Add client authentication tests

This commit is contained in:
Kenneth Giusti 2017-01-04 15:40:07 -05:00
parent 3ebf9c2765
commit 2189d3fa44
3 changed files with 50 additions and 6 deletions


@ -126,6 +126,7 @@ def process_connection(connection, my_socket):
connection.close() connection.close()
return True return True
# Map the send callback status to a string # Map the send callback status to a string
SEND_STATUS = { SEND_STATUS = {
pyngus.SenderLink.ABORTED: "Aborted", pyngus.SenderLink.ABORTED: "Aborted",


@ -28,6 +28,7 @@ from string import Template
from proton import Condition from proton import Condition
from proton import Message from proton import Message
from proton import SSLUnavailable from proton import SSLUnavailable
from proton import SSLException
from proton import SASL from proton import SASL
import pyngus import pyngus
@ -348,7 +349,9 @@ class APITest(common.Test):
def _test_ssl(self, def _test_ssl(self,
server_password="server-password", server_password="server-password",
server_dns="some.server.com"): server_dns="some.server.com",
client_password=None,
client_dns=None):
def _testpath(file): def _testpath(file):
""" Set the full path to the PEM files.""" """ Set the full path to the PEM files."""
@ -359,12 +362,21 @@ class APITest(common.Test):
"x-ssl-identity": (_testpath("server-certificate.pem"), "x-ssl-identity": (_testpath("server-certificate.pem"),
_testpath("server-private-key.pem"), _testpath("server-private-key.pem"),
server_password)} server_password)}
if client_dns:
s_props['x-ssl-ca-file'] = _testpath("ca-certificate.pem")
s_props['x-ssl-verify-mode'] = 'verify-peer'
s_props['x-ssl-peer-name'] = client_dns
server = self.container1.create_connection("server", server = self.container1.create_connection("server",
properties=s_props) properties=s_props)
c_props = {"x-ssl-ca-file": _testpath("ca-certificate.pem"), c_props = {"x-ssl-ca-file": _testpath("ca-certificate.pem"),
"x-ssl-verify-mode": "verify-peer", "x-ssl-verify-mode": "verify-peer",
"x-ssl-peer-name": server_dns} "x-ssl-peer-name": server_dns}
if client_password:
c_props['x-ssl-identity'] = (_testpath("client-certificate.pem"),
_testpath("client-private-key.pem"),
client_password)
client = self.container2.create_connection("client", client = self.container2.create_connection("client",
properties=c_props) properties=c_props)
server.open() server.open()
@ -384,7 +396,8 @@ class APITest(common.Test):
assert False, "error expected!" assert False, "error expected!"
except SSLUnavailable: except SSLUnavailable:
raise common.Skipped("SSL not available.") raise common.Skipped("SSL not available.")
except Exception: except SSLException:
# should fail to open the certificate
pass pass
def test_ssl_name_fail(self): def test_ssl_name_fail(self):
@ -393,7 +406,37 @@ class APITest(common.Test):
assert False, "error expected!" assert False, "error expected!"
except SSLUnavailable: except SSLUnavailable:
raise common.Skipped("SSL not available.") raise common.Skipped("SSL not available.")
except Exception: except AssertionError:
# connection setup should fail
pass
def test_ssl_client_auth_ok(self):
try:
self._test_ssl(client_password="client-password",
client_dns="my.client.com")
except SSLUnavailable:
raise common.Skipped("SSL not available.")
def test_ssl_client_pw_fail(self):
try:
self._test_ssl(client_password="bad password",
client_dns="my.client.com")
assert False, "error expected!"
except SSLUnavailable:
raise common.Skipped("SSL not available.")
except SSLException:
# should fail to open the certificate
pass
def test_ssl_client_name_fail(self):
try:
self._test_ssl(client_password="client-password",
client_dns="my.Xclient.com")
assert False, "error expected!"
except SSLUnavailable:
raise common.Skipped("SSL not available.")
except AssertionError:
# connection setup should fail
pass pass
def test_io_input_close(self): def test_io_input_close(self):
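Review bot: In test_ssl_client_name_fail the sentinel `assert False, "error expected!"` raises AssertionError, which the new `except AssertionError: pass` on the next lines swallows, so the test passes even when the mismatched client name is accepted; the narrowed handler in test_ssl_name_fail has the same hole. The failure the handler is meant to catch presumably comes from an assert inside _test_ssl (outside this hunk), so it cannot be distinguished from the sentinel by type. Move the sentinel into an `else:` clause of the try so it only runs when _test_ssl returned normally: `else:` / `    assert False, "error expected!"`, and drop the `assert False` line from the try body in both tests. The same try/except/else shape would also make test_ssl_client_pw_fail robust should _test_ssl ever surface a failure as AssertionError rather than SSLException.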


@ -68,9 +68,9 @@ $OPENSSL pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout
CLIENT_COMMON_NAME="my.client.com" CLIENT_COMMON_NAME="my.client.com"
# Create a certificate request for the client certificate. Use the CA's certificate to sign it: # Create a certificate request for the client certificate. Use the CA's certificate to sign it:
$KEYTOOL -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -genkey -dname "CN=$CLIENT_COMMON_NAME" -validity 99999 $KEYTOOL -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -genkey -dname "CN=$CLIENT_COMMON_NAME" -validity 99999
keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem $KEYTOOL -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem
keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem $KEYTOOL -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem
openssl pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem $OPENSSL pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem
# clean up all the unnecessary stuff # clean up all the unnecessary stuff
rm *.pkcs12 *-request.pem rm *.pkcs12 *-request.pem