bzr branch
http://gegoxaren.bato24.eu/bzr/brz/remove-bazaar
|
6613.1.1
by Vincent Ladeuil
Use ssl module for the match_hostname function |
1 |
# Copyright (C) 2011, 2012, 2013, 2016 Canonical Ltd
|
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
2 |
#
|
3 |
# This program is free software; you can redistribute it and/or modify
|
|
4 |
# it under the terms of the GNU General Public License as published by
|
|
5 |
# the Free Software Foundation; either version 2 of the License, or
|
|
6 |
# (at your option) any later version.
|
|
7 |
#
|
|
8 |
# This program is distributed in the hope that it will be useful,
|
|
9 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
10 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
11 |
# GNU General Public License for more details.
|
|
12 |
#
|
|
13 |
# You should have received a copy of the GNU General Public License
|
|
14 |
# along with this program; if not, write to the Free Software
|
|
15 |
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
16 |
||
17 |
"""Tests for the SSL support in the urllib HTTP transport.
|
|
18 |
||
19 |
"""
|
|
20 |
||
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
21 |
import os |
|
6613.1.5
by Vincent Ladeuil
Help python2.6 compatibility. |
22 |
import sys |
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
23 |
|
|
6624
by Jelmer Vernooij
Merge Python3 porting work ('py3 pokes') |
24 |
from .. import ( |
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
25 |
config, |
26 |
trace, |
|
|
6613.1.1
by Vincent Ladeuil
Use ssl module for the match_hostname function |
27 |
)
|
|
6624
by Jelmer Vernooij
Merge Python3 porting work ('py3 pokes') |
28 |
from .. import tests |
29 |
from ..transport.http import _urllib2_wrappers |
|
30 |
from ..transport.http._urllib2_wrappers import ssl |
|
|
6613.1.5
by Vincent Ladeuil
Help python2.6 compatibility. |
31 |
|
32 |
||
33 |
class CaCertsConfigTests(tests.TestCaseInTempDir): |
|
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
34 |
|
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
35 |
def get_stack(self, content): |
36 |
return config.MemoryStack(content.encode('utf-8')) |
|
37 |
||
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
38 |
def test_default_exists(self): |
|
6437.25.1
by Vincent Ladeuil
Provide default paths for ca certs for supported platforms |
39 |
"""Check that the default we provide exists for the tested platform.""" |
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
40 |
stack = self.get_stack("") |
|
6437.25.1
by Vincent Ladeuil
Provide default paths for ca certs for supported platforms |
41 |
self.assertPathExists(stack.get('ssl.ca_certs')) |
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
42 |
|
43 |
def test_specified(self): |
|
44 |
self.build_tree(['cacerts.pem']) |
|
45 |
path = os.path.join(self.test_dir, "cacerts.pem") |
|
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
46 |
stack = self.get_stack("ssl.ca_certs = %s\n" % path) |
|
6614.1.3
by Vincent Ladeuil
Fix assertEquals being deprecated by using assertEqual. |
47 |
self.assertEqual(path, stack.get('ssl.ca_certs')) |
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
48 |
|
49 |
def test_specified_doesnt_exist(self): |
|
|
6437.25.6
by Vincent Ladeuil
Feedback from mgz. |
50 |
stack = self.get_stack('') |
51 |
# Disable the default value mechanism to force the behavior we want
|
|
52 |
self.overrideAttr(_urllib2_wrappers.opt_ssl_ca_certs, 'default', |
|
53 |
os.path.join(self.test_dir, u"nonexisting.pem")) |
|
54 |
self.warnings = [] |
|
|
6613.1.1
by Vincent Ladeuil
Use ssl module for the match_hostname function |
55 |
|
|
6437.25.6
by Vincent Ladeuil
Feedback from mgz. |
56 |
def warning(*args): |
57 |
self.warnings.append(args[0] % args[1:]) |
|
58 |
self.overrideAttr(trace, 'warning', warning) |
|
|
6614.1.3
by Vincent Ladeuil
Fix assertEquals being deprecated by using assertEqual. |
59 |
self.assertEqual(None, stack.get('ssl.ca_certs')) |
|
6437.25.6
by Vincent Ladeuil
Feedback from mgz. |
60 |
self.assertLength(1, self.warnings) |
61 |
self.assertContainsRe(self.warnings[0], |
|
62 |
"is not valid for \"ssl.ca_certs\"") |
|
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
63 |
|
64 |
||
|
6613.1.5
by Vincent Ladeuil
Help python2.6 compatibility. |
65 |
