def test_ocsp_with_bogus_cache_files(tmpdir):
"""
Attempt to use bogus OCSP response data
"""
cache_file_name, target_hosts = _store_cache_in_file(tmpdir)
ocsp = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
OCSPCache.read_ocsp_response_cache_file(ocsp, cache_file_name)
cache_data = OCSPCache.CACHE
assert cache_data, "more than one cache entries should be stored."
# setting bogus data
current_time = int(time.time())
for k, v in cache_data.items():
cache_data[k] = (current_time, b'bogus')
# write back the cache file
OCSPCache.CACHE = cache_data
OCSPCache.write_ocsp_response_cache_file(ocsp, cache_file_name)
# forces to use the bogus cache file but it should raise errors
SnowflakeOCSP.clear_cache()
ocsp = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
for hostname in target_hosts:
connection = _openssl_connect(hostname)
assert ocsp.validate(hostname, connection), \
'Failed to validate: {0}'.format(hostname)
def test_ocsp_with_invalid_cache_file():
"""
OCSP tests with an invalid cache file
"""
SnowflakeOCSP.clear_cache() # reset the memory cache
ocsp = SFOCSP(ocsp_response_cache_uri="NEVER_EXISTS")
for url in TARGET_HOSTS[0:1]:
connection = _openssl_connect(url)
assert ocsp.validate(url, connection), \
'Failed to validate: {0}'.format(url)
def test_ocsp_wo_cache_server():
"""
OCSP Tests with Cache Server Disabled
"""
SnowflakeOCSP.clear_cache()
ocsp = SFOCSP(use_ocsp_cache_server=False)
for url in TARGET_HOSTS:
connection = _openssl_connect(url)
assert ocsp.validate(url, connection),\
'Failed to validate: {0}'.format(url)
def test_ocsp_by_post_method():
"""
OCSP tests
"""
# reset the memory cache
SnowflakeOCSP.clear_cache()
ocsp = SFOCSP(use_post_method=True)
for url in TARGET_HOSTS:
connection = _openssl_connect(url)
assert ocsp.validate(url, connection), \
'Failed to validate: {0}'.format(url)
def test_ocsp_single_endpoint():
environ['SF_OCSP_ACTIVATE_NEW_ENDPOINT'] = 'True'
SnowflakeOCSP.clear_cache()
ocsp = SFOCSP()
ocsp.OCSP_CACHE_SERVER.NEW_DEFAULT_CACHE_SERVER_BASE_URL = \
"https://snowflake.preprod2.us-west-2-dev.external-zone.snowflakecomputing.com:8085/ocsp/"
connection = _openssl_connect("snowflake.okta.com")
assert ocsp.validate("snowflake.okta.com", connection), \
'Failed to validate: {0}'.format("snowflake.okta.com")
del environ['SF_OCSP_ACTIVATE_NEW_ENDPOINT']
def test_ocsp_incomplete_chain():
"""
Test incomplete chained certificate
"""
incomplete_chain_cert = path.join(THIS_DIR, 'data', 'cert_tests',
'incomplete-chain.pem')
SnowflakeOCSP.clear_cache() # reset the memory cache
ocsp = SFOCSP()
with pytest.raises(OperationalError) as ex:
ocsp.validate_certfile(incomplete_chain_cert)
assert 'CA certificate is NOT found' in ex.value.msg
def test_ocsp_revoked_certificate():
"""
Test Revoked certificate.
"""
revoked_cert = path.join(THIS_DIR, 'data', 'cert_tests',
'revoked_certs.pem')
SnowflakeOCSP.clear_cache() # reset the memory cache
ocsp = SFOCSP()
with pytest.raises(OperationalError) as ex:
ocsp.validate_certfile(revoked_cert)
assert ex.value.errno == ex.value.errno == ER_SERVER_CERTIFICATE_REVOKED
def test_ocsp_with_file_cache(tmpdir):
"""
OCSP tests and the cache server and file
"""
tmp_dir = str(tmpdir.mkdir('ocsp_response_cache'))
cache_file_name = path.join(tmp_dir, 'cache_file.txt')
# reset the memory cache
SnowflakeOCSP.clear_cache()
ocsp = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
for url in TARGET_HOSTS:
connection = _openssl_connect(url)
assert ocsp.validate(url, connection), \
'Failed to validate: {0}'.format(url)
def test_ocsp_bad_validity():
SnowflakeOCSP.clear_cache()
environ["SF_OCSP_TEST_MODE"] = "true"
environ["SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY"] = "true"
OCSPCache.del_cache_file()
ocsp = SFOCSP(use_ocsp_cache_server=False)
connection = _openssl_connect("snowflake.okta.com")
assert ocsp.validate("snowflake.okta.com", connection), "Connection should have passed with fail open"
del environ['SF_OCSP_TEST_MODE']
del environ['SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY']
