예제 #1
0
    def test_scenario_2(self, mock_read_global_bundle, mock_read_bundle, mock_read_listings):
        """
        Setup
        - Global auth disabled
        - Individual repo auth enabled for repo X
        - Client cert signed by different CA than repo X
        - Client cert has entitlements

        Expected
        - Denied to repo X, permitted for repo Y
        """
        mock_read_global_bundle.return_value = None
        repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
        mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'}
        mock_read_bundle.return_value = repo_x_bundle

        # Test
        request_x = mock_environ(E_FULL,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(E_FULL,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(not response_x)
        self.assertTrue(response_y)
예제 #2
0
    def __test_scenario_9(self):
        """
        Setup
        - Global auth enabled
        - Individual auth enabled for repo X
        - Different CA certificates for global and repo X configurations
        - Client cert signed by global CA certificate
        - Client cert has entitlements for both repos

        Excepted
        - Denied for repo X, passes for repo Y
        """

        # Setup
        global_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
        self.auth_api.enable_global_repo_auth(global_bundle)

        repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
        self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create('repo-y', 'Repo Y', 'noarch',
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(E_FULL,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(E_FULL,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(not response_x)
        self.assertTrue(response_y)
예제 #3
0
    def test_scenario_3(self, mock_read_global_bundle, mock_read_bundle, mock_read_listings):
        """
        Setup
        - Global auth disabled
        - Individual repo auth enabled for repo X
        - Client cert signed by repo Y CA
        - Client cert does not have entitlements for requested URL

        Expected
        - Permitted to repo X, denied from repo Y
        """
        mock_read_global_bundle.return_value = None

        repo_y_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
        mock_read_listings.return_value = {'/pulp/pulp/fedora-13/x86_64': 'repo-x'}
        mock_read_bundle.return_value = repo_y_bundle

        # Test
        request_x = mock_environ(E_LIMITED,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(E_LIMITED,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(response_x)
        self.assertTrue(not response_y)
예제 #4
0
    def __test_scenario_13(self):
        repo_x_bundle = {'ca': OTHER_CA, 'key': OTHER_CERT_KEY,
                         'cert': OTHER_CERT, }
        self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create('repo-y', 'Repo Y', 'noarch', consumer_cert_data=repo_x_bundle,
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(E_WILDCARD,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/os')
        request_y = mock_environ(E_WILDCARD,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/os')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(response_x)
        self.assertTrue(response_y)

        # Try to hit something that should be denied
        request_z = mock_environ(E_WILDCARD,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64'
                                 '/mrg-g/2.0/os')
        response_z = oid_validation.authenticate(request_z, config=self.config)
        self.assertTrue(not response_z)
예제 #5
0
    def __test_scenario_6(self):
        """
        Setup
        - Global auth enabled
        - Individual auth disabled
        - Client cert signed by non-global CA
        - Client cert has entitlements for both repos

        Expected
        - Denied to both repo X and Y
        """

        # Setup
        global_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
        self.auth_api.enable_global_repo_auth(global_bundle)

        self.repo_api.create('repo-x', 'Repo X', 'noarch',
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create('repo-y', 'Repo Y', 'noarch',
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(E_FULL,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(E_FULL,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(not response_x)
        self.assertTrue(not response_y)
예제 #6
0
    def __test_scenario_1(self):
        """
        Setup
        - Global auth disabled
        - Individual repo auth enabled for repo X
        - Client cert signed by repo X CA
        - Client cert has entitlements

        Expected
        - Permitted for both repos
        """

        # Setup
        self.auth_api.disable_global_repo_auth()

        repo_x_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
        self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create('repo-y', 'Repo Y', 'noarch',
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(E_FULL,
                                 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(E_FULL,
                                 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(response_x)
        self.assertTrue(response_y)
예제 #7
0
    def __test_scenario_12(self):
        """
        Setup
        - Global auth enabled
        - Individual auth enabled on repo X
        - Both global and individual auth use the same CA
        - No client cert in request

