Diffstat (limited to 'test/test_tls_conf_command.py')
-rw-r--r-- | test/test_tls_conf_command.py | 171 |
1 files changed, 89 insertions, 82 deletions
diff --git a/test/test_tls_conf_command.py b/test/test_tls_conf_command.py
index 605848ea..49df7bf3 100644
--- a/test/test_tls_conf_command.py
+++ b/test/test_tls_conf_command.py
@@ -1,111 +1,118 @@ import ssl import pytest -from unit.applications.tls import TestApplicationTLS +from unit.applications.tls import ApplicationTLS +prerequisites = {'modules': {'openssl': 'any'}} -class TestTLSConfCommand(TestApplicationTLS): - prerequisites = {'modules': {'openssl': 'any'}} +client = ApplicationTLS() - @pytest.fixture(autouse=True) - def setup_method_fixture(self, request): - self.certificate() - assert 'success' in self.conf( - { - "listeners": { - "*:7080": { - "pass": "routes", - "tls": {"certificate": "default"}, - } - }, - "routes": [{"action": {"return": 200}}], - "applications": {}, - } - ), 'load application configuration' +@pytest.fixture(autouse=True) +def setup_method_fixture(): + client.certificate() - def test_tls_conf_command(self): - def check_no_connection(): - try: - self.get_ssl() - pytest.fail('Unexpected connection.') + assert 'success' in client.conf( + { + "listeners": { + "*:7080": { + "pass": "routes", + "tls": {"certificate": "default"}, + } + }, + "routes": [{"action": {"return": 200}}], + "applications": {}, + } + ), 'load application configuration' - except (ssl.SSLError, ConnectionRefusedError): - pass - # Set one conf_commands (disable protocol). +def test_tls_conf_command(): + def check_no_connection(): + try: + client.get_ssl() + pytest.fail('Unexpected connection.') - (resp, sock) = self.get_ssl(start=True) + except (ssl.SSLError, ConnectionRefusedError): + pass - shared_ciphers = sock.shared_ciphers() - protocols = list(set(c[1] for c in shared_ciphers)) - protocol = sock.cipher()[1] + # Set one conf_commands (disable protocol). 
- if '/' in protocol: - pytest.skip('Complex protocol format.') + (_, sock) = client.get_ssl(start=True) - assert 'success' in self.conf( - { - "certificate": "default", - "conf_commands": {"protocol": f'-{protocol}'}, - }, - 'listeners/*:7080/tls', - ), 'protocol disabled' + shared_ciphers = sock.shared_ciphers() - sock.close() + if not shared_ciphers: + pytest.skip('no shared ciphers') + + protocols = list(set(c[1] for c in shared_ciphers)) + protocol = sock.cipher()[1] - if len(protocols) > 1: - (resp, sock) = self.get_ssl(start=True) + if '/' in protocol: + pytest.skip('Complex protocol format.') - cipher = sock.cipher() - assert cipher[1] != protocol, 'new protocol used' + assert 'success' in client.conf( + { + "certificate": "default", + "conf_commands": {"protocol": f'-{protocol}'}, + }, + 'listeners/*:7080/tls', + ), 'protocol disabled' - shared_ciphers = sock.shared_ciphers() - ciphers = list(set(c for c in shared_ciphers if c[1] == cipher[1])) + sock.close() - sock.close() - else: - check_no_connection() - pytest.skip('One TLS protocol available only.') + if len(protocols) > 1: + (_, sock) = client.get_ssl(start=True) - # Set two conf_commands (disable protocol and cipher). + cipher = sock.cipher() + assert cipher[1] != protocol, 'new protocol used' - assert 'success' in self.conf( - { - "certificate": "default", - "conf_commands": { - "protocol": f'-{protocol}', - "cipherstring": f"{cipher[1]}:!{cipher[0]}", - }, + shared_ciphers = sock.shared_ciphers() + ciphers = list(set(c for c in shared_ciphers if c[1] == cipher[1])) + + sock.close() + else: + check_no_connection() + pytest.skip('One TLS protocol available only.') + + # Set two conf_commands (disable protocol and cipher). 
+ + assert 'success' in client.conf( + { + "certificate": "default", + "conf_commands": { + "protocol": f'-{protocol}', + "cipherstring": f"{cipher[1]}:!{cipher[0]}", }, - 'listeners/*:7080/tls', - ), 'cipher disabled' + }, + 'listeners/*:7080/tls', + ), 'cipher disabled' - if len(ciphers) > 1: - (resp, sock) = self.get_ssl(start=True) + if len(ciphers) > 1: + (_, sock) = client.get_ssl(start=True) - cipher_new = sock.cipher() - assert cipher_new[1] == cipher[1], 'previous protocol used' - assert cipher_new[0] != cipher[0], 'new cipher used' + cipher_new = sock.cipher() + assert cipher_new[1] == cipher[1], 'previous protocol used' + assert cipher_new[0] != cipher[0], 'new cipher used' - sock.close() + sock.close() - else: - check_no_connection() + else: + check_no_connection() - def test_tls_conf_command_invalid(self, skip_alert): - skip_alert(r'SSL_CONF_cmd', r'failed to apply new conf') - def check_conf_commands(conf_commands): - assert 'error' in self.conf( - {"certificate": "default", "conf_commands": conf_commands}, - 'listeners/*:7080/tls', - ), 'ivalid conf_commands' +def test_tls_conf_command_invalid(skip_alert): + skip_alert(r'SSL_CONF_cmd', r'failed to apply new conf') - check_conf_commands([]) - check_conf_commands("blah") - check_conf_commands({"": ""}) - check_conf_commands({"blah": ""}) - check_conf_commands({"protocol": {}}) - check_conf_commands({"protocol": "blah"}) - check_conf_commands({"protocol": "TLSv1.2", "blah": ""}) + def check_conf_commands(conf_commands): + assert 'error' in client.conf( + {"certificate": "default", "conf_commands": conf_commands}, + 'listeners/*:7080/tls', + ), 'ivalid conf_commands' + + check_conf_commands([]) + check_conf_commands("blah") + check_conf_commands({"": ""}) + check_conf_commands({"blah": ""}) + check_conf_commands({"protocol": {}}) + check_conf_commands({"protocol": "blah"}) + check_conf_commands({"protocol": "TLSv1.2", "blah": ""}) |
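Review bot: The two new `pytest.skip()` calls in test_tls_conf_command ('no shared ciphers' and 'Complex protocol format.') fire while the TLS socket returned by `client.get_ssl(start=True)` is still open, so on the skip path the connection is never closed; the `sock.close()` that follows the protocol-disable `client.conf()` call only runs when neither skip triggers. Close the socket before skipping, e.g. `if not shared_ciphers:` / `sock.close()` / `pytest.skip('no shared ciphers')`, and the same two lines ahead of the complex-format skip, so a skipped run leaves no half-open handshake behind for the next test's fixture. Separately, the assertion message in test_tls_conf_command_invalid is carried over as `'ivalid conf_commands'`; `'invalid conf_commands'` would make the failure output searchable.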