def test_scenario_2(self, mock_read_global_bundle, mock_read_bundle, mock_read_listings):
"""
Setup
- Global auth disabled
- Individual repo auth enabled for repo X
- Client cert signed by different CA than repo X
- Client cert has entitlements
Expected
- Denied to repo X, permitted for repo Y
"""
mock_read_global_bundle.return_value = None
repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'}
mock_read_bundle.return_value = repo_x_bundle
# Test
request_x = mock_environ(E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(not response_x)
self.assertTrue(response_y)
def __test_scenario_9(self):
"""
Setup
- Global auth enabled
- Individual auth enabled for repo X
- Different CA certificates for global and repo X configurations
- Client cert signed by global CA certificate
- Client cert has entitlements for both repos
Excepted
- Denied for repo X, passes for repo Y
"""
# Setup
global_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
self.auth_api.enable_global_repo_auth(global_bundle)
repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create('repo-y', 'Repo Y', 'noarch',
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(not response_x)
self.assertTrue(response_y)
def test_scenario_3(self, mock_read_global_bundle, mock_read_bundle, mock_read_listings):
"""
Setup
- Global auth disabled
- Individual repo auth enabled for repo X
- Client cert signed by repo Y CA
- Client cert does not have entitlements for requested URL
Expected
- Permitted to repo X, denied from repo Y
"""
mock_read_global_bundle.return_value = None
repo_y_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
mock_read_listings.return_value = {'/pulp/pulp/fedora-13/x86_64': 'repo-x'}
mock_read_bundle.return_value = repo_y_bundle
# Test
request_x = mock_environ(E_LIMITED,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(E_LIMITED,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(response_x)
self.assertTrue(not response_y)
def __test_scenario_13(self):
repo_x_bundle = {'ca': OTHER_CA, 'key': OTHER_CERT_KEY,
'cert': OTHER_CERT, }
self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create('repo-y', 'Repo Y', 'noarch', consumer_cert_data=repo_x_bundle,
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(E_WILDCARD,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/os')
request_y = mock_environ(E_WILDCARD,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/os')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(response_x)
self.assertTrue(response_y)
# Try to hit something that should be denied
request_z = mock_environ(E_WILDCARD,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64'
'/mrg-g/2.0/os')
response_z = oid_validation.authenticate(request_z, config=self.config)
self.assertTrue(not response_z)
def __test_scenario_6(self):
"""
Setup
- Global auth enabled
- Individual auth disabled
- Client cert signed by non-global CA
- Client cert has entitlements for both repos
Expected
- Denied to both repo X and Y
"""
# Setup
global_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
self.auth_api.enable_global_repo_auth(global_bundle)
self.repo_api.create('repo-x', 'Repo X', 'noarch',
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create('repo-y', 'Repo Y', 'noarch',
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(not response_x)
self.assertTrue(not response_y)
def __test_scenario_1(self):
"""
Setup
- Global auth disabled
- Individual repo auth enabled for repo X
- Client cert signed by repo X CA
- Client cert has entitlements
Expected
- Permitted for both repos
"""
# Setup
self.auth_api.disable_global_repo_auth()
repo_x_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create('repo-y', 'Repo Y', 'noarch',
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(E_FULL,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(E_FULL,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(response_x)
self.assertTrue(response_y)
def __test_scenario_12(self):
"""
Setup
- Global auth enabled
- Individual auth enabled on repo X
- Both global and individual auth use the same CA
- No client cert in request
Expected
- Denied for both repo X and Y
- No exceptions thrown
"""
# Setup
global_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
self.auth_api.enable_global_repo_auth(global_bundle)
repo_x_bundle = {'ca': VALID_CA, 'key': KEY, 'cert': CERT, }
self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create('repo-y', 'Repo Y', 'noarch',
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ('',
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ('',
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(not response_x)
self.assertTrue(not response_y)
def __test_scenario_14(self):
"""
Setup
- Global auth disabled
- Individual repo auth enabled for repo X
- Client cert signed by repo X CA
- Client cert has an OID entitlement that ends with a yum variable.
