def test_160_cert_viable(self): """Text the viability of a given certificate""" # null cert cert = QSslCertificate() self.assertFalse(QgsAuthCertUtils.certIsCurrent(cert)) res = QgsAuthCertUtils.certViabilityErrors(cert) self.assertTrue(len(res) == 0) self.assertFalse(QgsAuthCertUtils.certIsViable(cert)) cert.clear() res.clear() # valid cert cert = QgsAuthCertUtils.certFromFile(PKIDATA + '/gerardus_cert.pem') self.assertTrue(QgsAuthCertUtils.certIsCurrent(cert)) res = QgsAuthCertUtils.certViabilityErrors(cert) self.assertTrue(len(res) == 0) self.assertTrue(QgsAuthCertUtils.certIsViable(cert)) cert.clear() res.clear() # expired cert cert = QgsAuthCertUtils.certFromFile(PKIDATA + '/marinus_cert-EXPIRED.pem') self.assertFalse(QgsAuthCertUtils.certIsCurrent(cert)) res = QgsAuthCertUtils.certViabilityErrors(cert) self.assertTrue(len(res) > 0) self.assertTrue(QSslError(QSslError.CertificateExpired, cert) in res) self.assertFalse(QgsAuthCertUtils.certIsViable(cert))
def setUpAuth(cls): """Run before all tests and set up authentication""" authm = QgsApplication.authManager() assert (authm.setMasterPassword('masterpassword', True)) cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem') assert os.path.isfile(cls.sslrootcert_path) os.chmod(cls.sslrootcert_path, stat.S_IRUSR) cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path) assert cls.sslrootcert is not None authm.storeCertAuthorities(cls.sslrootcert) authm.rebuildCaCertsCache() authm.rebuildTrustedCaCertsCache() cls.server_cert = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_cert.pem') cls.server_key = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_key.pem') cls.server_rootcert = cls.sslrootcert_path os.chmod(cls.server_cert, stat.S_IRUSR) os.chmod(cls.server_key, stat.S_IRUSR) os.chmod(cls.server_rootcert, stat.S_IRUSR) os.environ['QGIS_SERVER_HOST'] = cls.hostname os.environ['QGIS_SERVER_PORT'] = str(cls.port) os.environ['QGIS_SERVER_OAUTH2_KEY'] = cls.server_key os.environ['QGIS_SERVER_OAUTH2_CERTIFICATE'] = cls.server_cert os.environ['QGIS_SERVER_OAUTH2_USERNAME'] = cls.username os.environ['QGIS_SERVER_OAUTH2_PASSWORD'] = cls.password os.environ['QGIS_SERVER_OAUTH2_AUTHORITY'] = cls.server_rootcert # Set default token expiration to 2 seconds, note that this can be # also controlled when issuing token requests by adding ttl=<int> # to the query string os.environ['QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN'] = '2'
def setUpAuth(cls): """Run before all tests and set up authentication""" authm = QgsAuthManager.instance() assert authm.setMasterPassword("masterpassword", True) cls.pg_conf = os.path.join(cls.tempfolder, "postgresql.conf") cls.pg_hba = os.path.join(cls.tempfolder, "pg_hba.conf") # Client side cls.sslrootcert_path = os.path.join(cls.certsdata_path, "chains_subissuer-issuer-root_issuer2-root2.pem") cls.sslcert = os.path.join(cls.certsdata_path, "gerardus_cert.pem") cls.sslkey = os.path.join(cls.certsdata_path, "gerardus_key.pem") assert os.path.isfile(cls.sslcert) assert os.path.isfile(cls.sslkey) assert os.path.isfile(cls.sslrootcert_path) os.chmod(cls.sslcert, stat.S_IRUSR) os.chmod(cls.sslkey, stat.S_IRUSR) os.chmod(cls.sslrootcert_path, stat.S_IRUSR) cls.auth_config = QgsAuthMethodConfig("PKI-Paths") cls.auth_config.setConfig("certpath", cls.sslcert) cls.auth_config.setConfig("keypath", cls.sslkey) cls.auth_config.setName("test_pki_auth_config") cls.username = "******" cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path) assert cls.sslrootcert is not None authm.storeCertAuthorities(cls.sslrootcert) authm.rebuildCaCertsCache() authm.rebuildTrustedCaCertsCache() authm.rebuildCertTrustCache() assert authm.storeAuthenticationConfig(cls.auth_config)[0] assert cls.auth_config.isValid() # Server side cls.server_cert = os.path.join(cls.certsdata_path, "localhost_ssl_cert.pem") cls.server_key = os.path.join(cls.certsdata_path, "localhost_ssl_key.pem") cls.server_rootcert = cls.sslrootcert_path os.chmod(cls.server_cert, stat.S_IRUSR) os.chmod(cls.server_key, stat.S_IRUSR) os.chmod(cls.server_rootcert, stat.S_IRUSR) # Place conf in the data folder with open(cls.pg_conf, "w+") as f: f.write( QGIS_POSTGRES_CONF_TEMPLATE % { "port": cls.port, "tempfolder": cls.tempfolder, "server_cert": cls.server_cert, "server_key": cls.server_key, "sslrootcert_path": cls.sslrootcert_path, } ) with open(cls.pg_hba, "w+") as f: f.write(QGIS_POSTGRES_HBA_TEMPLATE)
