def test_works_when_client_auth_succeeded(self): # Given a server that requires client authentication with VulnerableOpenSslServer( client_auth_config=ClientAuthenticationServerConfigurationEnum. REQUIRED) as server: # And the client provides a client certificate client_creds = ClientAuthenticationCredentials( client_certificate_chain_path=server. get_client_certificate_path(), client_key_path=server.get_client_key_path(), ) server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port, client_auth_credentials=client_creds, ) server_info = server_test.perform() # The plugin works fine plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) self.assertIsNone(plugin_result.expect_ct_header) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_expect_ct_disabled(self): server_test = ServerConnectivityTester(hostname='hsts.badssl.com') server_info = server_test.perform() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) assert not plugin_result.expect_ct_header assert plugin_result.as_text() assert plugin_result.as_xml() assert pickle.dumps(plugin_result)
def test_expect_ct_disabled(self): server_info = ServerConnectivityInfo(hostname='hsts.badssl.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) self.assertFalse(plugin_result.expect_ct_header) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) self.assertTrue(pickle.dumps(plugin_result))
def test_legacy_ssl_client_missing_verified_chain(self): # Given a tls1.0 server server_test = ServerConnectivityTester(hostname='tls-v1-0.badssl.com', port=1010) server_info = server_test.perform() # The plugin does not throw an exception trying to access LegacySslClient.get_verified_chain() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) assert plugin_result.as_text() assert plugin_result.as_xml()
def test_hsts_enabled(self): server_info = ServerConnectivityInfo(hostname=u'hsts.badssl.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, 'http_headers') self.assertTrue(plugin_result.hsts_header) self.assertFalse(plugin_result.hpkp_header) self.assertIsNone(plugin_result.is_valid_pin_configured) self.assertIsNone(plugin_result.is_backup_pin_configured) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_hpkp_enabled(self): server_info = ServerConnectivityInfo(hostname=u'github.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, 'http_headers') self.assertTrue(plugin_result.hpkp_header) self.assertTrue(plugin_result.is_valid_pin_configured) self.assertTrue(plugin_result.is_backup_pin_configured) self.assertTrue(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_hpkp_enabled(self): server_info = ServerConnectivityInfo(hostname='github.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, 'http_headers') self.assertTrue(plugin_result.hpkp_header) self.assertTrue(plugin_result.is_valid_pin_configured) self.assertTrue(plugin_result.is_backup_pin_configured) self.assertTrue(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_hsts_enabled(self): server_info = ServerConnectivityInfo(hostname='hsts.badssl.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, 'http_headers') self.assertTrue(plugin_result.hsts_header) self.assertFalse(plugin_result.hpkp_header) self.assertIsNone(plugin_result.is_valid_pin_configured) self.assertIsNone(plugin_result.is_backup_pin_configured) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml())
def test_expect_ct_enabled(self): # Github was the only server I could find with expect-ct header set server_test = ServerConnectivityTester(hostname='github.com') server_info = server_test.perform() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) assert plugin_result.expect_ct_header assert plugin_result.expect_ct_header.max_age >= 0 assert plugin_result.as_text() assert plugin_result.as_xml() assert pickle.dumps(plugin_result)
def test_fails_when_client_auth_failed(self): # Given a server that requires client authentication with ModernOpenSslServer( client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # The plugin fails when a client cert was not supplied plugin = HttpHeadersPlugin() with self.assertRaises(ClientCertificateRequested): plugin.process_task(server_info, HttpHeadersScanCommand())
def test_fails_when_client_auth_failed_tls_1_2(self): # Given a server with TLS 1.2 that requires client authentication with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port ) server_info = server_test.perform() # The plugin fails when a client cert was not supplied plugin = HttpHeadersPlugin() with pytest.raises(ClientCertificateRequested): plugin.process_task(server_info, HttpHeadersScanCommand())
def test_expect_ct_enabled(self): # Github was the only server I could find with expect-ct header set server_info = ServerConnectivityInfo(hostname='github.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) self.assertTrue(plugin_result.expect_ct_header) self.assertTrue(plugin_result.expect_ct_header.max_age >= 0) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) self.assertTrue(pickle.dumps(plugin_result))
def test_hsts_and_hpkp_disabled(self): server_test = ServerConnectivityTester(hostname='expired.badssl.com') server_info = server_test.perform() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) self.assertFalse(plugin_result.hsts_header) self.assertFalse(plugin_result.hpkp_header) self.assertIsNone(plugin_result.is_valid_pin_configured) self.assertIsNone(plugin_result.is_backup_pin_configured) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_hsts_and_hpkp_disabled(self): server_info = ServerConnectivityInfo(hostname='expired.badssl.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) self.assertFalse(plugin_result.hsts_header) self.assertFalse(plugin_result.hpkp_header) self.assertIsNone(plugin_result.is_valid_pin_configured) self.assertIsNone(plugin_result.is_backup_pin_configured) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_hsts_and_hpkp_disabled(self): server_test = ServerConnectivityTester(hostname='expired.badssl.com') server_info = server_test.perform() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) assert not plugin_result.strict_transport_security_header assert not plugin_result.public_key_pins_header assert plugin_result.is_valid_pin_configured is None assert plugin_result.is_backup_pin_configured is None assert plugin_result.as_text() assert plugin_result.as_xml() # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue assert pickle.dumps(plugin_result)
def test_hpkp_enabled(self): server_info = ServerConnectivityInfo(hostname='github.com') server_info.test_connectivity_to_server() plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) self.assertTrue(plugin_result.hpkp_header) self.assertTrue(plugin_result.is_valid_pin_configured) self.assertTrue(plugin_result.is_backup_pin_configured) self.assertTrue(plugin_result.verified_certificate_chain) self.assertTrue(plugin_result.as_text()) self.assertTrue(plugin_result.as_xml()) # Ensure the results are pickable so the ConcurrentScanner can receive them via a Queue self.assertTrue(pickle.dumps(plugin_result))
def test_fails_when_client_auth_failed(self): # Given a server that requires client authentication try: with VulnerableOpenSslServer( client_auth_config= ClientAuthenticationServerConfigurationEnum.REQUIRED ) as server: # And the client does NOT provide a client certificate server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port) server_info = server_test.perform() # The plugin fails when a client cert was not supplied plugin = HttpHeadersPlugin() with self.assertRaises(ClientCertificateRequested): plugin.process_task(server_info, HttpHeadersScanCommand()) except NotOnLinux64Error: logging.warning('WARNING: Not on Linux - skipping test') return
def test_works_when_client_auth_succeeded(self): # Given a server that requires client authentication with ModernOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: # And the client provides a client certificate client_creds = ClientAuthenticationCredentials( client_certificate_chain_path=server.get_client_certificate_path(), client_key_path=server.get_client_key_path(), ) server_test = ServerConnectivityTester( hostname=server.hostname, ip_address=server.ip_address, port=server.port, client_auth_credentials=client_creds, ) server_info = server_test.perform() # The plugin works fine plugin = HttpHeadersPlugin() plugin_result = plugin.process_task(server_info, HttpHeadersScanCommand()) assert plugin_result.expect_ct_header is None assert plugin_result.as_text() assert plugin_result.as_xml()