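    def test_preloaded(self):
        """Hosts on the HPKP preload list are reported as ``hpkp-preloaded``.

        Only the URL of the HTTPS response is changed here; the expected
        ``preloaded`` / ``includeSubDomains`` flags therefore have to come
        from the preload list rather than from a Public-Key-Pins header.
        Each URL is run as a sub-test so a failure names the host involved.
        """
        preloaded_urls = (
            # apis.google.com has regular includeSubDomains
            'https://apis.google.com/',
            # a subdomain of a preloaded host must inherit the pinning entry
            'https://foo.apis.google.com',
            # Dropbox Static uses include_subdomains_for_pinning
            'https://foo.dropboxstatic.com/',
        )

        for url in preloaded_urls:
            with self.subTest(url=url):
                self.reqs['responses']['https'].url = url

                result = public_key_pinning(self.reqs)

                # assertEquals is a deprecated alias (removed in Python 3.12)
                self.assertEqual('hpkp-preloaded', result['result'])
                self.assertTrue(result['includeSubDomains'])
                self.assertTrue(result['pass'])
                self.assertTrue(result['preloaded'])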
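    def test_preloaded(self):
        """Hosts on the HPKP preload list are reported as ``hpkp-preloaded``.

        Only the URL of the HTTPS response is changed here; the expected
        ``preloaded`` / ``includeSubDomains`` flags therefore have to come
        from the preload list rather than from a Public-Key-Pins header.
        Each URL is run as a sub-test so a failure names the host involved.
        """
        preloaded_urls = (
            # apis.google.com has regular includeSubDomains
            'https://apis.google.com/',
            # a subdomain of a preloaded host must inherit the pinning entry
            'https://foo.apis.google.com',
            # Dropbox Static uses include_subdomains_for_pinning
            'https://foo.dropboxstatic.com/',
        )

        for url in preloaded_urls:
            with self.subTest(url=url):
                self.reqs['responses']['https'].url = url

                result = public_key_pinning(self.reqs)

                # assertEquals is a deprecated alias (removed in Python 3.12)
                self.assertEqual('hpkp-preloaded', result['result'])
                self.assertTrue(result['includeSubDomains'])
                self.assertTrue(result['pass'])
                self.assertTrue(result['preloaded'])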
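    def test_header_invalid(self):
        """Malformed Public-Key-Pins headers score ``hpkp-header-invalid`` and fail.

        Three distinct ways of getting the header wrong are checked, each as
        its own sub-test: no ``pin-sha256`` directives at all, no ``max-age``,
        and only a single pin (the RFC requires a backup pin as well).  The
        parsed ``max-age`` / ``numPins`` values are asserted too, so a parser
        regression is caught even when the overall verdict stays the same.
        """
        https = self.reqs['responses']['https']

        # No pins
        with self.subTest(case='no pins'):
            https.headers['Public-Key-Pins'] = (
                'max-age=15768000; includeSubDomains; preload')

            result = public_key_pinning(self.reqs)

            # assertEquals is a deprecated alias (removed in Python 3.12)
            self.assertEqual('hpkp-header-invalid', result['result'])
            self.assertEqual(0, result['numPins'])
            self.assertFalse(result['pass'])

        # No max-age
        with self.subTest(case='no max-age'):
            https.headers['Public-Key-Pins'] = (
                'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
                'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
                'report-uri="http://example.com/pkp-report"')

            result = public_key_pinning(self.reqs)

            self.assertEqual('hpkp-header-invalid', result['result'])
            self.assertIsNone(result['max-age'])
            self.assertEqual(2, result['numPins'])
            self.assertFalse(result['pass'])

        # Not enough pins
        with self.subTest(case='single pin'):
            https.headers['Public-Key-Pins'] = (
                'max-age=15768000; '
                'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
                'report-uri="http://example.com/pkp-report"')

            result = public_key_pinning(self.reqs)

            self.assertEqual('hpkp-header-invalid', result['result'])
            self.assertEqual(15768000, result['max-age'])
            self.assertEqual(1, result['numPins'])
            self.assertFalse(result['pass'])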
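    def test_header_invalid(self):
        """Malformed Public-Key-Pins headers score ``hpkp-header-invalid`` and fail.

        Three distinct ways of getting the header wrong are checked, each as
        its own sub-test: no ``pin-sha256`` directives at all, no ``max-age``,
        and only a single pin (the RFC requires a backup pin as well).  The
        parsed ``max-age`` / ``numPins`` values are asserted too, so a parser
        regression is caught even when the overall verdict stays the same.
        """
        https = self.reqs['responses']['https']

        # No pins
        with self.subTest(case='no pins'):
            https.headers['Public-Key-Pins'] = (
                'max-age=15768000; includeSubDomains; preload')

            result = public_key_pinning(self.reqs)

            # assertEquals is a deprecated alias (removed in Python 3.12)
            self.assertEqual('hpkp-header-invalid', result['result'])
            self.assertEqual(0, result['numPins'])
            self.assertFalse(result['pass'])

        # No max-age
        with self.subTest(case='no max-age'):
            https.headers['Public-Key-Pins'] = (
                'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
                'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
                'report-uri="http://example.com/pkp-report"')

            result = public_key_pinning(self.reqs)

            self.assertEqual('hpkp-header-invalid', result['result'])
            self.assertIsNone(result['max-age'])
            self.assertEqual(2, result['numPins'])
            self.assertFalse(result['pass'])

        # Not enough pins
        with self.subTest(case='single pin'):
            https.headers['Public-Key-Pins'] = (
                'max-age=15768000; '
                'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
                'report-uri="http://example.com/pkp-report"')

            result = public_key_pinning(self.reqs)

            self.assertEqual('hpkp-header-invalid', result['result'])
            self.assertEqual(15768000, result['max-age'])
            self.assertEqual(1, result['numPins'])
            self.assertFalse(result['pass'])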
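    def test_no_https(self):
        """Without an HTTPS response the check reports ``hpkp-not-implemented-no-https``.

        A Public-Key-Pins header is deliberately planted on the ``auto`` and
        ``http`` responses so the test also proves that pins served over plain
        HTTP are ignored: HPKP is only meaningful on a TLS connection.
        """
        self.reqs['responses']['auto'].headers['Public-Key-Pins'] = 'max-age=15768000'
        self.reqs['responses']['http'].headers['Public-Key-Pins'] = 'max-age=15768000'
        # simulate a site that could not be reached over HTTPS at all
        self.reqs['responses']['https'] = None

        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12)
        self.assertEqual('hpkp-not-implemented-no-https', result['result'])
        self.assertTrue(result['pass'])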
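    def test_no_https(self):
        """Without an HTTPS response the check reports ``hpkp-not-implemented-no-https``.

        A Public-Key-Pins header is deliberately planted on the ``auto`` and
        ``http`` responses so the test also proves that pins served over plain
        HTTP are ignored: HPKP is only meaningful on a TLS connection.
        """
        self.reqs['responses']['auto'].headers['Public-Key-Pins'] = 'max-age=15768000'
        self.reqs['responses']['http'].headers['Public-Key-Pins'] = 'max-age=15768000'
        # simulate a site that could not be reached over HTTPS at all
        self.reqs['responses']['https'] = None

        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12)
        self.assertEqual('hpkp-not-implemented-no-https', result['result'])
        self.assertTrue(result['pass'])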
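    def test_max_age_too_low(self):
        """A short ``max-age`` is flagged but still passes.

        The header is otherwise well formed (two pins, report-uri), only the
        ``max-age`` of one day is below the fifteen-day threshold the check
        uses, so the result names that and ``pass`` stays true.
        """
        self.reqs['responses']['https'].headers['Public-Key-Pins'] = (
            'max-age=86400; '  # one day, well under fifteen days
            'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
            'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
            'report-uri="http://example.com/pkp-report"')

        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12)
        self.assertEqual('hpkp-implemented-max-age-less-than-fifteen-days', result['result'])
        self.assertTrue(result['pass'])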
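    def test_max_age_too_low(self):
        """A short ``max-age`` is flagged but still passes.

        The header is otherwise well formed (two pins, report-uri), only the
        ``max-age`` of one day is below the fifteen-day threshold the check
        uses, so the result names that and ``pass`` stays true.
        """
        self.reqs['responses']['https'].headers['Public-Key-Pins'] = (
            'max-age=86400; '  # one day, well under fifteen days
            'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
            'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
            'report-uri="http://example.com/pkp-report"')

        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12)
        self.assertEqual('hpkp-implemented-max-age-less-than-fifteen-days', result['result'])
        self.assertTrue(result['pass'])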
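    def test_invalid_cert(self):
        """A fully valid HPKP header on an unverified certificate scores ``hpkp-invalid-cert``.

        The header itself would otherwise be the best-case configuration
        (long max-age, includeSubDomains, two pins); only ``verified`` is
        cleared on the HTTPS response.  Browsers discard pins received over
        a connection whose chain does not validate, so the check must not
        credit the header.  The result still passes.
        """
        self.reqs['responses']['https'].headers['Public-Key-Pins'] = (
            'max-age=15768000; '
            'includeSubDomains; '
            'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
            'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
            'report-uri="http://example.com/pkp-report"')
        # the certificate chain failed validation
        self.reqs['responses']['https'].verified = False

        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12)
        self.assertEqual('hpkp-invalid-cert', result['result'])
        self.assertTrue(result['pass'])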
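    def test_invalid_cert(self):
        """A fully valid HPKP header on an unverified certificate scores ``hpkp-invalid-cert``.

        The header itself would otherwise be the best-case configuration
        (long max-age, includeSubDomains, two pins); only ``verified`` is
        cleared on the HTTPS response.  Browsers discard pins received over
        a connection whose chain does not validate, so the check must not
        credit the header.  The result still passes.
        """
        self.reqs['responses']['https'].headers['Public-Key-Pins'] = (
            'max-age=15768000; '
            'includeSubDomains; '
            'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
            'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
            'report-uri="http://example.com/pkp-report"')
        # the certificate chain failed validation
        self.reqs['responses']['https'].verified = False

        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12)
        self.assertEqual('hpkp-invalid-cert', result['result'])
        self.assertTrue(result['pass'])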
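    def test_implemented(self):
        """A well-formed header with a long ``max-age`` is the best-case result.

        Two pins, ``includeSubDomains`` and a ``max-age`` of 15768000 seconds
        must yield ``hpkp-implemented-max-age-at-least-fifteen-days`` with the
        parsed ``max-age`` and ``includeSubDomains`` echoed back and
        ``pass`` true.
        """
        self.reqs['responses']['https'].headers['Public-Key-Pins'] = (
            'max-age=15768000; '
            'includeSubDomains; '
            'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
            'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
            'report-uri="http://example.com/pkp-report"')

        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12);
        # the original also asserted max-age twice, the duplicate is dropped
        self.assertEqual('hpkp-implemented-max-age-at-least-fifteen-days', result['result'])
        self.assertEqual(15768000, result['max-age'])
        self.assertTrue(result['includeSubDomains'])
        self.assertTrue(result['pass'])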
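    def test_implemented(self):
        """A well-formed header with a long ``max-age`` is the best-case result.

        Two pins, ``includeSubDomains`` and a ``max-age`` of 15768000 seconds
        must yield ``hpkp-implemented-max-age-at-least-fifteen-days`` with the
        parsed ``max-age`` and ``includeSubDomains`` echoed back and
        ``pass`` true.
        """
        self.reqs['responses']['https'].headers['Public-Key-Pins'] = (
            'max-age=15768000; '
            'includeSubDomains; '
            'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; '
            'pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; '
            'report-uri="http://example.com/pkp-report"')

        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12);
        # the original also asserted max-age twice, the duplicate is dropped
        self.assertEqual('hpkp-implemented-max-age-at-least-fifteen-days', result['result'])
        self.assertEqual(15768000, result['max-age'])
        self.assertTrue(result['includeSubDomains'])
        self.assertTrue(result['pass'])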
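    def test_missing(self):
        """With no Public-Key-Pins header at all the check reports ``hpkp-not-implemented``.

        Nothing is changed on ``self.reqs``; whatever the fixture provides by
        default is scanned as-is, and the absence of HPKP is not a failure.
        """
        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12)
        self.assertEqual('hpkp-not-implemented', result['result'])
        self.assertTrue(result['pass'])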
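    def test_missing(self):
        """With no Public-Key-Pins header at all the check reports ``hpkp-not-implemented``.

        Nothing is changed on ``self.reqs``; whatever the fixture provides by
        default is scanned as-is, and the absence of HPKP is not a failure.
        """
        result = public_key_pinning(self.reqs)

        # assertEquals is a deprecated alias (removed in Python 3.12)
        self.assertEqual('hpkp-not-implemented', result['result'])
        self.assertTrue(result['pass'])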