httpie-cli/tests/test_ssl.py

import pytest
import pytest_httpbin.certs
import requests.exceptions
import ssl
import urllib3

from httpie.ssl import AVAILABLE_SSL_VERSION_ARG_MAPPING, DEFAULT_SSL_CIPHERS
from httpie.status import ExitStatus
from utils import HTTP_OK, TESTS_ROOT, http


try:
    # Handle OpenSSL errors, if installed.
    # See <https://github.com/jakubroztocil/httpie/issues/729>
    # noinspection PyUnresolvedReferences
    import OpenSSL.SSL
    ssl_errors = (
        requests.exceptions.SSLError,
        OpenSSL.SSL.Error,
    )
except ImportError:
    ssl_errors = (
        requests.exceptions.SSLError,
    )

CERTS_ROOT = TESTS_ROOT / 'client_certs'
CLIENT_CERT = str(CERTS_ROOT / 'client.crt')
CLIENT_KEY = str(CERTS_ROOT / 'client.key')
CLIENT_PEM = str(CERTS_ROOT / 'client.pem')


# We test against a local httpbin instance which uses a self-signed cert.
# Requests without --verify=<CA_BUNDLE> will fail with a verification error.
# See: https://github.com/kevin1024/pytest-httpbin#https-support
CA_BUNDLE = pytest_httpbin.certs.where()


@pytest.mark.parametrize('ssl_version',
                         AVAILABLE_SSL_VERSION_ARG_MAPPING.keys())
def test_ssl_version(httpbin_secure, ssl_version):
    try:
        r = http(
            '--ssl', ssl_version,
            httpbin_secure + '/get'
        )
        assert HTTP_OK in r
    except ssl_errors as e:
        if ssl_version == 'ssl3':
            # pytest-httpbin doesn't support ssl3
            pass
        elif e.__context__ is not None:  # Check if root cause was an unsupported TLS version
            root = e.__context__
            while root.__context__ is not None:
                root = root.__context__
            if isinstance(root, ssl.SSLError) and root.reason == "TLSV1_ALERT_PROTOCOL_VERSION":
                pytest.skip("Unsupported TLS version: {}".format(ssl_version))
        else:
            raise


class TestClientCert:

    def test_cert_and_key(self, httpbin_secure):
        r = http(httpbin_secure + '/get',
                 '--cert', CLIENT_CERT,
                 '--cert-key', CLIENT_KEY)
        assert HTTP_OK in r

    def test_cert_pem(self, httpbin_secure):
        r = http(httpbin_secure + '/get',
                 '--cert', CLIENT_PEM)
        assert HTTP_OK in r

    def test_cert_file_not_found(self, httpbin_secure):
        r = http(httpbin_secure + '/get',
                 '--cert', '/__not_found__',
                 tolerate_error_exit_status=True)
        assert r.exit_status == ExitStatus.ERROR
        assert 'No such file or directory' in r.stderr

    def test_cert_file_invalid(self, httpbin_secure):
        with pytest.raises(ssl_errors):
            http(httpbin_secure + '/get',
                 '--cert', __file__)

    def test_cert_ok_but_missing_key(self, httpbin_secure):
        with pytest.raises(ssl_errors):
            http(httpbin_secure + '/get',
                 '--cert', CLIENT_CERT)


class TestServerCert:

    def test_verify_no_OK(self, httpbin_secure):
        # Avoid warnings when explicitly testing insecure requests
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        r = http(httpbin_secure.url + '/get', '--verify=no')
        assert HTTP_OK in r

    @pytest.mark.parametrize('verify_value', ['false', 'fALse'])
    def test_verify_false_OK(self, httpbin_secure, verify_value):
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        r = http(httpbin_secure.url + '/get', '--verify', verify_value)
        assert HTTP_OK in r

    def test_verify_custom_ca_bundle_path(
        self, httpbin_secure_untrusted
    ):
        r = http(httpbin_secure_untrusted + '/get', '--verify', CA_BUNDLE)
        assert HTTP_OK in r

    def test_self_signed_server_cert_by_default_raises_ssl_error(
        self,
        httpbin_secure_untrusted
    ):
        with pytest.raises(ssl_errors):
            http(httpbin_secure_untrusted.url + '/get')

