Merge pull request #679 from dod-ccpo/sync-crls

sync crls from CSP source
2019-03-01 11:59:57 -05:00
parent 7919dcdac8 c534ceda59
commit 7fbb8d05e0
13 changed files with 249 additions and 236 deletions
--- a/tests/domain/authnid/test_crl.py
+++ b/tests/domain/authnid/test_crl.py
@@ -3,14 +3,118 @@ import pytest
 import re
 import os
 import shutil
+from datetime import datetime, timezone, timedelta
 from OpenSSL import crypto, SSL
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import Encoding
+from cryptography.x509.oid import NameOID

 from atst.domain.authnid.crl import CRLCache, CRLRevocationException, NoOpCRLCache
-import atst.domain.authnid.crl.util as util

 from tests.mocks import FIXTURE_EMAIL_ADDRESS, DOD_CN


+def rsa_key():
+    return rsa.generate_private_key(
+        public_exponent=65537, key_size=2048, backend=default_backend()
+    )
+
+
+@pytest.fixture
+def ca_key():
+    return rsa_key()
+
+
+@pytest.fixture
+def make_x509():
+    def _make_x509(private_key, signer_key=None, cn="ATAT", signer_cn="ATAT"):
+        if signer_key is None:
+            signer_key = private_key
+
+        one_day = timedelta(1, 0, 0)
+        public_key = private_key.public_key()
+        builder = x509.CertificateBuilder()
+        builder = builder.subject_name(
+            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
+        )
+        builder = builder.issuer_name(
+            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, signer_cn)])
+        )
+        if signer_key == private_key:
+            builder = builder.add_extension(
+                x509.BasicConstraints(ca=True, path_length=None), critical=True
+            )
+        builder = builder.not_valid_before(datetime.today() - (one_day * 2))
+        builder = builder.not_valid_after(datetime.today() + (one_day * 30))
+        builder = builder.serial_number(x509.random_serial_number())
+        builder = builder.public_key(public_key)
+        certificate = builder.sign(
+            private_key=signer_key, algorithm=hashes.SHA256(), backend=default_backend()
+        )
+
+        return certificate
+
+    return _make_x509
+
+
+@pytest.fixture
+def make_crl():
+    def _make_crl(private_key, last_update_days=-1, next_update_days=30, cn="ATAT"):
+        one_day = timedelta(1, 0, 0)
+        builder = x509.CertificateRevocationListBuilder()
+        builder = builder.issuer_name(
+            x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
+        )
+        builder = builder.last_update(datetime.today() + (one_day * last_update_days))
+        builder = builder.next_update(datetime.today() + (one_day * next_update_days))
+        crl = builder.sign(
+            private_key=private_key,
+            algorithm=hashes.SHA256(),
+            backend=default_backend(),
+        )
+
+        return crl
+
+    return _make_crl
+
+
+def serialize_pki_object_to_disk(obj, name, encoding=Encoding.PEM):
+    with open(name, "wb") as file_:
+        file_.write(obj.public_bytes(encoding))
+
+        return name
+
+
+@pytest.fixture
+def ca_file(make_x509, ca_key, tmpdir):
+    ca = make_x509(ca_key)
+    ca_out = tmpdir.join("atat-ca.crt")
+    serialize_pki_object_to_disk(ca, ca_out)
+
+    return ca_out
+
+
+@pytest.fixture
+def expired_crl_file(make_crl, ca_key, tmpdir):
+    crl = make_crl(ca_key, last_update_days=-7, next_update_days=-1)
+    crl_out = tmpdir.join("atat-expired.crl")
+    serialize_pki_object_to_disk(crl, crl_out, encoding=Encoding.DER)
+
+    return crl_out
+
+
+@pytest.fixture
+def crl_file(make_crl, ca_key, tmpdir):
+    crl = make_crl(ca_key)
+    crl_out = tmpdir.join("atat-valid.crl")
+    serialize_pki_object_to_disk(crl, crl_out, encoding=Encoding.DER)
+
+    return crl_out
+
+
 class MockX509Store:
    def __init__(self):
        self.crls = []
@@ -26,14 +130,17 @@ class MockX509Store:
        pass


