mirror of
https://github.com/certbot/certbot.git
synced 2026-06-06 07:12:54 -04:00
6f27c32db1
Streamline and reorganize Certbot's CLI output.
This change is a substantial command-line UX overhaul,
based on previous user research. The main goal was to streamline
and clarify output. To see more verbose output, use the -v or -vv flags.
---
* nginx,apache: CLI logging changes
- Add "Successfully deployed ..." message using display_util
- Remove IReporter usage and replace with display_util
- Standardize "... could not find a VirtualHost ..." error
This changes also bumps the version of certbot required by certbot-nginx
and certbot-apache to take use of the new display_util function.
* fix certbot_compatibility_test
since the http plugins now require IDisplay, we need to inject it
* fix dependency version on certbot
* use better asserts
* try fix oldest deps
because certbot 1.10.0 depends on acme>=1.8.0, we need to use
acme==1.8.0 in the -oldest tests
* cli: redesign output of new certificate reporting
Changes the output of run, certonly and certonly --csr. No longer uses
IReporter.
* cli: redesign output of failed authz reporting
* fix problem sorting to be stable between py2 & 3
* add some catch-all error text
* cli: dont use IReporter for EFF donation prompt
* add per-authenticator hints
* pass achalls to auth_hint, write some tests
* exclude static auth hints from coverage
* dont call auth_hint unless derived from .Plugin
* dns fallback hint: dont assume --dns-blah works
--dns-blah won't work for third-party plugins, they need to be specified
using --authenticator dns-blah.
* add code comments about the auth_hint interface
* renew: don't restart the installer for dry-runs
Prevents Certbot from superfluously invoking the installer restart
during dry-run renewals. (This does not affect authenticator restarts).
Additionally removes some CLI output that was reporting the fullchain
path of the renewed certificate.
* update CHANGELOG.md
* cli: redesign output when cert installation failed
- Display a message when certificate installation begins.
- Don't use IReporter, just log errors immediately if restart/rollback
fails.
- Prompt the user with a command to retry the installation process once
they have fixed any underlying problems.
* vary by preconfigured_renewal
and move expiry date to be above the renewal advice
* update code comment
Co-authored-by: ohemorange <ebportnoy@gmail.com>
* update code comment
Co-authored-by: ohemorange <ebportnoy@gmail.com>
* fix lint
* derve cert name from cert_path, if possible
* fix type annotation
* text change in nginx hint
Co-authored-by: ohemorange <ebportnoy@gmail.com>
* print message when restarting server after renewal
* log: print "advice" when exiting with an error
When running in non-quiet mode.
* try fix -oldest lock_test.py
* fix docstring
* s/Restarting/Reloading/ when notifying the user
* fix test name
Co-authored-by: ohemorange <ebportnoy@gmail.com>
* type annotations
* s/using the {} plugin/installer: {}/
* copy: avoid "plugin" where possible
* link to user guide#automated-renewals
when not running with --preconfigured-renewal
* cli: reduce default logging verbosity
* fix lock_test: -vv is needed to see logger.debug
* Change comment in log.py to match the change to default verbosity
* Audit and adjust logging levels in apache module
* Audit and adjust logging levels in nginx module
* Audit, adjust logging levels, and improve logging calls in certbot module
* Fix tests to mock correct methods and classes
* typo in non-preconfigured-renewal message
Co-authored-by: ohemorange <ebportnoy@gmail.com>
* fix test
* revert acme version bump
* catch up to python3 changes
* Revert "revert acme version bump"
This reverts commit fa83d6a51c.
* Change ocsp check error to warning since it's non-fatal
* Update storage_test in parallel with last change
* get rid of leading newline on "Deploying [...]"
* shrink renewal and installation success messages
* print logfile rather than logdir in exit handler
* Decrease logging level to info for idempotent operation where enhancement is already set
* Display cert not yet due for renewal message when renewing and no other action will be taken, and change cert to certificate
* also write to logger so it goes in the log file
* Don't double write to log file; fix main test
* cli: remove trailing newline on new cert reporting
* ignore type error
* revert accidental changes to dependencies
* Pass tests in any timezone by using utcfromtimestamp
* Add changelog entry
* fix nits
* Improve wording of try again message
* minor wording change to changelog
* hooks: send hook stdout to CLI stdout
includes both --manual and --{pre,post,renew} hooks
* update docstrings and remove TODO
* add a pending deprecation on execute_command
* add test coverage for both
* update deprecation text
Co-authored-by: ohemorange <ebportnoy@gmail.com>
Co-authored-by: Alex Zorin <alex@zorin.id.au>
Co-authored-by: alexzorin <alex@zor.io>
1134 lines
51 KiB
Python
1134 lines
51 KiB
Python
"""Test for certbot_nginx._internal.configurator."""
|
|
import unittest
|
|
|
|
try:
|
|
import mock
|
|
except ImportError: # pragma: no cover
|
|
from unittest import mock # type: ignore
|
|
import OpenSSL
|
|
|
|
from acme import challenges
|
|
from acme import messages
|
|
from certbot import achallenges
|
|
from certbot import crypto_util
|
|
from certbot import errors
|
|
from certbot.compat import os
|
|
from certbot.tests import util as certbot_test_util
|
|
from certbot_nginx._internal import obj
|
|
from certbot_nginx._internal import parser
|
|
from certbot_nginx._internal.configurator import _redirect_block_for_domain
|
|
from certbot_nginx._internal.nginxparser import UnspacedList
|
|
import test_util as util
|
|
|
|
|
|
class NginxConfiguratorTest(util.NginxTest):
|
|
"""Test a semi complex vhost configuration."""
|
|
|
|
|
|
def setUp(self):
|
|
super().setUp()
|
|
|
|
self.config = self.get_nginx_configurator(
|
|
self.config_path, self.config_dir, self.work_dir, self.logs_dir)
|
|
|
|
patch = mock.patch('certbot_nginx._internal.configurator.display_util.notify')
|
|
self.mock_notify = patch.start()
|
|
self.addCleanup(patch.stop)
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.util.exe_exists")
|
|
def test_prepare_no_install(self, mock_exe_exists):
|
|
mock_exe_exists.return_value = False
|
|
self.assertRaises(
|
|
errors.NoInstallationError, self.config.prepare)
|
|
|
|
def test_prepare(self):
|
|
self.assertEqual((1, 6, 2), self.config.version)
|
|
self.assertEqual(13, len(self.config.parser.parsed))
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.util.exe_exists")
|
|
@mock.patch("certbot_nginx._internal.configurator.subprocess.run")
|
|
def test_prepare_initializes_version(self, mock_run, mock_exe_exists):
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = "\n".join(
|
|
["nginx version: nginx/1.6.2",
|
|
"built by clang 6.0 (clang-600.0.56)"
|
|
" (based on LLVM 3.5svn)",
|
|
"TLS SNI support enabled",
|
|
"configure arguments: --prefix=/usr/local/Cellar/"
|
|
"nginx/1.6.2 --with-http_ssl_module"])
|
|
|
|
mock_exe_exists.return_value = True
|
|
|
|
self.config.version = None
|
|
self.config.config_test = mock.Mock()
|
|
self.config.prepare()
|
|
self.assertEqual((1, 6, 2), self.config.version)
|
|
|
|
def test_prepare_locked(self):
|
|
server_root = self.config.conf("server-root")
|
|
|
|
from certbot import util as certbot_util
|
|
certbot_util._LOCKS[server_root].release() # pylint: disable=protected-access
|
|
|
|
self.config.config_test = mock.Mock()
|
|
certbot_test_util.lock_and_call(self._test_prepare_locked, server_root)
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.util.exe_exists")
|
|
def _test_prepare_locked(self, unused_exe_exists):
|
|
try:
|
|
self.config.prepare()
|
|
except errors.PluginError as err:
|
|
err_msg = str(err)
|
|
self.assertTrue("lock" in err_msg)
|
|
self.assertTrue(self.config.conf("server-root") in err_msg)
|
|
else: # pragma: no cover
|
|
self.fail("Exception wasn't raised!")
