60 self.rurl2 = self.dcs[2].get_repo_url() |
60 self.rurl2 = self.dcs[2].get_repo_url() |
61 self.tmppub = pub2_name |
61 self.tmppub = pub2_name |
62 |
62 |
63 self.make_misc_files(self.misc_files) |
63 self.make_misc_files(self.misc_files) |
64 self.pkgsend_bulk(self.rurl1, self.example_pkg10) |
64 self.pkgsend_bulk(self.rurl1, self.example_pkg10) |
65 self.acurl = self.ac.url + "/%s" % pub1_name |
65 self.acurl1 = self.ac.url + "/%s" % pub1_name |
|
66 self.acurl2 = self.ac.url + "/%s" % pub2_name |
66 # Our proxy is served by the same Apache controller, but uses |
67 # Our proxy is served by the same Apache controller, but uses |
67 # a different port. |
68 # a different port. |
68 self.proxyurl = self.ac.url.replace("https", "http") |
69 self.proxyurl = self.ac.url.replace("https", "http") |
69 self.proxyurl = self.proxyurl.replace(str(self.https_port), |
70 self.proxyurl = self.proxyurl.replace(str(self.https_port), |
70 str(self.proxy_port)) |
71 str(self.proxy_port)) |
75 |
76 |
76 self.ac.start() |
77 self.ac.start() |
77 # Test that creating an image using a HTTPS repo without |
78 # Test that creating an image using a HTTPS repo without |
78 # providing any keys or certificates fails. |
79 # providing any keys or certificates fails. |
79 self.assertRaises(TransportFailures, self.image_create, |
80 self.assertRaises(TransportFailures, self.image_create, |
80 self.acurl) |
81 self.acurl1) |
81 self.pkg_image_create(repourl=self.acurl, exit=1) |
82 self.pkg_image_create(repourl=self.acurl1, exit=1) |
82 api_obj = self.image_create() |
83 api_obj = self.image_create() |
83 |
84 |
84 # Test that adding a HTTPS repo fails if the image does not |
85 # Test that adding a HTTPS repo fails if the image does not |
85 # contain the trust anchor to verify the server's identity. |
86 # contain the trust anchor to verify the server's identity. |
86 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % { |
87 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % { |
87 "url": self.acurl, |
88 "url": self.acurl1, |
88 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
89 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
89 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
90 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
90 }, exit=1) |
91 }, exit=1) |
91 |
92 |
92 # Add the trust anchor needed to verify the server's identity to |
93 # Add the trust anchor needed to verify the server's identity to |
93 # the image. |
94 # the image. |
94 self.seed_ta_dir("ta7") |
95 self.seed_ta_dir("ta7") |
95 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % { |
96 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % { |
96 "url": self.acurl, |
97 "url": self.acurl1, |
97 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
98 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
98 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
99 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
99 }) |
100 }) |
100 api_obj = self.get_img_api_obj() |
101 api_obj = self.get_img_api_obj() |
101 self._api_install(api_obj, ["example_pkg"]) |
102 self._api_install(api_obj, ["example_pkg"]) |
125 # HTTP proxy. |
126 # HTTP proxy. |
126 self.image_create() |
127 self.image_create() |
127 self.seed_ta_dir("ta7") |
128 self.seed_ta_dir("ta7") |
128 self.pkg("set-publisher --proxy %(proxy)s " |
129 self.pkg("set-publisher --proxy %(proxy)s " |
129 "-k %(key)s -c %(cert)s -p %(url)s" % { |
130 "-k %(key)s -c %(cert)s -p %(url)s" % { |
130 "url": self.acurl, |
131 "url": self.acurl1, |
131 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
132 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
132 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
133 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
133 "proxy": self.proxyurl}) |
134 "proxy": self.proxyurl}) |
134 self.pkg("install example_pkg") |
135 self.pkg("install example_pkg") |
135 |
136 |
140 str(self.bad_proxy_port)) |
141 str(self.bad_proxy_port)) |
141 self.image_create() |
142 self.image_create() |
142 self.seed_ta_dir("ta7") |
143 self.seed_ta_dir("ta7") |
143 self.pkg("set-publisher --proxy %(proxy)s " |
144 self.pkg("set-publisher --proxy %(proxy)s " |
144 "-k %(key)s -c %(cert)s -p %(url)s" % { |
145 "-k %(key)s -c %(cert)s -p %(url)s" % { |
145 "url": self.acurl, |
146 "url": self.acurl1, |
146 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
147 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
147 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
148 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
148 "proxy": bad_proxyurl}, exit=1) |
149 "proxy": bad_proxyurl}, exit=1) |
