certbot/certbot-compatibility-test/certbot_compatibility_test/validator.py

"""Validators to determine the current webserver configuration"""
import logging
import socket
from typing import cast
from typing import Mapping
from typing import Optional
from typing import Union

from OpenSSL import crypto
import requests

from acme import crypto_util
from acme import errors as acme_errors

logger = logging.getLogger(__name__)


class Validator:
    """Collection of functions to test a live webserver's configuration"""

    def certificate(self, cert: crypto.X509, name: Union[str, bytes],
                    alt_host: Optional[str] = None, port: int = 443) -> bool:
        """Verifies the certificate presented at name is cert"""
        if alt_host is None:
            # In fact, socket.gethostbyname accepts both bytes and str, but types do not know that.
            host = socket.gethostbyname(cast(str, name)).encode()
        elif isinstance(alt_host, bytes):
            host = alt_host
        else:
            host = alt_host.encode()
        name = name if isinstance(name, bytes) else name.encode()

        try:
            presented_cert = crypto_util.probe_sni(name, host, port)
        except acme_errors.Error as error:
            logger.exception(str(error))
            return False

        # Despite documentation saying that bytes are expected for digest(), we must provide a str.
        return presented_cert.digest(cast(bytes, "sha256")) == cert.digest(cast(bytes, "sha256"))

    def redirect(self, name: str, port: int = 80,
                 headers: Optional[Mapping[str, str]] = None) -> bool:
        """Test whether webserver redirects to secure connection."""
        url = "http://{0}:{1}".format(name, port)
        if headers:
            response = requests.get(url, headers=headers, allow_redirects=False)
        else:
            response = requests.get(url, allow_redirects=False)

        redirect_location = response.headers.get("location", "")
        # We're checking that the redirect we added behaves correctly.
        # It's okay for some server configuration to redirect to an
        # http URL, as long as it's on some other domain.
        if not redirect_location.startswith("https://"):
            return False

        if response.status_code != 301:
            logger.error("Server did not redirect with permanent code")
            return False

        return True

    def any_redirect(self, name: str, port: int = 80,
                     headers: Optional[Mapping[str, str]] = None) -> bool:
        """Test whether webserver redirects."""
        url = "http://{0}:{1}".format(name, port)
        if headers:
            response = requests.get(url, headers=headers, allow_redirects=False)
        else:
            response = requests.get(url, allow_redirects=False)

        return response.status_code in range(300, 309)

    def hsts(self, name: str) -> bool:
        """Test for HTTP Strict Transport Security header"""
        headers = requests.get("https://" + name).headers
        hsts_header = headers.get("strict-transport-security")

        if not hsts_header:
            return False

        # Split directives following RFC6797, section 6.1
        directives = [d.split("=") for d in hsts_header.split(";")]
        max_age = [d for d in directives if d[0] == "max-age"]

        if not max_age:
            logger.error("Server responded with invalid HSTS header field")
            return False

        try:
            max_age_value = int(max_age[0][1])
        except ValueError:
            logger.error("Server responded with invalid HSTS header field")
            return False

        # Test whether HSTS does not expire for at least two weeks.
        if max_age_value <= (2 * 7 * 24 * 3600):
            logger.error("HSTS should not expire in less than two weeks")
            return False

        return True

    def ocsp_stapling(self, name: str) -> None:
        """Verify ocsp stapling for domain."""
        raise NotImplementedError()
Added validator code 2015-07-22 16:47:09 -04:00			`"""Validators to determine the current webserver configuration"""`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`import logging`
			`import socket`
Add type annotations to the certbot package (part 1) (#9084) * Extract from #9084 * Cast/ignore types during the transition * Fix after review * Fix lint 2021-11-11 22:27:46 -05:00			`from typing import cast`
Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`from typing import Mapping`
			`from typing import Optional`
			`from typing import Union`
Added validator code 2015-07-22 16:47:09 -04:00
Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`from OpenSSL import crypto`
Reorganize imports (#7616) * Isort execution * Fix pylint, adapt coverage * New isort * Fix magic_typing lint * Second round * Fix pylint * Third round. Store isort configuration * Fix latest mistakes * Other fixes * Add newline * Fix lint errors 2019-12-09 15:50:20 -05:00			`import requests`
encode to bytes as necessary in Validator.certificate (#4026) 2017-01-17 15:13:10 -05:00
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`from acme import crypto_util`
			`from acme import errors as acme_errors`
Added validator code 2015-07-22 16:47:09 -04:00
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`logger = logging.getLogger(__name__)`