        Expected
        - Denied for both repo X and Y
        - No exceptions thrown
        """

        # Setup
        global_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
        self.auth_api.enable_global_repo_auth(global_bundle)

        repo_x_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
        self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create('repo-y', 'Repo Y', 'noarch',
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ('',
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ('',
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(not response_x)
        self.assertTrue(not response_y)
예제 #8
0
    def __test_scenario_14(self):
        """
        Setup
        - Global auth disabled
        - Individual repo auth enabled for repo X
        - Client cert signed by repo X CA
        - Client cert has an OID entitlement that ends with a yum variable.
          e.g., repos/pulp/pulp/fedora-14/$basearch/

        Expected
        - Permitted for both repos
        """

        # Setup
        self.auth_api.disable_global_repo_auth()

        repo_x_bundle = {
            'ca': OTHER_CA,
            'key': OTHER_CA_KEY,
            'cert': CERT,
        }
        self.repo_api.create(
            'repo-x',
            'Repo X',
            'noarch',
            consumer_cert_data=repo_x_bundle,
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create(
            'repo-y',
            'Repo Y',
            'noarch',
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(
            E_VARIABLE_CERT + E_VARIABLE_KEY,
            'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64'
            '/os/repodata/repomd.xml')
        request_xx = mock_environ(
            E_VARIABLE_CERT + E_VARIABLE_KEY,
            'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/i386'
            '/os/repodata/repomd.xml')
        request_y = mock_environ(
            E_VARIABLE_CERT + E_VARIABLE_KEY,
            'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64'
            '/os/repodata/repomd.xml')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_xx = oid_validation.authenticate(request_xx,
                                                  config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(response_x)
        self.assertTrue(response_y)
        self.assertTrue(response_xx)
예제 #9
0
    def __test_scenario_12(self):
        """
        Setup
        - Global auth enabled
        - Individual auth enabled on repo X
        - Both global and individual auth use the same CA
        - No client cert in request

        Expected
        - Denied for both repo X and Y
        - No exceptions thrown
        """

        # Setup
        global_bundle = {
            'ca': VALID_CA,
            'key': KEY,
            'cert': CERT,
        }
        self.auth_api.enable_global_repo_auth(global_bundle)

        repo_x_bundle = {
            'ca': VALID_CA,
            'key': KEY,
            'cert': CERT,
        }
        self.repo_api.create(
            'repo-x',
            'Repo X',
            'noarch',
            consumer_cert_data=repo_x_bundle,
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create(
            'repo-y',
            'Repo Y',
            'noarch',
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(
            '',
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(
            '',
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(not response_x)
        self.assertTrue(not response_y)
예제 #10
0
    def __test_scenario_9(self):
        """
        Setup
        - Global auth enabled
        - Individual auth enabled for repo X
        - Different CA certificates for global and repo X configurations
        - Client cert signed by global CA certificate
        - Client cert has entitlements for both repos

        Excepted
        - Denied for repo X, passes for repo Y
        """

        # Setup
        global_bundle = {
            'ca': VALID_CA,
            'key': KEY,
            'cert': CERT,
        }
        self.auth_api.enable_global_repo_auth(global_bundle)

        repo_x_bundle = {
            'ca': OTHER_CA,
            'key': KEY,
            'cert': CERT,
        }
        self.repo_api.create(
            'repo-x',
            'Repo X',
            'noarch',
            consumer_cert_data=repo_x_bundle,
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create(
            'repo-y',
            'Repo Y',
            'noarch',
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(
            E_FULL,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(
            E_FULL,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(not response_x)
        self.assertTrue(response_y)
예제 #11
0
    def __test_scenario_1(self):
        """
        Setup
        - Global auth disabled
        - Individual repo auth enabled for repo X
        - Client cert signed by repo X CA
        - Client cert has entitlements

        Expected
        - Permitted for both repos
        """