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.socket.gethostname")
|
|
@mock.patch("certbot_nginx._internal.configurator.socket.gethostbyaddr")
|
|
def test_get_all_names(self, mock_gethostbyaddr, mock_gethostname):
|
|
mock_gethostbyaddr.return_value = ('155.225.50.69.nephoscale.net', [], [])
|
|
mock_gethostname.return_value = ('example.net')
|
|
names = self.config.get_all_names()
|
|
self.assertEqual(names, {
|
|
"155.225.50.69.nephoscale.net", "www.example.org", "another.alias",
|
|
"migration.com", "summer.com", "geese.com", "sslon.com",
|
|
"globalssl.com", "globalsslsetssl.com", "ipv6.com", "ipv6ssl.com",
|
|
"headers.com", "example.net", "ssl.both.com"})
|
|
|
|
def test_supported_enhancements(self):
|
|
self.assertEqual(['redirect', 'ensure-http-header', 'staple-ocsp'],
|
|
self.config.supported_enhancements())
|
|
|
|
def test_enhance(self):
|
|
self.assertRaises(
|
|
errors.PluginError, self.config.enhance, 'myhost', 'unknown_enhancement')
|
|
|
|
def test_get_chall_pref(self):
|
|
self.assertEqual([challenges.HTTP01],
|
|
self.config.get_chall_pref('myhost'))
|
|
|
|
def test_save(self):
|
|
filep = self.config.parser.abs_path('sites-enabled/example.com')
|
|
mock_vhost = obj.VirtualHost(filep,
|
|
None, None, None,
|
|
{'.example.com', 'example.*'},
|
|
None, [0])
|
|
self.config.parser.add_server_directives(
|
|
mock_vhost,
|
|
[['listen', ' ', '5001', ' ', 'ssl']])
|
|
self.config.save()
|
|
|
|
# pylint: disable=protected-access
|
|
parsed = self.config.parser._parse_files(filep, override=True)
|
|
self.assertEqual([[['server'],
|
|
[['listen', '69.50.225.155:9000'],
|
|
['listen', '127.0.0.1'],
|
|
['server_name', '.example.com'],
|
|
['server_name', 'example.*'],
|
|
['listen', '5001', 'ssl'],
|
|
['#', parser.COMMENT]]]],
|
|
parsed[0])
|
|
|
|
def test_choose_vhosts_alias(self):
|
|
self._test_choose_vhosts_common('alias', 'server_conf')
|
|
|
|
def test_choose_vhosts_example_com(self):
|
|
self._test_choose_vhosts_common('example.com', 'example_conf')
|
|
|
|
def test_choose_vhosts_localhost(self):
|
|
self._test_choose_vhosts_common('localhost', 'localhost_conf')
|
|
|
|
def test_choose_vhosts_example_com_uk_test(self):
|
|
self._test_choose_vhosts_common('example.com.uk.test', 'example_conf')
|
|
|
|
def test_choose_vhosts_www_example_com(self):
|
|
self._test_choose_vhosts_common('www.example.com', 'example_conf')
|
|
|
|
def test_choose_vhosts_test_www_example_com(self):
|
|
self._test_choose_vhosts_common('test.www.example.com', 'foo_conf')
|
|
|
|
def test_choose_vhosts_abc_www_foo_com(self):
|
|
self._test_choose_vhosts_common('abc.www.foo.com', 'foo_conf')
|
|
|
|
def test_choose_vhosts_www_bar_co_uk(self):
|
|
self._test_choose_vhosts_common('www.bar.co.uk', 'localhost_conf')
|
|
|
|
def test_choose_vhosts_ipv6_com(self):
|
|
self._test_choose_vhosts_common('ipv6.com', 'ipv6_conf')
|
|
|
|
def _test_choose_vhosts_common(self, name, conf):
|
|
conf_names = {'localhost_conf': {'localhost', r'~^(www\.)?(example|bar)\.'},
|
|
'server_conf': {'somename', 'another.alias', 'alias'},
|
|
'example_conf': {'.example.com', 'example.*'},
|
|
'foo_conf': {'*.www.foo.com', '*.www.example.com'},
|
|
'ipv6_conf': {'ipv6.com'}}
|
|
|
|
conf_path = {'localhost': "etc_nginx/nginx.conf",
|
|
'alias': "etc_nginx/nginx.conf",
|
|
'example.com': "etc_nginx/sites-enabled/example.com",
|
|
'example.com.uk.test': "etc_nginx/sites-enabled/example.com",
|
|
'www.example.com': "etc_nginx/sites-enabled/example.com",
|
|
'test.www.example.com': "etc_nginx/foo.conf",
|
|
'abc.www.foo.com': "etc_nginx/foo.conf",
|
|
'www.bar.co.uk': "etc_nginx/nginx.conf",
|
|
'ipv6.com': "etc_nginx/sites-enabled/ipv6.com"}
|
|
conf_path = {key: os.path.normpath(value) for key, value in conf_path.items()}
|
|
|
|
vhost = self.config.choose_vhosts(name)[0]
|
|
path = os.path.relpath(vhost.filep, self.temp_dir)
|
|
|
|
self.assertEqual(conf_names[conf], vhost.names)
|
|
self.assertEqual(conf_path[name], path)
|
|
# IPv6 specific checks
|
|
if name == "ipv6.com":
|
|
self.assertTrue(vhost.ipv6_enabled())
|
|
# Make sure that we have SSL enabled also for IPv6 addr
|
|
self.assertTrue(
|
|
any(True for x in vhost.addrs if x.ssl and x.ipv6))
|
|
|
|
def test_choose_vhosts_bad(self):
|
|
bad_results = ['www.foo.com', 'example', 't.www.bar.co',
|
|
'69.255.225.155']
|
|
|
|
for name in bad_results:
|
|
self.assertRaises(errors.MisconfigurationError,
|
|
self.config.choose_vhosts, name)
|
|
|
|
def test_ipv6only(self):
|
|
# ipv6_info: (ipv6_active, ipv6only_present)
|
|
self.assertEqual((True, False), self.config.ipv6_info("80"))
|
|
# Port 443 has ipv6only=on because of ipv6ssl.com vhost
|
|
self.assertEqual((True, True), self.config.ipv6_info("443"))
|
|
|
|
def test_ipv6only_detection(self):
|
|
self.config.version = (1, 3, 1)
|
|
|
|
self.config.deploy_cert(
|
|
"ipv6.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
|
|
for addr in self.config.choose_vhosts("ipv6.com")[0].addrs:
|
|
self.assertFalse(addr.ipv6only)
|
|
|
|
def test_more_info(self):
|
|
self.assertTrue('nginx.conf' in self.config.more_info())
|
|
|
|
def test_deploy_cert_requires_fullchain_path(self):
|
|
self.config.version = (1, 3, 1)
|
|
self.assertRaises(errors.PluginError, self.config.deploy_cert,
|
|
"www.example.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
None)
|
|
|
|
@mock.patch('certbot_nginx._internal.parser.NginxParser.update_or_add_server_directives')
|
|
def test_deploy_cert_raise_on_add_error(self, mock_update_or_add_server_directives):
|
|
mock_update_or_add_server_directives.side_effect = errors.MisconfigurationError()
|
|
self.assertRaises(
|
|