def setUpAuth(cls): """Run before all tests and set up authentication""" authm = QgsApplication.authManager() assert (authm.setMasterPassword('masterpassword', True)) cls.pg_conf = os.path.join(cls.tempfolder, 'postgresql.conf') cls.pg_hba = os.path.join(cls.tempfolder, 'pg_hba.conf') # Client side cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem') cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem') cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem') assert os.path.isfile(cls.sslcert) assert os.path.isfile(cls.sslkey) assert os.path.isfile(cls.sslrootcert_path) os.chmod(cls.sslcert, stat.S_IRUSR) os.chmod(cls.sslkey, stat.S_IRUSR) os.chmod(cls.sslrootcert_path, stat.S_IRUSR) cls.auth_config = QgsAuthMethodConfig("PKI-Paths") cls.auth_config.setConfig('certpath', cls.sslcert) cls.auth_config.setConfig('keypath', cls.sslkey) cls.auth_config.setName('test_pki_auth_config') cls.username = '******' cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path) assert cls.sslrootcert is not None authm.storeCertAuthorities(cls.sslrootcert) authm.rebuildCaCertsCache() authm.rebuildTrustedCaCertsCache() authm.rebuildCertTrustCache() assert (authm.storeAuthenticationConfig(cls.auth_config)[0]) assert cls.auth_config.isValid() # Server side cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem') cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem') cls.server_rootcert = cls.sslrootcert_path os.chmod(cls.server_cert, stat.S_IRUSR) os.chmod(cls.server_key, stat.S_IRUSR) os.chmod(cls.server_rootcert, stat.S_IRUSR) # Place conf in the data folder with open(cls.pg_conf, 'w+') as f: f.write(QGIS_POSTGRES_CONF_TEMPLATE % { 'port': cls.port, 'tempfolder': cls.tempfolder, 'server_cert': cls.server_cert, 'server_key': cls.server_key, 'sslrootcert_path': cls.sslrootcert_path, }) with open(cls.pg_hba, 'w+') as f: f.write(QGIS_POSTGRES_HBA_TEMPLATE)
def setUpAuth(cls): """Run before all tests and set up authentication""" authm = QgsApplication.authManager() assert (authm.setMasterPassword('masterpassword', True)) cls.pg_conf = os.path.join(cls.tempfolder, 'postgresql.conf') cls.pg_hba = os.path.join(cls.tempfolder, 'pg_hba.conf') # Client side cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem') cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem') cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem') assert os.path.isfile(cls.sslcert) assert os.path.isfile(cls.sslkey) assert os.path.isfile(cls.sslrootcert_path) os.chmod(cls.sslcert, stat.S_IRUSR) os.chmod(cls.sslkey, stat.S_IRUSR) os.chmod(cls.sslrootcert_path, stat.S_IRUSR) cls.auth_config = QgsAuthMethodConfig("PKI-Paths") cls.auth_config.setConfig('certpath', cls.sslcert) cls.auth_config.setConfig('keypath', cls.sslkey) cls.auth_config.setName('test_pki_auth_config') cls.username = '******' cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path) assert cls.sslrootcert is not None authm.storeCertAuthorities(cls.sslrootcert) authm.rebuildCaCertsCache() authm.rebuildTrustedCaCertsCache() authm.rebuildCertTrustCache() assert (authm.storeAuthenticationConfig(cls.auth_config)[0]) assert cls.auth_config.isValid() # Server side cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem') cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem') cls.server_rootcert = cls.sslrootcert_path os.chmod(cls.server_cert, stat.S_IRUSR) os.chmod(cls.server_key, stat.S_IRUSR) os.chmod(cls.server_rootcert, stat.S_IRUSR) # Place conf in the data folder with open(cls.pg_conf, 'w+') as f: f.write(QGIS_POSTGRES_CONF_TEMPLATE % { 'port': cls.port, 'tempfolder': cls.tempfolder, 'server_cert': cls.server_cert, 'server_key': cls.server_key, 'sslrootcert_path': cls.sslrootcert_path, }) with open(cls.pg_hba, 'w+') as f: f.write(QGIS_POSTGRES_HBA_TEMPLATE)
