path: root/test/modules/tls/test_02_conf.py
blob: 88be80c3a673194a11eee311810a606fcd1c3826 (plain)
import os
from datetime import timedelta

import pytest

from .conf import TlsTestConf


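class TestConf:
    """Configuration-parsing tests for the mod_tls directives.

    Every test installs a ``TlsTestConf`` that carries the baseline plus
    one extra directive and then observes how httpd reacts to it:

    * malformed, incomplete or unsupported directives must make startup
      fail -- the tests assert ``env.apache_fail() == 0``, which (judging
      by the helper's name and use here) reports 0 when the server refused
      to start as expected;
    * well-formed directives must let the server come up -- the tests
      assert ``env.apache_restart() == 0``.

    Rejecting bad configuration at startup, rather than running with a
    half-applied TLS setup, is the security property these cases pin down.
    """

    @pytest.fixture(autouse=True, scope='class')
    def _class_scope(self, env):
        """Install the baseline config once per class and check httpd restarts on it."""
        TlsTestConf(env=env).install()
        assert env.apache_restart() == 0

    @pytest.fixture(autouse=True, scope='function')
    def _function_scope(self, env):
        """Stop a still-running httpd before each test so every case starts cold."""
        # Only a short liveness probe is needed to decide whether a stop is due.
        if env.is_live(timeout=timedelta(milliseconds=100)):
            assert env.apache_stop() == 0

    # -- helpers -----------------------------------------------------------

    def _install(self, env, directive: str) -> TlsTestConf:
        """Install the baseline config plus one extra *directive* and return it."""
        conf = TlsTestConf(env=env)
        conf.add(directive)
        conf.install()
        return conf

    def _expect_startup_failure(self, env, directive: str) -> None:
        """Install *directive* and require that httpd refuses to start."""
        self._install(env, directive)
        assert env.apache_fail() == 0

    def _expect_startup_ok(self, env, directive: str) -> None:
        """Install *directive* and require that httpd restarts cleanly."""
        self._install(env, directive)
        assert env.apache_restart() == 0

    # -- TLSCertificate ----------------------------------------------------

    def test_tls_02_conf_cert_args_missing(self, env):
        """TLSCertificate with no arguments is a startup error."""
        self._expect_startup_failure(env, "TLSCertificate")

    def test_tls_02_conf_cert_single_arg(self, env):
        """TLSCertificate with only a cert path (no key) is a startup error."""
        self._expect_startup_failure(env, "TLSCertificate cert.pem")

    def test_tls_02_conf_cert_file_missing(self, env):
        """TLSCertificate pointing at files that do not exist is a startup error."""
        self._expect_startup_failure(env, "TLSCertificate cert.pem key.pem")

    def test_tls_02_conf_cert_file_exist(self, env):
        """TLSCertificate pointing at existing but empty files is still a startup error.

        The files are created (empty) after the config is installed, so the
        failure being asserted is about their content, not their absence:
        an unparsable certificate or key must never be silently accepted.
        """
        self._install(env, "TLSCertificate test-02-cert.pem test-02-key.pem")
        for name in ["test-02-cert.pem", "test-02-key.pem"]:
            with open(os.path.join(env.server_dir, name), "w") as fd:
                fd.write("")
        assert env.apache_fail() == 0

    # -- TLSEngine ---------------------------------------------------------

    def test_tls_02_conf_cert_listen_missing(self, env):
        """TLSEngine without a listen address is a startup error."""
        self._expect_startup_failure(env, "TLSEngine")

    def test_tls_02_conf_cert_listen_wrong(self, env):
        """TLSEngine with an unparsable listen address is a startup error."""
        self._expect_startup_failure(env, "TLSEngine ^^^^^")

    @pytest.mark.parametrize("listen", [
        "443",
        "129.168.178.188:443",
        "[::]:443",
    ])
    def test_tls_02_conf_cert_listen_valid(self, env, listen: str):
        """TLSEngine accepts a bare port, an IPv4:port and an IPv6 [addr]:port.

        When mod_tls is not available as a shared module the ``listen``
        value is not exercised; the test instead installs ``SSLEngine on``
        and expects the restart to return 1 (see the inline comment).
        """
        conf = TlsTestConf(env=env)
        if not env.has_shared_module("tls"):
            # Without cert/key openssl will complain
            conf.add("SSLEngine on")
            conf.install()
            assert env.apache_restart() == 1
        else:
            conf.add("TLSEngine {listen}".format(listen=listen))
            conf.install()
            assert env.apache_restart() == 0

    def test_tls_02_conf_cert_listen_cert(self, env):
        """A complete TLS vhost for ``env.domain_a`` lets httpd restart."""
        conf = TlsTestConf(env=env)
        conf.add_tls_vhosts(domains=[env.domain_a])
        conf.install()
        assert env.apache_restart() == 0

    # -- TLSProtocol -------------------------------------------------------

    def test_tls_02_conf_proto_wrong(self, env):
        """An unknown TLSProtocol value is a startup error."""
        self._expect_startup_failure(env, "TLSProtocol wrong")

    @pytest.mark.parametrize("proto", [
        "default",
        "TLSv1.2+",
        "TLSv1.3+",
        "TLSv0x0303+",
    ])
    def test_tls_02_conf_proto_valid(self, env, proto):
        """Named and hex-coded minimum protocol versions are accepted."""
        self._expect_startup_ok(env, "TLSProtocol {proto}".format(proto=proto))

    # -- TLSHonorClientOrder -----------------------------------------------

    def test_tls_02_conf_honor_wrong(self, env):
        """A non-boolean TLSHonorClientOrder value is a startup error."""
        self._expect_startup_failure(env, "TLSHonorClientOrder wrong")

    @pytest.mark.parametrize("honor", [
        "on",
        "OfF",
    ])
    def test_tls_02_conf_honor_valid(self, env, honor: str):
        """TLSHonorClientOrder takes on/off, case-insensitively."""
        self._expect_startup_ok(env, "TLSHonorClientOrder {honor}".format(honor=honor))

    # -- TLSCiphersPrefer --------------------------------------------------

    @pytest.mark.parametrize("cipher", [
        "default",
        "TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:"
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        """TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \\
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\\
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"""
    ])
    def test_tls_02_conf_cipher_valid(self, env, cipher):
        """Known cipher names are accepted whether ':'-, space- or continuation-separated."""
        self._expect_startup_ok(env, "TLSCiphersPrefer {cipher}".format(cipher=cipher))

    @pytest.mark.parametrize("cipher", [
        "wrong",
        "YOLO",
        "TLS_NULL_WITH_NULL_NULLX",       # not supported
        "TLS_DHE_RSA_WITH_AES128_GCM_SHA256",     # not supported
    ])
    def test_tls_02_conf_cipher_wrong(self, env, cipher):
        """Unknown or unsupported cipher names are a startup error, not a silent skip."""
        self._expect_startup_failure(env, "TLSCiphersPrefer {cipher}".format(cipher=cipher))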