def _store_cache_in_file(tmpdir, target_hosts=None, filename=None):
if target_hosts is None:
target_hosts = TARGET_HOSTS
if filename is None:
filename = path.join(str(tmpdir), 'cache_file.txt')
# cache OCSP response
SnowflakeOCSP.clear_cache()
ocsp = SFOCSP(ocsp_response_cache_uri='file://' + filename,
use_ocsp_cache_server=False)
for hostname in target_hosts:
connection = _openssl_connect(hostname)
assert ocsp.validate(hostname, connection), \
'Failed to validate: {0}'.format(hostname)
assert path.exists(filename), "OCSP response cache file"
return filename, target_hosts
def _validate_certs_using_ocsp(url, cache_file_name):
"""
Validate OCSP response. Deleting memory cache and file cache randomly
"""
logger = logging.getLogger('test')
import time
import random
time.sleep(random.randint(0, 3))
if random.random() < 0.2:
logger.info('clearing up cache: OCSP_VALIDATION_CACHE')
SnowflakeOCSP.clear_cache()
if random.random() < 0.05:
logger.info('deleting a cache file: %s', cache_file_name)
SnowflakeOCSP.delete_cache_file()
connection = _openssl_connect(url)
ocsp = SFOCSP(ocsp_response_cache_uri='file://' + cache_file_name)
ocsp.validate(url, connection)
def test_ocsp_fail_open_w_single_endpoint():
SnowflakeOCSP.clear_cache()
OCSPCache.del_cache_file()
environ["SF_OCSP_TEST_MODE"] = "true"
environ["SF_TEST_OCSP_URL"] = "http://httpbin.org/delay/10"
environ["SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"] = "5"
ocsp = SFOCSP(use_ocsp_cache_server=False)
connection = _openssl_connect("snowflake.okta.com")
try:
assert ocsp.validate("snowflake.okta.com", connection), \
'Failed to validate: {0}'.format("snowflake.okta.com")
finally:
del environ['SF_OCSP_TEST_MODE']
del environ['SF_TEST_OCSP_URL']
del environ['SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT']
def test_ocsp_wo_cache_file():
"""
OCSP tests without File cache.
NOTE: Use /etc as a readonly directory such that no cache file is used.
"""
# reset the memory cache
SnowflakeOCSP.clear_cache()
OCSPCache.del_cache_file()
environ['SF_OCSP_RESPONSE_CACHE_DIR'] = '/etc'
OCSPCache.reset_cache_dir()
try:
ocsp = SFOCSP()
for url in TARGET_HOSTS:
connection = _openssl_connect(url)
assert ocsp.validate(url, connection), \
'Failed to validate: {0}'.format(url)
finally:
del environ['SF_OCSP_RESPONSE_CACHE_DIR']
OCSPCache.reset_cache_dir()
def test_ocsp_fail_close_w_single_endpoint():
SnowflakeOCSP.clear_cache()
environ["SF_OCSP_TEST_MODE"] = "true"
environ["SF_TEST_OCSP_URL"] = "http://httpbin.org/delay/10"
environ["SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"] = "5"
OCSPCache.del_cache_file()
ocsp = SFOCSP(use_ocsp_cache_server=False, use_fail_open=False)
connection = _openssl_connect("snowflake.okta.com")
with pytest.raises(RevocationCheckError) as ex:
ocsp.validate("snowflake.okta.com", connection)
try:
assert ex.value.errno == ER_INVALID_OCSP_RESPONSE_CODE, "Connection should have failed"
finally:
del environ['SF_OCSP_TEST_MODE']
del environ['SF_TEST_OCSP_URL']
del environ['SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT']
def test_wildcard_ocsp_bypass_ssd():
"""
Clean any skeletons of past tests
"""
_teardown_ssd_test_setup()
"""
Setup OCSP instance to use test keys
for authenticating SSD
"""
priv_key = _get_test_priv_key(1)
ts = int(time.time())
hostname = 'sfcsupport.us-east-1.snowflakecomputing.com'
tmp_dir = str(tempfile.gettempdir())
temp_ocsp_file_path = path.join(tmp_dir, "ocsp_cache_backup.json")
temp_ocsp_obj = SFOCSP()
cid = temp_ocsp_obj.encode_cert_id_base64(ret_wildcard_hkey())
ssd = _create_cert_spec_ocsp_bypass_token(priv_key, cid)
js_ssd = {}
with codecs.open(OCSP_RESPONSE_CACHE_URI,
"r",
encoding='utf-8',
errors='ignore') as f:
js = json.load(f)
js.update({cid: [ts, b64encode(ssd).decode('ascii')]})
with codecs.open(temp_ocsp_file_path,
"w",
encoding='utf-8',
errors='ignore') as f_ssd:
json.dump(js_ssd, f_ssd)
ocsp = _setup_ssd_test(temp_ocsp_file_path)
connection = _openssl_connect(hostname)
assert (ocsp.validate(hostname, connection),
"Failed to validate {} using Wildcard OCSP Bypass SSD".format(
hostname))