e.g., repos/pulp/pulp/fedora-14/$basearch/
Expected
- Permitted for both repos
"""
# Setup
self.auth_api.disable_global_repo_auth()
repo_x_bundle = {
'ca': OTHER_CA,
'key': OTHER_CA_KEY,
'cert': CERT,
}
self.repo_api.create(
'repo-x',
'Repo X',
'noarch',
consumer_cert_data=repo_x_bundle,
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create(
'repo-y',
'Repo Y',
'noarch',
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(
E_VARIABLE_CERT + E_VARIABLE_KEY,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64'
'/os/repodata/repomd.xml')
request_xx = mock_environ(
E_VARIABLE_CERT + E_VARIABLE_KEY,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/i386'
'/os/repodata/repomd.xml')
request_y = mock_environ(
E_VARIABLE_CERT + E_VARIABLE_KEY,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64'
'/os/repodata/repomd.xml')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_xx = oid_validation.authenticate(request_xx,
config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(response_x)
self.assertTrue(response_y)
self.assertTrue(response_xx)
def __test_scenario_12(self):
"""
Setup
- Global auth enabled
- Individual auth enabled on repo X
- Both global and individual auth use the same CA
- No client cert in request
Expected
- Denied for both repo X and Y
- No exceptions thrown
"""
# Setup
global_bundle = {
'ca': VALID_CA,
'key': KEY,
'cert': CERT,
}
self.auth_api.enable_global_repo_auth(global_bundle)
repo_x_bundle = {
'ca': VALID_CA,
'key': KEY,
'cert': CERT,
}
self.repo_api.create(
'repo-x',
'Repo X',
'noarch',
consumer_cert_data=repo_x_bundle,
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create(
'repo-y',
'Repo Y',
'noarch',
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(
'',
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(
'',
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(not response_x)
self.assertTrue(not response_y)
def __test_scenario_9(self):
"""
Setup
- Global auth enabled
- Individual auth enabled for repo X
- Different CA certificates for global and repo X configurations
- Client cert signed by global CA certificate
- Client cert has entitlements for both repos
Excepted
- Denied for repo X, passes for repo Y
"""
# Setup
global_bundle = {
'ca': VALID_CA,
'key': KEY,
'cert': CERT,
}
self.auth_api.enable_global_repo_auth(global_bundle)
repo_x_bundle = {
'ca': OTHER_CA,
'key': KEY,
'cert': CERT,
}
self.repo_api.create(
'repo-x',
'Repo X',
'noarch',
consumer_cert_data=repo_x_bundle,
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create(
'repo-y',
'Repo Y',
'noarch',
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(
E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(
E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(not response_x)
self.assertTrue(response_y)
def __test_scenario_1(self):
"""
Setup
- Global auth disabled
- Individual repo auth enabled for repo X
- Client cert signed by repo X CA
- Client cert has entitlements
Expected
- Permitted for both repos
"""
# Setup
self.auth_api.disable_global_repo_auth()
repo_x_bundle = {
'ca': VALID_CA,
'key': KEY,
'cert': CERT,
}
self.repo_api.create(
'repo-x',
'Repo X',
'noarch',
consumer_cert_data=repo_x_bundle,
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create(
'repo-y',
'Repo Y',
'noarch',
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(
E_FULL,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(
E_FULL,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(response_x)
self.assertTrue(response_y)
def test_is_valid_verify_ssl_undefined(self, mock_read_bundle,
mock_read_listings,
validate_certificate_pem,
_check_extensions):
"""
Test is_valid when verify_ssl is undefined.
"""
self.config.remove_option('main', 'verify_ssl')
repo_x_bundle = {
'ca': OTHER_CA,
'key': KEY,
'cert': CERT,
}
mock_read_listings.return_value = {
'/pulp/pulp/fedora-14/x86_64': 'repo-x'
}
mock_read_bundle.return_value = repo_x_bundle
request_x = mock_environ(
E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
valid = oid_validation.authenticate(request_x, config=self.config)
# Make sure we didn't call into the cert validation code
self.assertEqual(validate_certificate_pem.call_count, 1)
# It should be other because we mocked validate_certificate_pem to return False
self.assertEqual(valid, False)
# _check_extensions shouldn't have been called
self.assertEqual(_check_extensions.call_count, 0)
def test_is_valid_verify_ssl_false(self, mock_read_bundle,
mock_read_listings,
validate_certificate_pem,
_check_extensions):
"""
Test is_valid when verify_ssl is false.