class CertReqsConfigTests(tests.TestCaseInTempDir): |
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
66 |
|
67 |
def test_default(self): |
|
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
68 |
stack = config.MemoryStack("") |
|
6614.1.3
by Vincent Ladeuil
Fix assertEquals being deprecated by using assertEqual. |
69 |
self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs")) |
|
6238.2.10
by Jelmer Vernooij
Add more tests for ssl.ca_certs option. |
70 |
|
71 |
def test_from_string(self): |
|
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
72 |
stack = config.MemoryStack("ssl.cert_reqs = none\n") |
|
6614.1.3
by Vincent Ladeuil
Fix assertEquals being deprecated by using assertEqual. |
73 |
self.assertEqual(ssl.CERT_NONE, stack.get("ssl.cert_reqs")) |
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
74 |
stack = config.MemoryStack("ssl.cert_reqs = required\n") |
|
6614.1.3
by Vincent Ladeuil
Fix assertEquals being deprecated by using assertEqual. |
75 |
self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs")) |
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
76 |
stack = config.MemoryStack("ssl.cert_reqs = invalid\n") |
|
6737
by Jelmer Vernooij
Merge lp:~jelmer/brz/move-errors-config. |
77 |
self.assertRaises(config.ConfigOptionValueError, stack.get, |
78 |
"ssl.cert_reqs") |
|
|
6238.2.11
by Jelmer Vernooij
add basic tests for match_hostname. |
79 |
|
80 |
||
|
6613.1.5
by Vincent Ladeuil
Help python2.6 compatibility. |
81 |
class MatchHostnameTests(tests.TestCase): |
82 |
||
83 |
def setUp(self): |
|
84 |
super(MatchHostnameTests, self).setUp() |
|
85 |
if sys.version_info < (2, 7, 9): |
|
86 |
raise tests.TestSkipped( |
|
87 |
'python version too old to provide proper'
|
|
88 |
' https hostname verification') |
|
|
6238.2.11
by Jelmer Vernooij
add basic tests for match_hostname. |
89 |
|
90 |
def test_no_certificate(self): |
|
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
91 |
self.assertRaises(ValueError, |
|
6613.1.1
by Vincent Ladeuil
Use ssl module for the match_hostname function |
92 |
ssl.match_hostname, {}, "example.com") |
|
6238.2.11
by Jelmer Vernooij
add basic tests for match_hostname. |
93 |
|
|
6573.1.1
by Andrew Starr-Bochicchio
Fix possible abuse of _urllib2_wrappers.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). |
94 |
def test_wildcards_in_cert(self): |
95 |
def ok(cert, hostname): |
|
|
6613.1.1
by Vincent Ladeuil
Use ssl module for the match_hostname function |
96 |
ssl.match_hostname(cert, hostname) |
97 |
||
98 |
def not_ok(cert, hostname): |
|
99 |
self.assertRaises( |
|
100 |
ssl.CertificateError, |
|
101 |
ssl.match_hostname, cert, hostname) |
|
|
6573.1.1
by Andrew Starr-Bochicchio
Fix possible abuse of _urllib2_wrappers.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). |
102 |
|
103 |
# Python Issue #17980: avoid denials of service by refusing more than
|
|
104 |
# one wildcard per fragment.
|
|
|
6613.1.1
by Vincent Ladeuil
Use ssl module for the match_hostname function |
105 |
ok({'subject': ((('commonName', 'a*b.com'),),)}, 'axxb.com') |
106 |
not_ok({'subject': ((('commonName', 'a*b.co*'),),)}, 'axxb.com') |
|
107 |
not_ok({'subject': ((('commonName', 'a*b*.com'),),)}, 'axxbxxc.com') |
|
|
6573.1.1
by Andrew Starr-Bochicchio
Fix possible abuse of _urllib2_wrappers.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). |
108 |
|
|
6238.2.11
by Jelmer Vernooij
add basic tests for match_hostname. |
109 |
def test_no_valid_attributes(self): |
|
6613.1.1
by Vincent Ladeuil
Use ssl module for the match_hostname function |
110 |
self.assertRaises(ssl.CertificateError, ssl.match_hostname, |
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
111 |
{"Problem": "Solved"}, "example.com") |
|
6238.2.11
by Jelmer Vernooij
add basic tests for match_hostname. |
112 |
|
113 |
def test_common_name(self): |
|
114 |
cert = {'subject': ((('commonName', 'example.com'),),)} |
|
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
115 |
self.assertIs(None, |
|
6613.1.1
by Vincent Ladeuil
Use ssl module for the match_hostname function |
116 |
ssl.match_hostname(cert, "example.com")) |
117 |
self.assertRaises(ssl.CertificateError, ssl.match_hostname, |
|
|
6238.2.19
by Vincent Ladeuil
Just hack the tests until they pass. |
118 |
cert, "example.org") |