def test_fails_when_client_auth_failed(self):
        # Given a server that requires client authentication
        with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
            # And sslyze does NOT provide a client certificate
            server_location = ServerNetworkLocationViaDirectConnection(
                hostname=server.hostname, ip_address=server.ip_address, port=server.port
            )
            server_info = ServerConnectivityTester().perform(server_location)

            # When scanning for HTTP headers, it fails
            with pytest.raises(ClientCertificateRequested):
                HttpHeadersImplementation.scan_server(server_info)
Exemplo n.º 2
0
    def test_http_error(self):
        # Given a server to scan
        with ModernOpenSslServer(
                # And the server will trigger an error when receiving an HTTP request
                should_reply_to_http_requests=False) as server:
            server_location = ServerNetworkLocation(
                hostname=server.hostname,
                ip_address=server.ip_address,
                port=server.port)
            server_info = check_connectivity_to_server_and_return_info(
                server_location)

            # When scanning for HTTP headers, it succeeds
            result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
                server_info)

        # And the result mention the error returned by the server when sending an HTTP request
        assert result.http_error_trace
        assert result.http_request_sent

        # And the other result fields are not set
        assert not result.http_path_redirected_to
        assert not result.expect_ct_header

        # And a CLI output can be generated
        assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(
            result)

        # And the result can be converted to JSON
        result_as_json = HttpHeadersScanResultAsJson.from_orm(result).json()
        assert result_as_json
Exemplo n.º 3
0
    def test_works_when_client_auth_succeeded(self):
        # Given a server that requires client authentication
        with LegacyOpenSslServer(
                client_auth_config=ClientAuthConfigEnum.REQUIRED) as server:
            server_location = ServerNetworkLocation(
                hostname=server.hostname,
                ip_address=server.ip_address,
                port=server.port)
            # And sslyze provides a client certificate
            network_config = ServerNetworkConfiguration(
                tls_server_name_indication=server.hostname,
                tls_client_auth_credentials=ClientAuthenticationCredentials(
                    certificate_chain_path=server.get_client_certificate_path(
                    ),
                    key_path=server.get_client_key_path()),
            )
            server_info = check_connectivity_to_server_and_return_info(
                server_location, network_config)

            # When scanning for HTTP headers, it succeeds
            result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
                server_info)

            assert not result.strict_transport_security_header
            assert not result.expect_ct_header
    def test_expect_ct_enabled(self):
        # Given a server to scan that has Expect-CT enabled
        server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("github.com", 443)
        server_info = ServerConnectivityTester().perform(server_location)

        # When scanning for HTTP headers, it succeeds
        result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(server_info)

        # And the Expect-CT header was detected
        assert result.expect_ct_header
        assert result.expect_ct_header.max_age >= 0

        # And a CLI output can be generated
        assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(result)
Exemplo n.º 5
0
    def test_expect_ct_enabled(self):
        # Given a server to scan that has Expect-CT enabled
        server_location = ServerNetworkLocation("github.com", 443)
        server_info = check_connectivity_to_server_and_return_info(
            server_location)

        # When scanning for HTTP headers, it succeeds
        result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
            server_info)

        # And the Expect-CT header was detected
        assert result.expect_ct_header
        assert result.expect_ct_header.max_age >= 0

        # And a CLI output can be generated
        assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(
            result)
    def test_hsts_and_hpkp_disabled(self):
        # Given a server to scan that does not have security headers
        server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("expired.badssl.com", 443)
        server_info = ServerConnectivityTester().perform(server_location)

        # When scanning for HTTP headers, it succeeds
        result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(server_info)

        # And no headers are detected
        assert result.http_request_sent
        assert result.http_path_redirected_to
        assert not result.strict_transport_security_header
        assert not result.public_key_pins_header
        assert not result.public_key_pins_report_only_header
        assert not result.expect_ct_header

        # And a CLI output can be generated
        assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(result)
Exemplo n.º 7
0
    def test_all_headers_disabled(self):
        # Given a server to scan that does not have security headers
        server_location = ServerNetworkLocation("expired.badssl.com", 443)
        server_info = check_connectivity_to_server_and_return_info(
            server_location)

        # When scanning for HTTP headers, it succeeds
        result: HttpHeadersScanResult = HttpHeadersImplementation.scan_server(
            server_info)

        # And no headers are detected
        assert result.http_request_sent
        assert result.http_path_redirected_to
        assert not result.strict_transport_security_header
        assert not result.expect_ct_header

        # And a CLI output can be generated
        assert HttpHeadersImplementation.cli_connector_cls.result_to_console_output(
            result)