        # Setup
        self.auth_api.disable_global_repo_auth()

        repo_x_bundle = {
            'ca': VALID_CA,
            'key': KEY,
            'cert': CERT,
        }
        self.repo_api.create(
            'repo-x',
            'Repo X',
            'noarch',
            consumer_cert_data=repo_x_bundle,
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create(
            'repo-y',
            'Repo Y',
            'noarch',
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(
            E_FULL,
            'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(
            E_FULL,
            'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(response_x)
        self.assertTrue(response_y)
예제 #12
0
    def test_is_valid_verify_ssl_undefined(self, mock_read_bundle,
                                           mock_read_listings,
                                           validate_certificate_pem,
                                           _check_extensions):
        """
        Test is_valid when verify_ssl is undefined.
        """
        self.config.remove_option('main', 'verify_ssl')
        repo_x_bundle = {
            'ca': OTHER_CA,
            'key': KEY,
            'cert': CERT,
        }
        mock_read_listings.return_value = {
            '/pulp/pulp/fedora-14/x86_64': 'repo-x'
        }
        mock_read_bundle.return_value = repo_x_bundle
        request_x = mock_environ(
            E_FULL,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')

        valid = oid_validation.authenticate(request_x, config=self.config)

        # Make sure we didn't call into the cert validation code
        self.assertEqual(validate_certificate_pem.call_count, 1)
        # It should be other because we mocked validate_certificate_pem to return False
        self.assertEqual(valid, False)
        # _check_extensions shouldn't have been called
        self.assertEqual(_check_extensions.call_count, 0)
예제 #13
0
    def test_is_valid_verify_ssl_false(self, mock_read_bundle,
                                       mock_read_listings,
                                       validate_certificate_pem,
                                       _check_extensions):
        """
        Test is_valid when verify_ssl is false.
        """
        self.config.set('main', 'verify_ssl', 'false')
        repo_x_bundle = {
            'ca': OTHER_CA,
            'key': KEY,
            'cert': CERT,
        }
        mock_read_listings.return_value = {
            '/pulp/pulp/fedora-14/x86_64': 'repo-x'
        }
        mock_read_bundle.return_value = repo_x_bundle
        request_x = mock_environ(
            E_FULL,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')

        valid = oid_validation.authenticate(request_x, config=self.config)

        # Make sure we didn't call into the cert validation code
        self.assertEqual(validate_certificate_pem.call_count, 0)
        # It should be valid because we mocked _check_extensions to return True
        self.assertEqual(valid, True)
예제 #14
0
    def __test_scenario_6(self):
        """
        Setup
        - Global auth enabled
        - Individual auth disabled
        - Client cert signed by non-global CA
        - Client cert has entitlements for both repos

        Expected
        - Denied to both repo X and Y
        """

        # Setup
        global_bundle = {
            'ca': OTHER_CA,
            'key': KEY,
            'cert': CERT,
        }
        self.auth_api.enable_global_repo_auth(global_bundle)

        self.repo_api.create(
            'repo-x',
            'Repo X',
            'noarch',
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create(
            'repo-y',
            'Repo Y',
            'noarch',
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(
            E_FULL,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(
            E_FULL,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(not response_x)
        self.assertTrue(not response_y)
예제 #15
0
    def __test_scenario_14(self):
        """
        Setup
        - Global auth disabled
        - Individual repo auth enabled for repo X
        - Client cert signed by repo X CA
        - Client cert has an OID entitlement that ends with a yum variable.
          e.g., repos/pulp/pulp/fedora-14/$basearch/

        Expected
        - Permitted for both repos
        """