errors.PluginError,
|
|
self.config.deploy_cert,
|
|
"migration.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
|
|
def test_deploy_cert(self):
|
|
server_conf = self.config.parser.abs_path('server.conf')
|
|
nginx_conf = self.config.parser.abs_path('nginx.conf')
|
|
example_conf = self.config.parser.abs_path('sites-enabled/example.com')
|
|
self.config.version = (1, 3, 1)
|
|
|
|
# Get the default SSL vhost
|
|
self.config.deploy_cert(
|
|
"www.example.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
self.config.deploy_cert(
|
|
"another.alias",
|
|
"/etc/nginx/cert.pem",
|
|
"/etc/nginx/key.pem",
|
|
"/etc/nginx/chain.pem",
|
|
"/etc/nginx/fullchain.pem")
|
|
self.config.save()
|
|
|
|
self.config.parser.load()
|
|
|
|
parsed_example_conf = util.filter_comments(self.config.parser.parsed[example_conf])
|
|
parsed_server_conf = util.filter_comments(self.config.parser.parsed[server_conf])
|
|
parsed_nginx_conf = util.filter_comments(self.config.parser.parsed[nginx_conf])
|
|
|
|
self.assertEqual([[['server'],
|
|
[
|
|
['listen', '69.50.225.155:9000'],
|
|
['listen', '127.0.0.1'],
|
|
['server_name', '.example.com'],
|
|
['server_name', 'example.*'],
|
|
|
|
['listen', '5001', 'ssl'],
|
|
['ssl_certificate', 'example/fullchain.pem'],
|
|
['ssl_certificate_key', 'example/key.pem'],
|
|
['include', self.config.mod_ssl_conf],
|
|
['ssl_dhparam', self.config.ssl_dhparams],
|
|
]]],
|
|
parsed_example_conf)
|
|
self.assertEqual([['server_name', 'somename', 'alias', 'another.alias']],
|
|
parsed_server_conf)
|
|
self.assertTrue(util.contains_at_depth(
|
|
parsed_nginx_conf,
|
|
[['server'],
|
|
[
|
|
['listen', '8000'],
|
|
['listen', 'somename:8080'],
|
|
['include', 'server.conf'],
|
|
[['location', '/'],
|
|
[['root', 'html'],
|
|
['index', 'index.html', 'index.htm']]],
|
|
['listen', '5001', 'ssl'],
|
|
['ssl_certificate', '/etc/nginx/fullchain.pem'],
|
|
['ssl_certificate_key', '/etc/nginx/key.pem'],
|
|
['include', self.config.mod_ssl_conf],
|
|
['ssl_dhparam', self.config.ssl_dhparams],
|
|
]],
|
|
2))
|
|
|
|
def test_deploy_cert_add_explicit_listen(self):
|
|
migration_conf = self.config.parser.abs_path('sites-enabled/migration.com')
|
|
self.config.deploy_cert(
|
|
"summer.com",
|
|
"summer/cert.pem",
|
|
"summer/key.pem",
|
|
"summer/chain.pem",
|
|
"summer/fullchain.pem")
|
|
self.config.save()
|
|
self.config.parser.load()
|
|
parsed_migration_conf = util.filter_comments(self.config.parser.parsed[migration_conf])
|
|
self.assertEqual([['server'],
|
|
[
|
|
['server_name', 'migration.com'],
|
|
['server_name', 'summer.com'],
|
|
|
|
['listen', '80'],
|
|
['listen', '5001', 'ssl'],
|
|
['ssl_certificate', 'summer/fullchain.pem'],
|
|
['ssl_certificate_key', 'summer/key.pem'],
|
|
['include', self.config.mod_ssl_conf],
|
|
['ssl_dhparam', self.config.ssl_dhparams],
|
|
]],
|
|
parsed_migration_conf[0])
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.http_01.NginxHttp01.perform")
|
|
@mock.patch("certbot_nginx._internal.configurator.NginxConfigurator.restart")
|
|
@mock.patch("certbot_nginx._internal.configurator.NginxConfigurator.revert_challenge_config")
|
|
def test_perform_and_cleanup(self, mock_revert, mock_restart, mock_http_perform):
|
|
# Only tests functionality specific to configurator.perform
|
|
# Note: As more challenges are offered this will have to be expanded
|
|
achall = achallenges.KeyAuthorizationAnnotatedChallenge(
|
|
challb=messages.ChallengeBody(
|
|
chall=challenges.HTTP01(token=b"m8TdO1qik4JVFtgPPurJmg"),
|
|
uri="https://ca.org/chall1_uri",
|
|
status=messages.Status("pending"),
|
|
), domain="example.com", account_key=self.rsa512jwk)
|
|
|
|
expected = [
|
|
achall.response(self.rsa512jwk),
|
|
]
|
|
|
|
mock_http_perform.return_value = expected[:]
|
|
responses = self.config.perform([achall])
|
|
|
|
self.assertEqual(mock_http_perform.call_count, 1)
|
|
self.assertEqual(responses, expected)
|
|
|
|
self.config.cleanup([achall])
|
|
self.assertEqual(0, self.config._chall_out) # pylint: disable=protected-access
|
|
self.assertEqual(mock_revert.call_count, 1)
|
|
self.assertEqual(mock_restart.call_count, 2)
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.subprocess.run")
|
|
def test_get_version(self, mock_run):
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = "\n".join(
|
|
["nginx version: nginx/1.4.2",
|
|
"built by clang 6.0 (clang-600.0.56)"
|
|
" (based on LLVM 3.5svn)",
|
|
"TLS SNI support enabled",
|
|
"configure arguments: --prefix=/usr/local/Cellar/"
|
|
"nginx/1.6.2 --with-http_ssl_module"])
|
|
self.assertEqual(self.config.get_version(), (1, 4, 2))
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = "\n".join(
|
|
["nginx version: nginx/0.9",
|
|
"built by clang 6.0 (clang-600.0.56)"
|
|
" (based on LLVM 3.5svn)",
|
|
"TLS SNI support enabled",
|
|
"configure arguments: --with-http_ssl_module"])
|
|
self.assertEqual(self.config.get_version(), (0, 9))
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = "\n".join(
|
|
["blah 0.0.1",
|
|
"built by clang 6.0 (clang-600.0.56)"
|
|
" (based on LLVM 3.5svn)",
|
|
"TLS SNI support enabled",
|
|
"configure arguments: --with-http_ssl_module"])
|
|
self.assertRaises(errors.PluginError, self.config.get_version)
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = "\n".join(
|
|
["nginx version: nginx/1.4.2",
|
|
"TLS SNI support enabled"])
|
|
self.assertRaises(errors.PluginError, self.config.get_version)
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = "\n".join(
|
|
["nginx version: nginx/1.4.2",
|
|
"built by clang 6.0 (clang-600.0.56)"
|
|
" (based on LLVM 3.5svn)",
|
|
"configure arguments: --with-http_ssl_module"])
