class TestDummyModule(unittest.TestCase): ''' test dummy client / auditor, no SSL whatsoever ''' logger = logging.getLogger('TestDummyModule') MAIN_JOIN_TIMEOUT = 5 HAMMER_ATTEMPTS = 3 def test_dummy(self): ''' This test establishes a bunch of plain TCP connections against dummy auditor. The dummy auditor just acknowledges the fact of connection happening. ''' # these variables will be updated from a hook function invoked from main self.got_result_start = 0 self.got_result = 0 self.got_result_end = 0 self.got_bulk_result = 0 self.nstray = 0 # the hook function def main__handle_result(res): ''' This function overrides main.handle_result() and updates our counters ''' if isinstance(res, ClientAuditStartEvent): self.got_result_start = self.got_result_start + 1 elif isinstance(res, ClientAuditEndEvent): self.got_result_end = self.got_result_end + 1 elif isinstance(res, ClientConnectionAuditResult): self.got_result = self.got_result + 1 elif isinstance(res, ClientAuditResult): self.got_bulk_result = self.got_bulk_result + 1 else: self.nstray = self.nstray + 1 # allocate port port = get_next_listener_port() # create a client hammering our test listener self.hammer = TCPConnectionHammer(self.HAMMER_ATTEMPTS) # create main, the target of the test self.main = SSLCAuditCLI(['-m', 'dummy', '-l', ("%s:%d" % (TEST_LISTENER_ADDR, port))]) self.main.handle_result = main__handle_result # tell the hammer how many attempts to make exactly self.hammer.set_peer((TEST_LISTENER_ADDR, port)) # start server and client self.main.start() self.hammer.start() self.main.join(timeout=5) self.hammer.stop() self.main.stop() # make sure we have received expected number of results self.assertEquals(self.got_result_start, 1) self.assertEquals(self.got_result, 2) self.assertEquals(self.got_result_end, 1) self.assertEquals(self.got_bulk_result, 1) self.assertEquals(self.nstray, 0)
class TestSSLCertModule(unittest.TestCase): """ Unittests for SSLCert. """ logger = logging.getLogger("TestSSLCertModule") def test_plain_tcp_client(self): # Plain TCP client causes unexpected UNEXPECTED_EOF. eccars = [ # user-supplied certificate ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN), UNEXPECTED_EOF), # self-signed certificates ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_SelfSigned(TEST_USER_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN), UNEXPECTED_EOF), # signed by user-supplied certificate ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_Signed(TEST_USER_CN, TEST_USER_CERT_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN), UNEXPECTED_EOF), # signed by user-supplied CA ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_Signed(TEST_USER_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), # default CN, signed by user-supplied CA, with an intermediate CA ECCAR(SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), # user-supplied CN signed by user-supplied CA, with an intermediate CA ECCAR(SSLProfileSpec_IMCA_Signed(TEST_USER_CN, IM_CA_NONE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_IMCA_Signed(TEST_USER_CN, IM_CA_FALSE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_IMCA_Signed(TEST_USER_CN, IM_CA_TRUE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), # replica of server certificate signed by user-supplied CA, with an intermediate CA ECCAR(SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ECCAR(SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN, TEST_USER_CA_CN), UNEXPECTED_EOF), ] self._main_test(get_full_test_args(), TCPConnectionHammer(len(eccars)), eccars) def test_cn_verifying_client(self): # CN verifying client only cares about getting a correct CN eccars = [ # user-supplied certificate ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN), ConnectedGotEOFBeforeTimeout()), # self-signed certificates ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN), ConnectedGotEOFBeforeTimeout()), ECCAR(SSLProfileSpec_SelfSigned(LOCALHOST), ConnectedGotRequest(HAMMER_HELLO)), ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN), ConnectedGotEOFBeforeTimeout()), # signed by user-supplied certificate ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN), ConnectedGotEOFBeforeTimeout()), ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CERT_CN), ConnectedGotRequest(HAMMER_HELLO)), ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN), ConnectedGotEOFBeforeTimeout()), # signed by user-supplied CA ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout()), ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CA_CN), ConnectedGotRequest(HAMMER_HELLO)), ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout()), # default CN, signed by user-supplied CA, with an intermediate CA ECCAR( SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout() ), ECCAR( SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout() ), ECCAR( SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout() ), # user-supplied CN signed by user-supplied CA, with an intermediate CA