← Back to branch summary

~bzr-pqm/bzr/bzr.dev 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120

# Copyright (C) 2011, 2012, 2013, 2016 Canonical Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

"""Tests for the SSL support in the urllib HTTP transport.

"""

import os
import sys

from bzrlib import (
    config,
    trace,
)
from bzrlib.errors import (
    ConfigOptionValueError,
)
from bzrlib import tests
from bzrlib.transport.http import _urllib2_wrappers
from bzrlib.transport.http._urllib2_wrappers import ssl


class CaCertsConfigTests(tests.TestCaseInTempDir):

    def get_stack(self, content):
        return config.MemoryStack(content.encode('utf-8'))

    def test_default_exists(self):
        """Check that the default we provide exists for the tested platform."""
        stack = self.get_stack("")
        self.assertPathExists(stack.get('ssl.ca_certs'))

    def test_specified(self):
        self.build_tree(['cacerts.pem'])
        path = os.path.join(self.test_dir, "cacerts.pem")
        stack = self.get_stack("ssl.ca_certs = %s\n" % path)
        self.assertEqual(path, stack.get('ssl.ca_certs'))

    def test_specified_doesnt_exist(self):
        stack = self.get_stack('')
        # Disable the default value mechanism to force the behavior we want
        self.overrideAttr(_urllib2_wrappers.opt_ssl_ca_certs, 'default',
                          os.path.join(self.test_dir, u"nonexisting.pem"))
        self.warnings = []

        def warning(*args):
            self.warnings.append(args[0] % args[1:])
        self.overrideAttr(trace, 'warning', warning)
        self.assertEqual(None, stack.get('ssl.ca_certs'))
        self.assertLength(1, self.warnings)
        self.assertContainsRe(self.warnings[0],
                              "is not valid for \"ssl.ca_certs\"")


class CertReqsConfigTests(tests.TestCaseInTempDir):

    def test_default(self):
        stack = config.MemoryStack("")
        self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))

    def test_from_string(self):
        stack = config.MemoryStack("ssl.cert_reqs = none\n")
        self.assertEqual(ssl.CERT_NONE, stack.get("ssl.cert_reqs"))
        stack = config.MemoryStack("ssl.cert_reqs = required\n")
        self.assertEqual(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))
        stack = config.MemoryStack("ssl.cert_reqs = invalid\n")
        self.assertRaises(ConfigOptionValueError, stack.get, "ssl.cert_reqs")


class MatchHostnameTests(tests.TestCase):

    def setUp(self):
        super(MatchHostnameTests, self).setUp()
        if sys.version_info < (2, 7, 9):
            raise tests.TestSkipped(
                'python version too old to provide proper'
                ' https hostname verification')

    def test_no_certificate(self):
        self.assertRaises(ValueError,
                          ssl.match_hostname, {}, "example.com")

    def test_wildcards_in_cert(self):
        def ok(cert, hostname):
            ssl.match_hostname(cert, hostname)

        def not_ok(cert, hostname):
            self.assertRaises(
                ssl.CertificateError,
                ssl.match_hostname, cert, hostname)

        # Python Issue #17980: avoid denials of service by refusing more than
        # one wildcard per fragment.
        ok({'subject': ((('commonName', 'a*b.com'),),)}, 'axxb.com')
        not_ok({'subject': ((('commonName', 'a*b.co*'),),)}, 'axxb.com')
        not_ok({'subject': ((('commonName', 'a*b*.com'),),)}, 'axxbxxc.com')

    def test_no_valid_attributes(self):
        self.assertRaises(ssl.CertificateError, ssl.match_hostname,
                          {"Problem": "Solved"}, "example.com")

    def test_common_name(self):
        cert = {'subject': ((('commonName', 'example.com'),),)}
        self.assertIs(None,
                      ssl.match_hostname(cert, "example.com"))
        self.assertRaises(ssl.CertificateError, ssl.match_hostname,
                          cert, "example.org")