|
|
self.assertRaises(errors.PluginError, self.config.get_version)
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = "\n".join(
|
|
["nginx version: nginx/0.8.1",
|
|
"built by clang 6.0 (clang-600.0.56)"
|
|
" (based on LLVM 3.5svn)",
|
|
"TLS SNI support enabled",
|
|
"configure arguments: --with-http_ssl_module"])
|
|
self.assertRaises(errors.NotSupportedError, self.config.get_version)
|
|
|
|
mock_run.side_effect = OSError("Can't find program")
|
|
self.assertRaises(errors.PluginError, self.config.get_version)
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.subprocess.run")
|
|
def test_get_openssl_version(self, mock_run):
|
|
# pylint: disable=protected-access
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = """
|
|
nginx version: nginx/1.15.5
|
|
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
|
|
built with OpenSSL 1.0.2g 1 Mar 2016
|
|
TLS SNI support enabled
|
|
configure arguments:
|
|
"""
|
|
self.assertEqual(self.config._get_openssl_version(), "1.0.2g")
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = """
|
|
nginx version: nginx/1.15.5
|
|
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
|
|
built with OpenSSL 1.0.2-beta1 1 Mar 2016
|
|
TLS SNI support enabled
|
|
configure arguments:
|
|
"""
|
|
self.assertEqual(self.config._get_openssl_version(), "1.0.2-beta1")
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = """
|
|
nginx version: nginx/1.15.5
|
|
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
|
|
built with OpenSSL 1.0.2 1 Mar 2016
|
|
TLS SNI support enabled
|
|
configure arguments:
|
|
"""
|
|
self.assertEqual(self.config._get_openssl_version(), "1.0.2")
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = """
|
|
nginx version: nginx/1.15.5
|
|
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
|
|
built with OpenSSL 1.0.2g 1 Mar 2016 (running with OpenSSL 1.0.2a 1 Mar 2016)
|
|
TLS SNI support enabled
|
|
configure arguments:
|
|
"""
|
|
self.assertEqual(self.config._get_openssl_version(), "1.0.2a")
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = """
|
|
nginx version: nginx/1.15.5
|
|
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
|
|
built with LibreSSL 2.2.2
|
|
TLS SNI support enabled
|
|
configure arguments:
|
|
"""
|
|
self.assertEqual(self.config._get_openssl_version(), "")
|
|
|
|
mock_run.return_value.stdout = ""
|
|
mock_run.return_value.stderr = """
|
|
nginx version: nginx/1.15.5
|
|
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
|
|
TLS SNI support enabled
|
|
configure arguments:
|
|
"""
|
|
self.assertEqual(self.config._get_openssl_version(), "")
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.subprocess.run")
|
|
@mock.patch("certbot_nginx._internal.configurator.time")
|
|
def test_nginx_restart(self, mock_time, mock_run):
|
|
mocked = mock_run.return_value
|
|
mocked.stdout = ''
|
|
mocked.stderr = ''
|
|
mocked.returncode = 0
|
|
self.config.restart()
|
|
self.assertEqual(mock_run.call_count, 1)
|
|
mock_time.sleep.assert_called_once_with(0.1234)
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.subprocess.run")
|
|
@mock.patch("certbot_nginx._internal.configurator.logger.debug")
|
|
def test_nginx_restart_fail(self, mock_log_debug, mock_run):
|
|
mocked = mock_run.return_value
|
|
mocked.stdout = ''
|
|
mocked.stderr = ''
|
|
mocked.returncode = 1
|
|
self.assertRaises(errors.MisconfigurationError, self.config.restart)
|
|
self.assertEqual(mock_run.call_count, 2)
|
|
mock_log_debug.assert_called_once_with("nginx reload failed:\n%s", "")
|
|
|
|
@mock.patch("certbot_nginx._internal.configurator.subprocess.run")
|
|
def test_no_nginx_start(self, mock_run):
|
|
mock_run.side_effect = OSError("Can't find program")
|
|
self.assertRaises(errors.MisconfigurationError, self.config.restart)
|
|
|
|
@mock.patch("certbot.util.run_script")
|
|
def test_config_test_bad_process(self, mock_run_script):
|
|
mock_run_script.side_effect = errors.SubprocessError
|
|
self.assertRaises(errors.MisconfigurationError, self.config.config_test)
|
|
|
|
@mock.patch("certbot.util.run_script")
|
|
def test_config_test(self, _):
|
|
self.config.config_test()
|
|
|
|
@mock.patch("certbot.reverter.Reverter.recovery_routine")
|
|
def test_recovery_routine_throws_error_from_reverter(self, mock_recovery_routine):
|
|
mock_recovery_routine.side_effect = errors.ReverterError("foo")
|
|
self.assertRaises(errors.PluginError, self.config.recovery_routine)
|
|
|
|
@mock.patch("certbot.reverter.Reverter.rollback_checkpoints")
|
|
def test_rollback_checkpoints_throws_error_from_reverter(self, mock_rollback_checkpoints):
|
|
mock_rollback_checkpoints.side_effect = errors.ReverterError("foo")
|
|
self.assertRaises(errors.PluginError, self.config.rollback_checkpoints)
|
|
|
|
@mock.patch("certbot.reverter.Reverter.revert_temporary_config")
|
|
def test_revert_challenge_config_throws_error_from_reverter(self, mock_revert_temporary_config):
|
|
mock_revert_temporary_config.side_effect = errors.ReverterError("foo")
|
|
self.assertRaises(errors.PluginError, self.config.revert_challenge_config)
|
|
|
|
@mock.patch("certbot.reverter.Reverter.add_to_checkpoint")
|
|
def test_save_throws_error_from_reverter(self, mock_add_to_checkpoint):
|
|
mock_add_to_checkpoint.side_effect = errors.ReverterError("foo")
|
|
self.assertRaises(errors.PluginError, self.config.save)
|
|
|
|
def test_get_snakeoil_paths(self):
|
|
# pylint: disable=protected-access
|
|
cert, key = self.config._get_snakeoil_paths()
|
|
self.assertTrue(os.path.exists(cert))
|
|
self.assertTrue(os.path.exists(key))
|
|
with open(cert) as cert_file:
|
|
OpenSSL.crypto.load_certificate(
|
|
