def test_load_certificate():
    """Garbage input must raise CertInvalidException; a generated cert must load and expose its names."""
    # Invalid PEM contents: the loader is expected to reject, not return a partial object.
    with pytest.raises(CertInvalidException):
        load_certificate("someinvalidcontents")

    # Valid certificate from the test helper (only the public half is needed here).
    cert_pem, _ = generate_test_cert()
    loaded = load_certificate(cert_pem)

    # NOTE(review): `expired` is assumed to mean notAfter has passed; the helper's
    # default validity window is not visible here — confirm it is positive.
    assert not loaded.expired
    assert loaded.names == {"somehostname"}
    assert loaded.matches_name("somehostname")
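    def validate(cls, validator_context):
        """
        Validates the SSL configuration (if enabled).

        Raises ConfigValidationException when HTTPS is configured, TLS is not
        terminated externally, and any of the following holds: a required SSL
        file is missing, the certificate cannot be parsed, it has expired, it
        does not cover SERVER_HOSTNAME, or the private key does not validate
        against the certificate. Returns None when the checks pass or are
        skipped. A missing SERVER_HOSTNAME surfaces as a KeyError.
        """
        config = validator_context.config
        config_provider = validator_context.config_provider

        # Skip if non-SSL.
        if config.get("PREFERRED_URL_SCHEME", "http") != "https":
            return

        # Skip if externally terminated. Deliberately `is True`: only a real boolean
        # opts out of the checks; a truthy string such as "true" does not.
        if config.get("EXTERNAL_TLS_TERMINATION", False) is True:
            return

        # Verify that we have all the required SSL files before reading any of them.
        for filename in SSL_FILENAMES:
            if not config_provider.volume_file_exists(filename):
                raise ConfigValidationException("Missing required SSL file: %s" % filename)

        # Read the contents of the SSL certificate (SSL_FILENAMES[0]).
        with config_provider.get_volume_file(SSL_FILENAMES[0]) as f:
            cert_contents = f.read()

        # Validate the certificate.
        # NOTE(review): if the file holds a chain, which certificate load_certificate
        # picks is not visible here; the checks below apply only to that one — confirm.
        try:
            certificate = load_certificate(cert_contents)
        except CertInvalidException as cie:
            raise ConfigValidationException("Could not load SSL certificate: %s" % cie)

        # Verify the certificate has not expired.
        if certificate.expired:
            raise ConfigValidationException("The specified SSL certificate has expired.")

        # Verify the hostname matches a name in the certificate. Normalize once so the
        # value checked and the value reported in the error are guaranteed to be the same.
        expected_name = _ssl_cn(config["SERVER_HOSTNAME"])
        if not certificate.matches_name(expected_name):
            msg = 'Supported names "%s" in SSL cert do not match server hostname "%s"' % (
                ", ".join(list(certificate.names)),
                expected_name,
            )
            raise ConfigValidationException(msg)

        # Verify the private key against the certificate. Only the path is kept; the
        # handle is closed before validate_private_key reopens the file by name.
        # NOTE(review): this assumes the path stays valid after the handle is closed
        # (i.e. get_volume_file does not hand back a delete-on-close temp file) — confirm.
        private_key_path = None
        with config_provider.get_volume_file(SSL_FILENAMES[1]) as f:
            private_key_path = f.name

        if not private_key_path:
            # Only in testing: a provider that yields a nameless handle skips key
            # validation entirely, so production providers must always supply a name.
            return

        try:
            certificate.validate_private_key(private_key_path)
        except KeyInvalidException as kie:
            raise ConfigValidationException("SSL private key failed to validate: %s" % kie)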
def test_hostnames():
    """The CN and every DNS SAN must appear in `names`, and each must satisfy matches_name."""
    cert_pem, _ = generate_test_cert(hostname="foo", san_list=["DNS:bar", "DNS:baz"])
    loaded = load_certificate(cert_pem)

    expected = {"foo", "bar", "baz"}
    assert loaded.names == expected

    # Every advertised (non-wildcard) name must match itself exactly.
    assert all(loaded.matches_name(advertised) for advertised in loaded.names)
def test_hostnames():
    """The CN and every DNS SAN must appear in `names`, and each must satisfy matches_name."""
    cert_pem, _ = generate_test_cert(hostname='foo', san_list=['DNS:bar', 'DNS:baz'])
    loaded = load_certificate(cert_pem)

    expected = {'foo', 'bar', 'baz'}
    assert loaded.names == expected

    # Every advertised (non-wildcard) name must match itself exactly.
    assert all(loaded.matches_name(advertised) for advertised in loaded.names)
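def test_validate_private_key():
    """A freshly generated key pair must validate against its own certificate."""
    cert_pem, key_pem = generate_test_cert()

    # Context manager so the temp file is closed (and, with delete=True, removed)
    # even if validate_private_key raises; the original relied on GC for cleanup.
    with NamedTemporaryFile(delete=True) as private_key:
        private_key.write(key_pem)
        # Flush explicitly so the bytes are on disk before validate_private_key
        # reopens the file by path rather than through this handle.
        private_key.flush()
        private_key.seek(0)

        cert = load_certificate(cert_pem)
        cert.validate_private_key(private_key.name)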
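def test_invalid_private_key():
    """Non-key bytes on disk must make validate_private_key raise KeyInvalidException."""
    cert_pem, _ = generate_test_cert()

    # Context manager so the temp file is closed (and, with delete=True, removed)
    # regardless of how the assertion below ends; the original relied on GC.
    with NamedTemporaryFile(delete=True) as private_key:
        # NOTE(review): this handle is binary; on Python 3 writing a str here raises
        # TypeError before the assertion is reached — confirm the runtime / literal type.
        private_key.write("somerandomdata")
        # Flush so validate_private_key sees the junk when it reopens the path.
        private_key.flush()
        private_key.seek(0)

        cert = load_certificate(cert_pem)
        with pytest.raises(KeyInvalidException):
            cert.validate_private_key(private_key.name)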
def test_wildcard_hostnames():
    """A `*.bar` SAN is kept verbatim in `names` and matches hosts such as something.bar."""
    cert_pem, _ = generate_test_cert(hostname="foo", san_list=["DNS:*.bar"])
    loaded = load_certificate(cert_pem)
    assert loaded.names == {"foo", "*.bar"}

    # Each advertised name matches itself, including the literal wildcard entry.
    for advertised in loaded.names:
        assert loaded.matches_name(advertised)

    # Hosts directly under bar are covered by the wildcard...
    for host in ("something.bar", "somethingelse.bar", "cool.bar"):
        assert loaded.matches_name(host)
    # ...but a bare "*" is not a host name and must not match.
    assert not loaded.matches_name("*")
    # NOTE(review): no negative case pins RFC 6125 §6.4.3 wildcard limits — that
    # "*.bar" rejects "bar" itself, "a.b.bar" and "x.baz"; worth adding.
def test_wildcard_hostnames():
    """A `*.bar` SAN is kept verbatim in `names` and matches hosts such as something.bar."""
    cert_pem, _ = generate_test_cert(hostname='foo', san_list=['DNS:*.bar'])
    loaded = load_certificate(cert_pem)
    assert loaded.names == {'foo', '*.bar'}

    # Each advertised name matches itself, including the literal wildcard entry.
    for advertised in loaded.names:
        assert loaded.matches_name(advertised)

    # Hosts directly under bar are covered by the wildcard...
    for host in ('something.bar', 'somethingelse.bar', 'cool.bar'):
        assert loaded.matches_name(host)
    # ...but a bare '*' is not a host name and must not match.
    assert not loaded.matches_name('*')
    # NOTE(review): no negative case pins RFC 6125 §6.4.3 wildcard limits — that
    # '*.bar' rejects 'bar' itself, 'a.b.bar' and 'x.baz'; worth adding.
def test_nondns_hostnames():
    """Non-DNS SAN entries (here a URI) do not contribute to `names`; only the CN remains."""
    cert_pem, _ = generate_test_cert(hostname="foo", san_list=["URI:yarg"])
    loaded = load_certificate(cert_pem)
    assert loaded.names == {"foo"}
def test_expired_certificate():
    """A certificate generated with a negative `expires` reports `expired`."""
    # Presumably a negative value places notAfter in the past — helper semantics
    # are not visible here; only the resulting `expired` flag is asserted.
    cert_pem, _ = generate_test_cert(expires=-100)
    assert load_certificate(cert_pem).expired
def test_nondns_hostnames():
    """Non-DNS SAN entries (here a URI) do not contribute to `names`; only the CN remains."""
    cert_pem, _ = generate_test_cert(hostname='foo', san_list=['URI:yarg'])
    loaded = load_certificate(cert_pem)
    assert loaded.names == {'foo'}