mirror of
https://github.com/kanidm/kanidm.git
synced 2025-02-23 12:37:00 +01:00
ae62f65dab
* Bump certifi from 2022.9.24 to 2022.12.7 in /pykanidm * fixes some broken tests due to a changed error message Bumps [certifi](https://github.com/certifi/python-certifi) from 2022.9.24 to 2022.12.7. - [Release notes](https://github.com/certifi/python-certifi/releases) - [Commits](https://github.com/certifi/python-certifi/compare/2022.09.24...2022.12.07) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * Bump black from 22.10.0 to 22.12.0 in /pykanidm (#1256) Bumps [black](https://github.com/psf/black) from 22.10.0 to 22.12.0. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](https://github.com/psf/black/compare/22.10.0...22.12.0) --- updated-dependencies: - dependency-name: black dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * trying to fix tests Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
199 lines
5.2 KiB
Python
199 lines
5.2 KiB
Python
""" tests ssl validation and CA setting etc """
|
|
|
|
from pathlib import Path
|
|
from ssl import SSLCertVerificationError
|
|
|
|
import aiohttp
|
|
import aiohttp.client_exceptions
|
|
|
|
import pytest
|
|
|
|
|
|
from kanidm import KanidmClient
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_valid() -> None:
|
|
"""tests a valid connection"""
|
|
|
|
url = "https://badssl.com"
|
|
|
|
client = KanidmClient(
|
|
uri=url,
|
|
)
|
|
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
print(f"{result.status_code=}")
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_self_signed() -> None:
|
|
"""tests with a self-signed cert"""
|
|
|
|
url = "https://self-signed.badssl.com"
|
|
|
|
print("testing self.?signed cert with defaults and expecting an error")
|
|
client = KanidmClient(
|
|
uri=url,
|
|
)
|
|
with pytest.raises(aiohttp.client_exceptions.ClientConnectorCertificateError):
|
|
await client.call_get("/")
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_self_signed_with_verify() -> None:
|
|
"""tests with a self-signed cert"""
|
|
|
|
client = KanidmClient(
|
|
uri="https://self-signed.badssl.com",
|
|
verify_certificate=False,
|
|
)
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_self_signed_no_verify_certificate() -> None:
|
|
"""tests with a self-signed cert"""
|
|
|
|
client = KanidmClient(
|
|
uri="https://self-signed.badssl.com",
|
|
verify_certificate=False,
|
|
)
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_wrong_hostname_throws_error() -> None:
|
|
"""tests with validate hostnames and wrong hostname in the cert"""
|
|
|
|
client = KanidmClient(uri="https://wrong.host.badssl.com/", verify_hostnames=True)
|
|
with pytest.raises(
|
|
aiohttp.client_exceptions.ClientConnectorCertificateError,
|
|
match="Cannot connect to host wrong.host.badssl.com:443",
|
|
):
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_wrong_hostname_dont_verify_hostnames() -> None:
|
|
"""tests with validate hostnames and wrong hostname in the cert"""
|
|
|
|
client = KanidmClient(
|
|
uri="https://wrong.host.badssl.com/",
|
|
verify_hostnames=False,
|
|
)
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_wrong_hostname_verify_certificate() -> None:
|
|
"""tests with validate hostnames and wrong hostname in the cert"""
|
|
|
|
client = KanidmClient(
|
|
uri="https://wrong.host.badssl.com/",
|
|
verify_hostnames=False,
|
|
verify_certificate=False,
|
|
)
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_revoked() -> None:
|
|
"""tests with a revoked certificate"""
|
|
|
|
with pytest.raises(aiohttp.ClientConnectorCertificateError):
|
|
client = KanidmClient(
|
|
uri="https://revoked.badssl.com/",
|
|
verify_certificate=True,
|
|
)
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
client = KanidmClient(
|
|
uri="https://revoked.badssl.com/",
|
|
verify_certificate=False,
|
|
)
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_expired() -> None:
|
|
"""tests with an expired certificate"""
|
|
|
|
client = KanidmClient(
|
|
uri="https://expired.badssl.com/",
|
|
)
|
|
with pytest.raises(
|
|
aiohttp.client_exceptions.ClientConnectorCertificateError,
|
|
match="certificate verify failed: certificate has expired",
|
|
):
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_expired_ignore() -> None:
|
|
"""tests with an expired certificate"""
|
|
|
|
client = KanidmClient(
|
|
uri="https://expired.badssl.com/",
|
|
verify_certificate=False,
|
|
)
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_untrusted_root_throws() -> None:
|
|
"""tests with an untrusted root, which should throw an error"""
|
|
|
|
client = KanidmClient(
|
|
uri="https://untrusted-root.badssl.com/",
|
|
)
|
|
with pytest.raises(
|
|
SSLCertVerificationError,
|
|
match="certificate verify failed: self.?signed certificate in certificate chain",
|
|
):
|
|
result = await client.call_get("/")
|
|
assert result.content
|
|
|
|
|
|
@pytest.mark.network
|
|
@pytest.mark.asyncio
|
|
async def test_ssl_untrusted_root_configured() -> None:
|
|
"""tests with an untrusted root, which should throw an error"""
|
|
|
|
testcert = Path("./tests/badssl_trusted_ca.pem").resolve()
|
|
|
|
if not testcert.exists():
|
|
pytest.skip(f"The trusted cert is missing from {testcert}")
|
|
|
|
client = KanidmClient(
|
|
uri="https://untrusted-root.badssl.com/",
|
|
ca_path=testcert.resolve().as_posix(),
|
|
)
|
|
with pytest.raises(
|
|
aiohttp.client_exceptions.ClientConnectorCertificateError,
|
|
match="certificate verify failed: self.?signed certificate in certificate chain",
|
|
):
|
|
result = await client.call_get("/")
|
|
assert result.content
|