upstream/oracle/pkg-gate: comparison src/tests/cli/t

equal deleted inserted replaced

-:9999de424bd0
+:783f0eef9725
 self.rurl2 = self.dcs[2].get_repo_url()
 self.tmppub = pub2_name
 self.make_misc_files(self.misc_files)
 self.pkgsend_bulk(self.rurl1, self.example_pkg10)
-self.acurl = self.ac.url + "/%s" % pub1_name
+self.acurl1 = self.ac.url + "/%s" % pub1_name
+self.acurl2 = self.ac.url + "/%s" % pub2_name
 # Our proxy is served by the same Apache controller, but uses
 # a different port.
 self.proxyurl = self.ac.url.replace("https", "http")
 self.proxyurl = self.proxyurl.replace(str(self.https_port),
 str(self.proxy_port))
 self.ac.start()
 # Test that creating an image using a HTTPS repo without
 # providing any keys or certificates fails.
 self.assertRaises(TransportFailures, self.image_create,
-self.acurl)
+self.acurl1)
-self.pkg_image_create(repourl=self.acurl, exit=1)
+self.pkg_image_create(repourl=self.acurl1, exit=1)
 api_obj = self.image_create()
 # Test that adding a HTTPS repo fails if the image does not
 # contain the trust anchor to verify the server's identity.
 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % {
-"url": self.acurl,
+"url": self.acurl1,
 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")),
 "key": os.path.join(self.keys_dir, self.get_cli_key("test")),
 }, exit=1)
 # Add the trust anchor needed to verify the server's identity to
 # the image.
 self.seed_ta_dir("ta7")
 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % {
-"url": self.acurl,
+"url": self.acurl1,
 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")),
 "key": os.path.join(self.keys_dir, self.get_cli_key("test")),
 })
 api_obj = self.get_img_api_obj()
 self._api_install(api_obj, ["example_pkg"])
 # HTTP proxy.
 self.image_create()
 self.seed_ta_dir("ta7")
 self.pkg("set-publisher --proxy %(proxy)s "
 "-k %(key)s -c %(cert)s -p %(url)s" % {
-"url": self.acurl,
+"url": self.acurl1,
 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")),
 "key": os.path.join(self.keys_dir, self.get_cli_key("test")),
 "proxy": self.proxyurl})
 self.pkg("install example_pkg")
 str(self.bad_proxy_port))
 self.image_create()
 self.seed_ta_dir("ta7")
 self.pkg("set-publisher --proxy %(proxy)s "
 "-k %(key)s -c %(cert)s -p %(url)s" % {
-"url": self.acurl,
+"url": self.acurl1,
 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")),
 "key": os.path.join(self.keys_dir, self.get_cli_key("test")),
 "proxy": bad_proxyurl}, exit=1)
 # Set the bad proxy in the image, verify we can't refresh,
 # then use an OS environment override to force the use of a
 # good proxy.
 self.pkg("set-publisher --no-refresh --proxy %(proxy)s "
 "-k %(key)s -c %(cert)s -g %(url)s test" % {
-"url": self.acurl,
+"url": self.acurl1,
 "cert": os.path.join(self.cs_dir, self.get_cli_cert("test")),
 "key": os.path.join(self.keys_dir, self.get_cli_key("test")),
 "proxy": bad_proxyurl}, exit=0)
 self.pkg("refresh", exit=1)
 proxy_env = {"https_proxy": self.proxyurl}
 self.image_create()
 # Set https-based publisher with correct cert.
 self.seed_ta_dir("ta7")
 self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % {
-"url": self.acurl,
+"url": self.acurl1,
 "cert": good_cert_path,
 "key": os.path.join(self.keys_dir, self.get_cli_key("test")),
 })
 # Set a second publisher
 self.pkg("set-publisher -p %(url)s" % {"url": self.rurl2})
 shutil.copy(bad_cert_path, pkg_cert_path)
 # Refreshing the second publisher should not try to validate
 # the cert for the first publisher.
 self.pkg("refresh %s" % self.tmppub)
+def test_expired_certs(self):
+""" Test that certificate validation needs to validate all
+certificates before raising an exception. (Bug 15507548)"""
+bad_cert_path = os.path.join(self.cs_dir,
+"cs3_ch1_ta3_cert.pem")
+good_cert_path_1 = os.path.join(self.cs_dir,
+self.get_cli_cert("test"))
+good_cert_path_2 = os.path.join(self.cs_dir,
+self.get_cli_cert("tmp"))
+self.ac.start()
+self.image_create()
+# Set https-based publisher with correct cert.
+self.seed_ta_dir("ta7")
+self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % {
+"url": self.acurl1,
+"cert": good_cert_path_1,
+"key": os.path.join(self.keys_dir, self.get_cli_key("test")),
+})
+# Set a second publisher
+self.pkg("set-publisher -k %(key)s -c %(cert)s -p %(url)s" % {
+"url": self.acurl2,
+"cert": good_cert_path_2,
+"key": os.path.join(self.keys_dir, self.get_cli_key("tmp")),
+})
+# Replace cert of first publisher with one that is expired.
+# Cert is stored by content hash in the pkg config of the image,
+# which must be a SHA-1 hash for backwards compatibility.
+ch = misc.get_data_digest(good_cert_path_1,
+hash_func=hashlib.sha1)[0]
+pkg_cert_path = os.path.join(self.get_img_path(), "var", "pkg",
+"ssl", ch)
+shutil.copy(bad_cert_path, pkg_cert_path)
+# Replace the second certificate with one that is expired.
+ch = misc.get_data_digest(good_cert_path_2,
+hash_func=hashlib.sha1)[0]
+pkg_cert_path = os.path.join(self.get_img_path(), "var", "pkg",
+"ssl", ch)
+shutil.copy(bad_cert_path, pkg_cert_path)
+# Refresh all publishers should try to validate all certs.
+self.pkg("refresh", exit=1)
+self.assert_("Publisher: tmp" in self.errout, self.errout)
+self.assert_("Publisher: test" in self.errout, self.errout)
 class TestDepotHTTPS(pkg5unittest.SingleDepotTestCase):
 # Tests in this suite use the read only data directory.
 need_ro_data = True

changeset 2980	783f0eef9725
parent 2962	ce8cd4c07986
child 3010	2741200f3d9e