diff options
| author | Seth Michael Larson <sethmichaellarson@gmail.com> | 2019-04-17 12:46:22 -0500 |
|---|---|---|
| committer | Andrey Petrov <andrey.petrov@shazow.net> | 2019-04-17 13:46:22 -0400 |
| commit | 1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1 (patch) | |
| tree | 34f0dfde40af4843d35aadbd03b4f18b149baf94 /test | |
| parent | a6ec68a5c5c5743c59fe5c62c635c929586c429b (diff) | |
| download | urllib3-release.tar.gz | |
* Don't load system certificates by default when any other ``ca_certs``, ``ca_certs_dir`` or ``ssl_context`` parameters are specified.
* Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510)
* Add support for IPv6 addresses in subjectAltName section of certificates. (Issue #1269)
Diffstat (limited to 'test')
| -rw-r--r-- | test/contrib/test_pyopenssl.py | 5 | ||||
| -rw-r--r-- | test/test_retry.py | 6 | ||||
| -rw-r--r-- | test/test_ssl.py | 37 | ||||
| -rw-r--r-- | test/with_dummyserver/test_https.py | 20 | ||||
| -rw-r--r-- | test/with_dummyserver/test_poolmanager.py | 26 |
5 files changed, 89 insertions, 5 deletions
diff --git a/test/contrib/test_pyopenssl.py b/test/contrib/test_pyopenssl.py index 7fc296f3..f08aa018 100644 --- a/test/contrib/test_pyopenssl.py +++ b/test/contrib/test_pyopenssl.py @@ -31,7 +31,10 @@ def teardown_module(): pass -from ..with_dummyserver.test_https import TestHTTPS, TestHTTPS_TLSv1 # noqa: F401 +from ..with_dummyserver.test_https import ( # noqa: F401 + TestHTTPS, TestHTTPS_TLSv1, TestHTTPS_IPv6Addr, + TestHTTPS_IPSAN, TestHTTPS_NoSAN, TestHTTPS_IPV6SAN +) from ..with_dummyserver.test_socketlevel import ( # noqa: F401 TestSNI, TestSocketClosing, TestClientCerts ) diff --git a/test/test_retry.py b/test/test_retry.py index b4119b10..7546c43f 100644 --- a/test/test_retry.py +++ b/test/test_retry.py @@ -253,9 +253,9 @@ class TestRetry(object): def test_retry_default_remove_headers_on_redirect(self): retry = Retry() - assert list(retry.remove_headers_on_redirect) == ['Authorization'] + assert list(retry.remove_headers_on_redirect) == ['authorization'] def test_retry_set_remove_headers_on_redirect(self): - retry = Retry(remove_headers_on_redirect=['X-API-Secret']) + retry = Retry(remove_headers_on_redirect=['x-api-secret']) - assert list(retry.remove_headers_on_redirect) == ['X-API-Secret'] + assert list(retry.remove_headers_on_redirect) == ['x-api-secret'] diff --git a/test/test_ssl.py b/test/test_ssl.py index 47359717..6a46b4f3 100644 --- a/test/test_ssl.py +++ b/test/test_ssl.py @@ -88,3 +88,40 @@ def test_create_urllib3_context_set_ciphers(monkeypatch, ciphers, expected_ciphe assert context.set_ciphers.call_count == 1 assert context.set_ciphers.call_args == mock.call(expected_ciphers) + + +def test_wrap_socket_given_context_no_load_default_certs(): + context = mock.create_autospec(ssl_.SSLContext) + context.load_default_certs = mock.Mock() + + sock = mock.Mock() + ssl_.ssl_wrap_socket(sock, ssl_context=context) + + context.load_default_certs.assert_not_called() + + +def test_wrap_socket_given_ca_certs_no_load_default_certs(monkeypatch): + context = mock.create_autospec(ssl_.SSLContext) + context.load_default_certs = mock.Mock() + context.options = 0 + + monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context) + + sock = mock.Mock() + ssl_.ssl_wrap_socket(sock, ca_certs="/tmp/fake-file") + + context.load_default_certs.assert_not_called() + context.load_verify_locations.assert_called_with("/tmp/fake-file", None) + + +def test_wrap_socket_default_loads_default_certs(monkeypatch): + context = mock.create_autospec(ssl_.SSLContext) + context.load_default_certs = mock.Mock() + context.options = 0 + + monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context) + + sock = mock.Mock() + ssl_.ssl_wrap_socket(sock) + + context.load_default_certs.assert_called_with() diff --git a/test/with_dummyserver/test_https.py b/test/with_dummyserver/test_https.py index 082ede96..acc149c3 100644 --- a/test/with_dummyserver/test_https.py +++ b/test/with_dummyserver/test_https.py @@ -17,7 +17,7 @@ from dummyserver.server import (DEFAULT_CA, DEFAULT_CA_BAD, DEFAULT_CERTS, DEFAULT_CLIENT_NO_INTERMEDIATE_CERTS, NO_SAN_CERTS, NO_SAN_CA, DEFAULT_CA_DIR, IPV6_ADDR_CERTS, IPV6_ADDR_CA, HAS_IPV6, - IP_SAN_CERTS) + IP_SAN_CERTS, IPV6_SAN_CA, IPV6_SAN_CERTS) from test import ( onlyPy279OrNewer, @@ -625,5 +625,23 @@ class TestHTTPS_IPv6Addr(IPV6HTTPSDummyServerTestCase): self.assertEqual(r.status, 200) +class TestHTTPS_IPV6SAN(IPV6HTTPSDummyServerTestCase): + certs = IPV6_SAN_CERTS + + def test_can_validate_ipv6_san(self): + """Ensure that urllib3 can validate SANs with IPv6 addresses in them.""" + try: + import ipaddress # noqa: F401 + except ImportError: + pytest.skip("Only runs on systems with an ipaddress module") + + https_pool = HTTPSConnectionPool('[::1]', self.port, + cert_reqs='CERT_REQUIRED', + ca_certs=IPV6_SAN_CA) + self.addCleanup(https_pool.close) + r = https_pool.request('GET', '/') + self.assertEqual(r.status, 200) + + if __name__ == '__main__': unittest.main() diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py index 2a13722c..3c1eef8d 100644 --- a/test/with_dummyserver/test_poolmanager.py +++ b/test/with_dummyserver/test_poolmanager.py @@ -123,6 +123,17 @@ class TestPoolManager(HTTPDummyServerTestCase): self.assertNotIn('Authorization', data) + r = http.request('GET', '%s/redirect' % self.base_url, + fields={'target': '%s/headers' % self.base_url_alt}, + headers={'authorization': 'foo'}) + + self.assertEqual(r.status, 200) + + data = json.loads(r.data.decode('utf-8')) + + self.assertNotIn('authorization', data) + self.assertNotIn('Authorization', data) + def test_redirect_cross_host_no_remove_headers(self): http = PoolManager() self.addCleanup(http.clear) @@ -155,6 +166,21 @@ class TestPoolManager(HTTPDummyServerTestCase): self.assertNotIn('X-API-Secret', data) self.assertEqual(data['Authorization'], 'bar') + r = http.request('GET', '%s/redirect' % self.base_url, + fields={'target': '%s/headers' % self.base_url_alt}, + headers={'x-api-secret': 'foo', + 'authorization': 'bar'}, + retries=Retry(remove_headers_on_redirect=['X-API-Secret'])) + + self.assertEqual(r.status, 200) + + data = json.loads(r.data.decode('utf-8')) + + self.assertNotIn('x-api-secret', data) + self.assertNotIn('X-API-Secret', data) + + self.assertEqual(data['Authorization'], 'bar') + def test_raise_on_redirect(self): http = PoolManager() self.addCleanup(http.clear) |