From 060ef1dfd5c9eba52c6ea6dd0294e77ddb211009 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Thu, 8 Oct 2020 16:42:19 +0300 Subject: [PATCH] tests: Filter useless warnings Filter out: * DeprecationWarnings for updater module when we are on purpose testing deprecated methods from updater * SubjectAltNameWarning for connections to our test server These warnings are visible with e.g. python3 test_updater.py The large change in test_download.py is just indentation into with-block. Signed-off-by: Jussi Kukkonen --- tests/test_download.py | 105 ++++++++++--------- tests/test_extraneous_dependencies_attack.py | 3 +- tests/test_mix_and_match_attack.py | 3 +- tests/test_updater.py | 30 ++++-- tests/utils.py | 12 +++ 5 files changed, 91 insertions(+), 62 deletions(-) diff --git a/tests/test_download.py b/tests/test_download.py index 276c49b8..f768c96d 100755 --- a/tests/test_download.py +++ b/tests/test_download.py @@ -38,6 +38,8 @@ import os import sys import unittest +import urllib3 +import warnings import tuf import tuf.download as download 
@@ -295,63 +297,68 @@ def test_https_connection(self): # the bad cert. Expect failure because even though we trust it, the # hostname we're connecting to does not match the hostname in the cert. logger.info('Trying HTTPS download of target file: ' + bad_https_url) - with self.assertRaises(requests.exceptions.SSLError): - download.safe_download(bad_https_url, target_data_length) - with self.assertRaises(requests.exceptions.SSLError): - download.unsafe_download(bad_https_url, target_data_length) + with warnings.catch_warnings(): + # We're ok with a slightly fishy localhost cert + warnings.filterwarnings('ignore', + category=urllib3.exceptions.SubjectAltNameWarning) - # Try connecting to the server processes with the good certs while not - # trusting the good certs (trusting the bad cert instead). Expect failure - # because even though the server's cert file is otherwise OK, we don't - # trust it. - logger.info('Trying HTTPS download of target file: ' + good_https_url) - with self.assertRaises(requests.exceptions.SSLError): - download.safe_download(good_https_url, target_data_length) - with self.assertRaises(requests.exceptions.SSLError): - download.unsafe_download(good_https_url, target_data_length) + with self.assertRaises(requests.exceptions.SSLError): + download.safe_download(bad_https_url, target_data_length) + with self.assertRaises(requests.exceptions.SSLError): + download.unsafe_download(bad_https_url, target_data_length) - logger.info('Trying HTTPS download of target file: ' + good2_https_url) - with self.assertRaises(requests.exceptions.SSLError): - download.safe_download(good2_https_url, target_data_length) - with self.assertRaises(requests.exceptions.SSLError): - download.unsafe_download(good2_https_url, target_data_length) + # Try connecting to the server processes with the good certs while not + # trusting the good certs (trusting the bad cert instead). Expect failure + # because even though the server's cert file is otherwise OK, we don't + # trust it. 
+ logger.info('Trying HTTPS download of target file: ' + good_https_url) + with self.assertRaises(requests.exceptions.SSLError): + download.safe_download(good_https_url, target_data_length) + with self.assertRaises(requests.exceptions.SSLError): + download.unsafe_download(good_https_url, target_data_length) + + logger.info('Trying HTTPS download of target file: ' + good2_https_url) + with self.assertRaises(requests.exceptions.SSLError): + download.safe_download(good2_https_url, target_data_length) + with self.assertRaises(requests.exceptions.SSLError): + download.unsafe_download(good2_https_url, target_data_length) - # Configure environment to now trust the certfile that is expired. - os.environ['REQUESTS_CA_BUNDLE'] = expired_cert_fname - # Clear sessions to ensure that the certificate we just specified is used. - # TODO: Confirm necessity of this session clearing and lay out mechanics. - tuf.download._sessions = {} + # Configure environment to now trust the certfile that is expired. + os.environ['REQUESTS_CA_BUNDLE'] = expired_cert_fname + # Clear sessions to ensure that the certificate we just specified is used. + # TODO: Confirm necessity of this session clearing and lay out mechanics. + tuf.download._sessions = {} - # Try connecting to the server process with the expired cert while - # trusting the expired cert. Expect failure because even though we trust - # it, it is expired. - logger.info('Trying HTTPS download of target file: ' + expired_https_url) - with self.assertRaises(requests.exceptions.SSLError): - download.safe_download(expired_https_url, target_data_length) - with self.assertRaises(requests.exceptions.SSLError): - download.unsafe_download(expired_https_url, target_data_length) + # Try connecting to the server process with the expired cert while + # trusting the expired cert. Expect failure because even though we trust + # it, it is expired. 
+ logger.info('Trying HTTPS download of target file: ' + expired_https_url) + with self.assertRaises(requests.exceptions.SSLError): + download.safe_download(expired_https_url, target_data_length) + with self.assertRaises(requests.exceptions.SSLError): + download.unsafe_download(expired_https_url, target_data_length) - # Try connecting to the server processes with the good certs while - # trusting the appropriate good certs. Expect success. - # TODO: expand testing to switch expected certificates back and forth a - # bit more while clearing / not clearing sessions. - os.environ['REQUESTS_CA_BUNDLE'] = good_cert_fname - # Clear sessions to ensure that the certificate we just specified is used. - # TODO: Confirm necessity of this session clearing and lay out mechanics. - tuf.download._sessions = {} - logger.info('Trying HTTPS download of target file: ' + good_https_url) - download.safe_download(good_https_url, target_data_length).close() - download.unsafe_download(good_https_url, target_data_length).close() + # Try connecting to the server processes with the good certs while + # trusting the appropriate good certs. Expect success. + # TODO: expand testing to switch expected certificates back and forth a + # bit more while clearing / not clearing sessions. + os.environ['REQUESTS_CA_BUNDLE'] = good_cert_fname + # Clear sessions to ensure that the certificate we just specified is used. + # TODO: Confirm necessity of this session clearing and lay out mechanics. + tuf.download._sessions = {} + logger.info('Trying HTTPS download of target file: ' + good_https_url) + download.safe_download(good_https_url, target_data_length).close() + download.unsafe_download(good_https_url, target_data_length).close() - os.environ['REQUESTS_CA_BUNDLE'] = good2_cert_fname - # Clear sessions to ensure that the certificate we just specified is used. - # TODO: Confirm necessity of this session clearing and lay out mechanics. 
- tuf.download._sessions = {} - logger.info('Trying HTTPS download of target file: ' + good2_https_url) - download.safe_download(good2_https_url, target_data_length).close() - download.unsafe_download(good2_https_url, target_data_length).close() + os.environ['REQUESTS_CA_BUNDLE'] = good2_cert_fname + # Clear sessions to ensure that the certificate we just specified is used. + # TODO: Confirm necessity of this session clearing and lay out mechanics. + tuf.download._sessions = {} + logger.info('Trying HTTPS download of target file: ' + good2_https_url) + download.safe_download(good2_https_url, target_data_length).close() + download.unsafe_download(good2_https_url, target_data_length).close() finally: for proc_handler in [ diff --git a/tests/test_extraneous_dependencies_attack.py b/tests/test_extraneous_dependencies_attack.py index c5f92c9e..195b0a2e 100755 --- a/tests/test_extraneous_dependencies_attack.py +++ b/tests/test_extraneous_dependencies_attack.py @@ -201,7 +201,8 @@ def test_with_tuf(self): self.repository_updater.refresh() try: - self.repository_updater.targets_of_role('role1') + with utils.ignore_deprecation_warnings('tuf.client.updater'): + self.repository_updater.targets_of_role('role1') # Verify that the specific 'tuf.exceptions.ForbiddenTargetError' exception is raised # by each mirror. diff --git a/tests/test_mix_and_match_attack.py b/tests/test_mix_and_match_attack.py index 9be6c54f..45325dca 100755 --- a/tests/test_mix_and_match_attack.py +++ b/tests/test_mix_and_match_attack.py @@ -221,7 +221,8 @@ def test_with_tuf(self): self.repository_updater.refresh() try: - self.repository_updater.targets_of_role('role1') + with utils.ignore_deprecation_warnings('tuf.client.updater'): + self.repository_updater.targets_of_role('role1') # Verify that the specific # 'tuf.exceptions.BadVersionNumberError' exception is raised by diff --git a/tests/test_updater.py b/tests/test_updater.py index 8c76a96c..3967ec07 100644 --- a/tests/test_updater.py 
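Review bot: The new `warnings.catch_warnings()` block in test_https_connection silences `SubjectAltNameWarning` for every download in the test, which hides that the test certificates carry no subjectAltName and that the hostname checks asserted here go through urllib3's commonName fallback. That fallback is deprecated, so a test whose purpose is hostname verification is better served by regenerating the test certs with a SAN for the test host than by filtering the warning. If the filter stays, scope it to the individual `download.*` calls rather than the whole sequence and say why in the comment, e.g. `# test certs are CN-only (no subjectAltName); urllib3 warns on the CN fallback`. As far as I know urllib3 2.x no longer defines `SubjectAltNameWarning`, so the direct attribute reference may need a guard there; worth confirming against the pinned version. The enclosing try block starts outside the hunk.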
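Review bot: Wrapping `targets_of_role('role1')` in `utils.ignore_deprecation_warnings('tuf.client.updater')` silences the warning but leaves nothing that checks the deprecated method still emits it. The same applies to the identical wrapper in tests/test_mix_and_match_attack.py and to the `all_targets()` / `targets_of_role()` call sites in tests/test_updater.py. Where the supported interpreters allow it, `with self.assertWarns(DeprecationWarning):` at one normal-case call site per deprecated method in tests/test_updater.py would both quiet the output and pin the deprecation contract. The try block this call sits in continues outside the hunk, so whether the call is expected to raise here cannot be seen from the hunk.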
+++ b/tests/test_updater.py @@ -1000,7 +1000,8 @@ def test_5_all_targets(self): self.repository_updater.refresh() # Test: normal case. - all_targets = self.repository_updater.all_targets() + with utils.ignore_deprecation_warnings('tuf.client.updater'): + all_targets = self.repository_updater.all_targets() # Verify format of 'all_targets', it should correspond to # 'TARGETINFOS_SCHEMA'. @@ -1044,7 +1045,8 @@ def test_5_targets_of_role(self): # Test: normal case. - targetinfos = self.repository_updater.targets_of_role('role1') + with utils.ignore_deprecation_warnings('tuf.client.updater'): + targetinfos = self.repository_updater.targets_of_role('role1') # Verify that the expected role files were downloaded and installed. os.path.exists(os.path.join(self.client_metadata_current, 'targets.json')) @@ -1061,10 +1063,11 @@ def test_5_targets_of_role(self): # Test: Invalid arguments. # targets_of_role() expected a string rolename. - self.assertRaises(securesystemslib.exceptions.FormatError, self.repository_updater.targets_of_role, - 8) - self.assertRaises(tuf.exceptions.UnknownRoleError, self.repository_updater.targets_of_role, - 'unknown_rolename') + with utils.ignore_deprecation_warnings('tuf.client.updater'): + self.assertRaises(securesystemslib.exceptions.FormatError, self.repository_updater.targets_of_role, + 8) + self.assertRaises(tuf.exceptions.UnknownRoleError, self.repository_updater.targets_of_role, + 'unknown_rolename') @@ -1398,7 +1401,8 @@ def test_7_updated_targets(self): # Get the list of target files. It will be used as an argument to the # 'updated_targets()' function. - all_targets = self.repository_updater.all_targets() + with utils.ignore_deprecation_warnings('tuf.client.updater'): + all_targets = self.repository_updater.all_targets() # Test for duplicates and targets in the root directory of the repository. additional_target = all_targets[0].copy() 
@@ -1412,7 +1416,8 @@ def test_7_updated_targets(self): updated_targets = \ self.repository_updater.updated_targets(all_targets, destination_directory) - all_targets = self.repository_updater.all_targets() + with utils.ignore_deprecation_warnings('tuf.client.updater'): + all_targets = self.repository_updater.all_targets() # Assumed the pre-generated repository specifies two target files in # 'targets.json' and one delegated target file in 'role1.json'. @@ -1479,7 +1484,8 @@ def test_7_updated_targets(self): self.repository_updater.refresh() # Verify that the new target file is considered updated. - all_targets = self.repository_updater.all_targets() + with utils.ignore_deprecation_warnings('tuf.client.updater'): + all_targets = self.repository_updater.all_targets() updated_targets = \ self.repository_updater.updated_targets(all_targets, destination_directory) self.assertEqual(len(updated_targets), 1) @@ -1522,7 +1528,8 @@ def test_8_remove_obsolete_targets(self): destination_directory = self.make_temp_directory() # Populate 'destination_direction' with all target files. - all_targets = self.repository_updater.all_targets() + with utils.ignore_deprecation_warnings('tuf.client.updater'): + all_targets = self.repository_updater.all_targets() self.assertEqual(len(os.listdir(destination_directory)), 0) @@ -1553,7 +1560,8 @@ def test_8_remove_obsolete_targets(self): # Verify number of target files in 'destination_directory' (should be 1 # after the update made to the remote repository), and call # 'remove_obsolete_targets()'. - all_targets = self.repository_updater.all_targets() + with utils.ignore_deprecation_warnings('tuf.client.updater'): + all_targets = self.repository_updater.all_targets() updated_targets = \ self.repository_updater.updated_targets(all_targets, diff --git a/tests/utils.py b/tests/utils.py index 26751d8d..c3cd5a0a 100644 --- a/tests/utils.py +++ b/tests/utils.py 
@@ -21,6 +21,7 @@ """ import argparse +from contextlib import contextmanager import errno import logging import socket @@ -28,6 +29,7 @@ import subprocess import tempfile import random +import warnings import tuf.log @@ -46,6 +48,16 @@ def __init__(self, value="Timeout"): def __str__(self): return repr(self.value) + +@contextmanager +def ignore_deprecation_warnings(module): + with warnings.catch_warnings(): + warnings.filterwarnings('ignore', + category=DeprecationWarning, + module=module) + yield + + # Wait until host:port accepts connections. # Raises TimeoutError if this does not happen within timeout seconds # There are major differences between operating systems on how this works
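Review bot: `ignore_deprecation_warnings` has no docstring, and the meaning of its `module` argument is easy to misread. `warnings.filterwarnings` treats it as a regular expression matched against the start of the name of the module the warning is attributed to, so `'tuf.client.updater'` has unescaped dots and also matches longer names with that prefix. The filter also only works while the `warnings.warn` calls in the updater keep the default `stacklevel`; with `stacklevel=2` the warning would be attributed to the test module and slip past, which is presumably not the case today since the commit reports the warnings gone. I would add a docstring such as `"""Suppress DeprecationWarnings attributed to modules whose name matches the regex 'module' inside the with-block."""` and consider passing `module=re.escape(module) + '$'` in the helper.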