From 97774379834f0a06731093de54c986f8f7fd51a3 Mon Sep 17 00:00:00 2001
From: Ruben Pollan <meskio@sindominio.net>
Date: Tue, 16 May 2017 18:57:16 +0200
Subject: [bug] fail bonafide bootstrap for self sign certs

- Resolves: #8881
---
 tests/integration/bonafide/test_config.py | 146 ++++++++++++++++++++++++++++++
 1 file changed, 146 insertions(+)
 create mode 100644 tests/integration/bonafide/test_config.py

(limited to 'tests/integration/bonafide/test_config.py')

diff --git a/tests/integration/bonafide/test_config.py b/tests/integration/bonafide/test_config.py
new file mode 100644
index 00000000..aeb2c842
--- /dev/null
+++ b/tests/integration/bonafide/test_config.py
@@ -0,0 +1,146 @@
+# -*- coding: utf-8 -*-
+# test_config.py
+# Copyright (C) 2015-2017 LEAP
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import os.path
+
+from BaseHTTPServer import BaseHTTPRequestHandler
+from twisted.internet import defer
+from twisted.trial import unittest
+
+from leap.bitmask.bonafide.config import Provider
+from leap.bitmask.bonafide.errors import NetworkError
+from leap.common.testing.basetest import BaseLeapTest
+from leap.common.testing.https_server import BaseHTTPSServerTestCase
+
+
+class ConfigTest(BaseHTTPSServerTestCase, unittest.TestCase, BaseLeapTest):
+
+    def setUp(self):
+        self.addr = Addr()
+        self.request_handler = request_handler(self.addr)
+        BaseHTTPSServerTestCase.setUp(self)
+        self.addr.host = 'localhost'
+        self.addr.port = self.PORT
+
+    def test_bootstrap_self_sign_cert_fails(self):
+        home = os.path.join(self.home, 'self_sign')
+        os.mkdir(home)
+        provider = Provider(self.addr.domain, autoconf=True, basedir=home)
+        d = provider.callWhenMainConfigReady(lambda: "Cert was accepted")
+        return self.assertFailure(d, NetworkError)
+
+    def test_bootstrap_pinned_cert(self):
+        cacert = os.path.join(os.path.dirname(__file__),
+                              "cacert.pem")
+        home = os.path.join(self.home, 'pinned')
+        os.mkdir(home)
+        provider = Provider(self.addr.domain, autoconf=True, basedir=home,
+                            cert_path=cacert)
+
+        def check_provider():
+            config = provider.config()
+            self.assertEqual(config["domain"], self.addr.host)
+            self.assertEqual(config["ca_cert_fingerprint"],
+                             "SHA256: %s" % fingerprint)
+
+        provider.callWhenMainConfigReady(check_provider)
+        return defer.gatherResults([
+            provider.first_bootstrap[provider._domain],
+            provider.ongoing_bootstrap[provider._domain]])
+
+
+class Addr(object):
+    def __init__(self, host='localhost', port='4443'):
+        self.host = host
+        self.port = port
+
+    @property
+    def domain(self):
+        return "%s:%s" % (self.host, self.port)
+
+
+def request_handler(addr):
+    class RequestHandler(BaseHTTPRequestHandler):
+        def do_GET(self):
+            if self.path == '/provider.json':
+                body = provider_json % {
+                    'host': addr.host,
+                    'port': addr.port,
+                    'fingerprint': fingerprint
+                }
+
+            elif self.path == '/ca.crt':
+                cacert = os.path.join(os.path.dirname(__file__),
+                                      "leaptestscert.pem")
+                with open(cacert, 'r') as f:
+                    castr = f.read()
+                body = castr
+
+            elif self.path == '/1/configs.json':
+                body = configs_json
+
+            else:
+                body = '{"error": "not implemented"}'
+
+            self.send_response(200)
+            self.send_header('Content-type', 'applicatino/json')
+            self.send_header('Content-Length', str(len(body)))
+            self.end_headers()
+            self.wfile.write(body)
+
+    return RequestHandler
+
+
+fingerprint = \
+    "cd0131b3352b7a29c307156b24f09fe862b1f5a2e55be7cd888048b91770f220"
+provider_json = """
+{
+  "api_uri": "https://%(host)s:%(port)s",
+  "api_version": "1",
+  "ca_cert_fingerprint": "SHA256: %(fingerprint)s",
+  "ca_cert_uri": "https://%(host)s:%(port)s/ca.crt",
+  "default_language": "en",
+  "description": {
+    "en": "example"
+  },
+  "domain": "%(host)s",
+  "enrollment_policy": "open",
+  "languages": [
+    "en"
+  ],
+  "name": {
+    "en": "Bitmask"
+  },
+  "service": {
+    "allow_anonymous": false,
+    "allow_free": true,
+    "allow_limited_bandwidth": false,
+    "allow_paid": false,
+    "allow_registration": true,
+    "allow_unlimited_bandwidth": true,
+    "bandwidth_limit": 102401,
+    "default_service_level": 1,
+    "levels": {
+      "1": {
+        "description": "hi.",
+        "name": "free"
+      }
+    }
+  },
+  "services": []
+}
+"""
+configs_json = "{}"
-- 
cgit v1.2.3