149 |
150 |
150 # Set the bad proxy in the image, verify we can't refresh, |
151 # Set the bad proxy in the image, verify we can't refresh, |
151 # then use an OS environment override to force the use of a |
152 # then use an OS environment override to force the use of a |
152 # good proxy. |
153 # good proxy. |
153 self.pkg("set-publisher --no-refresh --proxy %(proxy)s " |
154 self.pkg("set-publisher --no-refresh --proxy %(proxy)s " |
154 "-k %(key)s -c %(cert)s -g %(url)s test" % { |
155 "-k %(key)s -c %(cert)s -g %(url)s test" % { |
155 "url": self.acurl, |
156 "url": self.acurl1, |
156 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
157 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")), |
157 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
158 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
158 "proxy": bad_proxyurl}, exit=0) |
159 "proxy": bad_proxyurl}, exit=0) |
159 self.pkg("refresh", exit=1) |
160 self.pkg("refresh", exit=1) |
160 proxy_env = {"https_proxy": self.proxyurl} |
161 proxy_env = {"https_proxy": self.proxyurl} |
174 self.image_create() |
175 self.image_create() |
175 |
176 |
176 # Set https-based publisher with correct cert. |
177 # Set https-based publisher with correct cert. |
177 self.seed_ta_dir("ta7") |
178 self.seed_ta_dir("ta7") |
178 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % { |
179 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % { |
179 "url": self.acurl, |
180 "url": self.acurl1, |
180 "cert": good_cert_path, |
181 "cert": good_cert_path, |
181 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
182 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
182 }) |
183 }) |
183 # Set a second publisher |
184 # Set a second publisher |
184 self.pkg("set-publisher -p %(url)s" % {"url": self.rurl2}) |
185 self.pkg("set-publisher -p %(url)s" % {"url": self.rurl2}) |
197 shutil.copy(bad_cert_path, pkg_cert_path) |
198 shutil.copy(bad_cert_path, pkg_cert_path) |
198 |
199 |
199 # Refreshing the second publisher should not try to validate |
200 # Refreshing the second publisher should not try to validate |
200 # the cert for the first publisher. |
201 # the cert for the first publisher. |
201 self.pkg("refresh %s" % self.tmppub) |
202 self.pkg("refresh %s" % self.tmppub) |
|
203 |
|
204 def test_expired_certs(self): |
|
205 """ Test that certificate validation needs to validate all |
|
206 certificates before raising an exception. (Bug 15507548)""" |
|
207 |
|
208 bad_cert_path = os.path.join(self.cs_dir, |
|
209 "cs3_ch1_ta3_cert.pem") |
|
210 good_cert_path_1 = os.path.join(self.cs_dir, |
|
211 self.get_cli_cert("test")) |
|
212 good_cert_path_2 = os.path.join(self.cs_dir, |
|
213 self.get_cli_cert("tmp")) |
|
214 self.ac.start() |
|
215 self.image_create() |
|
216 |
|
217 # Set https-based publisher with correct cert. |
|
218 self.seed_ta_dir("ta7") |
|
219 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % { |
|
220 "url": self.acurl1, |
|
221 "cert": good_cert_path_1, |
|
222 "key": os.path.join(self.keys_dir, self.get_cli_key("test")), |
|
223 }) |
|
224 # Set a second publisher |
|
225 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % { |
|
226 "url": self.acurl2, |
|
227 "cert": good_cert_path_2, |
|
228 "key": os.path.join(self.keys_dir, self.get_cli_key("tmp")), |
|
229 }) |
|
230 |
|
231 # Replace cert of first publisher with one that is expired. |
|
232 |
|
233 # Cert is stored by content hash in the pkg config of the image, |
|
234 # which must be a SHA-1 hash for backwards compatibility. |
|
235 ch = misc.get_data_digest(good_cert_path_1, |
|
236 hash_func=hashlib.sha1)[0] |
|
237 pkg_cert_path = os.path.join(self.get_img_path(), "var", "pkg", |
|
238 "ssl", ch) |
|
239 shutil.copy(bad_cert_path, pkg_cert_path) |
|
240 |
|
241 # Replace the second certificate with one that is expired. |
|
242 ch = misc.get_data_digest(good_cert_path_2, |
|
243 hash_func=hashlib.sha1)[0] |
|
244 pkg_cert_path = os.path.join(self.get_img_path(), "var", "pkg", |
|
245 "ssl", ch) |
|
246 shutil.copy(bad_cert_path, pkg_cert_path) |
|
247 |
|
248 # Refresh all publishers should try to validate all certs. |
|
249 self.pkg("refresh", exit=1) |
|
250 self.assert_("Publisher: tmp" in self.errout, self.errout) |
|
251 self.assert_("Publisher: test" in self.errout, self.errout) |
202 |
252 |
203 |
253 |
204 class TestDepotHTTPS(pkg5unittest.SingleDepotTestCase): |
254 class TestDepotHTTPS(pkg5unittest.SingleDepotTestCase): |
205 # Tests in this suite use the read only data directory. |
255 # Tests in this suite use the read only data directory. |
206 need_ro_data = True |
256 need_ro_data = True |