freeipa/ipatests/test_ipalib/test_util.py

#
# Copyright (C) 2018  FreeIPA Contributors see COPYING for license
#
"""Tests for ipalib.util module
"""

import os
import ssl
from unittest import mock

import pytest

from ipalib.util import (
    get_pager, create_https_connection, get_proper_tls_version_span
)
from ipaplatform.constants import constants


@pytest.mark.parametrize('pager,expected_result', [
    # Valid values
    ('cat', '/bin/cat'),
    ('/bin/cat', '/bin/cat'),
    # Invalid values (wrong command, package is not installed, etc)
    ('cat_', None),
    ('', None)
])
def test_get_pager(pager, expected_result):
    with mock.patch.dict(os.environ, {'PAGER': pager}):
        pager = get_pager()
        assert(pager == expected_result or pager.endswith(expected_result))


BASE_CTX = ssl.SSLContext(ssl.PROTOCOL_TLS)
if constants.TLS_HIGH_CIPHERS is not None:
    BASE_CTX.set_ciphers(constants.TLS_HIGH_CIPHERS)
else:
    BASE_CTX.set_ciphers("PROFILE=SYSTEM")

# options: IPA still supports Python 3.6 without min/max version setters
BASE_OPT = BASE_CTX.options
BASE_OPT |= (
    ssl.OP_ALL | ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE |
    ssl.OP_SINGLE_ECDH_USE
)
TLS_OPT = (
    ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 |
    ssl.OP_NO_TLSv1_1
)
OP_NO_TLSv1_3 = getattr(ssl, "OP_NO_TLSv1_3", 0)  # make pylint happy


@pytest.mark.skip_if_platform(
    "debian", reason="Crypto policy is not supported on Debian"
)
@pytest.mark.parametrize('minver,maxver,opt,expected', [
    (None, None, BASE_OPT, None),
    (None, "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
    ("tls1.2", "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
    ("tls1.2", None, BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
    ("tls1.2", "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
    (None, "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
    ("tls1.3", "tls1.3", BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
    ("tls1.3", None, BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
])
def test_tls_version_span(minver, maxver, opt, expected):
    assert get_proper_tls_version_span(minver, maxver) == expected
    # file must exist and contain certs
    cafile = ssl.get_default_verify_paths().cafile
    conn = create_https_connection(
        "invalid.test",
        cafile=cafile,
        tls_version_min=minver,
        tls_version_max=maxver
    )
    ctx = getattr(conn, "_context")
    assert ctx.options == BASE_OPT | opt
    assert ctx.get_ciphers() == BASE_CTX.get_ciphers()
Check pager's executable before subprocess.Popen Get the value of `PAGER` environment variable in case it's defined, check the executable, if it exists - use a pager, otherwise - print function. Fixes: https://pagure.io/freeipa/issue/7746 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2018-12-05 07:54:29 -06:00			`#`
			`# Copyright (C) 2018 FreeIPA Contributors see COPYING for license`
			`#`
			`"""Tests for ipalib.util module`
			`"""`

			`import os`
Don't hard-code client's TLS versions and ciphers Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 2019-11-22 03:42:11 -06:00			`import ssl`
Check pager's executable before subprocess.Popen Get the value of `PAGER` environment variable in case it's defined, check the executable, if it exists - use a pager, otherwise - print function. Fixes: https://pagure.io/freeipa/issue/7746 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2018-12-05 07:54:29 -06:00			`from unittest import mock`

			`import pytest`

Don't hard-code client's TLS versions and ciphers Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 2019-11-22 03:42:11 -06:00			`from ipalib.util import (`
			`get_pager, create_https_connection, get_proper_tls_version_span`
			`)`
			`from ipaplatform.constants import constants`
Check pager's executable before subprocess.Popen Get the value of `PAGER` environment variable in case it's defined, check the executable, if it exists - use a pager, otherwise - print function. Fixes: https://pagure.io/freeipa/issue/7746 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2018-12-05 07:54:29 -06:00

