freeipa/ipatests/test_ipalib/test_util.py
Christian Heimes c2608cfe8a Add skip_if_platform marker
Make it easier to skip tests based on platform ID and platform LIKE_ID.

Skip some tests that are not working on Debian-like platforms

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-04-28 15:33:57 +02:00

78 lines
2.4 KiB
Python

#
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
#
"""Tests for ipalib.util module
"""
import os
import ssl
from unittest import mock
import pytest
from ipalib.util import (
get_pager, create_https_connection, get_proper_tls_version_span
)
from ipaplatform.constants import constants
@pytest.mark.parametrize('pager,expected_result', [
# Valid values
('cat', '/bin/cat'),
('/bin/cat', '/bin/cat'),
# Invalid values (wrong command, package is not installed, etc)
('cat_', None),
('', None)
])
def test_get_pager(pager, expected_result):
with mock.patch.dict(os.environ, {'PAGER': pager}):
pager = get_pager()
assert(pager == expected_result or pager.endswith(expected_result))
BASE_CTX = ssl.SSLContext(ssl.PROTOCOL_TLS)
if constants.TLS_HIGH_CIPHERS is not None:
BASE_CTX.set_ciphers(constants.TLS_HIGH_CIPHERS)
else:
BASE_CTX.set_ciphers("PROFILE=SYSTEM")
# options: IPA still supports Python 3.6 without min/max version setters
BASE_OPT = BASE_CTX.options
BASE_OPT |= (
ssl.OP_ALL | ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE |
ssl.OP_SINGLE_ECDH_USE
)
TLS_OPT = (
ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 |
ssl.OP_NO_TLSv1_1
)
OP_NO_TLSv1_3 = getattr(ssl, "OP_NO_TLSv1_3", 0) # make pylint happy
@pytest.mark.skip_if_platform(
"debian", reason="Crypto policy is not supported on Debian"
)
@pytest.mark.parametrize('minver,maxver,opt,expected', [
(None, None, BASE_OPT, None),
(None, "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
("tls1.2", "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
("tls1.2", None, BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
("tls1.2", "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
(None, "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
("tls1.3", "tls1.3", BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
("tls1.3", None, BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
])
def test_tls_version_span(minver, maxver, opt, expected):
assert get_proper_tls_version_span(minver, maxver) == expected
# file must exist and contain certs
cafile = ssl.get_default_verify_paths().cafile
conn = create_https_connection(
"invalid.test",
cafile=cafile,
tls_version_min=minver,
tls_version_max=maxver
)
ctx = getattr(conn, "_context")
assert ctx.options == BASE_OPT | opt
assert ctx.get_ciphers() == BASE_CTX.get_ciphers()