    def test_verify_custom_ca_bundle_invalid_path(self, httpbin_secure):
        # since 2.14.0 requests raises IOError
        with pytest.raises(ssl_errors + (IOError,)):
            http(httpbin_secure.url + '/get', '--verify', '/__not_found__')

    def test_verify_custom_ca_bundle_invalid_bundle(self, httpbin_secure):
        with pytest.raises(ssl_errors):
            http(httpbin_secure.url + '/get', '--verify', __file__)


def test_ciphers(httpbin_secure):
    r = http(
        httpbin_secure.url + '/get',
        '--ciphers',
        DEFAULT_SSL_CIPHERS,
    )
    assert HTTP_OK in r


def test_ciphers_none_can_be_selected(httpbin_secure):
    r = http(
        httpbin_secure.url + '/get',
        '--ciphers',
        '__FOO__',
        tolerate_error_exit_status=True,
    )
    assert r.exit_status == ExitStatus.ERROR
    # Linux/macOS:
    #   http: error: SSLError: ('No cipher can be selected.',)
    # OpenBSD:
    #   <https://marc.info/?l=openbsd-ports&m=159251948515635&w=2>
    #   http: error: Error: [('SSL routines', '(UNKNOWN)SSL_internal', 'no cipher match')]
    assert 'cipher' in r.stderr
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`import pytest`
			`import pytest_httpbin.certs`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`import requests.exceptions`
Quieten ssl tests (#952) * Add skip when required TLS version unsupported Allow tests to skip, rather than fail from SSL errors with unsupported TLS version, e.g. if Openssl is configured with MinProtocol higher than the version being tested. * Regenerate test certificate and key Regenerate these with more secure settings for the sake of future proofing, regenerate the key using RSA 4096 and sign the certificate with SHA512. This fixes test failures in tests/test_ssl.py when the user's OpenSSL security level is set to a value greater than 1 and resolves issue #948 * Suppress SSL warnings in no verify tests 2020-08-06 22:24:03 +02:00			`import ssl`
			`import urllib3`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00
Add support for --ciphers (#870) 2020-05-23 13:26:06 +02:00			`from httpie.ssl import AVAILABLE_SSL_VERSION_ARG_MAPPING, DEFAULT_SSL_CIPHERS`
Add `httpie.status` 2019-09-16 13:26:18 +02:00			`from httpie.status import ExitStatus`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`from utils import HTTP_OK, TESTS_ROOT, http`


			`try:`
			`# Handle OpenSSL errors, if installed.`
			`# See <https://github.com/jakubroztocil/httpie/issues/729>`
			`# noinspection PyUnresolvedReferences`
			`import OpenSSL.SSL`
			`ssl_errors = (`
			`requests.exceptions.SSLError,`
			`OpenSSL.SSL.Error,`
			`)`
			`except ImportError:`
			`ssl_errors = (`
			`requests.exceptions.SSLError,`
			`)`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00
Add support for --ciphers (#870) 2020-05-23 13:26:06 +02:00			`CERTS_ROOT = TESTS_ROOT / 'client_certs'`
			`CLIENT_CERT = str(CERTS_ROOT / 'client.crt')`
			`CLIENT_KEY = str(CERTS_ROOT / 'client.key')`
			`CLIENT_PEM = str(CERTS_ROOT / 'client.pem')`

Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00
			`# We test against a local httpbin instance which uses a self-signed cert.`
			`# Requests without --verify=<CA_BUNDLE> will fail with a verification error.`
			`# See: https://github.com/kevin1024/pytest-httpbin#https-support`
			`CA_BUNDLE = pytest_httpbin.certs.where()`