OpenSSL.crypto.FILETYPE_PEM, cert_file.read())
|
|
with open(key) as key_file:
|
|
OpenSSL.crypto.load_privatekey(
|
|
OpenSSL.crypto.FILETYPE_PEM, key_file.read())
|
|
|
|
def test_redirect_enhance(self):
|
|
# Test that we successfully add a redirect when there is
|
|
# a listen directive
|
|
expected = UnspacedList(_redirect_block_for_domain("www.example.com"))[0]
|
|
|
|
example_conf = self.config.parser.abs_path('sites-enabled/example.com')
|
|
self.config.enhance("www.example.com", "redirect")
|
|
|
|
generated_conf = self.config.parser.parsed[example_conf]
|
|
self.assertTrue(util.contains_at_depth(generated_conf, expected, 2))
|
|
|
|
# Test that we successfully add a redirect when there is
|
|
# no listen directive
|
|
migration_conf = self.config.parser.abs_path('sites-enabled/migration.com')
|
|
self.config.enhance("migration.com", "redirect")
|
|
|
|
expected = UnspacedList(_redirect_block_for_domain("migration.com"))[0]
|
|
|
|
generated_conf = self.config.parser.parsed[migration_conf]
|
|
self.assertTrue(util.contains_at_depth(generated_conf, expected, 2))
|
|
|
|
def test_split_for_redirect(self):
|
|
example_conf = self.config.parser.abs_path('sites-enabled/example.com')
|
|
self.config.deploy_cert(
|
|
"example.org",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
self.config.enhance("www.example.com", "redirect")
|
|
generated_conf = self.config.parser.parsed[example_conf]
|
|
self.assertEqual(
|
|
[[['server'], [
|
|
['server_name', '.example.com'],
|
|
['server_name', 'example.*'], [],
|
|
['listen', '5001', 'ssl'], ['#', ' managed by Certbot'],
|
|
['ssl_certificate', 'example/fullchain.pem'], ['#', ' managed by Certbot'],
|
|
['ssl_certificate_key', 'example/key.pem'], ['#', ' managed by Certbot'],
|
|
['include', self.config.mod_ssl_conf], ['#', ' managed by Certbot'],
|
|
['ssl_dhparam', self.config.ssl_dhparams], ['#', ' managed by Certbot'],
|
|
[], []]],
|
|
[['server'], [
|
|
[['if', '($host', '=', 'www.example.com)'], [
|
|
['return', '301', 'https://$host$request_uri']]],
|
|
['#', ' managed by Certbot'], [],
|
|
['listen', '69.50.225.155:9000'],
|
|
['listen', '127.0.0.1'],
|
|
['server_name', '.example.com'],
|
|
['server_name', 'example.*'],
|
|
['return', '404'], ['#', ' managed by Certbot'], [], [], []]]],
|
|
generated_conf)
|
|
|
|
def test_split_for_headers(self):
|
|
example_conf = self.config.parser.abs_path('sites-enabled/example.com')
|
|
self.config.deploy_cert(
|
|
"example.org",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
self.config.enhance("www.example.com", "ensure-http-header", "Strict-Transport-Security")
|
|
generated_conf = self.config.parser.parsed[example_conf]
|
|
self.assertEqual(
|
|
[[['server'], [
|
|
['server_name', '.example.com'],
|
|
['server_name', 'example.*'], [],
|
|
['listen', '5001', 'ssl'], ['#', ' managed by Certbot'],
|
|
['ssl_certificate', 'example/fullchain.pem'], ['#', ' managed by Certbot'],
|
|
['ssl_certificate_key', 'example/key.pem'], ['#', ' managed by Certbot'],
|
|
['include', self.config.mod_ssl_conf], ['#', ' managed by Certbot'],
|
|
['ssl_dhparam', self.config.ssl_dhparams], ['#', ' managed by Certbot'],
|
|
[], [],
|
|
['add_header', 'Strict-Transport-Security', '"max-age=31536000"', 'always'],
|
|
['#', ' managed by Certbot'],
|
|
[], []]],
|
|
[['server'], [
|
|
['listen', '69.50.225.155:9000'],
|
|
['listen', '127.0.0.1'],
|
|
['server_name', '.example.com'],
|
|
['server_name', 'example.*'],
|
|
[], [], []]]],
|
|
generated_conf)
|
|
|
|
def test_http_header_hsts(self):
|
|
example_conf = self.config.parser.abs_path('sites-enabled/example.com')
|
|
self.config.enhance("www.example.com", "ensure-http-header",
|
|
"Strict-Transport-Security")
|
|
expected = ['add_header', 'Strict-Transport-Security', '"max-age=31536000"', 'always']
|
|
generated_conf = self.config.parser.parsed[example_conf]
|
|
self.assertTrue(util.contains_at_depth(generated_conf, expected, 2))
|
|
|
|
def test_multiple_headers_hsts(self):
|
|
headers_conf = self.config.parser.abs_path('sites-enabled/headers.com')
|
|
self.config.enhance("headers.com", "ensure-http-header",
|
|
"Strict-Transport-Security")
|
|
expected = ['add_header', 'Strict-Transport-Security', '"max-age=31536000"', 'always']
|
|
generated_conf = self.config.parser.parsed[headers_conf]
|
|
self.assertTrue(util.contains_at_depth(generated_conf, expected, 2))
|
|
|
|
def test_http_header_hsts_twice(self):
|
|
self.config.enhance("www.example.com", "ensure-http-header",
|
|
"Strict-Transport-Security")
|
|
self.assertRaises(
|
|
errors.PluginEnhancementAlreadyPresent,
|
|
self.config.enhance, "www.example.com",
|
|
"ensure-http-header", "Strict-Transport-Security")
|
|
|
|
|
|
@mock.patch('certbot_nginx._internal.obj.VirtualHost.contains_list')
|
|
def test_certbot_redirect_exists(self, mock_contains_list):
|
|
# Test that we add no redirect statement if there is already a
|
|
# redirect in the block that is managed by certbot
|
|
# Has a certbot redirect
|
|
mock_contains_list.return_value = True
|
|
with mock.patch("certbot_nginx._internal.configurator.logger") as mock_logger:
|
|
self.config.enhance("www.example.com", "redirect")
|
|
self.assertEqual(mock_logger.info.call_args[0][0],
|
|
"Traffic on port %s already redirecting to ssl in %s")
|
|
|
|
def test_redirect_dont_enhance(self):
|
|
# Test that we don't accidentally add redirect to ssl-only block
|
|
with mock.patch("certbot_nginx._internal.configurator.logger") as mock_logger:
|
|
self.config.enhance("geese.com", "redirect")
|
|
self.assertEqual(mock_logger.info.call_args[0][0],
|
|
'No matching insecure server blocks listening on port %s found.')
