1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
# Copyright (C) 2011, 2012, 2013, 2016 Canonical Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
"""Tests for the SSL support in the urllib HTTP transport.
"""
import os
import sys
from bzrlib import (
config,
trace,
)
from bzrlib.errors import (
ConfigOptionValueError,
)
from bzrlib import tests
from bzrlib.transport.http import _urllib2_wrappers
from bzrlib.transport.http._urllib2_wrappers import ssl
class CaCertsConfigTests(tests.TestCaseInTempDir):
def get_stack(self, content):
return config.MemoryStack(content.encode('utf-8'))
def test_default_exists(self):
"""Check that the default we provide exists for the tested platform."""
stack = self.get_stack("")
self.assertPathExists(stack.get('ssl.ca_certs'))
def test_specified(self):
self.build_tree(['cacerts.pem'])
path = os.path.join(self.test_dir, "cacerts.pem")
stack = self.get_stack("ssl.ca_certs = %s\n" % path)
self.assertEqual(path, stack.get('ssl.ca_certs'))
def test_specified_doesnt_exist(self):
stack = self.get_stack('')
# Disable the default value mechanism to force the behavior we want
self.overrideAttr(_urllib2_wrappers.opt_ssl_ca_certs, 'default',
os.path.join(self.test_dir, u"nonexisting.pem"))
self.warnings = []
def warning(*args):
self.warnings.append(args[0] % args[1:])
self.overrideAttr(trace, 'warning', warning)
self.assertEqual(None, stack.get('ssl.ca_certs'))
self.assertLength(1, self.warnings)
self.assertContainsRe(self.warnings[0],
"is not valid for \"ssl.ca_certs\"")
class CertReqsConfigTests(tests.TestCaseInTempDir):
def test_default(self):
stack = config.MemoryStack("")
self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))
def test_from_string(self):
stack = config.MemoryStack("ssl.cert_reqs = none\n")
self.assertEqual(ssl.CERT_NONE, stack.get("ssl.cert_reqs"))
stack = config.MemoryStack("ssl.cert_reqs = required\n")
self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))
stack = config.MemoryStack("ssl.cert_reqs = invalid\n")
self.assertRaises(ConfigOptionValueError, stack.get, "ssl.cert_reqs")
class MatchHostnameTests(tests.TestCase):
def setUp(self):
super(MatchHostnameTests, self).setUp()
if sys.version_info < (2, 7, 9):
raise tests.TestSkipped(
'python version too old to provide proper'
' https hostname verification')
def test_no_certificate(self):
self.assertRaises(ValueError,
ssl.match_hostname, {}, "example.com")
def test_wildcards_in_cert(self):
def ok(cert, hostname):
ssl.match_hostname(cert, hostname)
def not_ok(cert, hostname):
self.assertRaises(
ssl.CertificateError,
ssl.match_hostname, cert, hostname)
# Python Issue #17980: avoid denials of service by refusing more than
# one wildcard per fragment.
ok({'subject': ((('commonName', 'a*b.com'),),)}, 'axxb.com')
not_ok({'subject': ((('commonName', 'a*b.co*'),),)}, 'axxb.com')
not_ok({'subject': ((('commonName', 'a*b*.com'),),)}, 'axxbxxc.com')
def test_no_valid_attributes(self):
self.assertRaises(ssl.CertificateError, ssl.match_hostname,
{"Problem": "Solved"}, "example.com")
def test_common_name(self):
cert = {'subject': ((('commonName', 'example.com'),),)}
self.assertIs(None,
ssl.match_hostname(cert, "example.com"))
self.assertRaises(ssl.CertificateError, ssl.match_hostname,
cert, "example.org")
|