Imported Debian patch 4.7.2-3
committed by
Mario Fetka
parent
27edeba051
commit
8bc559c5a1
@@ -1,77 +0,0 @@
|
||||
#
|
||||
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license
|
||||
#
|
||||
"""Tests for ipalib.util module
|
||||
"""
|
||||
|
||||
import os
|
||||
import ssl
|
||||
from unittest import mock
|
||||
|
||||
import pytest
|
||||
|
||||
from ipalib.util import (
|
||||
get_pager, create_https_connection, get_proper_tls_version_span
|
||||
)
|
||||
from ipaplatform.constants import constants
|
||||
|
||||
|
||||
@pytest.mark.parametrize('pager,expected_result', [
|
||||
# Valid values
|
||||
('cat', '/bin/cat'),
|
||||
('/bin/cat', '/bin/cat'),
|
||||
# Invalid values (wrong command, package is not installed, etc)
|
||||
('cat_', None),
|
||||
('', None)
|
||||
])
|
||||
def test_get_pager(pager, expected_result):
|
||||
with mock.patch.dict(os.environ, {'PAGER': pager}):
|
||||
pager = get_pager()
|
||||
assert(pager == expected_result or pager.endswith(expected_result))
|
||||
|
||||
|
||||
BASE_CTX = ssl.SSLContext(ssl.PROTOCOL_TLS)
|
||||
if constants.TLS_HIGH_CIPHERS is not None:
|
||||
BASE_CTX.set_ciphers(constants.TLS_HIGH_CIPHERS)
|
||||
else:
|
||||
BASE_CTX.set_ciphers("PROFILE=SYSTEM")
|
||||
|
||||
# options: IPA still supports Python 3.6 without min/max version setters
|
||||
BASE_OPT = BASE_CTX.options
|
||||
BASE_OPT |= (
|
||||
ssl.OP_ALL | ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE |
|
||||
ssl.OP_SINGLE_ECDH_USE
|
||||
)
|
||||
TLS_OPT = (
|
||||
ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 |
|
||||
ssl.OP_NO_TLSv1_1
|
||||
)
|
||||
OP_NO_TLSv1_3 = getattr(ssl, "OP_NO_TLSv1_3", 0) # make pylint happy
|
||||
|
||||
|
||||
@pytest.mark.skip_if_platform(
|
||||
"debian", reason="Crypto policy is not supported on Debian"
|
||||
)
|
||||
@pytest.mark.parametrize('minver,maxver,opt,expected', [
|
||||
(None, None, BASE_OPT, None),
|
||||
(None, "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
||||
("tls1.2", "tls1.3", BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
||||
("tls1.2", None, BASE_OPT | TLS_OPT, ["tls1.2", "tls1.3"]),
|
||||
("tls1.2", "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
|
||||
(None, "tls1.2", BASE_OPT | TLS_OPT | OP_NO_TLSv1_3, ["tls1.2"]),
|
||||
("tls1.3", "tls1.3", BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
|
||||
("tls1.3", None, BASE_OPT | TLS_OPT | ssl.OP_NO_TLSv1_2, ["tls1.3"]),
|
||||
])
|
||||
def test_tls_version_span(minver, maxver, opt, expected):
|
||||
assert get_proper_tls_version_span(minver, maxver) == expected
|
||||
# file must exist and contain certs
|
||||
cafile = ssl.get_default_verify_paths().cafile
|
||||
conn = create_https_connection(
|
||||
"invalid.test",
|
||||
cafile=cafile,
|
||||
tls_version_min=minver,
|
||||
tls_version_max=maxver
|
||||
)
|
||||
ctx = getattr(conn, "_context")
|
||||
assert ctx.options == BASE_OPT | opt
|
||||
assert ctx.get_ciphers() == BASE_CTX.get_ciphers()
|
||||