Quelle  test_750_eab.py   Sprache: Python

import json.encoder
import os
import re

import pytest

from .md_conf import MDConf
from .md_env import MDTestEnv


@pytest.mark.skipif(condition=not MDTestEnv.has_acme_eab(),
                    reason="ACME test server does not support External Account Binding")
class TestEab:

    @pytest.fixture(autouse=True, scope='class')
    def _class_scope(self, env, acme):
        acme.start(config='eab')
        env.check_acme()
        env.clear_store()
        MDConf(env).install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'

    @pytest.fixture(autouse=True, scope='function')
    def _method_scope(self, env, request):
        env.clear_store()
        self.test_domain = env.get_request_domain(request)

    def test_md_750_001(self, env):
        # md without EAB configured
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        md = env.await_error(domain)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
            ]
        )

    def test_md_750_002(self, env):
        # md with known EAB KID and non base64 hmac key configured
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding kid-1 äöüß")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        md = env.await_error(domain)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] == 'apache:eab-hmac-invalid'
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # external account binding HMAC value is not valid base64
            ],
            matches = [
                r'.*problem\[apache:eab-hmac-invalid\].*'
            ]
        )

    def test_md_750_003(self, env):
        # md with empty EAB KID configured
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding \" \" bm90IGEgdmFsaWQgaG1hYwo=")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        md = env.await_error(domain)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] in [
            'urn:ietf:params:acme:error:unauthorized',
            'urn:ietf:params:acme:error:malformed',
        ]
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # the field 'kid' references a key that is not known to the ACME server
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:(unauthorized|malformed).*'
            ]
        )

    def test_md_750_004(self, env):
        # md with unknown EAB KID configured
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding key-x bm90IGEgdmFsaWQgaG1hYwo=")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        md = env.await_error(domain)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] in [
            'urn:ietf:params:acme:error:unauthorized',
            'urn:ietf:params:acme:error:malformed',
        ]
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # the field 'kid' references a key that is not known to the ACME server
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:(unauthorized|malformed).*'
            ]
        )

    def test_md_750_005(self, env):
        # md with known EAB KID but wrong HMAC configured
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding kid-1 bm90IGEgdmFsaWQgaG1hYwo=")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        md = env.await_error(domain)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] in [
            'urn:ietf:params:acme:error:unauthorized',
            'urn:ietf:params:acme:error:malformed',
        ]
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # external account binding JWS verification error: square/go-jose: error in cryptographic primitive
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:(unauthorized|malformed).*'
            ]
        )

    def test_md_750_010(self, env):
        # md with correct EAB configured
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        # this is one of the values in conf/pebble-eab.json
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion(domains)

    def test_md_750_011(self, env):
        # first one md with EAB, then one without, works only for the first
        # as the second is unable to reuse the account
        domain_a = f"a{self.test_domain}"
        domain_b = f"b{self.test_domain}"
        conf = MDConf(env)
        conf.start_md([domain_a])
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.end_md()
        conf.add_vhost(domains=[domain_a])
        conf.add_md([domain_b])
        conf.add_vhost(domains=[domain_b])
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion([domain_a], restart=False)
        md = env.await_error(domain_b)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
            ]
        )

    def test_md_750_012(self, env):
        # first one md without EAB, then one with
        # first one fails, second works
        domain_a = f"a{self.test_domain}"
        domain_b = f"b{self.test_domain}"
        conf = MDConf(env)
        conf.add_md([domain_a])
        conf.add_vhost(domains=[domain_a])
        conf.start_md([domain_b])
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.end_md()
        conf.add_vhost(domains=[domain_b])
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion([domain_b], restart=False)
        md = env.await_error(domain_a)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
            ]
        )

    def test_md_750_013(self, env):
        # 2 mds with the same EAB, should one create a single account
        domain_a = f"a{self.test_domain}"
        domain_b = f"b{self.test_domain}"
        conf = MDConf(env)
        conf.start_md([domain_a])
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.end_md()
        conf.add_vhost(domains=[domain_a])
        conf.start_md([domain_b])
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.end_md()
        conf.add_vhost(domains=[domain_b])
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion([domain_a, domain_b])
        md_a = env.get_md_status(domain_a)
        md_b = env.get_md_status(domain_b)
        assert md_a['ca'] == md_b['ca']