        # Setup
        self.auth_api.disable_global_repo_auth()

        repo_x_bundle = {'ca': OTHER_CA, 'key': OTHER_CA_KEY, 'cert': CERT, }
        self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create('repo-y', 'Repo Y', 'noarch',
                             feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(E_VARIABLE_CERT +
                                 E_VARIABLE_KEY,
                                 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64'
                                 '/os/repodata/repomd.xml')
        request_xx = mock_environ(E_VARIABLE_CERT +
                                  E_VARIABLE_KEY,
                                  'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/i386'
                                  '/os/repodata/repomd.xml')
        request_y = mock_environ(E_VARIABLE_CERT +
                                 E_VARIABLE_KEY,
                                 'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64'
                                 '/os/repodata/repomd.xml')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_xx = oid_validation.authenticate(request_xx, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(response_x)
        self.assertTrue(response_y)
        self.assertTrue(response_xx)
예제 #16
0
    def __test_scenario_13(self):
        repo_x_bundle = {
            'ca': OTHER_CA,
            'key': OTHER_CERT_KEY,
            'cert': OTHER_CERT,
        }
        self.repo_api.create(
            'repo-x',
            'Repo X',
            'noarch',
            consumer_cert_data=repo_x_bundle,
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
        self.repo_api.create(
            'repo-y',
            'Repo Y',
            'noarch',
            consumer_cert_data=repo_x_bundle,
            feed=
            'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')

        # Test
        request_x = mock_environ(
            E_WILDCARD,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/os')
        request_y = mock_environ(
            E_WILDCARD,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/os')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(response_x)
        self.assertTrue(response_y)

        # Try to hit something that should be denied
        request_z = mock_environ(
            E_WILDCARD,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64'
            '/mrg-g/2.0/os')
        response_z = oid_validation.authenticate(request_z, config=self.config)
        self.assertTrue(not response_z)
예제 #17
0
    def test_no_mod_ssl_vars(self):
        """
        Test that if 'mod_ssl.var_lookup' is missing, it is handled gracefully.
        """
        environ = mock_environ(E_FULL,
                               'https://localhost/some/repo/package.rpm')
        environ.pop('mod_ssl.var_lookup')

        self.assertFalse(oid_validation.authenticate(environ))
        environ['wsgi.errors'].write.assert_called_once_with(
            'Authentication failed; no client certificate provided in request.\n'
        )
예제 #18
0
    def test_scenario_3(self, mock_read_global_bundle, mock_read_bundle,
                        mock_read_listings):
        """
        Setup
        - Global auth disabled
        - Individual repo auth enabled for repo X
        - Client cert signed by repo Y CA
        - Client cert does not have entitlements for requested URL

        Expected
        - Permitted to repo X, denied from repo Y
        """
        mock_read_global_bundle.return_value = None

        repo_y_bundle = {
            'ca': VALID_CA,
            'key': KEY,
            'cert': CERT,
        }
        mock_read_listings.return_value = {
            '/pulp/pulp/fedora-13/x86_64': 'repo-x'
        }
        mock_read_bundle.return_value = repo_y_bundle

        # Test
        request_x = mock_environ(
            E_LIMITED,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(
            E_LIMITED,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(response_x)
        self.assertTrue(not response_y)
예제 #19
0
    def test_no_mod_ssl_vars(self):
        """
        Test that if 'mod_ssl.var_lookup' is missing, it is handled gracefully.
        """
        environ = mock_environ(
            E_FULL,
            'https://localhost/some/repo/package.rpm'
        )
        environ.pop('mod_ssl.var_lookup')

        self.assertFalse(oid_validation.authenticate(environ))
        environ['wsgi.errors'].write.assert_called_once_with(
            'Authentication failed; no client certificate provided in request.\n'
        )
예제 #20
0
    def test_scenario_2(self, mock_read_global_bundle, mock_read_bundle,
                        mock_read_listings):
        """
        Setup
        - Global auth disabled
        - Individual repo auth enabled for repo X
        - Client cert signed by different CA than repo X
        - Client cert has entitlements

        Expected
        - Denied to repo X, permitted for repo Y
        """
        mock_read_global_bundle.return_value = None
        repo_x_bundle = {
            'ca': OTHER_CA,
            'key': KEY,
            'cert': CERT,
        }
        mock_read_listings.return_value = {
            '/pulp/pulp/fedora-14/x86_64': 'repo-x'
        }
        mock_read_bundle.return_value = repo_x_bundle

        # Test
        request_x = mock_environ(
            E_FULL,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
        request_y = mock_environ(
            E_FULL,
            'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')

        response_x = oid_validation.authenticate(request_x, config=self.config)
        response_y = oid_validation.authenticate(request_y, config=self.config)

        # Verify
        self.assertTrue(not response_x)
        self.assertTrue(response_y)
예제 #21
0
    def test_ssl_client_cert_set(self, mock_oid_validation):
        """
        Test that if the client cert is in SSL_CLIENT_CERT, that certificate is used.

