make crl_check a CRLCache method
This commit is contained in:
dandds
luis cielak
@@ -1,7 +1,7 @@
|
||||
import pytest
|
||||
|
||||
from atst.domain.authnid import AuthenticationContext
|
||||
from atst.domain.authnid.crl import CRLCache
|
||||
from atst.domain.authnid.crl import CRLCache, CRLRevocationException
|
||||
from atst.domain.exceptions import UnauthenticatedError, NotFoundError
|
||||
from atst.domain.users import Users
|
||||
|
||||
@@ -12,20 +12,24 @@ CERT = open("tests/fixtures/{}.crt".format(FIXTURE_EMAIL_ADDRESS)).read()
|
||||
|
||||
|
||||
class MockCRLCache():
|
||||
def get_store(self, cert):
|
||||
pass
|
||||
def __init__(self, valid=True):
|
||||
self.valid = valid
|
||||
|
||||
def crl_check(self, cert):
|
||||
if self.valid:
|
||||
return True
|
||||
|
||||
raise CRLRevocationException()
|
||||
|
||||
|
||||
def test_can_authenticate(monkeypatch):
|
||||
monkeypatch.setattr("atst.domain.authnid.crl_check", lambda *args: True)
|
||||
def test_can_authenticate():
|
||||
auth_context = AuthenticationContext(
|
||||
MockCRLCache(), "SUCCESS", DOD_SDN, CERT
|
||||
)
|
||||
assert auth_context.authenticate()
|
||||
|
||||
|
||||
def test_unsuccessful_status(monkeypatch):
|
||||
monkeypatch.setattr("atst.domain.authnid.crl_check", lambda *args: True)
|
||||
def test_unsuccessful_status():
|
||||
auth_context = AuthenticationContext(
|
||||
MockCRLCache(), "FAILURE", DOD_SDN, CERT
|
||||
)
|
||||
@@ -36,11 +40,9 @@ def test_unsuccessful_status(monkeypatch):
|
||||
assert "client authentication" in message
|
||||
|
||||
|
||||
def test_crl_check_fails(monkeypatch):
|
||||
cache = CRLCache('ssl/client-certs/client-ca.crt', crl_locations=['ssl/client-certs/client-ca.der.crl'])
|
||||
cert = open("ssl/client-certs/bad-atat.mil.crt", "r").read()
|
||||
def test_crl_check_fails():
|
||||
auth_context = AuthenticationContext(
|
||||
cache, "SUCCESS", DOD_SDN, cert
|
||||
MockCRLCache(False), "SUCCESS", DOD_SDN, CERT
|
||||
)
|
||||
with pytest.raises(UnauthenticatedError) as excinfo:
|
||||
assert auth_context.authenticate()
|
||||
@@ -49,8 +51,7 @@ def test_crl_check_fails(monkeypatch):
|
||||
assert "CRL check" in message
|
||||
|
||||
|
||||
def test_bad_sdn(monkeypatch):
|
||||
monkeypatch.setattr("atst.domain.authnid.crl_check", lambda *args: True)
|
||||
def test_bad_sdn():
|
||||
auth_context = AuthenticationContext(
|
||||
MockCRLCache(), "SUCCESS", "abc123", CERT
|
||||
)
|
||||
@@ -61,8 +62,7 @@ def test_bad_sdn(monkeypatch):
|
||||
assert "SDN" in message
|
||||
|
||||
|
||||
def test_user_exists(monkeypatch):
|
||||
monkeypatch.setattr("atst.domain.authnid.crl_check", lambda *args: True)
|
||||
def test_user_exists():
|
||||
user = UserFactory.create(**DOD_SDN_INFO)
|
||||
auth_context = AuthenticationContext(
|
||||
MockCRLCache(), "SUCCESS", DOD_SDN, CERT
|
||||
@@ -72,8 +72,7 @@ def test_user_exists(monkeypatch):
|
||||
assert auth_user == user
|
||||
|
||||
|
||||
def test_creates_user(monkeypatch):
|
||||
monkeypatch.setattr("atst.domain.authnid.crl_check", lambda *args: True)
|
||||
def test_creates_user():
|
||||
# check user does not exist
|
||||
with pytest.raises(NotFoundError):
|
||||
Users.get_by_dod_id(DOD_SDN_INFO["dod_id"])
|
||||
@@ -86,8 +85,7 @@ def test_creates_user(monkeypatch):
|
||||
assert user.email == FIXTURE_EMAIL_ADDRESS
|
||||
|
||||
|
||||
def test_user_cert_has_no_email(monkeypatch):
|
||||
monkeypatch.setattr("atst.domain.authnid.crl_check", lambda *args: True)
|
||||
def test_user_cert_has_no_email():
|
||||
cert = open("ssl/client-certs/atat.mil.crt").read()
|
||||
auth_context = AuthenticationContext(
|
||||
MockCRLCache(), "SUCCESS", DOD_SDN, cert
|
||||
|
||||
@@ -5,7 +5,7 @@ import os
|
||||
import shutil
|
||||
from OpenSSL import crypto, SSL
|
||||
|
||||
from atst.domain.authnid.crl import crl_check, CRLCache, CRLRevocationException
|
||||
from atst.domain.authnid.crl import CRLCache, CRLRevocationException
|
||||
import atst.domain.authnid.crl.util as util
|
||||
|
||||
from tests.mocks import FIXTURE_EMAIL_ADDRESS
|
||||
@@ -54,9 +54,9 @@ def test_can_validate_certificate():
|
||||
)
|
||||
good_cert = open("ssl/client-certs/atat.mil.crt", "rb").read()
|
||||
bad_cert = open("ssl/client-certs/bad-atat.mil.crt", "rb").read()
|
||||
assert crl_check(cache, good_cert)
|
||||
assert cache.crl_check(good_cert)
|
||||
with pytest.raises(CRLRevocationException):
|
||||
crl_check(cache, bad_cert)
|
||||
cache.crl_check(bad_cert)
|
||||
|
||||
|
||||
def test_can_dynamically_update_crls(tmpdir):
|
||||
@@ -64,18 +64,18 @@ def test_can_dynamically_update_crls(tmpdir):
|
||||
shutil.copyfile("ssl/client-certs/client-ca.der.crl", crl_file)
|
||||
cache = CRLCache("ssl/server-certs/ca-chain.pem", crl_locations=[crl_file])
|
||||
cert = open("ssl/client-certs/atat.mil.crt", "rb").read()
|
||||
assert crl_check(cache, cert)
|
||||
assert cache.crl_check(cert)
|
||||
# override the original CRL with one that revokes atat.mil.crt
|
||||
shutil.copyfile("tests/fixtures/test.der.crl", crl_file)
|
||||
with pytest.raises(CRLRevocationException):
|
||||
assert crl_check(cache, cert)
|
||||
assert cache.crl_check(cert)
|
||||
|
||||
|
||||
def test_throws_error_for_missing_issuer():
|
||||
cache = CRLCache("ssl/server-certs/ca-chain.pem", crl_locations=[])
|
||||
cert = open("tests/fixtures/{}.crt".format(FIXTURE_EMAIL_ADDRESS), "rb").read()
|
||||
with pytest.raises(CRLRevocationException) as exc:
|
||||
assert crl_check(cache, cert)
|
||||
assert cache.crl_check(cert)
|
||||
(message,) = exc.value.args
|
||||
assert "issuer" in message
|
||||
|
||||
|
||||
Reference in New Issue
Block a user