			`@pytest.mark.parametrize('pager,expected_result', [`
			`# Valid values`
Fix unnecessary usrmerge assumptions On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail, keyctl, and gzip live in /bin, not /usr/bin. On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so this has no effect. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2019-04-10 16:25:37 -05:00			`('cat', '/bin/cat'),`
			`('/bin/cat', '/bin/cat'),`
Check pager's executable before subprocess.Popen Get the value of `PAGER` environment variable in case it's defined, check the executable, if it exists - use a pager, otherwise - print function. Fixes: https://pagure.io/freeipa/issue/7746 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2018-12-05 07:54:29 -06:00			`# Invalid values (wrong command, package is not installed, etc)`
			`('cat_', None),`
			`('', None)`
			`])`
			`def test_get_pager(pager, expected_result):`
			`with mock.patch.dict(os.environ, {'PAGER': pager}):`
Fix unnecessary usrmerge assumptions On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail, keyctl, and gzip live in /bin, not /usr/bin. On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so this has no effect. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2019-04-10 16:25:37 -05:00			`pager = get_pager()`
			`assert(pager == expected_result or pager.endswith(expected_result))`
Don't hard-code client's TLS versions and ciphers Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 2019-11-22 03:42:11 -06:00

			`BASE_CTX = ssl.SSLContext(ssl.PROTOCOL_TLS)`
			`if constants.TLS_HIGH_CIPHERS is not None:`
			`BASE_CTX.set_ciphers(constants.TLS_HIGH_CIPHERS)`
			`else:`
			`BASE_CTX.set_ciphers("PROFILE=SYSTEM")`

			`# options: IPA still supports Python 3.6 without min/max version setters`
			`BASE_OPT = BASE_CTX.options`
			`BASE_OPT \|= (`
			`ssl.OP_ALL \| ssl.OP_NO_COMPRESSION \| ssl.OP_SINGLE_DH_USE \|`
			`ssl.OP_SINGLE_ECDH_USE`
			`)`
			`TLS_OPT = (`
			`ssl.OP_NO_SSLv2 \| ssl.OP_NO_SSLv3 \| ssl.OP_NO_TLSv1 \|`
			`ssl.OP_NO_TLSv1_1`
			`)`
			`OP_NO_TLSv1_3 = getattr(ssl, "OP_NO_TLSv1_3", 0) # make pylint happy`


Add skip_if_platform marker Make it easier to skip tests based on platform ID and platform LIKE_ID. Skip some tests that are not working on Debian-like platforms Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Levin <slev@altlinux.org> 2020-04-27 05:33:26 -05:00			`@pytest.mark.skip_if_platform(`
			`"debian", reason="Crypto policy is not supported on Debian"`
			`)`
Don't hard-code client's TLS versions and ciphers Client connections no longer override TLS version range and ciphers by default. Instead clients use the default settings from the system's crypto policy. Minimum TLS version is now TLS 1.2. The default crypto policy on RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as minimum version. The minimum version is configured with OpenSSL 1.1.1 APIs. Python 3.6 lacks the setters to override the system policy. The effective minimum version is always TLS 1.2, because FreeIPA reconfigures Apache HTTPd on Fedora. Fixes: https://pagure.io/freeipa/issue/8125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 2019-11-22 03:42:11 -06:00			`@pytest.mark.parametrize('minver,maxver,opt,expected', [`
			`(None, None, BASE_OPT, None),`
			`(None, "tls1.3", BASE_OPT \| TLS_OPT, ["tls1.2", "tls1.3"]),`
			`("tls1.2", "tls1.3", BASE_OPT \| TLS_OPT, ["tls1.2", "tls1.3"]),`
			`("tls1.2", None, BASE_OPT \| TLS_OPT, ["tls1.2", "tls1.3"]),`
			`("tls1.2", "tls1.2", BASE_OPT \| TLS_OPT \| OP_NO_TLSv1_3, ["tls1.2"]),`
			`(None, "tls1.2", BASE_OPT \| TLS_OPT \| OP_NO_TLSv1_3, ["tls1.2"]),`
			`("tls1.3", "tls1.3", BASE_OPT \| TLS_OPT \| ssl.OP_NO_TLSv1_2, ["tls1.3"]),`
			`("tls1.3", None, BASE_OPT \| TLS_OPT \| ssl.OP_NO_TLSv1_2, ["tls1.3"]),`
			`])`
			`def test_tls_version_span(minver, maxver, opt, expected):`
			`assert get_proper_tls_version_span(minver, maxver) == expected`
			`# file must exist and contain certs`
			`cafile = ssl.get_default_verify_paths().cafile`
			`conn = create_https_connection(`
			`"invalid.test",`
			`cafile=cafile,`
			`tls_version_min=minver,`
			`tls_version_max=maxver`
			`)`
			`ctx = getattr(conn, "_context")`
			`assert ctx.options == BASE_OPT \| opt`
			`assert ctx.get_ciphers() == BASE_CTX.get_ciphers()`