|
|
|
|
def test_double_redirect(self):
|
|
# Test that we add one redirect for each domain
|
|
example_conf = self.config.parser.abs_path('sites-enabled/example.com')
|
|
self.config.enhance("example.com", "redirect")
|
|
self.config.enhance("example.org", "redirect")
|
|
|
|
expected1 = UnspacedList(_redirect_block_for_domain("example.com"))[0]
|
|
expected2 = UnspacedList(_redirect_block_for_domain("example.org"))[0]
|
|
|
|
generated_conf = self.config.parser.parsed[example_conf]
|
|
self.assertTrue(util.contains_at_depth(generated_conf, expected1, 2))
|
|
self.assertTrue(util.contains_at_depth(generated_conf, expected2, 2))
|
|
|
|
def test_staple_ocsp_bad_version(self):
|
|
self.config.version = (1, 3, 1)
|
|
self.assertRaises(errors.PluginError, self.config.enhance,
|
|
"www.example.com", "staple-ocsp", "chain_path")
|
|
|
|
def test_staple_ocsp_no_chain_path(self):
|
|
self.assertRaises(errors.PluginError, self.config.enhance,
|
|
"www.example.com", "staple-ocsp", None)
|
|
|
|
def test_staple_ocsp_internal_error(self):
|
|
self.config.enhance("www.example.com", "staple-ocsp", "chain_path")
|
|
# error is raised because the server block has conflicting directives
|
|
self.assertRaises(errors.PluginError, self.config.enhance,
|
|
"www.example.com", "staple-ocsp", "different_path")
|
|
|
|
def test_staple_ocsp(self):
|
|
chain_path = "example/chain.pem"
|
|
self.config.enhance("www.example.com", "staple-ocsp", chain_path)
|
|
|
|
example_conf = self.config.parser.abs_path('sites-enabled/example.com')
|
|
generated_conf = self.config.parser.parsed[example_conf]
|
|
|
|
self.assertTrue(util.contains_at_depth(
|
|
generated_conf,
|
|
['ssl_trusted_certificate', 'example/chain.pem'], 2))
|
|
self.assertTrue(util.contains_at_depth(
|
|
generated_conf, ['ssl_stapling', 'on'], 2))
|
|
self.assertTrue(util.contains_at_depth(
|
|
generated_conf, ['ssl_stapling_verify', 'on'], 2))
|
|
|
|
def test_deploy_no_match_default_set(self):
|
|
default_conf = self.config.parser.abs_path('sites-enabled/default')
|
|
foo_conf = self.config.parser.abs_path('foo.conf')
|
|
del self.config.parser.parsed[foo_conf][2][1][0][1][0] # remove default_server
|
|
self.config.version = (1, 3, 1)
|
|
|
|
self.config.deploy_cert(
|
|
"www.nomatch.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
self.config.save()
|
|
|
|
self.config.parser.load()
|
|
|
|
parsed_default_conf = util.filter_comments(self.config.parser.parsed[default_conf])
|
|
|
|
self.assertEqual([[['server'],
|
|
[['listen', 'myhost', 'default_server'],
|
|
['listen', 'otherhost', 'default_server'],
|
|
['server_name', '"www.example.org"'],
|
|
[['location', '/'],
|
|
[['root', 'html'],
|
|
['index', 'index.html', 'index.htm']]]]],
|
|
[['server'],
|
|
[['listen', 'myhost'],
|
|
['listen', 'otherhost'],
|
|
['server_name', 'www.nomatch.com'],
|
|
[['location', '/'],
|
|
[['root', 'html'],
|
|
['index', 'index.html', 'index.htm']]],
|
|
['listen', '5001', 'ssl'],
|
|
['ssl_certificate', 'example/fullchain.pem'],
|
|
['ssl_certificate_key', 'example/key.pem'],
|
|
['include', self.config.mod_ssl_conf],
|
|
['ssl_dhparam', self.config.ssl_dhparams]]]],
|
|
parsed_default_conf)
|
|
|
|
self.config.deploy_cert(
|
|
"nomatch.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
self.config.save()
|
|
|
|
self.config.parser.load()
|
|
|
|
parsed_default_conf = util.filter_comments(self.config.parser.parsed[default_conf])
|
|
|
|
self.assertTrue(util.contains_at_depth(parsed_default_conf, "nomatch.com", 3))
|
|
|
|
def test_deploy_no_match_default_set_multi_level_path(self):
|
|
default_conf = self.config.parser.abs_path('sites-enabled/default')
|
|
foo_conf = self.config.parser.abs_path('foo.conf')
|
|
del self.config.parser.parsed[default_conf][0][1][0]
|
|
del self.config.parser.parsed[default_conf][0][1][0]
|
|
self.config.version = (1, 3, 1)
|
|
|
|
self.config.deploy_cert(
|
|
"www.nomatch.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
self.config.save()
|
|
|
|
self.config.parser.load()
|
|
|
|
parsed_foo_conf = util.filter_comments(self.config.parser.parsed[foo_conf])
|
|
|
|
self.assertEqual([['server'],
|
|
[['listen', '*:80', 'ssl'],
|
|
['server_name', 'www.nomatch.com'],
|
|
['root', '/home/ubuntu/sites/foo/'],
|
|
[['location', '/status'], [[['types'], [['image/jpeg', 'jpg']]]]],
|
|
[['location', '~', 'case_sensitive\\.php$'], [['index', 'index.php'],
|
|
['root', '/var/root']]],
|
|
[['location', '~*', 'case_insensitive\\.php$'], []],
|
|
[['location', '=', 'exact_match\\.php$'], []],
|
|
[['location', '^~', 'ignore_regex\\.php$'], []],
|
|
['ssl_certificate', 'example/fullchain.pem'],
|
|
['ssl_certificate_key', 'example/key.pem']]],
|
|
parsed_foo_conf[1][1][1])
|
|
|
|
def test_deploy_no_match_no_default_set(self):
|
|
default_conf = self.config.parser.abs_path('sites-enabled/default')
|
|
foo_conf = self.config.parser.abs_path('foo.conf')
|
|
del self.config.parser.parsed[default_conf][0][1][0]
|
|
del self.config.parser.parsed[default_conf][0][1][0]
|
|
del self.config.parser.parsed[foo_conf][2][1][0][1][0]
|
|
self.config.version = (1, 3, 1)
|
|
|
|
self.assertRaises(errors.MisconfigurationError, self.config.deploy_cert,
|
|
"www.nomatch.com", "example/cert.pem", "example/key.pem",
|
|
"example/chain.pem", "example/fullchain.pem")
|
|
|
|
def test_deploy_no_match_fail_multiple_defaults(self):
|
|
self.config.version = (1, 3, 1)
|
|
self.assertRaises(errors.MisconfigurationError, self.config.deploy_cert,
|
|
"www.nomatch.com", "example/cert.pem", "example/key.pem",
|
|
"example/chain.pem", "example/fullchain.pem")
|
|
|
|
def test_deploy_no_match_multiple_defaults_ok(self):
|
|
foo_conf = self.config.parser.abs_path('foo.conf')
|
|
self.config.parser.parsed[foo_conf][2][1][0][1][0][1] = '*:5001'
|
|
self.config.version = (1, 3, 1)
|
|
self.config.deploy_cert("www.nomatch.com", "example/cert.pem", "example/key.pem",
|
|
"example/chain.pem", "example/fullchain.pem")
|
|
|
|
def test_deploy_no_match_add_redirect(self):
|
|
default_conf = self.config.parser.abs_path('sites-enabled/default')
