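def test_preloaded(self):
    """Hosts on the bundled HPKP preload list score ``hpkp-preloaded``.

    The same request fixture is re-pointed at three URLs: the preloaded
    host itself, a subdomain of it (the entry carries ``includeSubDomains``),
    and a subdomain of an entry preloaded with
    ``include_subdomains_for_pinning``.  Every case must report
    ``includeSubDomains``, ``preloaded`` and ``pass`` as true.

    NOTE(review): the outcome depends on the preload-list snapshot shipped
    with the scanner; an updated list can change these expectations.
    """
    cases = (
        # apis.google.com has regular includeSubDomains
        'https://apis.google.com/',
        'https://foo.apis.google.com',
        # Dropbox Static uses include_subdomains_for_pinning
        'https://foo.dropboxstatic.com/',
    )
    for url in cases:
        self.reqs['responses']['https'].url = url
        result = public_key_pinning(self.reqs)
        # Pass the URL as the message so a failure names the offending case.
        self.assertEqual('hpkp-preloaded', result['result'], url)
        self.assertTrue(result['includeSubDomains'], url)
        self.assertTrue(result['pass'], url)
        self.assertTrue(result['preloaded'], url)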
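def test_header_invalid(self):
    """A malformed Public-Key-Pins header scores ``hpkp-header-invalid``.

    Three malformed headers are tried in turn; each must fail and report
    the parsed ``numPins`` / ``max-age`` so callers can see *why* the
    header was rejected.
    """
    headers = self.reqs['responses']['https'].headers

    # No pins at all: directives only, so nothing can be pinned.
    headers['Public-Key-Pins'] = 'max-age=15768000; includeSubDomains; preload'
    result = public_key_pinning(self.reqs)
    self.assertEqual('hpkp-header-invalid', result['result'])
    self.assertEqual(0, result['numPins'])
    self.assertFalse(result['pass'])

    # No max-age: two pins but no lifetime, so the policy cannot be cached.
    headers['Public-Key-Pins'] = (
        'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
        'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
        'report-uri="http://example.com/pkp-report"')
    result = public_key_pinning(self.reqs)
    self.assertEqual('hpkp-header-invalid', result['result'])
    self.assertIsNone(result['max-age'])
    self.assertEqual(2, result['numPins'])
    self.assertFalse(result['pass'])

    # Not enough pins: a single pin leaves no backup pin, so it is rejected.
    headers['Public-Key-Pins'] = (
        'max-age=15768000; '
        'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
        'report-uri="http://example.com/pkp-report"')
    result = public_key_pinning(self.reqs)
    self.assertEqual('hpkp-header-invalid', result['result'])
    self.assertEqual(15768000, result['max-age'])
    self.assertEqual(1, result['numPins'])
    self.assertFalse(result['pass'])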
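def test_no_https(self):
    """Without an HTTPS response the result is ``hpkp-not-implemented-no-https``.

    A Public-Key-Pins header is deliberately planted on the ``auto`` and
    ``http`` responses: pins delivered over an insecure transport must be
    ignored, so they must neither be parsed nor change the verdict.  The
    case still passes because HPKP is optional.
    """
    insecure_header = 'max-age=15768000'
    for key in ('auto', 'http'):
        self.reqs['responses'][key].headers['Public-Key-Pins'] = insecure_header
    # Simulate a site that could not be reached over HTTPS at all.
    self.reqs['responses']['https'] = None

    result = public_key_pinning(self.reqs)
    self.assertEqual('hpkp-not-implemented-no-https', result['result'])
    self.assertTrue(result['pass'])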
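def test_max_age_too_low(self):
    """A valid header with a one-day max-age is graded as too short-lived.

    Two pins, a report-uri and ``max-age=86400`` are syntactically fine,
    so the check still passes, but the result name flags the lifetime as
    below the fifteen-day threshold.
    """
    self.reqs['responses']['https'].headers['Public-Key-Pins'] = (
        'max-age=86400; '
        'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
        'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
        'report-uri="http://example.com/pkp-report"')

    result = public_key_pinning(self.reqs)
    self.assertEqual('hpkp-implemented-max-age-less-than-fifteen-days', result['result'])
    self.assertTrue(result['pass'])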
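def test_invalid_cert(self):
    """A well-formed header on an unverified certificate scores ``hpkp-invalid-cert``.

    The header itself would otherwise be a full pass (two pins,
    includeSubDomains, long max-age, report-uri); only the ``verified``
    flag on the HTTPS response is flipped to False.  Browsers do not honour
    pins from a connection whose chain fails validation, so the scanner
    reports it separately while still passing the optional check.
    """
    https = self.reqs['responses']['https']
    https.headers['Public-Key-Pins'] = (
        'max-age=15768000; '
        'includeSubDomains; '
        'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
        'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
        'report-uri="http://example.com/pkp-report"')
    # The only thing distinguishing this from test_implemented.
    https.verified = False

    result = public_key_pinning(self.reqs)
    self.assertEqual('hpkp-invalid-cert', result['result'])
    self.assertTrue(result['pass'])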
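def test_implemented(self):
    """A complete, long-lived header gets the best ``hpkp-implemented-*`` grade.

    Two pins, ``includeSubDomains``, a half-year ``max-age`` and a
    report-uri over a verified HTTPS response must yield
    ``hpkp-implemented-max-age-at-least-fifteen-days`` and echo the parsed
    max-age and includeSubDomains values.
    """
    expected_max_age = 15768000
    self.reqs['responses']['https'].headers['Public-Key-Pins'] = (
        'max-age=15768000; '
        'includeSubDomains; '
        'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
        'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
        'report-uri="http://example.com/pkp-report"')

    result = public_key_pinning(self.reqs)
    self.assertEqual('hpkp-implemented-max-age-at-least-fifteen-days', result['result'])
    self.assertEqual(expected_max_age, result['max-age'])
    self.assertTrue(result['includeSubDomains'])
    self.assertTrue(result['pass'])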
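def test_missing(self):
    """With no Public-Key-Pins header at all the result is ``hpkp-not-implemented``.

    Uses the fixture untouched; HPKP is optional, so the check still passes.
    """
    result = public_key_pinning(self.reqs)
    self.assertEqual('hpkp-not-implemented', result['result'])
    self.assertTrue(result['pass'])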