        It may be the case that 'SSL_CLIENT_CERT' is set in the 'environ' dictionary.
        It might also be the case that 'mod_ssl.var_lookup' is not set, and we should
        handle that case.
        """
        environ = mock_environ(E_FULL,
                               'https://localhost/some/repo/package.rpm')
        environ['SSL_CLIENT_CERT'] = E_FULL
        environ.pop('mod_ssl.var_lookup')
        mock_oid_validation.return_value.is_valid.return_value = True

        self.assertTrue(oid_validation.authenticate(environ))
        mock_oid_validation.return_value.is_valid.assert_called_once_with(
            '/some/repo/package.rpm', E_FULL, environ['wsgi.errors'].write)
예제 #22
0
    def test_is_valid_verify_ssl_false(self, mock_read_bundle, mock_read_listings,
                                       validate_certificate_pem, _check_extensions):
        """
        Test is_valid when verify_ssl is false.
        """
        self.config.set('main', 'verify_ssl', 'false')
        repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
        mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'}
        mock_read_bundle.return_value = repo_x_bundle
        request_x = mock_environ(E_FULL,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')

        valid = oid_validation.authenticate(request_x, config=self.config)

        # Make sure we didn't call into the cert validation code
        self.assertEqual(validate_certificate_pem.call_count, 0)
        # It should be valid because we mocked _check_extensions to return True
        self.assertEqual(valid, True)
예제 #23
0
    def test_ssl_client_cert_set(self, mock_oid_validation):
        """
        Test that if the client cert is in SSL_CLIENT_CERT, that certificate is used.

        It may be the case that 'SSL_CLIENT_CERT' is set in the 'environ' dictionary.
        It might also be the case that 'mod_ssl.var_lookup' is not set, and we should
        handle that case.
        """
        environ = mock_environ(
            E_FULL,
            'https://localhost/some/repo/package.rpm'
        )
        environ['SSL_CLIENT_CERT'] = E_FULL
        environ.pop('mod_ssl.var_lookup')
        mock_oid_validation.return_value.is_valid.return_value = True

        self.assertTrue(oid_validation.authenticate(environ))
        mock_oid_validation.return_value.is_valid.assert_called_once_with(
            '/some/repo/package.rpm', E_FULL, environ['wsgi.errors'].write)
예제 #24
0
    def test_is_valid_verify_ssl_undefined(self, mock_read_bundle, mock_read_listings,
                                           validate_certificate_pem, _check_extensions):
        """
        Test is_valid when verify_ssl is undefined.
        """
        self.config.remove_option('main', 'verify_ssl')
        repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
        mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'}
        mock_read_bundle.return_value = repo_x_bundle
        request_x = mock_environ(E_FULL,
                                 'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')

        valid = oid_validation.authenticate(request_x, config=self.config)

        # Make sure we didn't call into the cert validation code
        self.assertEqual(validate_certificate_pem.call_count, 1)
        # It should be other because we mocked validate_certificate_pem to return False
        self.assertEqual(valid, False)
        # _check_extensions shouldn't have been called
        self.assertEqual(_check_extensions.call_count, 0)
예제 #25
0
    def test_authenticate_loads_config(self, mock_validator, mock_config):
        environ = mock_environ(E_FULL, 'https://nowhere/path/to')

        oid_validation.authenticate(environ)

        mock_config.assert_called_once_with()
예제 #26
0
    def test_authenticate_loads_config(self, mock_validator, mock_config):
        environ = mock_environ(E_FULL, 'https://nowhere/path/to')

        oid_validation.authenticate(environ)

        mock_config.assert_called_once_with()