificate.

     The secret is replaced from gb-wildcard-tls-secret.yaml; the subject
     served for the ingress host is then expected to show the GB values
     for C, ST and CN.
     """
     replace_secret(
         kube_apis.v1,
         wildcard_tls_secret_ingress_controller.secret_name,
         ingress_controller_prerequisites.namespace,
         f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml",
     )
     # Fixed pause before probing the endpoint for the new certificate.
     wait_before_test(1)
     endpoint = wildcard_tls_secret_setup.public_endpoint
     served = get_server_certificate_subject(endpoint.public_ip,
                                             wildcard_tls_secret_setup.ingress_host,
                                             endpoint.port_ssl)
     wanted = (
         (b'C', b'GB'),
         (b'ST', b'Cambridgeshire'),
         (b'CN', b'cafe.example.com'),
     )
     for field, value in wanted:
         assert served[field] == value
 def test_response_and_subject_remains_after_secret_delete(
         self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
         wildcard_tls_secret_setup):
     """Delete the wildcard TLS secret and check that HTTPS keeps working.

     After the delete, a GET to /backend1 must return 200 and the
     certificate served for the ingress host must still carry the GB
     subject (C, ST and CN are checked).
     """
     delete_secret(
         kube_apis.v1,
         wildcard_tls_secret_ingress_controller.secret_name,
         ingress_controller_prerequisites.namespace,
     )
     wait_before_test(1)
     req_url = f"https://{wildcard_tls_secret_setup.public_endpoint.public_ip}:{wildcard_tls_secret_setup.public_endpoint.port_ssl}/backend1"
     # verify=False: the URL addresses the endpoint by IP and the host is
     # supplied only through the header, so hostname/chain verification is
     # switched off; the subject comparison below is what identifies the
     # certificate. NOTE(review): no timeout is passed, so a stalled
     # connection would hang the test.
     response = requests.get(req_url, headers={"host": wildcard_tls_secret_setup.ingress_host}, verify=False)
     assert response.status_code == 200
     endpoint = wildcard_tls_secret_setup.public_endpoint
     served = get_server_certificate_subject(endpoint.public_ip,
                                             wildcard_tls_secret_setup.ingress_host,
                                             endpoint.port_ssl)
     # NOTE(review): expecting the GB subject presumably relies on an
     # earlier test having swapped in the GB secret -- TODO confirm ordering.
     wanted = {
         b'C': b'GB',
         b'ST': b'Cambridgeshire',
         b'CN': b'cafe.example.com',
     }
     for field, value in wanted.items():
         assert served[field] == value
 def test_response_and_subject_remains_after_secret_delete(
         self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
         wildcard_tls_secret_setup):
     """Check that deleting the wildcard TLS secret leaves traffic and certificate intact.

     Once the secret is deleted, /backend1 must still answer 200 over HTTPS
     and the subject served for the ingress host must show the GB values
     for C, ST and CN.
     """
     delete_secret(
         kube_apis.v1,
         wildcard_tls_secret_ingress_controller.secret_name,
         ingress_controller_prerequisites.namespace,
     )
     # Fixed pause before probing the endpoint.
     wait_before_test(1)
     req_url = f"https://{wildcard_tls_secret_setup.public_endpoint.public_ip}:{wildcard_tls_secret_setup.public_endpoint.port_ssl}/backend1"
     # Certificate verification is disabled for this request, so the 200
     # alone says nothing about which certificate was presented; that is
     # covered by the subject comparison that follows.
     response = requests.get(req_url, headers={"host": wildcard_tls_secret_setup.ingress_host}, verify=False)
     assert response.status_code == 200
     endpoint = wildcard_tls_secret_setup.public_endpoint
     served = get_server_certificate_subject(endpoint.public_ip,
                                             wildcard_tls_secret_setup.ingress_host,
                                             endpoint.port_ssl)
     wanted = (
         (b'C', b'GB'),
         (b'ST', b'Cambridgeshire'),
         (b'CN', b'cafe.example.com'),
     )
     for field, value in wanted:
         assert served[field] == value
Esempio n. 15
def assert_cn(endpoint, cn):
    """Assert that the certificate served by ``endpoint`` has common name ``cn``.

    ``cn`` is a str; it is ASCII-encoded for comparison with the bytes value
    stored under b'CN' in the fetched subject.
    """
    # The host name passed to the fetch is a placeholder: per the original
    # author, any host would work for this check.
    placeholder_host = "random"
    served = get_server_certificate_subject(endpoint.public_ip, placeholder_host,
                                            endpoint.port_ssl)
    served_cn = served[b'CN']
    assert served_cn == cn.encode('ascii')