Add support for --ciphers (#870) 2020-05-23 13:26:06 +02:00			`@pytest.mark.parametrize('ssl_version',`
			`AVAILABLE_SSL_VERSION_ARG_MAPPING.keys())`
Added --ssl=<PROTOCOL_VERSION> Closes #98 2016-03-02 05:12:05 +01:00			`def test_ssl_version(httpbin_secure, ssl_version):`
			`try:`
			`r = http(`
			`'--ssl', ssl_version,`
			`httpbin_secure + '/get'`
			`)`
			`assert HTTP_OK in r`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`except ssl_errors as e:`
fix test_ssl_version II 2019-08-29 08:14:19 +02:00			`if ssl_version == 'ssl3':`
			`# pytest-httpbin doesn't support ssl3`
			`pass`
Quieten ssl tests (#952) * Add skip when required TLS version unsupported Allow tests to skip, rather than fail from SSL errors with unsupported TLS version, e.g. if Openssl is configured with MinProtocol higher than the version being tested. * Regenerate test certificate and key Regenerate these with more secure settings for the sake of future proofing, regenerate the key using RSA 4096 and sign the certificate with SHA512. This fixes test failures in tests/test_ssl.py when the user's OpenSSL security level is set to a value greater than 1 and resolves issue #948 * Suppress SSL warnings in no verify tests 2020-08-06 22:24:03 +02:00			`elif e.__context__ is not None: # Check if root cause was an unsupported TLS version`
			`root = e.__context__`
			`while root.__context__ is not None:`
			`root = root.__context__`
			`if isinstance(root, ssl.SSLError) and root.reason == "TLSV1_ALERT_PROTOCOL_VERSION":`
			`pytest.skip("Unsupported TLS version: {}".format(ssl_version))`
Added --ssl=<PROTOCOL_VERSION> Closes #98 2016-03-02 05:12:05 +01:00			`else:`
			`raise`


Cleanup 2016-03-01 19:53:23 +01:00			`class TestClientCert:`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00
Run positive tests first Trying to debug failing SSL tests on Travis - kevin1024/pytest-httpbin#32 2016-03-02 03:35:40 +01:00			`def test_cert_and_key(self, httpbin_secure):`
			`r = http(httpbin_secure + '/get',`
			`'--cert', CLIENT_CERT,`
			`'--cert-key', CLIENT_KEY)`
			`assert HTTP_OK in r`

			`def test_cert_pem(self, httpbin_secure):`
			`r = http(httpbin_secure + '/get',`
			`'--cert', CLIENT_PEM)`
			`assert HTTP_OK in r`

Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`def test_cert_file_not_found(self, httpbin_secure):`
			`r = http(httpbin_secure + '/get',`
			`'--cert', '/__not_found__',`
Add one-by-one processing of each HTTP request or response and --offline 2019-09-03 17:14:39 +02:00			`tolerate_error_exit_status=True)`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`assert r.exit_status == ExitStatus.ERROR`
			`assert 'No such file or directory' in r.stderr`

			`def test_cert_file_invalid(self, httpbin_secure):`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`with pytest.raises(ssl_errors):`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`http(httpbin_secure + '/get',`
			`'--cert', __file__)`

			`def test_cert_ok_but_missing_key(self, httpbin_secure):`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`with pytest.raises(ssl_errors):`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`http(httpbin_secure + '/get',`
			`'--cert', CLIENT_CERT)`


Cleanup 2016-03-01 19:53:23 +01:00			`class TestServerCert:`
Run tests against both HTTP and HTTPS Some of the tests now use the `httpbin_both` fixture from pytest-httpbin. Also, made httpbin's CA trusted by default and added `httpbin_secure_untrusted` fixture to allow overriding that for particular tests. 2016-03-06 10:42:35 +01:00
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`def test_verify_no_OK(self, httpbin_secure):`
Quieten ssl tests (#952) * Add skip when required TLS version unsupported Allow tests to skip, rather than fail from SSL errors with unsupported TLS version, e.g. if Openssl is configured with MinProtocol higher than the version being tested. * Regenerate test certificate and key Regenerate these with more secure settings for the sake of future proofing, regenerate the key using RSA 4096 and sign the certificate with SHA512. This fixes test failures in tests/test_ssl.py when the user's OpenSSL security level is set to a value greater than 1 and resolves issue #948 * Suppress SSL warnings in no verify tests 2020-08-06 22:24:03 +02:00			`# Avoid warnings when explicitly testing insecure requests`
			`urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`r = http(httpbin_secure.url + '/get', '--verify=no')`
			`assert HTTP_OK in r`

