コード例 #1
    def test_150_verify_keychain(self):
        """Check validateCertChain against the bundled chain fixtures.

        The checks treat a non-empty result from validateCertChain as
        "chain rejected" and an empty result as "chain accepted".
        """

        def chain_errors(path, *extra):
            # Re-read the PEM file on every call and forward the optional
            # (host name, addRootCa) arguments unchanged.
            certs = QgsAuthCertUtils.certsFromFile(path)
            return QgsAuthCertUtils.validateCertChain(certs, *extra)

        # NOTE(review): addRootCa=True presumably trusts the chain's own root
        # for this one check, so an empty result shows the chain is
        # internally consistent, not that its CA is in the system trust
        # store -- confirm against validateCertChain.
        for fixture in ('/chain_subissuer-issuer-root.pem',
                        '/localhost_ssl_w-chain.pem',
                        '/fra_w-chain.pem'):
            chain_path = PKIDATA + fixture

            # Untrusted CA, default arguments: the chain is rejected.
            errors = chain_errors(chain_path)
            self.assertTrue(len(errors) > 0)

            # Untrusted CA with addRootCa=True and no host name: accepted.
            errors = chain_errors(chain_path, None, True)
            self.assertTrue(len(errors) == 0)

            # addRootCa=True but a wrong domain is set: rejected.
            errors = chain_errors(chain_path, 'my.wrong.domain', True)
            self.assertTrue(len(errors) > 0)

        localhost_chain = PKIDATA + '/localhost_ssl_w-chain.pem'

        # addRootCa=True and a wrong domain: rejected.
        errors = chain_errors(localhost_chain, 'my.wrong.domain', True)
        self.assertTrue(len(errors) > 0)

        # addRootCa=True and the right domain: accepted.
        errors = chain_errors(localhost_chain, 'localhost', True)
        self.assertTrue(len(errors) == 0)

        # addRootCa=False and the right domain: still rejected, because the
        # CA is untrusted.
        errors = chain_errors(localhost_chain, 'localhost', False)
        self.assertTrue(len(errors) > 0)
コード例 #2
        def testChain(path):
            """Run the three chain-validation checks on the PEM file at *path*.

            A non-empty result from validateCertChain is treated as
            "rejected", an empty one as "accepted".
            """
            # Untrusted CA, default arguments: the chain must be rejected.
            default_errors = QgsAuthCertUtils.validateCertChain(
                QgsAuthCertUtils.certsFromFile(path))
            self.assertTrue(len(default_errors) > 0)

            # Untrusted CA with addRootCa=True and no host name: accepted.
            # NOTE(review): this presumably trusts the chain's own root for
            # the check only; it says nothing about system trust -- confirm.
            root_added_errors = QgsAuthCertUtils.validateCertChain(
                QgsAuthCertUtils.certsFromFile(path), None, True)
            self.assertTrue(len(root_added_errors) == 0)

            # addRootCa=True but a wrong domain is set: rejected again.
            wrong_host_errors = QgsAuthCertUtils.validateCertChain(
                QgsAuthCertUtils.certsFromFile(path), 'my.wrong.domain', True)
            self.assertTrue(len(wrong_host_errors) > 0)
コード例 #3
 def mkPEMBundle(self, client_cert, client_key, password, chain):
     """Build a QgsPkiBundle from PEM fixture files under PKIDATA.

     client_cert, client_key and chain are file names relative to PKIDATA;
     password is handed to fromPemPaths unchanged (presumably the pass
     phrase of the private key -- confirm against QgsPkiBundle).
     """
     cert_path = PKIDATA + '/' + client_cert
     key_path = PKIDATA + '/' + client_key
     # The CA chain is passed as parsed certificates, not as a path.
     ca_chain = QgsAuthCertUtils.certsFromFile(PKIDATA + '/' + chain)
     return QgsPkiBundle.fromPemPaths(cert_path, key_path, password, ca_chain)
コード例 #4
ファイル: test_qgsauthsystem.py プロジェクト: ndavid/QGIS
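    def test_070_servers(self):
        """Round-trip a custom SSL server config through the auth manager.

        Builds a QgsAuthConfigSslServer for 'localhost:8443', stores it,
        reads it back, compares each field with the original and finally
        removes it again.
        """
        ssl_cert_path = os.path.join(PKIDATA, 'localhost_ssl_cert.pem')

        # Report a missing or unparsable fixture as a test failure with a
        # readable message instead of an IndexError on the [0] lookup.
        ssl_certs = QgsAuthCertUtils.certsFromFile(ssl_cert_path)
        msg = 'SSL server certificate could not be loaded'
        self.assertTrue(ssl_certs, msg)

        ssl_cert = ssl_certs[0]
        msg = 'SSL server certificate is null'
        self.assertFalse(ssl_cert.isNull(), msg)

        # Stored configs are looked up by certificate hash plus host:port.
        cert_sha = QgsAuthCertUtils.shaHexForCert(ssl_cert)

        hostport = 'localhost:8443'
        config = QgsAuthConfigSslServer()
        config.setSslCertificate(ssl_cert)
        config.setSslHostPort(hostport)
        # Fixture values only: they exist so the round trip has non-default
        # data to compare. VerifyNone turns off peer certificate
        # verification, the ignored error accepts self-signed certificates
        # and TlsV1 selects TLS 1.0, which is deprecated (RFC 8996). None of
        # these is a setting to copy into a real server config.
        config.setSslIgnoredErrorEnums([QSslError.SelfSignedCertificate])
        config.setSslPeerVerifyMode(QSslSocket.VerifyNone)
        config.setSslPeerVerifyDepth(3)
        config.setSslProtocol(QSsl.TlsV1)

        msg = 'SSL config is null'
        self.assertFalse(config.isNull(), msg)

        msg = 'Could not store SSL config'
        self.assertTrue(self.authm.storeSslCertCustomConfig(config), msg)

        msg = 'Could not verify storage of SSL config'
        self.assertTrue(
            self.authm.existsSslCertCustomConfig(cert_sha, hostport), msg)

        msg = 'Could not verify SSL config in all configs'
        self.assertIsNotNone(self.authm.getSslCertCustomConfigs(), msg)

        # config2 is expected to be a QgsAuthConfigSslServer.
        msg = 'Could not retrieve SSL config'
        config2 = self.authm.getSslCertCustomConfig(cert_sha, hostport)
        self.assertFalse(config2.isNull(), msg)

        msg = 'Certificate of retrieved SSL config does not match'
        self.assertEqual(config.sslCertificate(), config2.sslCertificate(), msg)

        msg = 'HostPort of retrieved SSL config does not match'
        self.assertEqual(config.sslHostPort(), config2.sslHostPort(), msg)

        # assertIn names the missing member and the container on failure.
        msg = 'IgnoredErrorEnums of retrieved SSL config does not match'
        enums = config2.sslIgnoredErrorEnums()
        self.assertIn(QSslError.SelfSignedCertificate, enums, msg)

        msg = 'PeerVerifyMode of retrieved SSL config does not match'
        self.assertEqual(config.sslPeerVerifyMode(),
                         config2.sslPeerVerifyMode(), msg)

        msg = 'PeerVerifyDepth of retrieved SSL config does not match'
        self.assertEqual(config.sslPeerVerifyDepth(),
                         config2.sslPeerVerifyDepth(), msg)

        msg = 'Protocol of retrieved SSL config does not match'
        self.assertEqual(config.sslProtocol(), config2.sslProtocol(), msg)

        # Manual inspection aid, left disabled:
        # dlg = QgsAuthSslConfigDialog(None, ssl_cert, hostport)
        # dlg.exec_()

        # Remove the config again and confirm that it is gone.
        msg = 'Could not remove SSL config'
        self.assertTrue(
            self.authm.removeSslCertCustomConfig(cert_sha, hostport), msg)

        msg = 'Could not verify removal of SSL config'
        self.assertFalse(
            self.authm.existsSslCertCustomConfig(cert_sha, hostport), msg)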
コード例 #5
ファイル: test_qgsauthsystem.py プロジェクト: ndavid/QGIS
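    def test_040_authorities(self):
        """Check that CA certificates reach the trusted-authorities cache.

        Three cases are covered: CAs loaded through the 'cafile' setting,
        the same CAs dropping out once that setting is removed, and CAs
        stored in the authentication database.
        """

        def rebuild_caches():
            # Both caches are rebuilt so later lookups see the new settings.
            m = 'Authorities cache could not be rebuilt'
            self.assertTrue(self.authm.rebuildCaCertsCache(), m)

            m = 'Authorities trust policy cache could not be rebuilt'
            self.assertTrue(self.authm.rebuildTrustedCaCertsCache(), m)

        def trusted_ca_certs():
            tr_certs = self.authm.getTrustedCaCerts()
            # NOTE(review): assertIsNotNone lets an empty collection through
            # although the message says "empty" -- confirm whether an empty
            # trust cache should fail here.
            m = 'Trusted authorities cache is empty'
            self.assertIsNotNone(tr_certs, m)
            return tr_certs

        # The message was assigned but never passed to the assertion.
        msg = 'No system root CAs'
        self.assertIsNotNone(self.authm.getSystemRootCAs(), msg)

        # TODO: add more tests
        full_chain = 'chains_subissuer-issuer-root_issuer2-root2.pem'
        full_chain_path = os.path.join(PKIDATA, full_chain)

        # Load the CA file authorities for later comparison.
        ca_certs = QgsAuthCertUtils.certsFromFile(full_chain_path)
        msg = 'Authorities file could not be parsed'
        self.assertIsNotNone(ca_certs, msg)

        msg = 'Authorities file parsed count is incorrect'
        self.assertEqual(len(ca_certs), 5, msg)

        # First check that the CA file can be set and loaded.
        msg = 'Authority file path setting could not be stored'
        self.assertTrue(
            self.authm.storeAuthSetting('cafile', full_chain_path), msg)

        # NOTE(review): False presumably keeps invalid certificates from the
        # CA file out of the trust set -- confirm against the setting's docs.
        msg = "Authority file 'allow invalids' setting could not be stored"
        self.assertTrue(
            self.authm.storeAuthSetting('cafileallowinvalid', False), msg)

        rebuild_caches()
        trusted_certs = trusted_ca_certs()

        # Every CA from the file must now be trusted.
        not_cached = any(ca not in trusted_certs for ca in ca_certs)
        msg = 'Authorities not in trusted authorities cache'
        self.assertFalse(not_cached, msg)

        # Check that the CA file can be unset.
        msg = 'Authority file path setting could not be removed'
        self.assertTrue(self.authm.removeAuthSetting('cafile'), msg)

        msg = "Authority file 'allow invalids' setting could not be removed"
        self.assertTrue(
            self.authm.removeAuthSetting('cafileallowinvalid'), msg)

        rebuild_caches()
        trusted_certs = trusted_ca_certs()

        # Removing the setting must revoke trust: none of the CAs may remain.
        still_cached = any(ca in trusted_certs for ca in ca_certs)
        msg = 'Authorities still in trusted authorities cache'
        self.assertFalse(still_cached, msg)

        # Check that CAs can be stored in the database; the message is now
        # passed to the assertion instead of being dropped.
        msg = "Authority certs could not be stored in database"
        self.assertTrue(self.authm.storeCertAuthorities(ca_certs), msg)

        rebuild_caches()
        trusted_certs = trusted_ca_certs()

        not_cached = any(ca not in trusted_certs for ca in ca_certs)
        msg = 'Stored authorities not in trusted authorities cache'
        self.assertFalse(not_cached, msg)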
コード例 #6
 def mkPEMBundle(self, client_cert, client_key, password, chain):
     """Return a QgsPkiBundle built from PEM fixtures located in PKIDATA.

     The three file names are joined to PKIDATA with a '/' separator;
     password is forwarded to fromPemPaths as given (presumably the private
     key's pass phrase -- confirm against QgsPkiBundle).
     """

     def fixture(name):
         # Fixture files are addressed by plain string concatenation.
         return PKIDATA + '/' + name

     cert_path = fixture(client_cert)
     key_path = fixture(client_key)
     # The chain is parsed into certificates before being handed over.
     ca_chain = QgsAuthCertUtils.certsFromFile(fixture(chain))
     return QgsPkiBundle.fromPemPaths(cert_path, key_path, password, ca_chain)
コード例 #7
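    def test_070_servers(self):
        """Round-trip a custom SSL server config through the auth manager.

        Builds a QgsAuthConfigSslServer for 'localhost:8443', stores it,
        reads it back, compares each field with the original and finally
        removes it again.
        """
        ssl_cert_path = os.path.join(PKIDATA, 'localhost_ssl_cert.pem')

        # Report a missing or unparsable fixture as a test failure with a
        # readable message instead of an IndexError on the [0] lookup.
        ssl_certs = QgsAuthCertUtils.certsFromFile(ssl_cert_path)
        msg = 'SSL server certificate could not be loaded'
        self.assertTrue(ssl_certs, msg)

        ssl_cert = ssl_certs[0]
        msg = 'SSL server certificate is null'
        self.assertFalse(ssl_cert.isNull(), msg)

        # Stored configs are looked up by certificate hash plus host:port.
        cert_sha = QgsAuthCertUtils.shaHexForCert(ssl_cert)

        hostport = 'localhost:8443'
        config = QgsAuthConfigSslServer()
        config.setSslCertificate(ssl_cert)
        config.setSslHostPort(hostport)
        # Fixture values only: they exist so the round trip has non-default
        # data to compare. VerifyNone turns off peer certificate
        # verification, the ignored error accepts self-signed certificates
        # and TlsV1_1 selects TLS 1.1, which is deprecated (RFC 8996). None
        # of these is a setting to copy into a real server config.
        config.setSslIgnoredErrorEnums([QSslError.SelfSignedCertificate])
        config.setSslPeerVerifyMode(QSslSocket.VerifyNone)
        config.setSslPeerVerifyDepth(3)
        config.setSslProtocol(QSsl.TlsV1_1)

        msg = 'SSL config is null'
        self.assertFalse(config.isNull(), msg)

        msg = 'Could not store SSL config'
        self.assertTrue(self.authm.storeSslCertCustomConfig(config), msg)

        msg = 'Could not verify storage of SSL config'
        self.assertTrue(
            self.authm.existsSslCertCustomConfig(cert_sha, hostport), msg)

        msg = 'Could not verify SSL config in all configs'
        self.assertIsNotNone(self.authm.sslCertCustomConfigs(), msg)

        # config2 is expected to be a QgsAuthConfigSslServer.
        msg = 'Could not retrieve SSL config'
        config2 = self.authm.sslCertCustomConfig(cert_sha, hostport)
        self.assertFalse(config2.isNull(), msg)

        msg = 'Certificate of retrieved SSL config does not match'
        self.assertEqual(config.sslCertificate(), config2.sslCertificate(),
                         msg)

        msg = 'HostPort of retrieved SSL config does not match'
        self.assertEqual(config.sslHostPort(), config2.sslHostPort(), msg)

        # assertIn names the missing member and the container on failure.
        msg = 'IgnoredErrorEnums of retrieved SSL config does not match'
        enums = config2.sslIgnoredErrorEnums()
        self.assertIn(QSslError.SelfSignedCertificate, enums, msg)

        msg = 'PeerVerifyMode of retrieved SSL config does not match'
        self.assertEqual(config.sslPeerVerifyMode(),
                         config2.sslPeerVerifyMode(), msg)

        msg = 'PeerVerifyDepth of retrieved SSL config does not match'
        self.assertEqual(config.sslPeerVerifyDepth(),
                         config2.sslPeerVerifyDepth(), msg)

        msg = 'Protocol of retrieved SSL config does not match'
        self.assertEqual(config.sslProtocol(), config2.sslProtocol(), msg)

        # Manual inspection aid, left disabled:
        # dlg = QgsAuthSslConfigDialog(None, ssl_cert, hostport)
        # dlg.exec_()

        # Remove the config again and confirm that it is gone.
        msg = 'Could not remove SSL config'
        self.assertTrue(
            self.authm.removeSslCertCustomConfig(cert_sha, hostport), msg)

        msg = 'Could not verify removal of SSL config'
        self.assertFalse(
            self.authm.existsSslCertCustomConfig(cert_sha, hostport), msg)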
コード例 #8
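    def test_040_authorities(self):
        """Check that CA certificates reach the trusted-authorities cache.

        Three cases are covered: CAs loaded through the 'cafile' setting,
        the same CAs dropping out once that setting is removed, and CAs
        stored in the authentication database.
        """

        def rebuild_caches():
            # Both caches are rebuilt so later lookups see the new settings.
            m = 'Authorities cache could not be rebuilt'
            self.assertTrue(self.authm.rebuildCaCertsCache(), m)

            m = 'Authorities trust policy cache could not be rebuilt'
            self.assertTrue(self.authm.rebuildTrustedCaCertsCache(), m)

        def trusted_ca_certs():
            tr_certs = self.authm.trustedCaCerts()
            # NOTE(review): assertIsNotNone lets an empty collection through
            # although the message says "empty" -- confirm whether an empty
            # trust cache should fail here.
            m = 'Trusted authorities cache is empty'
            self.assertIsNotNone(tr_certs, m)
            return tr_certs

        # The message was assigned but never passed to the assertion.
        msg = 'No system root CAs'
        self.assertIsNotNone(self.authm.systemRootCAs(), msg)

        # TODO: add more tests
        full_chain = 'chains_subissuer-issuer-root_issuer2-root2.pem'
        full_chain_path = os.path.join(PKIDATA, full_chain)

        # Load the CA file authorities for later comparison.
        ca_certs = QgsAuthCertUtils.certsFromFile(full_chain_path)
        msg = 'Authorities file could not be parsed'
        self.assertIsNotNone(ca_certs, msg)

        msg = 'Authorities file parsed count is incorrect'
        self.assertEqual(len(ca_certs), 5, msg)

        # First check that the CA file can be set and loaded.
        msg = 'Authority file path setting could not be stored'
        self.assertTrue(self.authm.storeAuthSetting('cafile', full_chain_path),
                        msg)

        # NOTE(review): False presumably keeps invalid certificates from the
        # CA file out of the trust set -- confirm against the setting's docs.
        msg = "Authority file 'allow invalids' setting could not be stored"
        self.assertTrue(
            self.authm.storeAuthSetting('cafileallowinvalid', False), msg)

        rebuild_caches()
        trusted_certs = trusted_ca_certs()

        # Every CA from the file must now be trusted.
        not_cached = any(ca not in trusted_certs for ca in ca_certs)
        msg = 'Authorities not in trusted authorities cache'
        self.assertFalse(not_cached, msg)

        # Check that the CA file can be unset.
        msg = 'Authority file path setting could not be removed'
        self.assertTrue(self.authm.removeAuthSetting('cafile'), msg)

        msg = "Authority file 'allow invalids' setting could not be removed"
        self.assertTrue(self.authm.removeAuthSetting('cafileallowinvalid'),
                        msg)

        rebuild_caches()
        trusted_certs = trusted_ca_certs()

        # Removing the setting must revoke trust: none of the CAs may remain.
        still_cached = any(ca in trusted_certs for ca in ca_certs)
        msg = 'Authorities still in trusted authorities cache'
        self.assertFalse(still_cached, msg)

        # Check that CAs can be stored in the database; the message is now
        # passed to the assertion instead of being dropped.
        msg = "Authority certs could not be stored in database"
        self.assertTrue(self.authm.storeCertAuthorities(ca_certs), msg)

        rebuild_caches()
        trusted_certs = trusted_ca_certs()

        not_cached = any(ca not in trusted_certs for ca in ca_certs)
        msg = 'Stored authorities not in trusted authorities cache'
        self.assertFalse(not_cached, msg)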