Stop inheriting from object. It's unneeded on Python 3+. (#8675) 2021-02-25 17:59:00 -05:00			`class Validator:`
Added validator code 2015-07-22 16:47:09 -04:00			`"""Collection of functions to test a live webserver's configuration"""`

Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`def certificate(self, cert: crypto.X509, name: Union[str, bytes],`
			`alt_host: Optional[str] = None, port: int = 443) -> bool:`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`"""Verifies the certificate presented at name is cert"""`
encode to bytes as necessary in Validator.certificate (#4026) 2017-01-17 15:13:10 -05:00			`if alt_host is None:`
Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`# In fact, socket.gethostbyname accepts both bytes and str, but types do not know that.`
			`host = socket.gethostbyname(cast(str, name)).encode()`
Remove dependency on six (#8650) Fixes https://github.com/certbot/certbot/issues/8494. I left the `six` dependency pinned in `tests/letstest/requirements.txt` and `tools/oldest_constraints.txt` because `six` is still a transitive dependency with our current pinnings. The extra moving around of imports is due to me using `isort` to help me keep dependencies in sorted order after replacing imports of `six`. * remove some six usage in acme * remove six from acme * remove six.add_metaclass usage * fix six.moves.zip * fix six.moves.builtins.open * six.moves server fixes * 's/six\.moves\.range/range/g' * stop using six.moves.xrange * fix urllib imports * s/six\.binary_type/bytes/g * s/six\.string_types/str/g * 's/six\.text_type/str/g' * fix six.iteritems usage * fix itervalues usage * switch from six.StringIO to io.StringIO * remove six imports * misc fixes * stop using six.reload_module * no six.PY2 * rip out six * keep six pinned in oldest constraints * fix log_test.py * update changelog 2021-02-09 14:43:15 -05:00			`elif isinstance(alt_host, bytes):`
encode to bytes as necessary in Validator.certificate (#4026) 2017-01-17 15:13:10 -05:00			`host = alt_host`
			`else:`
			`host = alt_host.encode()`
Remove dependency on six (#8650) Fixes https://github.com/certbot/certbot/issues/8494. I left the `six` dependency pinned in `tests/letstest/requirements.txt` and `tools/oldest_constraints.txt` because `six` is still a transitive dependency with our current pinnings. The extra moving around of imports is due to me using `isort` to help me keep dependencies in sorted order after replacing imports of `six`. * remove some six usage in acme * remove six from acme * remove six.add_metaclass usage * fix six.moves.zip * fix six.moves.builtins.open * six.moves server fixes * 's/six\.moves\.range/range/g' * stop using six.moves.xrange * fix urllib imports * s/six\.binary_type/bytes/g * s/six\.string_types/str/g * 's/six\.text_type/str/g' * fix six.iteritems usage * fix itervalues usage * switch from six.StringIO to io.StringIO * remove six imports * misc fixes * stop using six.reload_module * no six.PY2 * rip out six * keep six pinned in oldest constraints * fix log_test.py * update changelog 2021-02-09 14:43:15 -05:00			`name = name if isinstance(name, bytes) else name.encode()`
encode to bytes as necessary in Validator.certificate (#4026) 2017-01-17 15:13:10 -05:00
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`try:`
			`presented_cert = crypto_util.probe_sni(name, host, port)`
			`except acme_errors.Error as error:`
Get mypy passing with check_untyped_defs everywhere (#6021) * unchecked_typed_defs everywhere * fix mypy for lock_test * add magic_typing * fix mypy in letshelp * fix validator errors in compat test * fix mypy for test_driver.py * fix mypy in util.py * delint 2018-05-21 23:23:21 -04:00			`logger.exception(str(error))`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`return False`