|
|
foo_conf = self.config.parser.abs_path('foo.conf')
|
|
del self.config.parser.parsed[foo_conf][2][1][0][1][0] # remove default_server
|
|
self.config.version = (1, 3, 1)
|
|
|
|
self.config.deploy_cert(
|
|
"www.nomatch.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
|
|
self.config.deploy_cert(
|
|
"nomatch.com",
|
|
"example/cert.pem",
|
|
"example/key.pem",
|
|
"example/chain.pem",
|
|
"example/fullchain.pem")
|
|
|
|
self.config.enhance("www.nomatch.com", "redirect")
|
|
|
|
self.config.save()
|
|
|
|
self.config.parser.load()
|
|
|
|
expected = UnspacedList(_redirect_block_for_domain("www.nomatch.com"))[0]
|
|
|
|
generated_conf = self.config.parser.parsed[default_conf]
|
|
self.assertTrue(util.contains_at_depth(generated_conf, expected, 2))
|
|
|
|
@mock.patch('certbot.reverter.logger')
|
|
@mock.patch('certbot_nginx._internal.parser.NginxParser.load')
|
|
def test_parser_reload_after_config_changes(self, mock_parser_load, unused_mock_logger):
|
|
self.config.recovery_routine()
|
|
self.config.revert_challenge_config()
|
|
self.config.rollback_checkpoints()
|
|
self.assertEqual(mock_parser_load.call_count, 3)
|
|
|
|
def test_choose_vhosts_wildcard(self):
|
|
# pylint: disable=protected-access
|
|
mock_path = "certbot_nginx._internal.display_ops.select_vhost_multiple"
|
|
with mock.patch(mock_path) as mock_select_vhs:
|
|
vhost = [x for x in self.config.parser.get_vhosts()
|
|
if 'summer.com' in x.names][0]
|
|
mock_select_vhs.return_value = [vhost]
|
|
vhs = self.config._choose_vhosts_wildcard("*.com",
|
|
prefer_ssl=True)
|
|
# Check that the dialog was called with migration.com
|
|
self.assertTrue(vhost in mock_select_vhs.call_args[0][0])
|
|
|
|
# And the actual returned values
|
|
self.assertEqual(len(vhs), 1)
|
|
self.assertEqual(vhs[0], vhost)
|
|
|
|
def test_choose_vhosts_wildcard_redirect(self):
|
|
# pylint: disable=protected-access
|
|
mock_path = "certbot_nginx._internal.display_ops.select_vhost_multiple"
|
|
with mock.patch(mock_path) as mock_select_vhs:
|
|
vhost = [x for x in self.config.parser.get_vhosts()
|
|
if 'summer.com' in x.names][0]
|
|
mock_select_vhs.return_value = [vhost]
|
|
vhs = self.config._choose_vhosts_wildcard("*.com",
|
|
prefer_ssl=False)
|
|
# Check that the dialog was called with migration.com
|
|
self.assertTrue(vhost in mock_select_vhs.call_args[0][0])
|
|
|
|
# And the actual returned values
|
|
self.assertEqual(len(vhs), 1)
|
|
self.assertEqual(vhs[0], vhost)
|
|
|
|
def test_deploy_cert_wildcard(self):
|
|
# pylint: disable=protected-access
|
|
mock_choose_vhosts = mock.MagicMock()
|
|
vhost = [x for x in self.config.parser.get_vhosts()
|
|
if 'geese.com' in x.names][0]
|
|
mock_choose_vhosts.return_value = [vhost]
|
|
self.config._choose_vhosts_wildcard = mock_choose_vhosts
|
|
mock_d = "certbot_nginx._internal.configurator.NginxConfigurator._deploy_cert"
|
|
with mock.patch(mock_d) as mock_dep:
|
|
self.config.deploy_cert("*.com", "/tmp/path",
|
|
"/tmp/path", "/tmp/path", "/tmp/path")
|
|
self.assertTrue(mock_dep.called)
|
|
self.assertEqual(len(mock_dep.call_args_list), 1)
|
|
self.assertEqual(vhost, mock_dep.call_args_list[0][0][0])
|
|
|
|
@mock.patch("certbot_nginx._internal.display_ops.select_vhost_multiple")
|
|
def test_deploy_cert_wildcard_no_vhosts(self, mock_dialog):
|
|
# pylint: disable=protected-access
|
|
mock_dialog.return_value = []
|
|
self.assertRaises(errors.PluginError,
|
|
self.config.deploy_cert,
|
|
"*.wild.cat", "/tmp/path", "/tmp/path",
|
|
"/tmp/path", "/tmp/path")
|
|
|
|
@mock.patch("certbot_nginx._internal.display_ops.select_vhost_multiple")
|
|
def test_enhance_wildcard_ocsp_after_install(self, mock_dialog):
|
|
# pylint: disable=protected-access
|
|
vhost = [x for x in self.config.parser.get_vhosts()
|
|
if 'geese.com' in x.names][0]
|
|
self.config._wildcard_vhosts["*.com"] = [vhost]
|
|
self.config.enhance("*.com", "staple-ocsp", "example/chain.pem")
|
|
self.assertFalse(mock_dialog.called)
|
|
|
|
@mock.patch("certbot_nginx._internal.display_ops.select_vhost_multiple")
|
|
def test_enhance_wildcard_redirect_or_ocsp_no_install(self, mock_dialog):
|
|
vhost = [x for x in self.config.parser.get_vhosts()
|
|
if 'summer.com' in x.names][0]
|
|
mock_dialog.return_value = [vhost]
|
|
self.config.enhance("*.com", "staple-ocsp", "example/chain.pem")
|
|
self.assertTrue(mock_dialog.called)
|
|
|
|
@mock.patch("certbot_nginx._internal.display_ops.select_vhost_multiple")
|
|
def test_enhance_wildcard_double_redirect(self, mock_dialog):
|
|
# pylint: disable=protected-access
|
|
vhost = [x for x in self.config.parser.get_vhosts()
|
|
if 'summer.com' in x.names][0]
|
|
self.config._wildcard_redirect_vhosts["*.com"] = [vhost]
|
|
self.config.enhance("*.com", "redirect")
|
|
self.assertFalse(mock_dialog.called)
|
|
|
|
def test_choose_vhosts_wildcard_no_ssl_filter_port(self):
|
|
# pylint: disable=protected-access
|
|
mock_path = "certbot_nginx._internal.display_ops.select_vhost_multiple"
|
|
with mock.patch(mock_path) as mock_select_vhs:
|
|
mock_select_vhs.return_value = []
|
|
self.config._choose_vhosts_wildcard("*.com",
|
|
prefer_ssl=False,
|
|
no_ssl_filter_port='80')
|
|
# Check that the dialog was called with only port 80 vhosts
|
|
self.assertEqual(len(mock_select_vhs.call_args[0][0]), 8)
|
|
|
|
def test_choose_auth_vhosts(self):
|
|
"""choose_auth_vhosts correctly selects duplicative and HTTP/HTTPS vhosts"""
|
|
http, https = self.config.choose_auth_vhosts('ssl.both.com')
|
|
self.assertEqual(len(http), 4)
|
|
self.assertEqual(len(https), 2)
|
|
self.assertEqual(http[0].names, {'ssl.both.com'})
|
|
self.assertEqual(http[1].names, {'ssl.both.com'})
|
|
self.assertEqual(http[2].names, {'ssl.both.com'})
|
|
self.assertEqual(http[3].names, {'*.both.com'})
|
|
self.assertEqual(https[0].names, {'ssl.both.com'})
|
|
self.assertEqual(https[1].names, {'*.both.com'})
|
|
|
|
|
|
class InstallSslOptionsConfTest(util.NginxTest):
|
|
"""Test that the options-ssl-nginx.conf file is installed and updated properly."""