def setUpAuth(cls): """Run before all tests and set up authentication""" authm = QgsApplication.authManager() assert (authm.setMasterPassword('masterpassword', True)) cls.sslrootcert_path = os.path.join( cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem') cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem') cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem') assert os.path.isfile(cls.sslcert) assert os.path.isfile(cls.sslkey) assert os.path.isfile(cls.sslrootcert_path) os.chmod(cls.sslcert, stat.S_IRUSR) os.chmod(cls.sslkey, stat.S_IRUSR) os.chmod(cls.sslrootcert_path, stat.S_IRUSR) cls.auth_config = QgsAuthMethodConfig("PKI-Paths") cls.auth_config.setConfig('certpath', cls.sslcert) cls.auth_config.setConfig('keypath', cls.sslkey) cls.auth_config.setName('test_pki_auth_config') cls.username = '******' cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path) assert cls.sslrootcert is not None authm.storeCertAuthorities(cls.sslrootcert) authm.rebuildCaCertsCache() authm.rebuildTrustedCaCertsCache() assert (authm.storeAuthenticationConfig(cls.auth_config)[0]) assert cls.auth_config.isValid() # cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem') cls.server_cert = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_cert.pem') # cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem') cls.server_key = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_key.pem') cls.server_rootcert = cls.sslrootcert_path os.chmod(cls.server_cert, stat.S_IRUSR) os.chmod(cls.server_key, stat.S_IRUSR) os.chmod(cls.server_rootcert, stat.S_IRUSR) os.environ['QGIS_SERVER_HOST'] = cls.hostname os.environ['QGIS_SERVER_PORT'] = str(cls.port) os.environ['QGIS_SERVER_PKI_KEY'] = cls.server_key os.environ['QGIS_SERVER_PKI_CERTIFICATE'] = cls.server_cert os.environ['QGIS_SERVER_PKI_USERNAME'] = cls.username os.environ['QGIS_SERVER_PKI_AUTHORITY'] = cls.server_rootcert
def setUpAuth(cls): """Run before all tests and set up authentication""" authm = QgsApplication.authManager() assert (authm.setMasterPassword('masterpassword', True)) cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem') cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem') cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem') assert os.path.isfile(cls.sslcert) assert os.path.isfile(cls.sslkey) assert os.path.isfile(cls.sslrootcert_path) os.chmod(cls.sslcert, stat.S_IRUSR) os.chmod(cls.sslkey, stat.S_IRUSR) os.chmod(cls.sslrootcert_path, stat.S_IRUSR) cls.auth_config = QgsAuthMethodConfig("PKI-Paths") cls.auth_config.setConfig('certpath', cls.sslcert) cls.auth_config.setConfig('keypath', cls.sslkey) cls.auth_config.setName('test_pki_auth_config') cls.username = '******' cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path) assert cls.sslrootcert is not None authm.storeCertAuthorities(cls.sslrootcert) authm.rebuildCaCertsCache() authm.rebuildTrustedCaCertsCache() assert (authm.storeAuthenticationConfig(cls.auth_config)[0]) assert cls.auth_config.isValid() # cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem') cls.server_cert = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_cert.pem') # cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem') cls.server_key = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_key.pem') cls.server_rootcert = cls.sslrootcert_path os.chmod(cls.server_cert, stat.S_IRUSR) os.chmod(cls.server_key, stat.S_IRUSR) os.chmod(cls.server_rootcert, stat.S_IRUSR) os.environ['QGIS_SERVER_HOST'] = cls.hostname os.environ['QGIS_SERVER_PORT'] = str(cls.port) os.environ['QGIS_SERVER_PKI_KEY'] = cls.server_key os.environ['QGIS_SERVER_PKI_CERTIFICATE'] = cls.server_cert os.environ['QGIS_SERVER_PKI_USERNAME'] = cls.username os.environ['QGIS_SERVER_PKI_AUTHORITY'] = cls.server_rootcert