Add type annotations to the certbot package (part 1) (#9084) * Extract from #9084 * Cast/ignore types during the transition * Fix after review * Fix lint 2021-11-11 22:27:46 -05:00			`# Despite documentation saying that bytes are expected for digest(), we must provide a str.`
Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`return presented_cert.digest(cast(bytes, "sha256")) == cert.digest(cast(bytes, "sha256"))`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00
Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`def redirect(self, name: str, port: int = 80,`
			`headers: Optional[Mapping[str, str]] = None) -> bool:`
Added validator code 2015-07-22 16:47:09 -04:00			`"""Test whether webserver redirects to secure connection."""`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`url = "http://{0}:{1}".format(name, port)`
			`if headers:`
			`response = requests.get(url, headers=headers, allow_redirects=False)`
			`else:`
			`response = requests.get(url, allow_redirects=False)`
Added validator code 2015-07-22 16:47:09 -04:00
			`redirect_location = response.headers.get("location", "")`
Allow validation of cross-domain redirects (#3561) * Update compatibility validator to pass redirect check when redirecting to a different domain, whether http or https. 2016-09-29 18:31:13 -04:00			`# We're checking that the redirect we added behaves correctly.`
			`# It's okay for some server configuration to redirect to an`
			`# http URL, as long as it's on some other domain.`
Added validator code 2015-07-22 16:47:09 -04:00			`if not redirect_location.startswith("https://"):`
Have validator only test domains without existing redirects 2016-09-30 17:55:52 -04:00			`return False`
Added validator code 2015-07-22 16:47:09 -04:00
			`if response.status_code != 301:`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`logger.error("Server did not redirect with permanent code")`
			`return False`
Added validator code 2015-07-22 16:47:09 -04:00
			`return True`

Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`def any_redirect(self, name: str, port: int = 80,`
			`headers: Optional[Mapping[str, str]] = None) -> bool:`
Have validator only test domains without existing redirects 2016-09-30 17:55:52 -04:00			`"""Test whether webserver redirects."""`
			`url = "http://{0}:{1}".format(name, port)`
			`if headers:`
			`response = requests.get(url, headers=headers, allow_redirects=False)`
			`else:`
			`response = requests.get(url, allow_redirects=False)`

Remove dependency on six (#8650) Fixes https://github.com/certbot/certbot/issues/8494. I left the `six` dependency pinned in `tests/letstest/requirements.txt` and `tools/oldest_constraints.txt` because `six` is still a transitive dependency with our current pinnings. The extra moving around of imports is due to me using `isort` to help me keep dependencies in sorted order after replacing imports of `six`. * remove some six usage in acme * remove six from acme * remove six.add_metaclass usage * fix six.moves.zip * fix six.moves.builtins.open * six.moves server fixes * 's/six\.moves\.range/range/g' * stop using six.moves.xrange * fix urllib imports * s/six\.binary_type/bytes/g * s/six\.string_types/str/g * 's/six\.text_type/str/g' * fix six.iteritems usage * fix itervalues usage * switch from six.StringIO to io.StringIO * remove six imports * misc fixes * stop using six.reload_module * no six.PY2 * rip out six * keep six pinned in oldest constraints * fix log_test.py * update changelog 2021-02-09 14:43:15 -05:00			`return response.status_code in range(300, 309)`
Have validator only test domains without existing redirects 2016-09-30 17:55:52 -04:00
Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`def hsts(self, name: str) -> bool:`
Added validator code 2015-07-22 16:47:09 -04:00			`"""Test for HTTP Strict Transport Security header"""`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`headers = requests.get("https://" + name).headers`
Added validator code 2015-07-22 16:47:09 -04:00			`hsts_header = headers.get("strict-transport-security")`

			`if not hsts_header:`
			`return False`

			`# Split directives following RFC6797, section 6.1`
			`directives = [d.split("=") for d in hsts_header.split(";")]`
			`max_age = [d for d in directives if d[0] == "max-age"]`

			`if not max_age:`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`logger.error("Server responded with invalid HSTS header field")`
			`return False`
Added validator code 2015-07-22 16:47:09 -04:00
			`try:`
Get mypy passing with check_untyped_defs everywhere (#6021) * unchecked_typed_defs everywhere * fix mypy for lock_test * add magic_typing * fix mypy in letshelp * fix validator errors in compat test * fix mypy for test_driver.py * fix mypy in util.py * delint 2018-05-21 23:23:21 -04:00			`max_age_value = int(max_age[0][1])`
Added validator code 2015-07-22 16:47:09 -04:00			`except ValueError:`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`logger.error("Server responded with invalid HSTS header field")`
			`return False`
Added validator code 2015-07-22 16:47:09 -04:00
			`# Test whether HSTS does not expire for at least two weeks.`
			`if max_age_value <= (2 * 7 * 24 * 3600):`
Finished basic Apache test framework 2015-07-22 21:25:09 -04:00			`logger.error("HSTS should not expire in less than two weeks")`
			`return False`
Added validator code 2015-07-22 16:47:09 -04:00
			`return True`

Fully type certbot-compatibility-test (#9133) * Finish typing the module * Use cast * Precise type 2021-12-13 20:14:11 -05:00			`def ocsp_stapling(self, name: str) -> None:`
Added validator code 2015-07-22 16:47:09 -04:00			`"""Verify ocsp stapling for domain."""`
			`raise NotImplementedError()`