Google Git
Sign in
apache / httpd / 8ffa19a1f7eb03b156e6bdbda65b3d2a2de9dfe8 / . / test / modules / md / test_750_eab.py
blob: aec7e89b8c2542fe7fa6dac0bc8d14f732c595cf [file] [log] [blame]
import json.encoder
import os
import re
import pytest
from .md_conf import MDConf
from .md_env import MDTestEnv
@pytest.mark.skipif(condition=not MDTestEnv.has_acme_eab(),
reason="ACME test server does not support External Account Binding")
class TestEab:
@pytest.fixture(autouse=True, scope='class')
def _class_scope(self, env, acme):
acme.start(config='eab')
env.check_acme()
env.clear_store()
MDConf(env).install()
assert env.apache_restart() == 0
@pytest.fixture(autouse=True, scope='function')
def _method_scope(self, env, request):
env.clear_store()
self.test_domain = env.get_request_domain(request)
def test_md_750_001(self, env):
# md without EAB configured
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
md = env.await_error(domain)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
],
matches = [
r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
]
)
def test_md_750_002(self, env):
# md with known EAB KID and non base64 hmac key configured
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding kid-1 äöüß")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
md = env.await_error(domain)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'apache:eab-hmac-invalid'
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # external account binding HMAC value is not valid base64
],
matches = [
r'.*problem\[apache:eab-hmac-invalid\].*'
]
)
def test_md_750_003(self, env):
# md with empty EAB KID configured
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding \" \" bm90IGEgdmFsaWQgaG1hYwo=")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
md = env.await_error(domain)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] in [
'urn:ietf:params:acme:error:unauthorized',
'urn:ietf:params:acme:error:malformed',
]
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # the field 'kid' references a key that is not known to the ACME server
],
matches = [
r'.*urn:ietf:params:acme:error:(unauthorized|malformed).*'
]
)
def test_md_750_004(self, env):
# md with unknown EAB KID configured
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding key-x bm90IGEgdmFsaWQgaG1hYwo=")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
md = env.await_error(domain)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] in [
'urn:ietf:params:acme:error:unauthorized',
'urn:ietf:params:acme:error:malformed',
]
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # the field 'kid' references a key that is not known to the ACME server
],
matches = [
r'.*urn:ietf:params:acme:error:(unauthorized|malformed).*'
]
)
def test_md_750_005(self, env):
# md with known EAB KID but wrong HMAC configured
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding kid-1 bm90IGEgdmFsaWQgaG1hYwo=")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
md = env.await_error(domain)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] in [
'urn:ietf:params:acme:error:unauthorized',
'urn:ietf:params:acme:error:malformed',
]
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # external account binding JWS verification error: square/go-jose: error in cryptographic primitive
],
matches = [
r'.*urn:ietf:params:acme:error:(unauthorized|malformed).*'
]
)
def test_md_750_010(self, env):
# md with correct EAB configured
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
# this is one of the values in conf/pebble-eab.json
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
assert env.await_completion(domains)
def test_md_750_011(self, env):
# first one md with EAB, then one without, works only for the first
# as the second is unable to reuse the account
domain_a = f"a{self.test_domain}"
domain_b = f"b{self.test_domain}"
conf = MDConf(env)
conf.start_md([domain_a])
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.end_md()
conf.add_vhost(domains=[domain_a])
conf.add_md([domain_b])
conf.add_vhost(domains=[domain_b])
conf.install()
assert env.apache_restart() == 0
assert env.await_completion([domain_a], restart=False)
md = env.await_error(domain_b)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
],
matches = [
r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
]
)
def test_md_750_012(self, env):
# first one md without EAB, then one with
# first one fails, second works
domain_a = f"a{self.test_domain}"
domain_b = f"b{self.test_domain}"
conf = MDConf(env)
conf.add_md([domain_a])
conf.add_vhost(domains=[domain_a])
conf.start_md([domain_b])
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.end_md()
conf.add_vhost(domains=[domain_b])
conf.install()
assert env.apache_restart() == 0
assert env.await_completion([domain_b], restart=False)
md = env.await_error(domain_a)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
],
matches = [
r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
]
)
def test_md_750_013(self, env):
# 2 mds with the same EAB, should one create a single account
domain_a = f"a{self.test_domain}"
domain_b = f"b{self.test_domain}"
conf = MDConf(env)
conf.start_md([domain_a])
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.end_md()
conf.add_vhost(domains=[domain_a])
conf.start_md([domain_b])
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.end_md()