def setUpAuth(cls): """Run before all tests and set up authentication""" authm = QgsApplication.authManager() assert (authm.setMasterPassword('masterpassword', True)) cls.sslrootcert_path = os.path.join( cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem') assert os.path.isfile(cls.sslrootcert_path) os.chmod(cls.sslrootcert_path, stat.S_IRUSR) cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path) assert cls.sslrootcert is not None authm.storeCertAuthorities(cls.sslrootcert) authm.rebuildCaCertsCache() authm.rebuildTrustedCaCertsCache() cls.server_cert = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_cert.pem') cls.server_key = os.path.join(cls.certsdata_path, '127_0_0_1_ssl_key.pem') cls.server_rootcert = cls.sslrootcert_path os.chmod(cls.server_cert, stat.S_IRUSR) os.chmod(cls.server_key, stat.S_IRUSR) os.chmod(cls.server_rootcert, stat.S_IRUSR) os.environ['QGIS_SERVER_HOST'] = cls.hostname os.environ['QGIS_SERVER_PORT'] = str(cls.port) os.environ['QGIS_SERVER_OAUTH2_KEY'] = cls.server_key os.environ['QGIS_SERVER_OAUTH2_CERTIFICATE'] = cls.server_cert os.environ['QGIS_SERVER_OAUTH2_USERNAME'] = cls.username os.environ['QGIS_SERVER_OAUTH2_PASSWORD'] = cls.password os.environ['QGIS_SERVER_OAUTH2_AUTHORITY'] = cls.server_rootcert # Set default token expiration to 2 seconds, note that this can be # also controlled when issuing token requests by adding ttl=<int> # to the query string os.environ['QGIS_SERVER_OAUTH2_TOKEN_EXPIRES_IN'] = '2'
def _populatePKITestCerts(): removePKITestCerts() assert (AUTHCFGID is None) # set alice PKI data pkipath = os.path.join(os.path.dirname(__file__), 'data', 'certs', 'certs-keys') p_config = QgsAuthMethodConfig() p_config.setName("alice") p_config.setMethod('PKI-PKCS#12') p_config.setUri("http://example.com") p_config.setConfig("certpath", os.path.join(pkipath, 'alice.p12')) assert p_config.isValid() # add authorities cacerts = QSslCertificate.fromPath(os.path.join(pkipath, 'subissuer-issuer-root-ca_issuer-2-root-2-ca_chains.pem')) assert cacerts is not None authm.storeCertAuthorities(cacerts) authm.rebuildCaCertsCache() authm.rebuildTrustedCaCertsCache() # register alice data in auth authm.storeAuthenticationConfig(p_config) authid = p_config.id() assert (authid is not None) assert (authid != '') return authid
def run(plugin): """Import intermediate certs and return True on success""" if QgsApplication.authManager().isDisabled(): plugin.log(QgsApplication.authManager().disabledMessage()) return False ca_pems = dict() with wincertstore.CertSystemStore("CA") as store: for cert in store.itercerts(usage=None): # plugin.log(cert.get_name()) # plugin.log(cert.enhanced_keyusage_names()) ca_pems[cert.get_name()] = cert.get_pem() plugin.log( plugin.tr("Number of possible CAs found: {0}").format(len(ca_pems))) if not ca_pems: return False ca_certs = [] trusted_cas = QgsApplication.authManager().trustedCaCertsCache() for ca_cn, ca_pem in ca_pems.items(): try: ca_bytes = ca_pem.encode('ASCII') except UnicodeEncodeError: continue pem_ba = QByteArray(ca_bytes) cas = QSslCertificate.fromData(pem_ba) # plugin.log("Converted PEM to QSslCertificate {0}: ".format(ca_cn)) if not cas: plugin.log( plugin.tr("Could not convert PEM to QSslCertificate: {0}"). format(ca_cn)) continue ca = cas[0] # noinspection PyArgumentList if not QgsAuthCertUtils.certIsViable(cert=ca): plugin.log(plugin.tr(" cert not viable: {0}").format(ca_cn)) continue # noinspection PyArgumentList if not QgsAuthCertUtils.certificateIsAuthority(cert=ca): plugin.log(plugin.tr(" cert not a CA: {0}").format(ca_cn)) continue if ca in trusted_cas: plugin.log( plugin.tr(" cert already in trusted CA cache: {0}").format( ca_cn)) continue plugin.log(plugin.tr(" found CA to add: {0}").format(ca_cn)) ca_certs.append(ca) if ca_certs: plugin.log(plugin.tr("Storing CAs in auth system db")) if not QgsApplication.authManager().storeCertAuthorities(ca_certs): plugin.log(plugin.tr(" FAILED")) return False plugin.log(plugin.tr(" SUCCESS")) plugin.log(plugin.tr("Reinitializing auth system SSL caches")) QgsApplication.authManager().initSslCaches() return True else: plugin.log(plugin.tr("No CAs found to store in auth system db")) return True