- if it is provided, don't require the certificate filename to be
provided as an absolute path
- raise an error if the provided certificate filename does not
point to an existing file, rather than just printing and
ignoring (to avoid possible future diagnostic headaches)
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Added Python version checking and changed behavior
in Python2.7.9+ to use custom certificate for target server
inherited from command line argument.
In Python versions < 2.7.9, proxy_server.py does not perform certificate
validation of the target server. As that is not part of what the current
tests using this script require, that is currently OK. In Python
versions > 2.7.9 (SSLContext was added in 2.7.9), the same code actually does
check the certificate, using the system's trusted CAs. As a result, since we
are using custom certificates, we need to either disable certificate
checking in 2.7.9 or load the specific CA for target test server, using the
SSLContext and create_default_context functionality also added in 2.7.9. It
is easier to do the latter, so the behavior in 2.7.9+ is to check the cert
and below 2.7.9 is not to. Note that we do not support Python < 2.7.
SSLContext is also available in all Python3 versions that we support.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
as that set of tests is now redundant, and depended on Twisted,
which we need not depend on.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
add more explanatory comments in test_proxy.use,
and prepare for rename of proxy2.py to proxy_server.py in next
commit (separate so that the rename can be seen as such).
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
- move some configuration values up to the module level (proxy certs
dir, proxy ca key and cert, general certs dir).
- add explanatory comments for these values
- create the proxy's host-specific client certificates directory
if it does not yet exist.
- note that the module is not thread-safe
- fix a Windows-incompatible line (explicit path separator)
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
- client makes HTTPS connection to proxy; proxy makes HTTP
connection to target server
- client makes HTTPS connection to proxy; proxy makes HTTPS
connection to target server
Added functionality to the proxy2.py script to allow it to
take and use a certificate to use to validate the target
server.
Also added clarifying comments in test_proxy_use.py.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Fixes a typo in arg processing for test script proxy2.py.
Also removes an outdated comment and clarifies another.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
for proxy testing. Also update the test scripts to point to
the new location of ssl certificates and ssl keys.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
in proxy2. And use it to run both relaying and intercepting proxies.
True: normal HTTP proxy. Support HTTP & HTTPS connections to target server
False: intercepting MITM transparent HTTPS proxy. Makes own TLS connections
and has its own cert; must be trusted by the client and is able to
modify requests.
Also perform some cleanup of test_proxy_use.py
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
- adds inaz2/proxy2.py, copied code.
- adds dev dependency on twisted for a simple proxy test
- adds a new test module, test_proxy_use, and runs those tests only in
Python2.7 (as proxy2 only supports Python2.7) using new logic in
aggregate_tests.py.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Rewrite test_https_connection to do a more thorough test, including
the use of an unknown certificate and the use of a good certificate
which lists a hostname not matching that expected in the connection.
In the process, made some small changes to the simple_https_server
module used in tests (takes an extra argument: certificate file to
use). Given the extent of the changes to test_https_connection, I
also made some style adjustments to better match our code style
guidelines.
I also reduced the length of a delay after the https servers
started from 1s to 0.2s, as part of a general campaign to speed up
the TUF tests. 200ms should do to start the servers, and if not,
I'll adjust it upward.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
to extract hostname. After commit
"use a different session per hostname",
the code no longer raises MissingSchema if a URL is malformed in
certain cases. Since it parses URLs to extract the hostname and
would have raised securesystemslib.exceptions.FormatError, so the
test would have to check for that error instead of requests's
MissingSchema.
However, it's best to use a different error type, since while that
would be, true enough, a formatting error, FormatError is customarily
reserved for the automatic detection based on schemas in formats.py
(using <SCHEMA>.check_match()), and in any case it is not a
securesystemslib error.
So this commit adds error type tuf.exceptions.URLParsingError and
raises it if the hostname cannot be isolated in a URL, and checks
for it in test_download.py.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
and also clarify setup workflow in test_slow_retrieval_attack.
Because the test was written incorrectly, the test was failing
with a bad hash error after 31 seconds, when it should instead
have been failing because the slow retrieval attack was not
averted.
In particular, a target file was updated, but metadata was not
correctly updated on the repository and, further, the client's
copy of the metadata was never updated. (The client continued
to expect 31 bytes of target file instead of 400 or 800.)
The way the test used to run, the target file change
previously had no purpose.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Also halves the duration of a failed test (from 800s to 400s).
Otherwise, this is a code-style-only change.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
The test for repository_tool.get_filepaths_in_directory now expects
absolute paths, and also now tests the *results* of the function's use when
the recursive flag is on.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