    def test_md_750_014(self, env):
        # md with correct EAB, get cert, change to another correct EAB
        # needs to create a new account
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion(domains)
        md_1 = env.get_md_status(domain)
        conf = MDConf(env)
        # this is another one of the values in conf/pebble-eab.json
        # add a dns name to force renewal
        domains = [domain, f'www.{domain}']
        conf.add("MDExternalAccountBinding kid-2 b10lLJs8l1GPIzsLP0s6pMt8O0XVGnfTaCeROxQM0BIt2XrJMDHJZBM5NuQmQJQH")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion(domains)
        md_2 = env.get_md_status(domain)
        assert md_1['ca'] != md_2['ca']

    def test_md_750_015(self, env):
        # md with correct EAB, get cert, change to no EAB
        # needs to fail
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion(domains)
        conf = MDConf(env)
        # this is another one of the values in conf/pebble-eab.json
        # add a dns name to force renewal
        domains = [domain, f'www.{domain}']
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_error(domain)
        md = env.await_error(domain)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
            ]
        )

    def test_md_750_016(self, env):
        # md with correct EAB, get cert, change to invalid EAB
        # needs to fail
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion(domains)
        conf = MDConf(env)
        # this is another one of the values in conf/pebble-eab.json
        # add a dns name to force renewal
        domains = [domain, f'www.{domain}']
        conf.add("MDExternalAccountBinding kid-invalud blablabalbalbla")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_error(domain)
        md = env.await_error(domain)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:unauthorized'
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # the field 'kid' references a key that is not known to the ACME server
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:unauthorized.*'
            ]
        )

    def test_md_750_017(self, env):
        # md without EAB explicitly set to none
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding kid-1 zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W")
        conf.start_md(domains)
        conf.add("MDExternalAccountBinding none")
        conf.end_md()
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        md = env.await_error(domain)
        assert md['renewal']['errors'] > 0
        assert md['renewal']['last']['problem'] == 'urn:ietf:params:acme:error:externalAccountRequired'
        #
        env.httpd_error_log.ignore_recent(
            lognos = [
                "AH10056"   # ACME server policy requires newAccount requests must include a value for the 'externalAccountBinding' field
            ],
            matches = [
                r'.*urn:ietf:params:acme:error:externalAccountRequired.*'
            ]
        )

    def test_md_750_018(self, env):
        # md with EAB file that does not exist
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding does-not-exist")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_fail() == 0
        assert re.search(r'.*file not found:', env.apachectl_stderr), env.apachectl_stderr

    def test_md_750_019(self, env):
        # md with EAB file that is not valid JSON
        domain = self.test_domain
        domains = [domain]
        eab_file = os.path.join(env.server_dir, 'eab.json')
        with open(eab_file, 'w') as fd:
            fd.write("something not JSON\n")
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding eab.json")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_fail() == 0
        assert re.search(r'.*error reading JSON file.*', env.apachectl_stderr), env.apachectl_stderr

    def test_md_750_020(self, env):
        # md with EAB file that is JSON, but missind kid
        domain = self.test_domain
        domains = [domain]
        eab_file = os.path.join(env.server_dir, 'eab.json')
        with open(eab_file, 'w') as fd:
            eab = {'something': 1, 'other': 2}
            fd.write(json.encoder.JSONEncoder().encode(eab))
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding eab.json")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_fail() == 0
        assert re.search(r'.*JSON does not contain \'kid\' element.*', env.apachectl_stderr), env.apachectl_stderr

    def test_md_750_021(self, env):
        # md with EAB file that is JSON, but missind hmac
        domain = self.test_domain
        domains = [domain]
        eab_file = os.path.join(env.server_dir, 'eab.json')
        with open(eab_file, 'w') as fd:
            eab = {'kid': 'kid-1', 'other': 2}
            fd.write(json.encoder.JSONEncoder().encode(eab))
        conf = MDConf(env)
        conf.add("MDExternalAccountBinding eab.json")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_fail() == 0
        assert re.search(r'.*JSON does not contain \'hmac\' element.*', env.apachectl_stderr), env.apachectl_stderr

    def test_md_750_022(self, env):
        # md with EAB file that has correct values
        domain = self.test_domain
        domains = [domain]
        eab_file = os.path.join(env.server_dir, 'eab.json')
        with open(eab_file, 'w') as fd:
            eab = {'kid': 'kid-1', 'hmac': 'zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W'}
            fd.write(json.encoder.JSONEncoder().encode(eab))
        domain = self.test_domain
        domains = [domain]
        conf = MDConf(env)
        # this is one of the values in conf/pebble-eab.json
        conf.add("MDExternalAccountBinding eab.json")
        conf.add_md(domains)
        conf.add_vhost(domains=domains)
        conf.install()
        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
        assert env.await_completion(domains)