conf.add_vhost(domains=[domain_b])
conf.install()
assert env.apache_restart() == 0
assert env.await_completion([domain_a, domain_b])
md_a = env.get_md_status(domain_a)
md_b = env.get_md_status(domain_b)
assert md_a['ca'] == md_b['ca']
def test_md_750_014(self, env):
# md with correct EAB, get cert, change to another correct EAB
# needs to create a new account
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
assert env.await_completion(domains)
md_1 = env.get_md_status(domain)
conf = MDConf(env)
# this is another one of the values in conf/pebble-eab.json
# add a dns name to force renewal
domains = [domain, f'www.{domain}']
conf.add("MDExternalAccountBinding kid-2 b10lLJs8l1GPIzsLP0s6pMt8O0XVGnfTaCeROxQM0BIt2XrJMDHJZBM5NuQmQJQH")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
assert env.await_completion(domains)
md_2 = env.get_md_status(domain)
assert md_1['ca'] != md_2['ca']
def test_md_750_015(self, env):
# md with correct EAB, get cert, change to no EAB
# needs to fail
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
assert env.await_completion(domains)
conf = MDConf(env)
# this is another one of the values in conf/pebble-eab.json
# add a dns name to force renewal
domains = [domain, f'www.{domain}']
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
assert env.await_error(domain)
md = env.await_error(domain)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
],
matches = [
r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
]
)
def test_md_750_016(self, env):
# md with correct EAB, get cert, change to invalid EAB
# needs to fail
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
assert env.await_completion(domains)
conf = MDConf(env)
# this is another one of the values in conf/pebble-eab.json
# add a dns name to force renewal
domains = [domain, f'www.{domain}']
conf.add("MDExternalAccountBinding kid-invalud blablabalbalbla")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
assert env.await_error(domain)
md = env.await_error(domain)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:unauthorized'
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # the field 'kid' references a key that is not known to the ACME server
],
matches = [
r'.*urn:ietf:params:acme:error:unauthorized.*'
]
)
def test_md_750_017(self, env):
# md without EAB explicitly set to none
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
conf.start_md(domains)
conf.add("MDExternalAccountBinding none")
conf.end_md()
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
md = env.await_error(domain)
assert md['renewal']['errors'] > 0
assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
#
env.httpd_error_log.ignore_recent(
lognos = [
"AH10056" # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
],
matches = [
r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
]
)
def test_md_750_018(self, env):
# md with EAB file that does not exist
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
conf.add("MDExternalAccountBinding does-not-exist")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_fail() == 0
assert re.search(r'.*file not found:', env.apachectl_stderr), env.apachectl_stderr
def test_md_750_019(self, env):
# md with EAB file that is not valid JSON
domain = self.test_domain
domains = [domain]
eab_file = os.path.join(env.server_dir, 'eab.json')
with open(eab_file, 'w') as fd:
fd.write("something not JSON\n")
conf = MDConf(env)
conf.add("MDExternalAccountBinding eab.json")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_fail() == 0
assert re.search(r'.*error reading JSON file.*', env.apachectl_stderr), env.apachectl_stderr
def test_md_750_020(self, env):
# md with EAB file that is JSON, but missind kid
domain = self.test_domain
domains = [domain]
eab_file = os.path.join(env.server_dir, 'eab.json')
with open(eab_file, 'w') as fd:
eab = {'something': 1, 'other': 2}
fd.write(json.encoder.JSONEncoder().encode(eab))
conf = MDConf(env)
conf.add("MDExternalAccountBinding eab.json")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_fail() == 0
assert re.search(r'.*JSON does not contain \'kid\' element.*', env.apachectl_stderr), env.apachectl_stderr
def test_md_750_021(self, env):
# md with EAB file that is JSON, but missind hmac
domain = self.test_domain
domains = [domain]
eab_file = os.path.join(env.server_dir, 'eab.json')
with open(eab_file, 'w') as fd:
eab = {'kid': 'kid-1', 'other': 2}
fd.write(json.encoder.JSONEncoder().encode(eab))
conf = MDConf(env)
conf.add("MDExternalAccountBinding eab.json")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_fail() == 0
assert re.search(r'.*JSON does not contain \'hmac\' element.*', env.apachectl_stderr), env.apachectl_stderr
def test_md_750_022(self, env):
# md with EAB file that has correct values
domain = self.test_domain
domains = [domain]
eab_file = os.path.join(env.server_dir, 'eab.json')
with open(eab_file, 'w') as fd:
eab = {'kid': 'kid-1', 'hmac': 'zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W'}
fd.write(json.encoder.JSONEncoder().encode(eab))
domain = self.test_domain
domains = [domain]
conf = MDConf(env)
# this is one of the values in conf/pebble-eab.json
conf.add("MDExternalAccountBinding eab.json")
conf.add_md(domains)
conf.add_vhost(domains=domains)
conf.install()
assert env.apache_restart() == 0
assert env.await_completion(domains)