|
|
|
|
def setUp(self):
|
|
super().setUp()
|
|
|
|
self.config = self.get_nginx_configurator(
|
|
self.config_path, self.config_dir, self.work_dir, self.logs_dir)
|
|
|
|
def _call(self):
|
|
self.config.install_ssl_options_conf(self.config.mod_ssl_conf,
|
|
self.config.updated_mod_ssl_conf_digest)
|
|
|
|
def _current_ssl_options_hash(self):
|
|
return crypto_util.sha256sum(self.config.mod_ssl_conf_src)
|
|
|
|
def _assert_current_file(self):
|
|
self.assertTrue(os.path.isfile(self.config.mod_ssl_conf))
|
|
self.assertEqual(crypto_util.sha256sum(self.config.mod_ssl_conf),
|
|
self._current_ssl_options_hash())
|
|
|
|
def test_no_file(self):
|
|
# prepare should have placed a file there
|
|
self._assert_current_file()
|
|
os.remove(self.config.mod_ssl_conf)
|
|
self.assertFalse(os.path.isfile(self.config.mod_ssl_conf))
|
|
self._call()
|
|
self._assert_current_file()
|
|
|
|
def test_current_file(self):
|
|
self._assert_current_file()
|
|
self._call()
|
|
self._assert_current_file()
|
|
|
|
def _mock_hash_except_ssl_conf_src(self, fake_hash):
|
|
# Write a bad file in place so that update tests fail if no update occurs.
|
|
# We're going to pretend this file (the currently installed conf file)
|
|
# actually hashes to `fake_hash` for the update tests.
|
|
with open(self.config.mod_ssl_conf, "w") as f:
|
|
f.write("bogus")
|
|
sha256 = crypto_util.sha256sum
|
|
def _hash(filename):
|
|
return sha256(filename) if filename == self.config.mod_ssl_conf_src else fake_hash
|
|
return _hash
|
|
|
|
def test_prev_file_updates_to_current(self):
|
|
from certbot_nginx._internal.constants import ALL_SSL_OPTIONS_HASHES
|
|
with mock.patch('certbot.crypto_util.sha256sum',
|
|
new=self._mock_hash_except_ssl_conf_src(ALL_SSL_OPTIONS_HASHES[0])):
|
|
self._call()
|
|
self._assert_current_file()
|
|
|
|
def test_prev_file_updates_to_current_old_nginx(self):
|
|
from certbot_nginx._internal.constants import ALL_SSL_OPTIONS_HASHES
|
|
self.config.version = (1, 5, 8)
|
|
with mock.patch('certbot.crypto_util.sha256sum',
|
|
new=self._mock_hash_except_ssl_conf_src(ALL_SSL_OPTIONS_HASHES[0])):
|
|
self._call()
|
|
self._assert_current_file()
|
|
|
|
def test_manually_modified_current_file_does_not_update(self):
|
|
with open(self.config.mod_ssl_conf, "a") as mod_ssl_conf:
|
|
mod_ssl_conf.write("a new line for the wrong hash\n")
|
|
with mock.patch("certbot.plugins.common.logger") as mock_logger:
|
|
self._call()
|
|
self.assertFalse(mock_logger.warning.called)
|
|
self.assertTrue(os.path.isfile(self.config.mod_ssl_conf))
|
|
self.assertEqual(crypto_util.sha256sum(self.config.mod_ssl_conf_src),
|
|
self._current_ssl_options_hash())
|
|
self.assertNotEqual(crypto_util.sha256sum(self.config.mod_ssl_conf),
|
|
self._current_ssl_options_hash())
|
|
|
|
def test_manually_modified_past_file_warns(self):
|
|
with open(self.config.mod_ssl_conf, "a") as mod_ssl_conf:
|
|
mod_ssl_conf.write("a new line for the wrong hash\n")
|
|
with open(self.config.updated_mod_ssl_conf_digest, "w") as f:
|
|
f.write("hashofanoldversion")
|
|
with mock.patch("certbot.plugins.common.logger") as mock_logger:
|
|
self._call()
|
|
self.assertEqual(mock_logger.warning.call_args[0][0],
|
|
"%s has been manually modified; updated file "
|
|
"saved to %s. We recommend updating %s for security purposes.")
|
|
self.assertEqual(crypto_util.sha256sum(self.config.mod_ssl_conf_src),
|
|
self._current_ssl_options_hash())
|
|
# only print warning once
|
|
with mock.patch("certbot.plugins.common.logger") as mock_logger:
|
|
self._call()
|
|
self.assertFalse(mock_logger.warning.called)
|
|
|
|
def test_current_file_hash_in_all_hashes(self):
|
|
from certbot_nginx._internal.constants import ALL_SSL_OPTIONS_HASHES
|
|
self.assertTrue(self._current_ssl_options_hash() in ALL_SSL_OPTIONS_HASHES,
|
|
"Constants.ALL_SSL_OPTIONS_HASHES must be appended"
|
|
" with the sha256 hash of self.config.mod_ssl_conf when it is updated.")
|
|
|
|
def test_ssl_config_files_hash_in_all_hashes(self):
|
|
"""
|
|
It is really critical that all TLS Nginx config files have their SHA256 hash registered in
|
|
constants.ALL_SSL_OPTIONS_HASHES. Otherwise Certbot will mistakenly assume that the config
|
|
file has been manually edited by the user, and will refuse to update it.
|
|
This test ensures that all necessary hashes are present.
|
|
"""
|
|
from certbot_nginx._internal.constants import ALL_SSL_OPTIONS_HASHES
|
|
import pkg_resources
|
|
all_files = [
|
|
pkg_resources.resource_filename("certbot_nginx",
|
|
os.path.join("_internal", "tls_configs", x))
|
|
for x in ("options-ssl-nginx.conf",
|
|
"options-ssl-nginx-old.conf",
|
|
"options-ssl-nginx-tls12-only.conf")
|
|
]
|
|
self.assertTrue(all_files)
|
|
for one_file in all_files:
|
|
file_hash = crypto_util.sha256sum(one_file)
|
|
self.assertTrue(file_hash in ALL_SSL_OPTIONS_HASHES,
|
|
"Constants.ALL_SSL_OPTIONS_HASHES must be appended with the sha256 "
|
|
"hash of {0} when it is updated.".format(one_file))
|
|
|
|
def test_nginx_version_uses_correct_config(self):
|
|
self.config.version = (1, 5, 8)
|
|
self.config.openssl_version = "1.0.2g" # shouldn't matter
|
|
self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
|
|
"options-ssl-nginx-old.conf")
|
|
self._call()
|
|
self._assert_current_file()
|
|
self.config.version = (1, 5, 9)
|
|
self.config.openssl_version = "1.0.2l"
|
|
self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
|
|
"options-ssl-nginx-tls12-only.conf")
|
|
self._call()
|
|
self._assert_current_file()
|
|
self.config.version = (1, 13, 0)
|
|
self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
|
|
"options-ssl-nginx.conf")
|
|
self._call()
|
|
self._assert_current_file()
|
|
self.config.version = (1, 13, 0)
|
|
self.config.openssl_version = "1.0.2k"
|
|
self.assertEqual(os.path.basename(self.config.mod_ssl_conf_src),
|
|
"options-ssl-nginx-tls13-session-tix-on.conf")
|
|
|
|
|
|
class DetermineDefaultServerRootTest(certbot_test_util.ConfigTestCase):
|
|
"""Tests for certbot_nginx._internal.configurator._determine_default_server_root."""
|
|
|
|
def _call(self):
|
|
from certbot_nginx._internal.configurator import _determine_default_server_root
|
|
return _determine_default_server_root()
|
|
|
|
@mock.patch.dict(os.environ, {"CERTBOT_DOCS": "1"})
|
|
def test_docs_value(self):
|
|
self._test(expect_both_values=True)
|
|
|
|
@mock.patch.dict(os.environ, {})
|
|
def test_real_values(self):
|
|
self._test(expect_both_values=False)
|
|
|
|
def _test(self, expect_both_values):
|
|
server_root = self._call()
|
|
|
|
if expect_both_values:
|
|
self.assertIn("/usr/local/etc/nginx", server_root)
|
|
self.assertIn("/etc/nginx", server_root)
|
|
else:
|
|
self.assertTrue(server_root in ("/etc/nginx", "/usr/local/etc/nginx"))
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main() # pragma: no cover
|