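def test_ocsp_with_bogus_cache_files(tmpdir):
    """Validate against a cache file whose entries carry bogus OCSP response bytes.

    The corrupt entries must not be trusted. Validation is still expected to
    succeed for every host (a fresh response is obtained instead of the
    cached garbage), and afterwards none of the in-memory cache entries may
    still hold the bogus payload.
    """
    cache_file_name, target_hosts = _store_cache_in_file(tmpdir)

    ocsp = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
    OCSPCache.read_ocsp_response_cache_file(ocsp, cache_file_name)
    cache_data = OCSPCache.CACHE
    assert cache_data, "more than one cache entries should be stored."

    # Overwrite every entry with a fresh timestamp but garbage response bytes,
    # so the entry looks current and only the payload itself is invalid.
    current_time = int(time.time())
    for k in list(cache_data):
        cache_data[k] = (current_time, b'bogus')

    # write back the cache file
    OCSPCache.CACHE = cache_data
    OCSPCache.write_ocsp_response_cache_file(ocsp, cache_file_name)

    # Reload from the bogus file. The corrupt entries must be rejected by the
    # validator; validate() is still expected to return True because a real
    # response is fetched instead of trusting the cache.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
    for hostname in target_hosts:
        connection = _openssl_connect(hostname)
        assert ocsp.validate(hostname, connection), \
            'Failed to validate: {}'.format(hostname)

    # The garbage payload must not survive in the in-memory cache after a
    # successful validation round.
    assert all(entry[1] != b'bogus' for entry in OCSPCache.CACHE.values()), \
        'bogus OCSP response data was retained in the cache'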
def _validate_certs_using_ocsp(url, cache_file_name):
    """Validate OCSP response. Deleting memory cache and file cache randomly.

    Intended to be run by many workers at once: each call sleeps a random
    0-3 seconds, then with probability 0.2 clears the in-memory cache and
    with probability 0.05 deletes the cache file before validating ``url``.
    """
    log = logging.getLogger('test')
    import random
    import time

    # presumably staggers concurrent callers before they touch shared caches
    time.sleep(random.randint(0, 3))

    drop_memory_cache = random.random() < 0.2
    if drop_memory_cache:
        log.info('clearing up cache: OCSP_VALIDATION_CACHE')
        SnowflakeOCSP.clear_cache()

    drop_cache_file = random.random() < 0.05
    if drop_cache_file:
        log.info('deleting a cache file: %s', cache_file_name)
        SnowflakeOCSP.delete_cache_file()

    conn = _openssl_connect(url)
    checker = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
    checker.validate(url, conn)
def test_ocsp_wo_cache_server():
    """OCSP Tests with Cache Server Disabled.

    Every host in TARGET_HOSTS must validate with ``use_ocsp_cache_server``
    off, i.e. without the Snowflake-hosted OCSP cache server.
    """
    SnowflakeOCSP.clear_cache()
    checker = SFOCSP(use_ocsp_cache_server=False)
    for host in TARGET_HOSTS:
        conn = _openssl_connect(host)
        ok = checker.validate(host, conn)
        assert ok, f"Failed to validate: {host}"
def test_ocsp_with_invalid_cache_file():
    """OCSP tests with an invalid cache file.

    The cache URI points at something that is not a usable file; validation
    of the first target host must still succeed. Only TARGET_HOSTS[0] is
    exercised here.
    """
    # reset the memory cache so nothing from an earlier test satisfies the check
    SnowflakeOCSP.clear_cache()
    checker = SFOCSP(ocsp_response_cache_uri="NEVER_EXISTS")
    first_host_only = TARGET_HOSTS[0:1]
    for host in first_host_only:
        conn = _openssl_connect(host)
        assert checker.validate(host, conn), f"Failed to validate: {host}"
def test_ocsp(): """OCSP tests.""" # reset the memory cache SnowflakeOCSP.clear_cache() ocsp = SFOCSP() for url in TARGET_HOSTS: connection = _openssl_connect(url, timeout=5) assert ocsp.validate(url, connection), f"Failed to validate: {url}"
def test_ocsp_by_post_method():
    """OCSP tests using HTTP POST for the OCSP requests.

    Every host in TARGET_HOSTS must validate with ``use_post_method=True``.
    """
    # start from an empty in-memory cache
    SnowflakeOCSP.clear_cache()
    checker = SFOCSP(use_post_method=True)
    for host in TARGET_HOSTS:
        conn = _openssl_connect(host)
        ok = checker.validate(host, conn)
        assert ok, f"Failed to validate: {host}"
def test_ocsp(): """ OCSP tests """ # reset the memory cache SnowflakeOCSP.clear_cache() ocsp = SFOCSP() for url in TARGET_HOSTS: connection = _openssl_connect(url) assert ocsp.validate(url, connection), \ 'Failed to validate: {}'.format(url)
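def test_ocsp_single_endpoint():
    """OCSP validation through the single (new) cache-server endpoint.

    Enables the endpoint via SF_OCSP_ACTIVATE_NEW_ENDPOINT and points the
    cache-server base URL at a preprod server. Both the environment variable
    and the base URL are restored in ``finally`` so a failing assertion (or a
    constructor error) cannot leak this configuration into later tests.
    """
    environ['SF_OCSP_ACTIVATE_NEW_ENDPOINT'] = 'True'
    cache_server = None
    saved_base_url = None
    try:
        SnowflakeOCSP.clear_cache()
        ocsp = SFOCSP()
        cache_server = ocsp.OCSP_CACHE_SERVER
        # NEW_DEFAULT_CACHE_SERVER_BASE_URL is assumed to be shared state
        # (not per-instance), so remember it and put it back afterwards.
        saved_base_url = cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL
        cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL = \
            "https://snowflake.preprod3.us-west-2-dev.external-zone.snowflakecomputing.com:8085/ocsp/"
        connection = _openssl_connect("snowflake.okta.com")
        assert ocsp.validate("snowflake.okta.com", connection), \
            'Failed to validate: {}'.format("snowflake.okta.com")
    finally:
        if cache_server is not None:
            cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL = saved_base_url
        del environ['SF_OCSP_ACTIVATE_NEW_ENDPOINT']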
def test_ocsp_with_file_cache(tmpdir):
    """OCSP tests and the cache server and file.

    Uses a fresh file cache under ``tmpdir`` (cache_file.txt) alongside the
    default cache-server setting; every host in TARGET_HOSTS must validate.
    """
    cache_dir = str(tmpdir.mkdir("ocsp_response_cache"))
    cache_path = path.join(cache_dir, "cache_file.txt")

    # start from an empty in-memory cache
    SnowflakeOCSP.clear_cache()
    checker = SFOCSP(ocsp_response_cache_uri="file://" + cache_path)
    for host in TARGET_HOSTS:
        conn = _openssl_connect(host)
        ok = checker.validate(host, conn)
        assert ok, f"Failed to validate: {host}"
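def test_ocsp_fail_close_w_single_endpoint():
    """With fail-open disabled, an unreachable OCSP responder must fail validation.

    SF_TEST_OCSP_URL is pointed at an endpoint that delays its reply by 10s
    while the responder connection timeout is set to 5s, so no OCSP response
    can be obtained. In fail-close mode (``use_fail_open=False``) validate()
    must raise RevocationCheckError with ER_INVALID_OCSP_RESPONSE_CODE.

    NOTE: depends on the external host httpbin.org being reachable.
    """
    SnowflakeOCSP.clear_cache()
    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_URL"] = "http://httpbin.org/delay/10"
    environ["SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"] = "5"
    try:
        # Everything that can fail sits inside try: if validate() unexpectedly
        # does NOT raise, the test-mode variables must still be removed so the
        # fake responder URL cannot bleed into later tests.
        OCSPCache.del_cache_file()
        ocsp = SFOCSP(use_ocsp_cache_server=False, use_fail_open=False)
        connection = _openssl_connect("snowflake.okta.com")
        with pytest.raises(RevocationCheckError) as ex:
            ocsp.validate("snowflake.okta.com", connection)
        assert ex.value.errno == ER_INVALID_OCSP_RESPONSE_CODE, "Connection should have failed"
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_URL']
        del environ['SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT']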
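def test_ocsp_bad_validity():
    """Fail-open behaviour when the OCSP response has a bad validity window.

    SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY makes the responder data fail
    the validity check. With the default fail-open setting validate() is
    expected to return True anyway — this test pins the fail-open contract,
    not a rejection. The test-mode variables are removed in ``finally`` so a
    failing assertion cannot leak them into later tests.
    """
    SnowflakeOCSP.clear_cache()
    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY"] = "true"
    try:
        OCSPCache.del_cache_file()
        ocsp = SFOCSP(use_ocsp_cache_server=False)
        connection = _openssl_connect("snowflake.okta.com")
        assert ocsp.validate("snowflake.okta.com", connection), "Connection should have passed with fail open"
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY']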
def _store_cache_in_file(tmpdir, target_hosts=None, filename=None):
    """Populate an OCSP file cache by validating ``target_hosts``.

    The cache server is disabled so the responses written to the file come
    from the validation run itself. Defaults: ``target_hosts`` -> TARGET_HOSTS,
    ``filename`` -> <tmpdir>/cache_file.txt.

    Returns:
        (filename, target_hosts) for the caller to reuse.
    """
    hosts = TARGET_HOSTS if target_hosts is None else target_hosts
    if filename is None:
        cache_path = path.join(str(tmpdir), 'cache_file.txt')
    else:
        cache_path = filename

    # cache OCSP response
    SnowflakeOCSP.clear_cache()
    checker = SFOCSP(ocsp_response_cache_uri='file://' + cache_path,
                     use_ocsp_cache_server=False)
    for host in hosts:
        conn = _openssl_connect(host)
        assert checker.validate(host, conn), \
            'Failed to validate: {}'.format(host)

    # the validation run above is what creates the file
    assert path.exists(cache_path), "OCSP response cache file"
    return cache_path, hosts
def _store_cache_in_file(tmpdir, target_hosts=None):
    """Populate an OCSP file cache under ``tmpdir`` by validating ``target_hosts``.

    Points SF_OCSP_RESPONSE_CACHE_DIR at ``tmpdir`` and resets the cache
    directory, then validates each host with the cache server disabled so
    the responses are written to <tmpdir>/ocsp_response_cache.json.

    NOTE: SF_OCSP_RESPONSE_CACHE_DIR is left set on return; callers that
    read the cache file through OCSPCache presumably rely on that.

    Returns:
        (filename, target_hosts) for the caller to reuse.
    """
    hosts = TARGET_HOSTS if target_hosts is None else target_hosts

    os.environ['SF_OCSP_RESPONSE_CACHE_DIR'] = str(tmpdir)
    OCSPCache.reset_cache_dir()
    cache_path = path.join(str(tmpdir), 'ocsp_response_cache.json')

    # cache OCSP response
    SnowflakeOCSP.clear_cache()
    checker = SFOCSP(ocsp_response_cache_uri='file://' + cache_path,
                     use_ocsp_cache_server=False)
    for host in hosts:
        conn = _openssl_connect(host)
        assert checker.validate(host, conn), \
            'Failed to validate: {}'.format(host)

    # the validation run above is what creates the file
    assert path.exists(cache_path), "OCSP response cache file"
    return cache_path, hosts
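def test_ocsp_fail_open_w_single_endpoint():
    """With fail-open (the default), an unreachable OCSP responder must not block the connection.

    SF_TEST_OCSP_URL is pointed at an endpoint that delays its reply by 10s
    while the responder connection timeout is set to 5s, so no OCSP response
    can be obtained; validate() is still expected to return True. Compare
    test_ocsp_fail_close_w_single_endpoint, which pins the opposite outcome
    with ``use_fail_open=False``.

    NOTE: depends on the external host httpbin.org being reachable.
    """
    SnowflakeOCSP.clear_cache()
    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_URL"] = "http://httpbin.org/delay/10"
    environ["SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"] = "5"
    try:
        # cache deletion, construction and connect all sit inside try so an
        # error in any of them still removes the test-mode variables
        OCSPCache.del_cache_file()
        ocsp = SFOCSP(use_ocsp_cache_server=False)
        connection = _openssl_connect("snowflake.okta.com")
        assert ocsp.validate("snowflake.okta.com", connection), \
            'Failed to validate: {}'.format("snowflake.okta.com")
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_URL']
        del environ['SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT']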
def test_ocsp_wo_cache_file():
    """OCSP tests without File cache.

    NOTE: Use /etc as a readonly directory such that no cache file is used.
    This only holds for an unprivileged test user — when run as root, /etc
    is writable and a cache file may actually be created there, so the test
    would no longer exercise the "no file cache" path.
    """
    # reset the memory cache and drop any existing cache file first
    SnowflakeOCSP.clear_cache()
    OCSPCache.del_cache_file()

    environ['SF_OCSP_RESPONSE_CACHE_DIR'] = '/etc'
    OCSPCache.reset_cache_dir()
    try:
        checker = SFOCSP()
        for host in TARGET_HOSTS:
            conn = _openssl_connect(host)
            ok = checker.validate(host, conn)
            assert ok, 'Failed to validate: {}'.format(host)
    finally:
        # restore the default cache directory for the remaining tests
        del environ['SF_OCSP_RESPONSE_CACHE_DIR']
        OCSPCache.reset_cache_dir()