-def test_can_build_crl_list(monkeypatch):
-    location = "ssl/client-certs/client-ca.der.crl"
-    cache = CRLCache(
-        "ssl/client-certs/client-ca.crt",
-        crl_locations=[location],
-        store_class=MockX509Store,
-    )
+def test_can_build_crl_list(ca_file, ca_key, make_crl, tmpdir):
+    crl = make_crl(ca_key)
+    crl_file = tmpdir.join("atat.crl")
+    serialize_pki_object_to_disk(crl, crl_file, encoding=Encoding.DER)
+
+    cache = CRLCache(ca_file, crl_locations=[crl_file], store_class=MockX509Store)
+    issuer_der = crl.issuer.public_bytes(default_backend())
    assert len(cache.crl_cache.keys()) == 1
+    assert issuer_der in cache.crl_cache
+    assert cache.crl_cache[issuer_der]["location"] == crl_file
+    assert cache.crl_cache[issuer_der]["expires"] == crl.next_update


 def test_can_build_trusted_root_list():
@@ -104,47 +211,6 @@ def test_multistep_certificate_chain():
    assert cache.crl_check(cert)


-def test_parse_disa_pki_list():
-    with open("tests/fixtures/disa-pki.html") as disa:
-        disa_html = disa.read()
-        crl_list = util.crl_list_from_disa_html(disa_html)
-        href_matches = re.findall("DOD(ROOT|EMAIL|ID)?CA", disa_html)
-        assert len(crl_list) > 0
-        assert len(crl_list) == len(href_matches)
-
-
-class MockStreamingResponse:
-    def __init__(self, content_chunks, code=200):
-        self.content_chunks = content_chunks
-        self.status_code = code
-
-    def iter_content(self, chunk_size=0):
-        return self.content_chunks
-
-    def __enter__(self):
-        return self
-
-    def __exit__(self, *args):
-        pass
-
-
-def test_write_crl(tmpdir, monkeypatch):
-    monkeypatch.setattr(
-        "requests.get", lambda u, **kwargs: MockStreamingResponse([b"it worked"])
-    )
-    crl = "crl_1"
-    assert util.write_crl(tmpdir, "random_target_dir", crl)
-    assert [p.basename for p in tmpdir.listdir()] == [crl]
-    assert [p.read() for p in tmpdir.listdir()] == ["it worked"]
-
-
-def test_skips_crl_if_it_has_not_been_modified(tmpdir, monkeypatch):
-    monkeypatch.setattr(
-        "requests.get", lambda u, **kwargs: MockStreamingResponse([b"it worked"], 304)
-    )
-    assert not util.write_crl(tmpdir, "random_target_dir", "crl_file_name")
-
-
 class FakeLogger:
    def __init__(self):
        self.messages = []
@@ -159,29 +225,27 @@ class FakeLogger:
        self.messages.append(msg)


-def test_refresh_crls_with_error(tmpdir, monkeypatch):
-    def _mock_create_connection(*args, **kwargs):
-        raise TimeoutError
-
-    fake_crl = "https://fakecrl.com/fake.crl"
-
-    monkeypatch.setattr(
-        "urllib3.util.connection.create_connection", _mock_create_connection
-    )
-    monkeypatch.setattr("atst.domain.authnid.crl.util.fetch_disa", lambda *args: None)
-    monkeypatch.setattr(
-        "atst.domain.authnid.crl.util.crl_list_from_disa_html", lambda *args: [fake_crl]
-    )
-
-    logger = FakeLogger()
-    util.refresh_crls(tmpdir, tmpdir, logger)
-
-    assert "Error downloading {}".format(fake_crl) in logger.messages[-1]
-
-
 def test_no_op_crl_cache_logs_common_name():
    logger = FakeLogger()
    cert = open("ssl/client-certs/atat.mil.crt", "rb").read()
    cache = NoOpCRLCache(logger=logger)
    assert cache.crl_check(cert)
    assert "ART.GARFUNKEL.1234567890" in logger.messages[-1]
+
+
+def test_updates_expired_certs(ca_file, expired_crl_file, crl_file, ca_key, make_x509):
+    """
+    Given a CRLCache object with an expired CRL and a function for updating the
+    CRLs, the CRLCache should run the update function before checking a
+    certificate that requires the expired CRL.
+    """
+    client_cert = make_x509(rsa_key(), signer_key=ca_key, cn="chewbacca")
+    client_pem = client_cert.public_bytes(Encoding.PEM)
+
+    def _crl_update_func():
+        shutil.copyfile(crl_file, expired_crl_file)
+
+    crl_cache = CRLCache(
+        ca_file, crl_locations=[expired_crl_file], crl_update_func=_crl_update_func
+    )
+    crl_cache.crl_check(client_pem)