"""
self.config.set('main', 'verify_ssl', 'false')
repo_x_bundle = {
'ca': OTHER_CA,
'key': KEY,
'cert': CERT,
}
mock_read_listings.return_value = {
'/pulp/pulp/fedora-14/x86_64': 'repo-x'
}
mock_read_bundle.return_value = repo_x_bundle
request_x = mock_environ(
E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
valid = oid_validation.authenticate(request_x, config=self.config)
# Make sure we didn't call into the cert validation code
self.assertEqual(validate_certificate_pem.call_count, 0)
# It should be valid because we mocked _check_extensions to return True
self.assertEqual(valid, True)
def __test_scenario_6(self):
"""
Setup
- Global auth enabled
- Individual auth disabled
- Client cert signed by non-global CA
- Client cert has entitlements for both repos
Expected
- Denied to both repo X and Y
"""
# Setup
global_bundle = {
'ca': OTHER_CA,
'key': KEY,
'cert': CERT,
}
self.auth_api.enable_global_repo_auth(global_bundle)
self.repo_api.create(
'repo-x',
'Repo X',
'noarch',
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create(
'repo-y',
'Repo Y',
'noarch',
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(
E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(
E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(not response_x)
self.assertTrue(not response_y)
def __test_scenario_14(self):
"""
Setup
- Global auth disabled
- Individual repo auth enabled for repo X
- Client cert signed by repo X CA
- Client cert has an OID entitlement that ends with a yum variable.
e.g., repos/pulp/pulp/fedora-14/$basearch/
Expected
- Permitted for both repos
"""
# Setup
self.auth_api.disable_global_repo_auth()
repo_x_bundle = {'ca': OTHER_CA, 'key': OTHER_CA_KEY, 'cert': CERT, }
self.repo_api.create('repo-x', 'Repo X', 'noarch', consumer_cert_data=repo_x_bundle,
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create('repo-y', 'Repo Y', 'noarch',
feed='http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(E_VARIABLE_CERT +
E_VARIABLE_KEY,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/x86_64'
'/os/repodata/repomd.xml')
request_xx = mock_environ(E_VARIABLE_CERT +
E_VARIABLE_KEY,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-14/i386'
'/os/repodata/repomd.xml')
request_y = mock_environ(E_VARIABLE_CERT +
E_VARIABLE_KEY,
'https://localhost//pulp/repos/repos/pulp/pulp/fedora-13/x86_64'
'/os/repodata/repomd.xml')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_xx = oid_validation.authenticate(request_xx, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(response_x)
self.assertTrue(response_y)
self.assertTrue(response_xx)
def __test_scenario_13(self):
repo_x_bundle = {
'ca': OTHER_CA,
'key': OTHER_CERT_KEY,
'cert': OTHER_CERT,
}
self.repo_api.create(
'repo-x',
'Repo X',
'noarch',
consumer_cert_data=repo_x_bundle,
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-14/x86_64')
self.repo_api.create(
'repo-y',
'Repo Y',
'noarch',
consumer_cert_data=repo_x_bundle,
feed=
'http://repos.fedorapeople.org/repos/pulp/pulp/fedora-13/x86_64')
# Test
request_x = mock_environ(
E_WILDCARD,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/os')
request_y = mock_environ(
E_WILDCARD,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/os')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(response_x)
self.assertTrue(response_y)
# Try to hit something that should be denied
request_z = mock_environ(
E_WILDCARD,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64'
'/mrg-g/2.0/os')
response_z = oid_validation.authenticate(request_z, config=self.config)
self.assertTrue(not response_z)
def test_no_mod_ssl_vars(self):
"""
Test that if 'mod_ssl.var_lookup' is missing, it is handled gracefully.
"""
environ = mock_environ(E_FULL,
'https://localhost/some/repo/package.rpm')
environ.pop('mod_ssl.var_lookup')
self.assertFalse(oid_validation.authenticate(environ))
environ['wsgi.errors'].write.assert_called_once_with(
'Authentication failed; no client certificate provided in request.\n'
)
def test_scenario_3(self, mock_read_global_bundle, mock_read_bundle,
mock_read_listings):
"""
Setup
- Global auth disabled
- Individual repo auth enabled for repo X
- Client cert signed by repo Y CA
- Client cert does not have entitlements for requested URL
Expected
- Permitted to repo X, denied from repo Y
"""
mock_read_global_bundle.return_value = None
repo_y_bundle = {
'ca': VALID_CA,
'key': KEY,
'cert': CERT,
}
mock_read_listings.return_value = {
'/pulp/pulp/fedora-13/x86_64': 'repo-x'
}
mock_read_bundle.return_value = repo_y_bundle
# Test
request_x = mock_environ(
E_LIMITED,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(
E_LIMITED,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(response_x)
self.assertTrue(not response_y)
def test_no_mod_ssl_vars(self):
"""
Test that if 'mod_ssl.var_lookup' is missing, it is handled gracefully.
