mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
c2608cfe8a
Make it easier to skip tests based on platform ID and platform LIKE_ID. Skip some tests that are not working on Debian-like platforms Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Levin <slev@altlinux.org>
78 lines
2.4 KiB
Python
78 lines
2.4 KiB
Python
#
|
|
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
|
|
#
|
|
"""Tests for ipalib.util module
|
|
"""
|
|
|
|
import os
|
|
import ssl
|
|
from unittest import mock
|
|
|
|
import pytest
|
|
|
|
from ipalib.util import (
|
|
get_pager, create_https_connection, get_proper_tls_version_span
|
|
)
|
|
from ipaplatform.constants import constants
|
|
|
|
|
|
@pytest.mark.parametrize('pager,expected_result', [
|
|
# Valid values
|
|
('cat', '/bin/cat'),
|
|
('/bin/cat', '/bin/cat'),
|
|
# Invalid values (wrong command, package is not installed, etc)
|
|
('cat_', None),
|
|
('', None)
|
|
])
|
|
def test_get_pager(pager, expected_result):
|
|
with mock.patch.dict(os.environ, {'PAGER': pager}):
|
|
pager = get_pager()
|
|
assert(pager == expected_result or pager.endswith(expected_result))
|
|
|
|
|
|
BASE_CTX = ssl.SSLContext(ssl.PROTOCOL_TLS)
|
|
if constants.TLS_HIGH_CIPHERS is not None:
|
|
BASE_CTX.set_ciphers(constants.TLS_HIGH_CIPHERS)
|
|
else:
|
|
BASE_CTX.set_ciphers("PROFILE=SYSTEM")
|
|
|
|
# options: IPA still supports Python 3.6 without min/max version setters
|
|
BASE_OPT = BASE_CTX.options
|
|
BASE_OPT |= (
|
|
ssl.OP_ALL | ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE |
|
|
ssl.OP_SINGLE_ECDH_USE
|
|
)
|
|
TLS_OPT = (
|
|
ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 |
|
|
ssl.OP_NO_TLSv1_1
|
|
)
|
|
OP_NO_TLSv1_3 = getattr(ssl, "OP_NO_TLSv1_3", 0) # make pylint happy
|
|
|
|
|
|
@pytest.mark.skip_if_platform(
|
|
"debian", reason="Crypto policy is not supported on Debian"
|
|
)
|
|
@pytest.mark.parametrize('minver,maxver,opt,expected', [
|
|
(None, None, BASE_OPT, None),
|
|
(None, "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
|
("tls1.2", "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
|
("tls1.2", None, BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
|
("tls1.2", "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
|
|
(None, "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
|
|
("tls1.3", "tls1.3", BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
|
|
("tls1.3", None, BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
|
|
])
|
|
def test_tls_version_span(minver, maxver, opt, expected):
|
|
assert get_proper_tls_version_span(minver, maxver) == expected
|
|
# file must exist and contain certs
|
|
cafile = ssl.get_default_verify_paths().cafile
|
|
conn = create_https_connection(
|
|
"invalid.test",
|
|
cafile=cafile,
|
|
tls_version_min=minver,
|
|
tls_version_max=maxver
|
|
)
|
|
ctx = getattr(conn, "_context")
|
|
assert ctx.options == BASE_OPT | opt
|
|
assert ctx.get_ciphers() == BASE_CTX.get_ciphers()
|