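def test_150_verify_keychain(self):
    """Exercise QgsAuthCertUtils.validateCertChain on the PKI fixture chains.

    Every fixture chain is rooted in a CA the test environment does not
    trust, so for each chain the expected outcome is:

    * no extra arguments            -> errors (untrusted root)
    * addRootCa=True                -> no errors (root taken from the chain)
    * addRootCa=True + wrong host   -> errors (adding the root must not
                                       bypass host-name verification)

    The localhost chain is additionally checked with the matching host
    name, which may validate only when addRootCa is True.
    """

    def errors_for(path, *extra):
        """Return the validation errors for the chain stored in *path*.

        *extra* is forwarded to validateCertChain as (hostName, addRootCa).
        """
        chain = QgsAuthCertUtils.certsFromFile(path)
        return QgsAuthCertUtils.validateCertChain(chain, *extra)

    def testChain(path):
        # An untrusted CA makes the chain invalid by default
        self.assertGreater(len(errors_for(path)), 0,
                           'chain with untrusted CA validated without addRootCa')
        # ... valid once the root from the chain itself is added
        self.assertEqual(len(errors_for(path, None, True)), 0,
                         'chain did not validate with addRootCa=True')
        # ... but still invalid when the host name does not match,
        # even though addRootCa is True
        self.assertGreater(len(errors_for(path, 'my.wrong.domain', True)), 0,
                           'non-matching host name accepted with addRootCa=True')

    for name in ('chain_subissuer-issuer-root.pem',
                 'localhost_ssl_w-chain.pem',
                 'fra_w-chain.pem'):
        testChain(PKIDATA + '/' + name)

    path = PKIDATA + '/localhost_ssl_w-chain.pem'
    # wrong host name + addRootCa=True -> invalid
    self.assertGreater(len(errors_for(path, 'my.wrong.domain', True)), 0,
                       'wrong host name accepted for localhost chain')
    # matching host name + addRootCa=True -> valid
    self.assertEqual(len(errors_for(path, 'localhost', True)), 0,
                     'localhost chain rejected with matching host name and addRootCa=True')
    # matching host name but addRootCa=False -> invalid, the root is still untrusted
    self.assertGreater(len(errors_for(path, 'localhost', False)), 0,
                       'localhost chain accepted without addRootCa')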
def testChain(path):
    """Validate the chain in *path* under three trust / host-name settings.

    The root CA of the fixture chain is untrusted, so the chain must be
    rejected by default, accepted once the root is taken from the chain
    itself (addRootCa=True), and rejected again when a non-matching host
    name is supplied even though the root was added.
    """
    def validate(*extra):
        # Re-read the file for every check so each call starts from
        # freshly parsed certificate objects
        certs = QgsAuthCertUtils.certsFromFile(path)
        return QgsAuthCertUtils.validateCertChain(certs, *extra)

    # untrusted root, no host name -> at least one error
    self.assertTrue(len(validate()) > 0)
    # root added from the chain -> clean
    self.assertTrue(len(validate(None, True)) == 0)
    # root added but host name does not match -> at least one error
    self.assertTrue(len(validate('my.wrong.domain', True)) > 0)
def mkPEMBundle(self, client_cert, client_key, password, chain):
    """Build a QgsPkiBundle from PEM fixture files located under PKIDATA.

    ``client_cert``, ``client_key`` and ``chain`` are file names relative
    to the PKIDATA directory; ``password`` is handed to
    QgsPkiBundle.fromPemPaths unchanged.
    """
    def under_pkidata(name):
        # Same "<PKIDATA>/<name>" concatenation the rest of the suite uses
        return '/'.join((PKIDATA, name))

    ca_chain = QgsAuthCertUtils.certsFromFile(under_pkidata(chain))
    return QgsPkiBundle.fromPemPaths(under_pkidata(client_cert),
                                     under_pkidata(client_key),
                                     password,
                                     ca_chain)
def test_070_servers(self):
    """Round-trip a custom SSL server config through the auth manager.

    A config for ``localhost:8443`` is built around the fixture server
    certificate, stored, looked up again by (certificate SHA, host:port),
    compared field by field with what was stored, and finally removed.
    Only the store / retrieve path is exercised; no TLS connection is
    opened here.  The permissive values (VerifyNone, ignored self-signed
    error, QSsl.TlsV1) are fixture data chosen so the round-trip is
    observable, not a recommended server configuration.
    """
    cert_file = os.path.join(PKIDATA, 'localhost_ssl_cert.pem')
    server_cert = QgsAuthCertUtils.certsFromFile(cert_file)[0]
    self.assertFalse(server_cert.isNull(), 'SSL server certificate is null')

    cert_sha = QgsAuthCertUtils.shaHexForCert(server_cert)
    hostport = 'localhost:8443'

    stored = QgsAuthConfigSslServer()
    stored.setSslCertificate(server_cert)
    stored.setSslHostPort(hostport)
    stored.setSslIgnoredErrorEnums([QSslError.SelfSignedCertificate])
    stored.setSslPeerVerifyMode(QSslSocket.VerifyNone)
    stored.setSslPeerVerifyDepth(3)
    stored.setSslProtocol(QSsl.TlsV1)
    self.assertFalse(stored.isNull(), 'SSL config is null')

    self.assertTrue(self.authm.storeSslCertCustomConfig(stored),
                    'Could not store SSL config')
    self.assertTrue(self.authm.existsSslCertCustomConfig(cert_sha, hostport),
                    'Could not verify storage of SSL config')
    self.assertIsNotNone(self.authm.getSslCertCustomConfigs(),
                         'Could not verify SSL config in all configs')

    # QgsAuthConfigSslServer looked up by the key it was stored under
    loaded = self.authm.getSslCertCustomConfig(cert_sha, hostport)
    self.assertFalse(loaded.isNull(), 'Could not retrieve SSL config')

    def same(getter, what):
        # Every getter must agree between the stored and the retrieved config
        self.assertEqual(getattr(stored, getter)(), getattr(loaded, getter)(),
                         what + ' of retrieved SSL config does not match')

    same('sslCertificate', 'Certificate')
    same('sslHostPort', 'HostPort')
    self.assertTrue(QSslError.SelfSignedCertificate in loaded.sslIgnoredErrorEnums(),
                    'IgnoredErrorEnums of retrieved SSL config does not match')
    same('sslPeerVerifyMode', 'PeerVerifyMode')
    same('sslPeerVerifyDepth', 'PeerVerifyDepth')
    same('sslProtocol', 'Protocol')

    self.assertTrue(self.authm.removeSslCertCustomConfig(cert_sha, hostport),
                    'Could not remove SSL config')
    self.assertFalse(self.authm.existsSslCertCustomConfig(cert_sha, hostport),
                     'Could not verify removal of SSL config')
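def test_040_authorities(self):
    """Check how CA certificates enter and leave the trusted-authorities cache.

    Three paths are exercised in order: a CA file configured through the
    ``cafile`` setting, removal of that setting, and CAs stored directly in
    the auth database.  After each step the caches are rebuilt and the
    fixture CAs are expected to be present, absent, and present again.
    """

    def rebuild_caches():
        # Both caches must be refreshed before the trusted list reflects a change
        self.assertTrue(self.authm.rebuildCaCertsCache(),
                        'Authorities cache could not be rebuilt')
        self.assertTrue(self.authm.rebuildTrustedCaCertsCache(),
                        'Authorities trust policy cache could not be rebuilt')

    def trusted_ca_certs():
        tr_certs = self.authm.getTrustedCaCerts()
        self.assertIsNotNone(tr_certs, 'Trusted authorities cache is empty')
        return tr_certs

    def all_cached(trusted):
        # True when every fixture CA is in the trusted cache
        return all(ca in trusted for ca in ca_certs)

    def any_cached(trusted):
        # True when at least one fixture CA is still in the trusted cache
        return any(ca in trusted for ca in ca_certs)

    # msg was previously built but not passed to the assertion
    self.assertIsNotNone(self.authm.getSystemRootCAs(), 'No system root CAs')

    # TODO: add more tests
    full_chain = 'chains_subissuer-issuer-root_issuer2-root2.pem'
    full_chain_path = os.path.join(PKIDATA, full_chain)

    # Load the fixture CAs once so every cache state is compared against them
    ca_certs = QgsAuthCertUtils.certsFromFile(full_chain_path)
    self.assertIsNotNone(ca_certs, 'Authorities file could not be parsed')
    self.assertEqual(len(ca_certs), 5, 'Authorities file parsed count is incorrect')

    # 1. CA file configured via the 'cafile' setting ('allow invalids' off)
    #    -> the file's CAs become trusted
    self.assertTrue(self.authm.storeAuthSetting('cafile', full_chain_path),
                    'Authority file path setting could not be stored')
    self.assertTrue(self.authm.storeAuthSetting('cafileallowinvalid', False),
                    "Authority file 'allow invalids' setting could not be stored")
    rebuild_caches()
    self.assertTrue(all_cached(trusted_ca_certs()),
                    'Authorities not in trusted authorities cache')

    # 2. Setting removed -> the CAs drop out of the trusted cache
    self.assertTrue(self.authm.removeAuthSetting('cafile'),
                    'Authority file path setting could not be removed')
    self.assertTrue(self.authm.removeAuthSetting('cafileallowinvalid'),
                    "Authority file 'allow invalids' setting could not be removed")
    rebuild_caches()
    self.assertFalse(any_cached(trusted_ca_certs()),
                     'Authorities still in trusted authorities cache')

    # 3. CAs stored directly in the auth database -> trusted again
    #    (message was previously built but not passed to the assertion)
    self.assertTrue(self.authm.storeCertAuthorities(ca_certs),
                    'Authority certs could not be stored in database')
    rebuild_caches()
    self.assertTrue(all_cached(trusted_ca_certs()),
                    'Stored authorities not in trusted authorities cache')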
def mkPEMBundle(self, client_cert, client_key, password, chain):
    """Build a QgsPkiBundle from PEM fixture files located under PKIDATA.

    ``client_cert``, ``client_key`` and ``chain`` are file names relative
    to the PKIDATA directory; ``password`` is forwarded to
    QgsPkiBundle.fromPemPaths as given.
    """
    # Resolve all three names with the "<PKIDATA>/<name>" convention at once
    cert_path, key_path, chain_path = [
        PKIDATA + '/' + name for name in (client_cert, client_key, chain)
    ]
    return QgsPkiBundle.fromPemPaths(
        cert_path,
        key_path,
        password,
        QgsAuthCertUtils.certsFromFile(chain_path))
def test_070_servers(self):
    """Round-trip a custom SSL server config through the auth manager.

    A config for ``localhost:8443`` is built around the fixture server
    certificate, stored, looked up again by (certificate SHA, host:port),
    compared field by field with what was stored, and finally removed.
    Only the store / retrieve path is exercised; no TLS connection is
    opened here.  The permissive values (VerifyNone, ignored self-signed
    error, QSsl.TlsV1_1) are fixture data chosen so the round-trip is
    observable, not a recommended server configuration.
    """
    cert_file = os.path.join(PKIDATA, 'localhost_ssl_cert.pem')
    server_cert = QgsAuthCertUtils.certsFromFile(cert_file)[0]
    self.assertFalse(server_cert.isNull(), 'SSL server certificate is null')

    cert_sha = QgsAuthCertUtils.shaHexForCert(server_cert)
    hostport = 'localhost:8443'

    stored = QgsAuthConfigSslServer()
    stored.setSslCertificate(server_cert)
    stored.setSslHostPort(hostport)
    stored.setSslIgnoredErrorEnums([QSslError.SelfSignedCertificate])
    stored.setSslPeerVerifyMode(QSslSocket.VerifyNone)
    stored.setSslPeerVerifyDepth(3)
    stored.setSslProtocol(QSsl.TlsV1_1)
    self.assertFalse(stored.isNull(), 'SSL config is null')

    self.assertTrue(self.authm.storeSslCertCustomConfig(stored),
                    'Could not store SSL config')
    self.assertTrue(self.authm.existsSslCertCustomConfig(cert_sha, hostport),
                    'Could not verify storage of SSL config')
    self.assertIsNotNone(self.authm.sslCertCustomConfigs(),
                         'Could not verify SSL config in all configs')

    # QgsAuthConfigSslServer looked up by the key it was stored under
    loaded = self.authm.sslCertCustomConfig(cert_sha, hostport)
    self.assertFalse(loaded.isNull(), 'Could not retrieve SSL config')

    def same(getter, what):
        # Every getter must agree between the stored and the retrieved config
        self.assertEqual(getattr(stored, getter)(), getattr(loaded, getter)(),
                         what + ' of retrieved SSL config does not match')

    same('sslCertificate', 'Certificate')
    same('sslHostPort', 'HostPort')
    self.assertTrue(QSslError.SelfSignedCertificate in loaded.sslIgnoredErrorEnums(),
                    'IgnoredErrorEnums of retrieved SSL config does not match')
    same('sslPeerVerifyMode', 'PeerVerifyMode')
    same('sslPeerVerifyDepth', 'PeerVerifyDepth')
    same('sslProtocol', 'Protocol')

    self.assertTrue(self.authm.removeSslCertCustomConfig(cert_sha, hostport),
                    'Could not remove SSL config')
    self.assertFalse(self.authm.existsSslCertCustomConfig(cert_sha, hostport),
                     'Could not verify removal of SSL config')
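def test_040_authorities(self):
    """Check how CA certificates enter and leave the trusted-authorities cache.

    Three paths are exercised in order: a CA file configured through the
    ``cafile`` setting, removal of that setting, and CAs stored directly in
    the auth database.  After each step the caches are rebuilt and the
    fixture CAs are expected to be present, absent, and present again.
    """

    def rebuild_caches():
        # Both caches must be refreshed before the trusted list reflects a change
        self.assertTrue(self.authm.rebuildCaCertsCache(),
                        'Authorities cache could not be rebuilt')
        self.assertTrue(self.authm.rebuildTrustedCaCertsCache(),
                        'Authorities trust policy cache could not be rebuilt')

    def trusted_ca_certs():
        tr_certs = self.authm.trustedCaCerts()
        self.assertIsNotNone(tr_certs, 'Trusted authorities cache is empty')
        return tr_certs

    def all_cached(trusted):
        # True when every fixture CA is in the trusted cache
        return all(ca in trusted for ca in ca_certs)

    def any_cached(trusted):
        # True when at least one fixture CA is still in the trusted cache
        return any(ca in trusted for ca in ca_certs)

    # msg was previously built but not passed to the assertion
    self.assertIsNotNone(self.authm.systemRootCAs(), 'No system root CAs')

    # TODO: add more tests
    full_chain = 'chains_subissuer-issuer-root_issuer2-root2.pem'
    full_chain_path = os.path.join(PKIDATA, full_chain)

    # Load the fixture CAs once so every cache state is compared against them
    ca_certs = QgsAuthCertUtils.certsFromFile(full_chain_path)
    self.assertIsNotNone(ca_certs, 'Authorities file could not be parsed')
    self.assertEqual(len(ca_certs), 5, 'Authorities file parsed count is incorrect')

    # 1. CA file configured via the 'cafile' setting ('allow invalids' off)
    #    -> the file's CAs become trusted
    self.assertTrue(self.authm.storeAuthSetting('cafile', full_chain_path),
                    'Authority file path setting could not be stored')
    self.assertTrue(self.authm.storeAuthSetting('cafileallowinvalid', False),
                    "Authority file 'allow invalids' setting could not be stored")
    rebuild_caches()
    self.assertTrue(all_cached(trusted_ca_certs()),
                    'Authorities not in trusted authorities cache')

    # 2. Setting removed -> the CAs drop out of the trusted cache
    self.assertTrue(self.authm.removeAuthSetting('cafile'),
                    'Authority file path setting could not be removed')
    self.assertTrue(self.authm.removeAuthSetting('cafileallowinvalid'),
                    "Authority file 'allow invalids' setting could not be removed")
    rebuild_caches()
    self.assertFalse(any_cached(trusted_ca_certs()),
                     'Authorities still in trusted authorities cache')

    # 3. CAs stored directly in the auth database -> trusted again
    #    (message was previously built but not passed to the assertion)
    self.assertTrue(self.authm.storeCertAuthorities(ca_certs),
                    'Authority certs could not be stored in database')
    rebuild_caches()
    self.assertTrue(all_cached(trusted_ca_certs()),
                    'Stored authorities not in trusted authorities cache')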