
Side by Side Diff: Lib/test/test_httplib.py

Issue 22417: PEP 476: verify HTTPS certificates by default
Patch Set: Created 4 years, 10 months ago
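--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -1,10 +1,10 @@
 import errno
 from http import client
 import io
 import os
 import array
 import socket
 
 import unittest
 TestCase = unittest.TestCase
 
@@ -1005,88 +1005,115 @@
 # simple test to check it's storing the timeout
 h = client.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
 self.assertEqual(h.timeout, 30)
 
 def _check_svn_python_org(self, resp):
 # Just a simple check that everything went fine
 server_string = resp.getheader('server')
 self.assertIn('Apache', server_string)
 
 def test_networked(self):
-# Default settings: no cert verification is done
+# Default settings: requires a valid cert from a trusted CA
+import ssl
 support.requires('network')
 with support.transient_internet('svn.python.org'):
 h = client.HTTPSConnection('svn.python.org', 443)
+with self.assertRaises(ssl.SSLError):
+h.request('GET', '/')
+
+def test_networked_noverification(self):
+# Switch off cert verification
+import ssl
+support.requires('network')
+with support.transient_internet('svn.python.org'):
+context = ssl._create_unverified_context()
+h = client.HTTPSConnection('svn.python.org', 443, context=context)
 h.request('GET', '/')
 resp = h.getresponse()
 self._check_svn_python_org(resp)
 
+def test_networked_trusted_by_default_cert(self):
+# Default settings: requires a valid cert from a trusted CA
+support.requires('network')
+with support.transient_internet('www.python.org'):
+h = client.HTTPSConnection('www.python.org', 443)
+h.request('GET', '/')
+resp = h.getresponse()
+content_type = resp.getheader('content-type')
+self.assertIn('text/html', content_type)
+
 def test_networked_good_cert(self):
 # We feed a CA cert that validates the server's cert
 import ssl
 support.requires('network')
 with support.transient_internet('svn.python.org'):
 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(CACERT_svn_python_org)
 h = client.HTTPSConnection('svn.python.org', 443, context=context)
 h.request('GET', '/')
 resp = h.getresponse()
 self._check_svn_python_org(resp)
 
 def test_networked_bad_cert(self):
 # We feed a "CA" cert that is unrelated to the server's cert
 import ssl
 support.requires('network')
 with support.transient_internet('svn.python.org'):
 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(CERT_localhost)
 h = client.HTTPSConnection('svn.python.org', 443, context=context)
 with self.assertRaises(ssl.SSLError):
 h.request('GET', '/')
+
+def test_local_unknown_cert(self):
+# The custom cert isn't known to the default trust bundle
+import ssl
+server = self.make_server(CERT_localhost)
+h = client.HTTPSConnection('localhost', server.port)
+with self.assertRaises(ssl.SSLError):
+h.request('GET', '/')
 
 def test_local_good_hostname(self):
 # The (valid) cert validates the HTTP hostname
 import ssl
 server = self.make_server(CERT_localhost)
 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(CERT_localhost)
 h = client.HTTPSConnection('localhost', server.port, context=context)
 h.request('GET', '/nonexistent')
 resp = h.getresponse()
 self.assertEqual(resp.status, 404)
-del server
 
 def test_local_bad_hostname(self):
 # The (valid) cert doesn't validate the HTTP hostname
 import ssl
 server = self.make_server(CERT_fakehostname)
 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
 context.verify_mode = ssl.CERT_REQUIRED
 context.load_verify_locations(CERT_fakehostname)
 h = client.HTTPSConnection('localhost', server.port, context=context)
 with self.assertRaises(ssl.CertificateError):
 h.request('GET', '/')
 # Same with explicit check_hostname=True
 h = client.HTTPSConnection('localhost', server.port, context=context,
 check_hostname=True)
 with self.assertRaises(ssl.CertificateError):
 h.request('GET', '/')
 # With check_hostname=False, the mismatching is ignored
 h = client.HTTPSConnection('localhost', server.port, context=context,
 check_hostname=False)
 h.request('GET', '/nonexistent')
 resp = h.getresponse()
 self.assertEqual(resp.status, 404)
-del server
 
 @unittest.skipIf(not hasattr(client, 'HTTPSConnection'),
 'http.client.HTTPSConnection not available')
 def test_host_port(self):
 # Check invalid host_port
 
 for hp in ("www.python.org:abc", "user:password@www.python.org"):
 self.assertRaises(client.InvalidURL, client.HTTPSConnection, hp)
 
 for hp, h, p in (("[fe80::207:e9ff:fe9b]:8000",
@@ -1251,10 +1278,10 @@
 self.assertTrue(b'Host: destination.com' in conn.sock.data)
 
 def test_main(verbose=None):
 support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
 HTTPSTest, RequestBodyTest, SourceAddressTest,
 HTTPResponseTest, ExtendedReadTest,
 ExtendedReadTestChunked, TunnelTests)
 
 if __name__ == '__main__':
 test_main()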
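Review bot: In `test_networked` (new lines 1020-1021) and `test_local_unknown_cert` (new lines 1074-1075), `assertRaises(ssl.SSLError)` is satisfied by any TLS failure, not only by a rejected certificate. The tests that are meant to prove verify-by-default would therefore also pass if the handshake failed for an unrelated reason, such as a protocol or cipher mismatch. Bind the exception with `with self.assertRaises(ssl.SSLError) as exc_info:` and, after the block, add `self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')`. `test_networked` also appears to rely on svn.python.org serving a certificate outside the default trust bundle, and a comment stating that assumption would explain the failure if the host's certificate changes.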