2015-01-24 00:55:03 +02:00
|
|
|
import pytest
|
|
|
|
import pytest_httpbin.certs
|
2018-11-14 17:10:08 +02:00
|
|
|
import requests.exceptions
|
2020-08-06 22:24:03 +02:00
|
|
|
import ssl
|
|
|
|
import urllib3
|
2015-01-24 00:55:03 +02:00
|
|
|
|
2020-05-23 13:26:06 +02:00
|
|
|
from httpie.ssl import AVAILABLE_SSL_VERSION_ARG_MAPPING, DEFAULT_SSL_CIPHERS
|
2019-09-16 13:26:18 +02:00
|
|
|
from httpie.status import ExitStatus
|
2021-05-05 14:13:39 +02:00
|
|
|
from .utils import HTTP_OK, TESTS_ROOT, http
|
2018-11-14 17:10:08 +02:00
|
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
# Handle OpenSSL errors, if installed.
|
2020-12-23 23:07:27 +02:00
|
|
|
# See <https://github.com/httpie/httpie/issues/729>
|
2018-11-14 17:10:08 +02:00
|
|
|
# noinspection PyUnresolvedReferences
|
|
|
|
import OpenSSL.SSL
|
|
|
|
ssl_errors = (
|
|
|
|
requests.exceptions.SSLError,
|
|
|
|
OpenSSL.SSL.Error,
|
|
|
|
)
|
|
|
|
except ImportError:
|
|
|
|
ssl_errors = (
|
|
|
|
requests.exceptions.SSLError,
|
|
|
|
)
|
2015-01-24 00:55:03 +02:00
|
|
|
|
2020-05-23 13:26:06 +02:00
|
|
|
CERTS_ROOT = TESTS_ROOT / 'client_certs'
|
|
|
|
CLIENT_CERT = str(CERTS_ROOT / 'client.crt')
|
|
|
|
CLIENT_KEY = str(CERTS_ROOT / 'client.key')
|
|
|
|
CLIENT_PEM = str(CERTS_ROOT / 'client.pem')
|
|
|
|
|
2015-01-24 00:55:03 +02:00
|
|
|
|
|
|
|
# We test against a local httpbin instance which uses a self-signed cert.
|
|
|
|
# Requests without --verify=<CA_BUNDLE> will fail with a verification error.
|
|
|
|
# See: https://github.com/kevin1024/pytest-httpbin#https-support
|
|
|
|
CA_BUNDLE = pytest_httpbin.certs.where()
|
|
|
|
|
|
|
|
|
2020-05-23 13:26:06 +02:00
|
|
|
@pytest.mark.parametrize('ssl_version',
|
|
|
|
AVAILABLE_SSL_VERSION_ARG_MAPPING.keys())
|
2016-03-02 06:12:05 +02:00
|
|
|
def test_ssl_version(httpbin_secure, ssl_version):
|
|
|
|
try:
|
|
|
|
r = http(
|
|
|
|
'--ssl', ssl_version,
|
|
|
|
httpbin_secure + '/get'
|
|
|
|
)
|
|
|
|
assert HTTP_OK in r
|
2018-11-14 17:10:08 +02:00
|
|
|
except ssl_errors as e:
|
2019-08-29 08:14:19 +02:00
|
|
|
if ssl_version == 'ssl3':
|
|
|
|
# pytest-httpbin doesn't support ssl3
|
|
|
|
pass
|
2020-08-06 22:24:03 +02:00
|
|
|
elif e.__context__ is not None: # Check if root cause was an unsupported TLS version
|
|
|
|
root = e.__context__
|
|
|
|
while root.__context__ is not None:
|
|
|
|
root = root.__context__
|
|
|
|
if isinstance(root, ssl.SSLError) and root.reason == "TLSV1_ALERT_PROTOCOL_VERSION":
|
2021-05-26 14:09:38 +02:00
|
|
|
pytest.skip(f'Unsupported TLS version: {ssl_version}')
|
2016-03-02 06:12:05 +02:00
|
|
|
else:
|
|
|
|
raise
|
|
|
|
|
|
|
|
|
2016-03-01 20:53:23 +02:00
|
|
|
class TestClientCert:
|
2015-01-24 00:55:03 +02:00
|
|
|
|
2016-03-02 04:35:40 +02:00
|
|
|
def test_cert_and_key(self, httpbin_secure):
|
|
|
|
r = http(httpbin_secure + '/get',
|
|
|
|
'--cert', CLIENT_CERT,
|
|
|
|
'--cert-key', CLIENT_KEY)
|
|
|
|
assert HTTP_OK in r
|
|
|
|
|
|
|
|
def test_cert_pem(self, httpbin_secure):
|
|
|
|
r = http(httpbin_secure + '/get',
|
|
|
|
'--cert', CLIENT_PEM)
|
|
|
|
assert HTTP_OK in r
|
|
|
|
|
2015-01-24 00:55:03 +02:00
|
|
|
def test_cert_file_not_found(self, httpbin_secure):
|
|
|
|
r = http(httpbin_secure + '/get',
|
|
|
|
'--cert', '/__not_found__',
|
2019-09-03 17:14:39 +02:00
|
|
|
tolerate_error_exit_status=True)
|
2015-01-24 00:55:03 +02:00
|
|
|
assert r.exit_status == ExitStatus.ERROR
|
2021-05-31 10:10:41 +02:00
|
|
|
