def test_ocsp_with_bogus_cache_files(tmpdir):
    """Validate hosts after every file-cache entry has been replaced with junk.

    ``_store_cache_in_file`` first fills a cache file, then each entry's
    payload is overwritten with ``b'bogus'`` (keeping the key and using the
    current time as the timestamp) and the file is written back. A fresh
    SFOCSP reading that file must not trust the corrupted entries: ``validate``
    is still expected to succeed for every target host (presumably by
    discarding the entries and fetching fresh responses -- confirm against the
    cache implementation).
    """
    cache_file_name, target_hosts = _store_cache_in_file(tmpdir)
    cache_uri = 'file://' + cache_file_name

    ocsp = SFOCSP(ocsp_response_cache_uri=cache_uri)
    OCSPCache.read_ocsp_response_cache_file(ocsp, cache_file_name)
    cache_data = OCSPCache.CACHE
    assert cache_data, "more than one cache entries should be stored."

    # Corrupt every payload in place; the key set is unchanged.
    now = int(time.time())
    for cert_id in list(cache_data):
        cache_data[cert_id] = (now, b'bogus')
    OCSPCache.CACHE = cache_data
    OCSPCache.write_ocsp_response_cache_file(ocsp, cache_file_name)

    # Empty the memory cache so the corrupted file is the only cached source.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP(ocsp_response_cache_uri=cache_uri)
    for hostname in target_hosts:
        connection = _openssl_connect(hostname)
        assert ocsp.validate(hostname, connection), \
            'Failed to validate: {0}'.format(hostname)
def test_ocsp_with_invalid_cache_file():
    """Validate with a cache URI that does not resolve to any file.

    A missing cache file must not break validation. Only the first entry of
    ``TARGET_HOSTS`` is checked.
    """
    # Start from an empty memory cache.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP(ocsp_response_cache_uri="NEVER_EXISTS")
    for url in TARGET_HOSTS[:1]:
        validated = ocsp.validate(url, _openssl_connect(url))
        assert validated, 'Failed to validate: {0}'.format(url)
def test_ocsp_wo_cache_server():
    """Validate every target host with the OCSP cache server disabled."""
    # Start from an empty memory cache.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP(use_ocsp_cache_server=False)
    for url in TARGET_HOSTS:
        validated = ocsp.validate(url, _openssl_connect(url))
        assert validated, 'Failed to validate: {0}'.format(url)
def test_ocsp_by_post_method():
    """Validate every target host with ``use_post_method=True``."""
    # Start from an empty memory cache.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP(use_post_method=True)
    for url in TARGET_HOSTS:
        connection = _openssl_connect(url)
        validated = ocsp.validate(url, connection)
        assert validated, 'Failed to validate: {0}'.format(url)
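def test_ocsp_single_endpoint():
    """Validate ``snowflake.okta.com`` against the new single cache-server endpoint.

    Enables the endpoint through ``SF_OCSP_ACTIVATE_NEW_ENDPOINT`` and points
    the cache server base URL at the preprod host. Both pieces of
    process-global state are restored in ``finally``; previously a failing
    assertion left the environment variable set (and the base URL overridden)
    for every later test in the process.
    """
    hostname = "snowflake.okta.com"
    environ['SF_OCSP_ACTIVATE_NEW_ENDPOINT'] = 'True'
    cache_server = None
    saved_base_url = None
    try:
        SnowflakeOCSP.clear_cache()
        ocsp = SFOCSP()
        cache_server = ocsp.OCSP_CACHE_SERVER
        # NOTE(review): this looks like shared (class-level) state, so the
        # previous value is kept and put back once the test is done.
        saved_base_url = cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL
        cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL = \
            "https://snowflake.preprod2.us-west-2-dev.external-zone.snowflakecomputing.com:8085/ocsp/"
        connection = _openssl_connect(hostname)
        assert ocsp.validate(hostname, connection), \
            'Failed to validate: {0}'.format(hostname)
    finally:
        if cache_server is not None:
            cache_server.NEW_DEFAULT_CACHE_SERVER_BASE_URL = saved_base_url
        del environ['SF_OCSP_ACTIVATE_NEW_ENDPOINT']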
def test_ocsp_incomplete_chain():
    """A certificate file with an incomplete chain must be rejected.

    ``validate_certfile`` is expected to raise ``OperationalError`` whose
    message mentions that the CA certificate is not found.
    """
    incomplete_chain_cert = path.join(
        THIS_DIR, 'data', 'cert_tests', 'incomplete-chain.pem')
    # Start from an empty memory cache.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP()
    with pytest.raises(OperationalError) as ex:
        ocsp.validate_certfile(incomplete_chain_cert)
    message = ex.value.msg
    assert 'CA certificate is NOT found' in message
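def test_ocsp_revoked_certificate():
    """A revoked certificate must fail with ``ER_SERVER_CERTIFICATE_REVOKED``.

    ``validate_certfile`` on ``revoked_certs.pem`` is expected to raise
    ``OperationalError`` carrying that errno. The previous assertion compared
    ``errno`` with itself before comparing it with the constant; the redundant
    self-comparison is dropped.
    """
    revoked_cert = path.join(THIS_DIR, 'data', 'cert_tests', 'revoked_certs.pem')
    # Start from an empty memory cache.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP()
    with pytest.raises(OperationalError) as ex:
        ocsp.validate_certfile(revoked_cert)
    assert ex.value.errno == ER_SERVER_CERTIFICATE_REVOKED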
def test_ocsp_with_file_cache(tmpdir):
    """Validate every target host with a file cache under ``tmpdir``.

    The cache server stays enabled; the cache file lives in a fresh
    ``ocsp_response_cache`` subdirectory of ``tmpdir``.
    """
    cache_dir = str(tmpdir.mkdir('ocsp_response_cache'))
    cache_file_name = path.join(cache_dir, 'cache_file.txt')

    # Start from an empty memory cache.
    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
    for url in TARGET_HOSTS:
        validated = ocsp.validate(url, _openssl_connect(url))
        assert validated, 'Failed to validate: {0}'.format(url)
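def test_ocsp_bad_validity():
    """Fail-open check: a response with a bad validity window must not block the connection.

    ``SF_OCSP_TEST_MODE`` and ``SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY``
    presumably force the responder path to yield a response with a bad
    validity period; with the default (fail-open) policy ``validate`` is still
    expected to return a truthy result. Both variables are removed in
    ``finally`` -- previously a failing assertion left the forced-bad-validity
    mode switched on for every later test in the process.
    """
    hostname = "snowflake.okta.com"
    SnowflakeOCSP.clear_cache()
    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY"] = "true"
    try:
        OCSPCache.del_cache_file()
        ocsp = SFOCSP(use_ocsp_cache_server=False)
        connection = _openssl_connect(hostname)
        assert ocsp.validate(hostname, connection), \
            "Connection should have passed with fail open"
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY']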
def _store_cache_in_file(tmpdir, target_hosts=None, filename=None):
    """Fill an OCSP response cache file by validating ``target_hosts``.

    Args:
        tmpdir: directory in which the default cache file is created.
        target_hosts: hosts to validate; defaults to ``TARGET_HOSTS``.
        filename: cache file path; defaults to ``<tmpdir>/cache_file.txt``.

    Returns:
        ``(filename, target_hosts)`` as actually used.

    The memory cache is cleared first and the cache server is disabled
    (``use_ocsp_cache_server=False``). Asserts that every host validates and
    that the cache file exists afterwards.
    """
    hosts = TARGET_HOSTS if target_hosts is None else target_hosts
    if filename is None:
        cache_file = path.join(str(tmpdir), 'cache_file.txt')
    else:
        cache_file = filename

    SnowflakeOCSP.clear_cache()
    ocsp = SFOCSP(ocsp_response_cache_uri='file://' + cache_file,
                  use_ocsp_cache_server=False)
    for hostname in hosts:
        validated = ocsp.validate(hostname, _openssl_connect(hostname))
        assert validated, 'Failed to validate: {0}'.format(hostname)

    assert path.exists(cache_file), "OCSP response cache file"
    return cache_file, hosts
def _validate_certs_using_ocsp(url, cache_file_name):
    """Validate ``url`` through OCSP while randomly disturbing the caches.

    Sleeps 0-3 seconds, then with probability 0.2 clears the memory cache and
    with probability 0.05 deletes the cache file, before building a fresh
    SFOCSP bound to ``cache_file_name`` and validating the host. Looks intended
    as a worker body for concurrent cache-contention runs.

    NOTE(review): the result of ``validate`` is discarded, so a falsy result
    is not reported by this helper -- only exceptions propagate. Confirm with
    the callers that this is intended.
    """
    import random
    import time

    logger = logging.getLogger('test')
    time.sleep(random.randint(0, 3))

    if random.random() < 0.2:
        logger.info('clearing up cache: OCSP_VALIDATION_CACHE')
        SnowflakeOCSP.clear_cache()
    if random.random() < 0.05:
        logger.info('deleting a cache file: %s', cache_file_name)
        SnowflakeOCSP.delete_cache_file()

    connection = _openssl_connect(url)
    cache_uri = 'file://' + cache_file_name
    ocsp = SFOCSP(ocsp_response_cache_uri=cache_uri)
    ocsp.validate(url, connection)
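def test_ocsp_fail_open_w_single_endpoint():
    """Fail-open check against a responder that does not answer within the timeout.

    The test-mode variables redirect OCSP requests to a URL that, per its
    path, delays 10 seconds, with a 5-second connection timeout, so the
    responder request times out. With the default fail-open policy
    ``validate`` is still expected to succeed. The SFOCSP construction and the
    TLS connection now run inside the ``try`` as well, so the variables are
    removed even when one of those steps raises.
    """
    hostname = "snowflake.okta.com"
    SnowflakeOCSP.clear_cache()
    OCSPCache.del_cache_file()
    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_URL"] = "http://httpbin.org/delay/10"
    environ["SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"] = "5"
    try:
        ocsp = SFOCSP(use_ocsp_cache_server=False)
        connection = _openssl_connect(hostname)
        assert ocsp.validate(hostname, connection), \
            'Failed to validate: {0}'.format(hostname)
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_URL']
        del environ['SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT']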
def test_ocsp_wo_cache_file():
    """Validate every target host with no usable cache file.

    ``SF_OCSP_RESPONSE_CACHE_DIR`` is pointed at ``/etc`` (read-only for a
    normal user) so that no cache file can be written; the cache directory is
    reset before and after, and the variable is removed in ``finally``.
    """
    # Start from an empty memory cache and no cache file.
    SnowflakeOCSP.clear_cache()
    OCSPCache.del_cache_file()

    environ['SF_OCSP_RESPONSE_CACHE_DIR'] = '/etc'
    OCSPCache.reset_cache_dir()
    try:
        ocsp = SFOCSP()
        for url in TARGET_HOSTS:
            validated = ocsp.validate(url, _openssl_connect(url))
            assert validated, 'Failed to validate: {0}'.format(url)
    finally:
        del environ['SF_OCSP_RESPONSE_CACHE_DIR']
        OCSPCache.reset_cache_dir()
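def test_ocsp_fail_close_w_single_endpoint():
    """Fail-close check: a responder timeout must raise when fail-open is disabled.

    With ``use_fail_open=False`` and the responder redirected to a URL that,
    per its path, delays 10 seconds against a 5-second connection timeout,
    ``validate`` must raise ``RevocationCheckError`` with
    ``ER_INVALID_OCSP_RESPONSE_CODE``. The ``pytest.raises`` context is now
    inside the ``try``: previously, if ``validate`` did not raise, the test
    failed but left the three test-mode variables set for later tests.
    """
    hostname = "snowflake.okta.com"
    SnowflakeOCSP.clear_cache()
    environ["SF_OCSP_TEST_MODE"] = "true"
    environ["SF_TEST_OCSP_URL"] = "http://httpbin.org/delay/10"
    environ["SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"] = "5"
    try:
        OCSPCache.del_cache_file()
        ocsp = SFOCSP(use_ocsp_cache_server=False, use_fail_open=False)
        connection = _openssl_connect(hostname)
        with pytest.raises(RevocationCheckError) as ex:
            ocsp.validate(hostname, connection)
        assert ex.value.errno == ER_INVALID_OCSP_RESPONSE_CODE, \
            "Connection should have failed"
    finally:
        del environ['SF_OCSP_TEST_MODE']
        del environ['SF_TEST_OCSP_URL']
        del environ['SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT']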
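def test_wildcard_ocsp_bypass_ssd():
    """Validate a host whose wildcard cert id carries a signed OCSP-bypass SSD.

    Leftovers from earlier SSD tests are removed first. A bypass token for the
    wildcard cert id is signed with test private key 1, merged into the cache
    contents read from ``OCSP_RESPONSE_CACHE_URI`` and written to a temporary
    cache file that ``_setup_ssd_test`` configures the OCSP instance to use.
    The host is then expected to validate.
    """
    # Clean any skeletons of past tests.
    _teardown_ssd_test_setup()

    # Set up the OCSP instance to use test keys for authenticating the SSD.
    priv_key = _get_test_priv_key(1)
    ts = int(time.time())
    hostname = 'sfcsupport.us-east-1.snowflakecomputing.com'
    temp_ocsp_file_path = path.join(tempfile.gettempdir(), "ocsp_cache_backup.json")

    temp_ocsp_obj = SFOCSP()
    cid = temp_ocsp_obj.encode_cert_id_base64(ret_wildcard_hkey())
    ssd = _create_cert_spec_ocsp_bypass_token(priv_key, cid)

    # Assumes OCSP_RESPONSE_CACHE_URI is a plain file path, as the original did.
    with codecs.open(OCSP_RESPONSE_CACHE_URI, "r", encoding='utf-8', errors='ignore') as f:
        js = json.load(f)
    js[cid] = [ts, b64encode(ssd).decode('ascii')]
    # Write the merged contents. The previous version dumped an unrelated
    # empty dict here, so the SSD entry never reached the OCSP instance.
    # NOTE(review): if an SSD-only cache file was intended instead, dump
    # {cid: js[cid]} rather than the merged dict.
    with codecs.open(temp_ocsp_file_path, "w", encoding='utf-8', errors='ignore') as f_ssd:
        json.dump(js, f_ssd)

    ocsp = _setup_ssd_test(temp_ocsp_file_path)
    connection = _openssl_connect(hostname)
    # The previous assert wrapped condition and message in a tuple, which is
    # always truthy, so the bypass path was never actually checked.
    assert ocsp.validate(hostname, connection), \
        "Failed to validate {} using Wildcard OCSP Bypass SSD".format(hostname)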