def test_fails_when_client_auth_failed(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
# And sslyze does NOT provide a client certificate
server_location = ServerNetworkLocationViaDirectConnection(
hostname=server.hostname, ip_address=server.ip_address, port=server.port
)
server_info = ServerConnectivityTester().perform(server_location)
# When scanning for HTTP headers, it fails
with pytest.raises(ClientCertificateRequested):
HttpHeadersImplementation.scan_server(server_info)
def test_http_error(self):
# Given a server to scan
with ModernOpenSslServer(
# And the server will trigger an error when receiving an HTTP request
should_reply_to_http_requests=False) as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
server_info)
# And the result mention the error returned by the server when sending an HTTP request
assert result.http_error_trace
assert result.http_request_sent
# And the other result fields are not set
assert not result.http_path_redirected_to
assert not result.expect_ct_header
# And a CLI output can be generated
assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(
result)
# And the result can be converted to JSON
result_as_json = HttpHeadersScanResultAsJson.from_orm(result).json()
assert result_as_json
def test_works_when_client_auth_succeeded(self):
# Given a server that requires client authentication
with LegacyOpenSslServer(
client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
server_location = ServerNetworkLocation(
hostname=server.hostname,
ip_address=server.ip_address,
port=server.port)
# And sslyze provides a client certificate
network_config = ServerNetworkConfiguration(
tls_server_name_indication=server.hostname,
tls_client_auth_credentials=ClientAuthenticationCredentials(
certificate_chain_path=server.get_client_certificate_path(
),
key_path=server.get_client_key_path()),
)
server_info = check_connectivity_to_server_and_return_info(
server_location, network_config)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
server_info)
assert not result.strict_transport_security_header
assert not result.expect_ct_header
def test_expect_ct_enabled(self):
# Given a server to scan that has Expect-CT enabled
server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup(
"github.com", 443)
server_info = ServerConnectivityTester().perform(server_location)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.perform(
server_info)
# And the Expect-CT header was detected
assert result.expect_ct_header
assert result.expect_ct_header.max_age >= 0
def test_hsts_and_hpkp_disabled(self):
# Given a server to scan that does not have security headers
server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup(
"expired.badssl.com", 443)
server_info = ServerConnectivityTester().perform(server_location)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.perform(
server_info)
# And no headers are detected
assert not result.strict_transport_security_header
assert not result.public_key_pins_header
assert not result.public_key_pins_report_only_header
assert not result.expect_ct_header
def test_expect_ct_enabled(self):
# Given a server to scan that has Expect-CT enabled
server_location = ServerNetworkLocation("github.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
server_info)
# And the Expect-CT header was detected
assert result.expect_ct_header
assert result.expect_ct_header.max_age >= 0
# And a CLI output can be generated
assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(
result)
def test_hsts_enabled(self):
# Given a server to scan that has HSTS enabled
server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("hsts.badssl.com", 443)
server_info = ServerConnectivityTester().perform(server_location)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(server_info)
# And only HSTS is detected
assert result.http_request_sent
assert result.http_path_redirected_to
assert result.strict_transport_security_header
assert not result.public_key_pins_header
assert not result.public_key_pins_report_only_header
assert not result.expect_ct_header
# And a CLI output can be generated
assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(result)
def test_all_headers_disabled(self):
# Given a server to scan that does not have security headers
server_location = ServerNetworkLocation("expired.badssl.com", 443)
server_info = check_connectivity_to_server_and_return_info(
server_location)
# When scanning for HTTP headers, it succeeds
result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
server_info)
# And no headers are detected
assert result.http_request_sent
assert result.http_path_redirected_to
assert not result.strict_transport_security_header
assert not result.expect_ct_header
# And a CLI output can be generated
assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(
result)