Add --verify true/false tests and CHANGELOG 2017-02-17 00:56:07 +01:00			`@pytest.mark.parametrize('verify_value', ['false', 'fALse'])`
			`def test_verify_false_OK(self, httpbin_secure, verify_value):`
Quieten ssl tests (#952) * Add skip when required TLS version unsupported Allow tests to skip, rather than fail from SSL errors with unsupported TLS version, e.g. if Openssl is configured with MinProtocol higher than the version being tested. * Regenerate test certificate and key Regenerate these with more secure settings for the sake of future proofing, regenerate the key using RSA 4096 and sign the certificate with SHA512. This fixes test failures in tests/test_ssl.py when the user's OpenSSL security level is set to a value greater than 1 and resolves issue #948 * Suppress SSL warnings in no verify tests 2020-08-06 22:24:03 +02:00			`urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`
Add --verify true/false tests and CHANGELOG 2017-02-17 00:56:07 +01:00			`r = http(httpbin_secure.url + '/get', '--verify', verify_value)`
			`assert HTTP_OK in r`

Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`def test_verify_custom_ca_bundle_path(`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`self, httpbin_secure_untrusted`
			`):`
Run tests against both HTTP and HTTPS Some of the tests now use the `httpbin_both` fixture from pytest-httpbin. Also, made httpbin's CA trusted by default and added `httpbin_secure_untrusted` fixture to allow overriding that for particular tests. 2016-03-06 10:42:35 +01:00			`r = http(httpbin_secure_untrusted + '/get', '--verify', CA_BUNDLE)`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`assert HTTP_OK in r`

Run positive tests first Trying to debug failing SSL tests on Travis - kevin1024/pytest-httpbin#32 2016-03-02 03:35:40 +01:00			`def test_self_signed_server_cert_by_default_raises_ssl_error(`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`self,`
			`httpbin_secure_untrusted`
			`):`
			`with pytest.raises(ssl_errors):`
Run tests against both HTTP and HTTPS Some of the tests now use the `httpbin_both` fixture from pytest-httpbin. Also, made httpbin's CA trusted by default and added `httpbin_secure_untrusted` fixture to allow overriding that for particular tests. 2016-03-06 10:42:35 +01:00			`http(httpbin_secure_untrusted.url + '/get')`
Run positive tests first Trying to debug failing SSL tests on Travis - kevin1024/pytest-httpbin#32 2016-03-02 03:35:40 +01:00
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`def test_verify_custom_ca_bundle_invalid_path(self, httpbin_secure):`
Support requests>=2.14.0 From that release onwards, `cert_verify` raises `IOError` [1]. 1: https://github.com/kennethreitz/requests/commit/7d8b87c 2017-05-17 18:51:43 +02:00			`# since 2.14.0 requests raises IOError`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`with pytest.raises(ssl_errors + (IOError,)):`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`http(httpbin_secure.url + '/get', '--verify', '/__not_found__')`

			`def test_verify_custom_ca_bundle_invalid_bundle(self, httpbin_secure):`
Fix tests for installation with pyOpenSSL #729 2018-11-14 16:10:08 +01:00			`with pytest.raises(ssl_errors):`
Added tests for client as well as server SSL certificate handling. 2015-01-23 23:55:03 +01:00			`http(httpbin_secure.url + '/get', '--verify', __file__)`
Add support for --ciphers (#870) 2020-05-23 13:26:06 +02:00

			`def test_ciphers(httpbin_secure):`
			`r = http(`
			`httpbin_secure.url + '/get',`
			`'--ciphers',`
			`DEFAULT_SSL_CIPHERS,`
			`)`
			`assert HTTP_OK in r`


			`def test_ciphers_none_can_be_selected(httpbin_secure):`
			`r = http(`
			`httpbin_secure.url + '/get',`
			`'--ciphers',`
			`'__FOO__',`
			`tolerate_error_exit_status=True,`
			`)`
			`assert r.exit_status == ExitStatus.ERROR`
Fixed `test_ciphers_none_can_be_selected` on OpenBSD Thanks @juped! 2020-06-19 18:26:08 +02:00			`# Linux/macOS:`
			`# http: error: SSLError: ('No cipher can be selected.',)`
			`# OpenBSD:`
			`# <https://marc.info/?l=openbsd-ports&m=159251948515635&w=2>`
			`# http: error: Error: [('SSL routines', '(UNKNOWN)SSL_internal', 'no cipher match')]`
			`assert 'cipher' in r.stderr`