def test_allow_request_when_cert_is_trusted(self):
    """
    Assert a client presenting a trusted certificate is allowed to fetch content.

    1. Configure the distribution with an X.509 CertGuard.
    2. Attempt to download content.

    The test passes when the download helper returns without raising.
    """
    distribution_href = self.distribution.pulp_href
    repository_href = self.repo.pulp_href
    set_distribution_base_path_and_download_a_content_unit_with_cert(
        distribution_href,
        self.DENIALS_BASE_PATH,
        repository_href,
        X509_CLIENT_CERT_FILE_PATH,
    )
def test_allow_request_when_cert_matches_two_var_path(self):
    """
    Assert a client is allowed when its cert authorizes a two-variable path.

    1. Configure the distribution with a two-variable path in the RHSM Cert.
    2. Attempt to download content.

    The test passes when the download helper returns without raising.
    """
    distribution_href = self.distribution.pulp_href
    repository_href = self.repo.pulp_href
    set_distribution_base_path_and_download_a_content_unit_with_cert(
        distribution_href,
        RHSM_V3_TWO_VAR_BASE_PATH,
        repository_href,
        RHSM_V3_ONE_AND_TWO_VAR_CLIENT_CERT,
    )
def test_denial_when_client_cert_is_trusted_but_expired(self):
    """
    Assert denial when a trusted but expired cert with a valid subpath is sent.

    1. Configure the distribution with a valid path contained in the cert.
    2. Attempt to download content with a trusted but expired cert.
    3. Assert a 403 (Forbidden) is returned.

    The base path is one the cert covers, so the expiry is the only
    reason left for the request to be refused.
    """
    with self.assertRaises(HTTPError) as denied:
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            self.distribution.pulp_href,
            RHSM_V1_ONE_VAR_BASE_PATH,
            self.repo.pulp_href,
            RHSM_CLIENT_CERT_TRUSTED_BUT_EXPIRED,
        )
    # Checked after the ``with`` block: any other HTTP error status would
    # satisfy assertRaises but must not count as an authorization denial.
    status_code = denied.exception.response.status_code
    self.assertEqual(status_code, 403)
def test_denial_when_client_cert_does_not_contain_subpath_of_distribution_base_path(self):
    """
    Assert denial when the client cert does not cover the distribution's path.

    1. Configure the distribution with a path that is not a subpath contained
       in the cert.
    2. Attempt to download content.
    3. Assert a 403 (Forbidden) is returned.
    """
    with self.assertRaises(HTTPError) as denied:
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            self.distribution.pulp_href,
            RHSM_V3_INVALID_BASE_PATH,
            self.repo.pulp_href,
            RHSM_V3_ZERO_VAR_CLIENT_CERT,
        )
    # Checked after the ``with`` block: the status must be exactly 403, not
    # merely "some HTTPError".
    status_code = denied.exception.response.status_code
    self.assertEqual(status_code, 403)
def test_allow_request_when_apache_un_urlencoded_cert_is_trusted(self):
    """
    Assert a trusted client is allowed when its cert arrives un-urlencoded.

    This is the certificate form the original test attributes to a reverse
    proxy running Apache < 2.6.10.

    1. Configure the distribution with an X.509 CertGuard.
    2. Attempt to download content with an un-urlencoded certificate
       (Apache < 2.6.10 style).
    """
    distribution_href = self.distribution.pulp_href
    repository_href = self.repo.pulp_href
    # NOTE(review): url_encode=False presumably makes the helper send the
    # certificate without URL-encoding it; confirm against the helper.
    set_distribution_base_path_and_download_a_content_unit_with_cert(
        distribution_href,
        X509_BASE_PATH,
        repository_href,
        X509_UN_URLENCODED_CLIENT_CERT_FILE_PATH,
        url_encode=False,
    )
def test_allow_request_when_requesting_the_distribution_root(self):
    """
    Assert a correctly configured client can fetch the root of a distribution.

    1. Configure the distribution with a zero-variable path in the RHSM Cert.
    2. Attempt to fetch the url of the distribution itself (its root).
    """
    # An empty content path makes the helper request the distribution root.
    root_content_path = ""
    distribution_href = self.distribution.pulp_href
    repository_href = self.repo.pulp_href
    set_distribution_base_path_and_download_a_content_unit_with_cert(
        distribution_href,
        RHSM_V3_ZERO_VAR_BASE_PATH,
        repository_href,
        RHSM_V3_ZERO_VAR_CLIENT_CERT,
        root_content_path,
    )
def test_allow_request_with_uber_cert_for_any_subpath(self):
    """
    Assert a client with an uber cert can fetch any subpath.

    1. Configure the distribution with a subpath of the uber cert.
    2. Attempt to download content.
    3. Configure the distribution with a different subpath of the uber cert.
    4. Attempt to download content.
    """
    # The same certificate is used for both base paths, in the original
    # order; the first failure aborts the test.
    uber_base_paths = (RHSM_UBER_CERT_BASE_PATH_ONE, RHSM_UBER_CERT_BASE_PATH_TWO)
    for base_path in uber_base_paths:
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            self.distribution.pulp_href,
            base_path,
            self.repo.pulp_href,
            RHSM_UBER_CLIENT_CERT,
        )
def test_denial_when_client_header_contains_an_untrusted_certificate(self):
    """
    Assert denial when the client's certificate is not from the trusted CA.

    1. Configure the distribution with a valid base path.
    2. Attempt to download content with an untrusted client certificate.
    3. Assert a 403 (Forbidden) is returned.

    The base path and the untrusted certificate both come from class
    attributes (``DENIALS_BASE_PATH`` and ``UNTRUSTED_CLIENT_CERT_PATH``).
    """
    with self.assertRaises(HTTPError) as denied:
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            self.distribution.pulp_href,
            self.DENIALS_BASE_PATH,
            self.repo.pulp_href,
            self.UNTRUSTED_CLIENT_CERT_PATH,
        )
    # Checked after the ``with`` block: the status must be exactly 403, not
    # merely "some HTTPError".
    status_code = denied.exception.response.status_code
    self.assertEqual(status_code, 403)
def test_allow_request_to_subdir_of_path(self):
    """
    Assert a correctly configured client is authorized for a subdir of a distribution.

    1. Configure the distribution with a zero-variable path in the RHSM Cert.
    2. Attempt to download a content url with a subdir in it.
    3. Assert a 404 was received.
    """
    missing_content_path = "somedir/made_up_content.iso"
    with self.assertRaises(HTTPError) as not_found:
        set_distribution_base_path_and_download_a_content_unit_with_cert(
            self.distribution.pulp_href,
            RHSM_V1_ZERO_VAR_BASE_PATH,
            self.repo.pulp_href,
            RHSM_V1_ZERO_VAR_CLIENT_CERT,
            missing_content_path,
        )
    # The path doesn't exist so we expect a 404, but the authorization part
    # we are testing works: the denial tests in this suite expect 403 when
    # the cert is rejected, so 404 means the request got past the guard.
    status_code = not_found.exception.response.status_code
    self.assertEqual(status_code, 404)