"""
environ = mock_environ(
E_FULL,
'https://localhost/some/repo/package.rpm'
)
environ.pop('mod_ssl.var_lookup')
self.assertFalse(oid_validation.authenticate(environ))
environ['wsgi.errors'].write.assert_called_once_with(
'Authentication failed; no client certificate provided in request.\n'
)
def test_scenario_2(self, mock_read_global_bundle, mock_read_bundle,
mock_read_listings):
"""
Setup
- Global auth disabled
- Individual repo auth enabled for repo X
- Client cert signed by different CA than repo X
- Client cert has entitlements
Expected
- Denied to repo X, permitted for repo Y
"""
mock_read_global_bundle.return_value = None
repo_x_bundle = {
'ca': OTHER_CA,
'key': KEY,
'cert': CERT,
}
mock_read_listings.return_value = {
'/pulp/pulp/fedora-14/x86_64': 'repo-x'
}
mock_read_bundle.return_value = repo_x_bundle
# Test
request_x = mock_environ(
E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
request_y = mock_environ(
E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-13/x86_64/')
response_x = oid_validation.authenticate(request_x, config=self.config)
response_y = oid_validation.authenticate(request_y, config=self.config)
# Verify
self.assertTrue(not response_x)
self.assertTrue(response_y)
def test_ssl_client_cert_set(self, mock_oid_validation):
"""
Test that if the client cert is in SSL_CLIENT_CERT, that certificate is used.
It may be the case that 'SSL_CLIENT_CERT' is set in the 'environ' dictionary.
It might also be the case that 'mod_ssl.var_lookup' is not set, and we should
handle that case.
"""
environ = mock_environ(E_FULL,
'https://localhost/some/repo/package.rpm')
environ['SSL_CLIENT_CERT'] = E_FULL
environ.pop('mod_ssl.var_lookup')
mock_oid_validation.return_value.is_valid.return_value = True
self.assertTrue(oid_validation.authenticate(environ))
mock_oid_validation.return_value.is_valid.assert_called_once_with(
'/some/repo/package.rpm', E_FULL, environ['wsgi.errors'].write)
def test_is_valid_verify_ssl_false(self, mock_read_bundle, mock_read_listings,
validate_certificate_pem, _check_extensions):
"""
Test is_valid when verify_ssl is false.
"""
self.config.set('main', 'verify_ssl', 'false')
repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'}
mock_read_bundle.return_value = repo_x_bundle
request_x = mock_environ(E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
valid = oid_validation.authenticate(request_x, config=self.config)
# Make sure we didn't call into the cert validation code
self.assertEqual(validate_certificate_pem.call_count, 0)
# It should be valid because we mocked _check_extensions to return True
self.assertEqual(valid, True)
def test_ssl_client_cert_set(self, mock_oid_validation):
"""
Test that if the client cert is in SSL_CLIENT_CERT, that certificate is used.
It may be the case that 'SSL_CLIENT_CERT' is set in the 'environ' dictionary.
It might also be the case that 'mod_ssl.var_lookup' is not set, and we should
handle that case.
"""
environ = mock_environ(
E_FULL,
'https://localhost/some/repo/package.rpm'
)
environ['SSL_CLIENT_CERT'] = E_FULL
environ.pop('mod_ssl.var_lookup')
mock_oid_validation.return_value.is_valid.return_value = True
self.assertTrue(oid_validation.authenticate(environ))
mock_oid_validation.return_value.is_valid.assert_called_once_with(
'/some/repo/package.rpm', E_FULL, environ['wsgi.errors'].write)
def test_is_valid_verify_ssl_undefined(self, mock_read_bundle, mock_read_listings,
validate_certificate_pem, _check_extensions):
"""
Test is_valid when verify_ssl is undefined.
"""
self.config.remove_option('main', 'verify_ssl')
repo_x_bundle = {'ca': OTHER_CA, 'key': KEY, 'cert': CERT, }
mock_read_listings.return_value = {'/pulp/pulp/fedora-14/x86_64': 'repo-x'}
mock_read_bundle.return_value = repo_x_bundle
request_x = mock_environ(E_FULL,
'https://localhost/pulp/repos/repos/pulp/pulp/fedora-14/x86_64/')
valid = oid_validation.authenticate(request_x, config=self.config)
# Make sure we didn't call into the cert validation code
self.assertEqual(validate_certificate_pem.call_count, 1)
# It should be other because we mocked validate_certificate_pem to return False
self.assertEqual(valid, False)
# _check_extensions shouldn't have been called
self.assertEqual(_check_extensions.call_count, 0)
def test_authenticate_loads_config(self, mock_validator, mock_config):
environ = mock_environ(E_FULL, 'https://nowhere/path/to')
oid_validation.authenticate(environ)
mock_config.assert_called_once_with()
def test_authenticate_loads_config(self, mock_validator, mock_config):
environ = mock_environ(E_FULL, 'https://nowhere/path/to')
oid_validation.authenticate(environ)
mock_config.assert_called_once_with()