assert '/__not_found__: No such file or directory' in r.stderr
|
2015-01-24 00:55:03 +02:00
|
|
|
|
|
|
|
def test_cert_file_invalid(self, httpbin_secure):
|
2018-11-14 17:10:08 +02:00
|
|
|
with pytest.raises(ssl_errors):
|
2015-01-24 00:55:03 +02:00
|
|
|
http(httpbin_secure + '/get',
|
|
|
|
'--cert', __file__)
|
|
|
|
|
|
|
|
def test_cert_ok_but_missing_key(self, httpbin_secure):
|
2018-11-14 17:10:08 +02:00
|
|
|
with pytest.raises(ssl_errors):
|
2015-01-24 00:55:03 +02:00
|
|
|
http(httpbin_secure + '/get',
|
|
|
|
'--cert', CLIENT_CERT)
|
|
|
|
|
|
|
|
|
2016-03-01 20:53:23 +02:00
|
|
|
class TestServerCert:
|
2016-03-06 11:42:35 +02:00
|
|
|
|
2015-01-24 00:55:03 +02:00
|
|
|
def test_verify_no_OK(self, httpbin_secure):
|
2020-08-06 22:24:03 +02:00
|
|
|
# Avoid warnings when explicitly testing insecure requests
|
|
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
2015-01-24 00:55:03 +02:00
|
|
|
r = http(httpbin_secure.url + '/get', '--verify=no')
|
|
|
|
assert HTTP_OK in r
|
|
|
|
|
2017-02-17 01:56:07 +02:00
|
|
|
@pytest.mark.parametrize('verify_value', ['false', 'fALse'])
|
|
|
|
def test_verify_false_OK(self, httpbin_secure, verify_value):
|
2020-08-06 22:24:03 +02:00
|
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
2017-02-17 01:56:07 +02:00
|
|
|
r = http(httpbin_secure.url + '/get', '--verify', verify_value)
|
|
|
|
assert HTTP_OK in r
|
|
|
|
|
2015-01-24 00:55:03 +02:00
|
|
|
def test_verify_custom_ca_bundle_path(
|
2018-11-14 17:10:08 +02:00
|
|
|
self, httpbin_secure_untrusted
|
|
|
|
):
|
2016-03-06 11:42:35 +02:00
|
|
|
r = http(httpbin_secure_untrusted + '/get', '--verify', CA_BUNDLE)
|
2015-01-24 00:55:03 +02:00
|
|
|
assert HTTP_OK in r
|
|
|
|
|
2016-03-02 04:35:40 +02:00
|
|
|
def test_self_signed_server_cert_by_default_raises_ssl_error(
|
2018-11-14 17:10:08 +02:00
|
|
|
self,
|
|
|
|
httpbin_secure_untrusted
|
|
|
|
):
|
|
|
|
with pytest.raises(ssl_errors):
|
2016-03-06 11:42:35 +02:00
|
|
|
http(httpbin_secure_untrusted.url + '/get')
|
2016-03-02 04:35:40 +02:00
|
|
|
|
2015-01-24 00:55:03 +02:00
|
|
|
def test_verify_custom_ca_bundle_invalid_path(self, httpbin_secure):
|
2021-05-31 10:10:41 +02:00
|
|
|
# since 2.14.0 requests raises IOError (an OSError subclass)
|
|
|
|
with pytest.raises(ssl_errors + (OSError,)):
|
2015-01-24 00:55:03 +02:00
|
|
|
http(httpbin_secure.url + '/get', '--verify', '/__not_found__')
|
|
|
|
|
|
|
|
def test_verify_custom_ca_bundle_invalid_bundle(self, httpbin_secure):
|
2018-11-14 17:10:08 +02:00
|
|
|
with pytest.raises(ssl_errors):
|
2015-01-24 00:55:03 +02:00
|
|
|
http(httpbin_secure.url + '/get', '--verify', __file__)
|
2020-05-23 13:26:06 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_ciphers(httpbin_secure):
|
|
|
|
r = http(
|
|
|
|
httpbin_secure.url + '/get',
|
|
|
|
'--ciphers',
|
|
|
|
DEFAULT_SSL_CIPHERS,
|
|
|
|
)
|
|
|
|
assert HTTP_OK in r
|
|
|
|
|
|
|
|
|
|
|
|
def test_ciphers_none_can_be_selected(httpbin_secure):
|
|
|
|
r = http(
|
|
|
|
httpbin_secure.url + '/get',
|
|
|
|
'--ciphers',
|
|
|
|
'__FOO__',
|
|
|
|
tolerate_error_exit_status=True,
|
|
|
|
)
|
|
|
|
assert r.exit_status == ExitStatus.ERROR
|
2020-06-19 18:26:08 +02:00
|
|
|
# Linux/macOS:
|
|
|
|
# http: error: SSLError: ('No cipher can be selected.',)
|
|
|
|
# OpenBSD:
|
|
|
|
# <https://marc.info/?l=openbsd-ports&m=159251948515635&w=2>
|
|
|
|
# http: error: Error: [('SSL routines', '(UNKNOWN)SSL_internal', 'no cipher match')]
|
|
|
|
assert 'cipher' in r.stderr
|