ECCAR( SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_NONE_CN, TEST_USER_CA_CN), ConnectedGotRequest(HAMMER_HELLO) ), ECCAR( SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_FALSE_CN, TEST_USER_CA_CN), ConnectedGotRequest(HAMMER_HELLO), ), ECCAR( SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_TRUE_CN, TEST_USER_CA_CN), ConnectedGotRequest(HAMMER_HELLO) ), # replica of server certificate signed by user-supplied CA, with an intermediate CA ECCAR( SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout(), ), ECCAR( SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout(), ), ECCAR( SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout(), ), ] self._main_test( get_full_test_args(user_cn=LOCALHOST), CNVerifyingSSLConnectionHammer(len(eccars), HAMMER_HELLO), eccars ) def test_curl(self): # curl does all the checks eccars = [ # user-supplied certificate ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN), ConnectedGotEOFBeforeTimeout()), # self-signed certificates ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN), ALERT_UNKNOWN_CA), ECCAR(SSLProfileSpec_SelfSigned(LOCALHOST), ALERT_UNKNOWN_CA), ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN), ALERT_UNKNOWN_CA), # signed by user-supplied certificate ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN), ALERT_UNKNOWN_CA), ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CERT_CN), ALERT_UNKNOWN_CA), ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN), ALERT_UNKNOWN_CA), # signed by user-supplied CA ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout()), ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CA_CN), ConnectedGotRequest()), ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout()), # default CN, signed by user-supplied CA, with an intermediate CA ECCAR(SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN, TEST_USER_CA_CN), ALERT_UNKNOWN_CA), ECCAR(SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN, TEST_USER_CA_CN), ALERT_UNKNOWN_CA), ECCAR( SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout() ), # user-supplied CN signed by user-supplied CA, with an intermediate CA ECCAR(SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_NONE_CN, TEST_USER_CA_CN), ALERT_UNKNOWN_CA), ECCAR(SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_FALSE_CN, TEST_USER_CA_CN), ALERT_UNKNOWN_CA), ECCAR(SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_TRUE_CN, TEST_USER_CA_CN), ConnectedGotRequest()), # replica of server certificate signed by user-supplied CA, with an intermediate CA ECCAR(SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN, TEST_USER_CA_CN), ALERT_UNKNOWN_CA), ECCAR(SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN, TEST_USER_CA_CN), ALERT_UNKNOWN_CA), ECCAR( SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN, TEST_USER_CA_CN), ConnectedGotEOFBeforeTimeout(), ), ] self._main_test(get_full_test_args(user_cn=LOCALHOST), CurlHammer(len(eccars), TEST_USER_CA_CERT_FILE), eccars) def tearDown(self): if self.main != None: self.main.stop() def _main_test(self, main_args, hammer, expected_results): """ This is a main worker function. It allocates external resources and launches threads, to make sure they are freed this function was to be called exactly once per test method, to allow tearDown() method to cleanup properly. """ self._main_test_init(main_args, hammer) self._main_test_do(expected_results) def _main_test_init(self, args, hammer): # allocate port port = TestConfig.get_next_listener_port() # create main, the target of the test test_name = "%s %s" % (hammer, args) main_args = ["-l", "%s:%d" % (TestConfig.TEST_LISTENER_ADDR, port)] main_args.extend(args) self.main = SSLCAuditCLI(main_args) # collect classes of observed audit results self.actual_results = [] self.orig_main__handle_result = self.main.handle_result def main__handle_result(res): self.orig_main__handle_result(res) if isinstance(res, ClientConnectionAuditResult): self.actual_results.append(res) else: pass # ignore events print res self.main.handle_result = main__handle_result self.hammer = hammer if self.hammer != None: self.hammer.set_peer((TestConfig.TEST_LISTENER_ADDR, port)) def _main_test_do(self, expected_results): # run the server self.main.start() # start the hammer if any if self.hammer != None: self.hammer.start() # wait for main to finish its job self.main.join(timeout=TestConfig.TEST_MAIN_JOIN_TIMEOUT) # on timeout throws exception, which we let propagate after we shut the hammer and the main thread self.assertFalse(self.main.is_alive(), "main thread is still alive") # stop the hammer if any if self.hammer != None: self.hammer.stop() # stop the server self.main.stop() # check if the actual results match expected ones if len(expected_results) != len(self.actual_results): mismatch = True print "! length mismatch len(er)=%d, len(ar)=%d" % (len(expected_results), len(self.actual_results)) for er in expected_results: print "er=%s" % er for ar in self.actual_results: print "ar=%s" % ar else: mismatch = False for i in range(len(expected_results)): er = expected_results[i] ar = self.actual_results[i] if not er.matches(ar): print "! mismatch\n\ter=%s\n\tar=%s" % (er, ar) mismatch = True self.assertFalse(mismatch)