1
# Copyright (C) 2011, 2012, 2013, 2016 Canonical Ltd
3
# This program is free software; you can redistribute it and/or modify
4
# it under the terms of the GNU General Public License as published by
5
# the Free Software Foundation; either version 2 of the License, or
6
# (at your option) any later version.
8
# This program is distributed in the hope that it will be useful,
9
# but WITHOUT ANY WARRANTY; without even the implied warranty of
10
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11
# GNU General Public License for more details.
13
# You should have received a copy of the GNU General Public License
14
# along with this program; if not, write to the Free Software
15
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17
"""Tests for the SSL support in the urllib HTTP transport.
28
from bzrlib.errors import (
29
ConfigOptionValueError,
31
from bzrlib import tests
32
from bzrlib.transport.http import _urllib2_wrappers
33
from bzrlib.transport.http._urllib2_wrappers import ssl
36
class CaCertsConfigTests(tests.TestCaseInTempDir):
38
def get_stack(self, content):
39
return config.MemoryStack(content.encode('utf-8'))
41
def test_default_exists(self):
42
"""Check that the default we provide exists for the tested platform."""
43
stack = self.get_stack("")
44
self.assertPathExists(stack.get('ssl.ca_certs'))
46
def test_specified(self):
47
self.build_tree(['cacerts.pem'])
48
path = os.path.join(self.test_dir, "cacerts.pem")
49
stack = self.get_stack("ssl.ca_certs = %s\n" % path)
50
self.assertEqual(path, stack.get('ssl.ca_certs'))
52
def test_specified_doesnt_exist(self):
53
stack = self.get_stack('')
54
# Disable the default value mechanism to force the behavior we want
55
self.overrideAttr(_urllib2_wrappers.opt_ssl_ca_certs, 'default',
56
os.path.join(self.test_dir, u"nonexisting.pem"))
60
self.warnings.append(args[0] % args[1:])
61
self.overrideAttr(trace, 'warning', warning)
62
self.assertEqual(None, stack.get('ssl.ca_certs'))
63
self.assertLength(1, self.warnings)
64
self.assertContainsRe(self.warnings[0],
65
"is not valid for \"ssl.ca_certs\"")
68
class CertReqsConfigTests(tests.TestCaseInTempDir):
70
def test_default(self):
71
stack = config.MemoryStack("")
72
self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))
74
def test_from_string(self):
75
stack = config.MemoryStack("ssl.cert_reqs = none\n")
76
self.assertEqual(ssl.CERT_NONE, stack.get("ssl.cert_reqs"))
77
stack = config.MemoryStack("ssl.cert_reqs = required\n")
78
self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))
79
stack = config.MemoryStack("ssl.cert_reqs = invalid\n")
80
self.assertRaises(ConfigOptionValueError, stack.get, "ssl.cert_reqs")
83
class MatchHostnameTests(tests.TestCase):
86
super(MatchHostnameTests, self).setUp()
87
if sys.version_info < (2, 7, 9):
88
raise tests.TestSkipped(
89
'python version too old to provide proper'
90
' https hostname verification')
92
def test_no_certificate(self):
93
self.assertRaises(ValueError,
94
ssl.match_hostname, {}, "example.com")
96
def test_wildcards_in_cert(self):
97
def ok(cert, hostname):
98
ssl.match_hostname(cert, hostname)
100
def not_ok(cert, hostname):
102
ssl.CertificateError,
103
ssl.match_hostname, cert, hostname)
105
# Python Issue #17980: avoid denials of service by refusing more than
106
# one wildcard per fragment.
107
ok({'subject': ((('commonName', 'a*b.com'),),)}, 'axxb.com')
108
not_ok({'subject': ((('commonName', 'a*b.co*'),),)}, 'axxb.com')
109
not_ok({'subject': ((('commonName', 'a*b*.com'),),)}, 'axxbxxc.com')
111
def test_no_valid_attributes(self):
112
self.assertRaises(ssl.CertificateError, ssl.match_hostname,
113
{"Problem": "Solved"}, "example.com")
115
def test_common_name(self):
116
cert = {'subject': ((('commonName', 'example.com'),),)}
118
ssl.match_hostname(cert, "example.com"))
119
self.assertRaises(ssl.CertificateError, ssl.match_hostname,
added
removed
bzrlib/tests/test_https_urllib.py
