class ServiceIdentityTests(SynchronousTestCase):
Constructor: ServiceIdentityTests(methodName)
Tests for the verification of the peer's service's identity via the hostname argument to sslverify.OpenSSLCertificateOptions.
Method | service |
Connect a server and a client. |
Method | test_but |
ssl.optionsForClientTLS should be using ssl.platformTrust by default, so if we fake that out then it should trust ourselves again. |
Method | test_client |
When the server verifies and the client presents an invalid certificate for that verification by passing it to sslverify.optionsForClientTLS, the connection cannot be established with an SSL error. |
Method | test_client |
When the server verifies and the client presents a valid certificate for that verification by passing it to sslverify.optionsForClientTLS, communication proceeds. |
Method | test |
sslverify.simpleVerifyHostname checks string equality on the commonName of a connection's certificate's subject, doing nothing if it matches and raising VerificationError if it doesn't. |
Method | test_hostname |
Hostnames are encoded as IDNA. |
Method | test_hostname |
Specifying the hostname argument to CertificateOptions also sets the Server Name Extension TLS indication field to the correct value. |
Method | test_invalid |
When a certificate containing an invalid hostname is received from the server, the connection is immediately dropped. |
Method | test_real |
If we use the default trust from the platform, our dinky certificate should really fail. |
Method | test_surprise |
pyOpenSSL isn't always so great about reporting errors. If one occurs in the verification info callback, it should be logged and the connection should be shut down (if possible, anyway; the app_data could be clobbered but there's no point testing for that). |
Method | test_valid |
Whenever a valid certificate containing a valid hostname is received, connection proceeds normally. |
Method | test_valid |
When an invalid certificate containing a perfectly valid hostname is received, the connection is aborted with an OpenSSL error. |
Instance Variable | client |
Undocumented |
Instance Variable | server |
Undocumented |
Inherited from SynchronousTestCase:
Method | __eq__ |
Override the comparison defined by the base TestCase which considers instances of the same class with the same _testMethodName to be equal. Since trial puts TestCase instances into a set, that definition of comparison makes it impossible to run the same test method twice... |
Method | __hash__ |
Undocumented |
Method | __init__ |
Undocumented |
Method | add |
Add the given function to a list of functions to be called after the test has run, but before tearDown. |
Method | call |
Call a function that should have been deprecated at a specific version and in favor of a specific alternative, and assert that it was thusly deprecated. |
Method | flush |
Remove stored errors received from the log. |
Method | flush |
Remove stored warnings from the list of captured warnings and return them. |
Method | get |
Retrieve a module attribute which should have been deprecated, and assert that we saw the appropriate deprecation warning. |
Method | get |
Return the skip reason set on this test, if any is set. Checks on the instance first, then the class, then the module, then packages. As soon as it finds something with a skip attribute, returns that in a tuple (... |
Method | get |
Return a Todo object if the test is marked todo. Checks on the instance first, then the class, then the module, then packages. As soon as it finds something with a todo attribute, returns that. Returns ... |
Method | mktemp |
Create a new path name which can be used for a new file or directory. |
Method | patch |
Monkey patch an object for the duration of the test. |
Method | run |
Run the test case, storing the results in result. |
Method | run |
If no methodName argument is passed to the constructor, run will treat this method as the thing with the actual test inside. |
Method | short |
Undocumented |
Instance Variable | failure |
An exception class, defaulting to FailTest. If the test method raises this exception, it will be reported as a failure, rather than an exception. All of the assertion methods raise this if the assertion fails. |
Instance Variable | skip |
None or a string explaining why this test is to be skipped. If defined, the test will not be run. Instead, it will be reported to the result object as 'skipped' (if the TestResult supports skipping). |
Instance Variable | suppress |
None or a list of tuples of (args, kwargs) to be passed to warnings.filterwarnings. Use these to suppress warnings raised in a test. Useful for testing deprecated code. See also util.suppress. |
Instance Variable | todo |
None, a string or a tuple of (errors, reason) where errors is either an exception class or an iterable of exception classes, and reason is a string. See Todo or makeTodo for more information. |
Method | _get |
Return the reason to use for skipping a test method. |
Method | _get |
Returns any warning suppressions set for this test. Checks on the instance first, then the class, then the module, then packages. As soon as it finds something with a suppress attribute, returns that. ... |
Method | _install |
Undocumented |
Method | _remove |
Undocumented |
Method | _run |
Run a single method, either a test method or fixture. |
Method | _run |
Synchronously run any cleanups which have been added. |
Method | _run |
Run setUp, a test method, test cleanups, and tearDown. |
Instance Variable | _cleanups |
Undocumented |
Instance Variable | _observer |
Undocumented |
Instance Variable | _parents |
Undocumented |
Instance Variable | _passed |
Undocumented |
Instance Variable | _test |
Undocumented |
Instance Variable | _warnings |
Undocumented |
Inherited from _Assertions (via SynchronousTestCase):
Method | assert |
Fail if the two objects are unequal as determined by their difference rounded to the given number of decimal places (default 7) and comparing to zero. |
Method | assert |
Fail if first - second > tolerance |
Method | assert |
Fail the test if first and second are not equal. |
Method | assert |
Fail the test if condition evaluates to True. |
Method | assert |
Fail the test if containee is not found in container. |
Method | assert |
Fail the test if first is not second. This is an object-identity-equality test, not an object equality (i.e. __eq__) test. |
Method | assert |
Fail if instance is not an instance of the given class or of one of the given classes. |
Method | assert |
Fail the test if first is second. This is an object-identity-equality test, not an object equality (i.e. __eq__) test. |
Method | assert |
Assert that deferred does not have a result at this point. |
Method | assert |
Fail if the two objects are equal as determined by their difference rounded to the given number of decimal places (default 7) and comparing to zero. |
Method | assert |
Fail the test if first == second. |
Method | assert |
Fail the test if containee is found in container. |
Method | assert |
Fail if instance is an instance of the given class or of one of the given classes. |
Method | assert |
Fail if astring contains substring. |
Method | assert |
Fail the test unless calling the function f with the given args and kwargs raises exception. The failure will report the traceback and call stack of the unexpected exception. |
Method | assert |
Fail if substring does not exist within astring. |
Method | assert |
Fail the test if condition evaluates to False. |
Method | assert |
Fail if the given function doesn't generate the specified warning when called. It calls the function, checks the warning, and forwards the result of the function if everything is fine. |
Method | fail |
Absolutely fail the test. Do not pass go, do not collect $200. |
Method | failure |
Return the current failure result of deferred or raise self.failureException. |
Method | success |
Return the current success result of deferred or raise self.failureException. |
Connect a server and a client.
Parameters | |
client | unicode | The client's idea of the server's hostname; passed as the hostname to the sslverify.OpenSSLCertificateOptions instance. |
server | unicode | The server's own idea of the server's hostname; present in the certificate presented by the server. |
server | callable taking OpenSSL.SSL.Context returning None | a 1-argument callable invoked with the OpenSSL.SSL.Context after it's produced. |
valid | bool | Is the server's certificate valid? True if so, False otherwise. |
client | bool | Should the client present a certificate to the server? Defaults to 'no'. |
valid | bool | If the client presents a certificate, should it actually be a valid one, i.e. signed by the same CA that the server is checking? Defaults to 'yes'. |
server | bool | Should the server verify the client's certificate? Defaults to 'no'. |
buggy | bool | Should we patch the implementation so that the info_callback passed to OpenSSL has a bug and raises an exception (ZeroDivisionError)? Defaults to 'no'. |
fake | bool | Should we fake the platformTrust to be the same as our fake server certificate authority, so that we can test it's being used? Defaults to 'no' and we just pass platform trust. |
use | bool | Should we avoid passing the trustRoot to ssl.optionsForClientTLS? Defaults to 'no'. |
Returns | |
5-tuple of 4 IProtocols and IOPump | the client TLS protocol, the client wrapped protocol, the server TLS protocol, the server wrapped protocol and an IOPump which, when its pump and flush methods are called, will move data between the created client and server protocol instances |
ssl.optionsForClientTLS should be using ssl.platformTrust by default, so if we fake that out then it should trust ourselves again.
When the server verifies and the client presents an invalid certificate for that verification by passing it to sslverify.optionsForClientTLS, the connection cannot be established with an SSL error.
When the server verifies and the client presents a valid certificate for that verification by passing it to sslverify.optionsForClientTLS, communication proceeds.
sslverify.simpleVerifyHostname checks string equality on the commonName of a connection's certificate's subject, doing nothing if it matches and raising VerificationError if it doesn't.
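An added example, not Twisted's own code: the commonName string-equality check described above, run against constructed stand-in objects to show which names pure equality accepts and which it rejects. The classes `FakeSubject`, `FakeCert` and `FakeConnection`, the local `VerificationError`, the helper names and the use of Python's built-in `idna` codec are assumptions made for illustration.

```python
class VerificationError(Exception):
    """Local stand-in for the error raised on a commonName mismatch."""

# Constructed stand-ins exposing only the accessors the check needs.
class FakeSubject:
    def __init__(self, commonName):
        self.commonName = commonName

class FakeCert:
    def __init__(self, commonName):
        self._subject = FakeSubject(commonName)
    def get_subject(self):
        return self._subject

class FakeConnection:
    def __init__(self, commonName):
        self._cert = FakeCert(commonName)
    def get_peer_certificate(self):
        return self._cert

def cn_equality_check(connection, hostname):
    """Do nothing on an exact commonName match, otherwise raise."""
    common_name = connection.get_peer_certificate().get_subject().commonName
    if common_name != hostname:
        raise VerificationError(f"{common_name!r} != {hostname!r}")

def accepted(cert_cn, hostname):
    """True if the check passes for this certificate CN and expected hostname."""
    try:
        cn_equality_check(FakeConnection(cert_cn), hostname)
    except VerificationError:
        return False
    return True

def to_a_label(hostname):
    """IDNA-encode a Unicode hostname (stdlib codec, assumed for the example)."""
    return hostname.encode("idna").decode("ascii")

# Constructed (certificate CN, hostname the client expects) pairs.
CASES = [
    ("valid.example.com", "valid.example.com"),       # exact match
    ("valid.example.com", "VALID.example.com"),       # case differs
    ("*.example.com", "www.example.com"),             # wildcard is not expanded
    ("valid.example.com", "valid.example.com."),      # trailing dot
    ("xn--bcher-kva.example", "bücher.example"),      # Unicode form vs A-label
    ("xn--bcher-kva.example", to_a_label("bücher.example")),  # encoded first
]

def run_cases():
    return [accepted(cn, host) for cn, host in CASES]
```

Only byte-for-byte identical names pass, so a check of this kind is suited to tests with fixed names rather than to general hostname verification.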
Specifying the hostname argument to CertificateOptions also sets the Server Name Extension TLS indication field to the correct value.
When a certificate containing an invalid hostname is received from the server, the connection is immediately dropped.
pyOpenSSL isn't always so great about reporting errors. If one occurs in the verification info callback, it should be logged and the connection should be shut down (if possible, anyway; the app_data could be clobbered but there's no point testing for that).