mirror of
https://github.com/certbot/certbot.git
synced 2025-07-30 09:03:08 +03:00
Added certbot-ci to lint section. Silenced and fixed linting warnings. (#8450)
This commit is contained in:
Mads Jensen
GitHub
@ -186,6 +186,7 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
|
||||
raise errors.Error(error)
|
||||
return client_ssl.get_peer_certificate()
|
||||
|
||||
|
||||
def make_csr(private_key_pem, domains, must_staple=False):
|
||||
"""Generate a CSR containing a list of domains as subjectAltNames.
|
||||
|
||||
@ -217,6 +218,7 @@ def make_csr(private_key_pem, domains, must_staple=False):
|
||||
return crypto.dump_certificate_request(
|
||||
crypto.FILETYPE_PEM, csr)
|
||||
|
||||
|
||||
def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
|
||||
common_name = loaded_cert_or_req.get_subject().CN
|
||||
sans = _pyopenssl_cert_or_req_san(loaded_cert_or_req)
|
||||
@ -225,6 +227,7 @@ def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
|
||||
return sans
|
||||
return [common_name] + [d for d in sans if d != common_name]
|
||||
|
||||
|
||||
def _pyopenssl_cert_or_req_san(cert_or_req):
|
||||
"""Get Subject Alternative Names from certificate or CSR using pyOpenSSL.
|
||||
|
||||
@ -317,6 +320,7 @@ def gen_ss_cert(key, domains, not_before=None,
|
||||
cert.sign(key, "sha256")
|
||||
return cert
|
||||
|
||||
|
||||
def dump_pyopenssl_chain(chain, filetype=crypto.FILETYPE_PEM):
|
||||
"""Dump certificate chain into a bundle.
|
||||
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
# pylint: disable=missing-module-docstring
|
||||
import pytest
|
||||
|
||||
# Custom assertions defined in the following package need to be registered to be properly
|
||||
|
||||
@ -29,8 +29,9 @@ from certbot_integration_tests.certbot_tests.assertions import EVERYBODY_SID
|
||||
from certbot_integration_tests.utils import misc
|
||||
|
||||
|
||||
@pytest.fixture()
|
||||
def context(request):
|
||||
@pytest.fixture(name='context')
|
||||
def test_context(request):
|
||||
# pylint: disable=missing-function-docstring
|
||||
# Fixture request is a built-in pytest fixture describing current test request.
|
||||
integration_test_context = certbot_context.IntegrationTestsContext(request)
|
||||
try:
|
||||
@ -222,14 +223,16 @@ def test_renew_files_propagate_permissions(context):
|
||||
if os.name != 'nt':
|
||||
os.chmod(privkey1, 0o444)
|
||||
else:
|
||||
import win32security
|
||||
import ntsecuritycon
|
||||
import win32security # pylint: disable=import-error
|
||||
import ntsecuritycon # pylint: disable=import-error
|
||||
# Get the current DACL of the private key
|
||||
security = win32security.GetFileSecurity(privkey1, win32security.DACL_SECURITY_INFORMATION)
|
||||
dacl = security.GetSecurityDescriptorDacl()
|
||||
# Create a read permission for Everybody group
|
||||
everybody = win32security.ConvertStringSidToSid(EVERYBODY_SID)
|
||||
dacl.AddAccessAllowedAce(win32security.ACL_REVISION, ntsecuritycon.FILE_GENERIC_READ, everybody)
|
||||
dacl.AddAccessAllowedAce(
|
||||
win32security.ACL_REVISION, ntsecuritycon.FILE_GENERIC_READ, everybody
|
||||
)
|
||||
# Apply the updated DACL to the private key
|
||||
security.SetSecurityDescriptorDacl(1, dacl, 0)
|
||||
win32security.SetFileSecurity(privkey1, win32security.DACL_SECURITY_INFORMATION, security)
|
||||
@ -238,12 +241,14 @@ def test_renew_files_propagate_permissions(context):
|
||||
|
||||
assert_cert_count_for_lineage(context.config_dir, certname, 2)
|
||||
if os.name != 'nt':
|
||||
# On Linux, read world permissions + all group permissions will be copied from the previous private key
|
||||
# On Linux, read world permissions + all group permissions
|
||||
# will be copied from the previous private key
|
||||
assert_world_read_permissions(privkey2)
|
||||
assert_equals_world_read_permissions(privkey1, privkey2)
|
||||
assert_equals_group_permissions(privkey1, privkey2)
|
||||
else:
|
||||
# On Windows, world will never have any permissions, and group permission is irrelevant for this platform
|
||||
# On Windows, world will never have any permissions, and
|
||||
# group permission is irrelevant for this platform
|
||||
assert_world_no_permissions(privkey2)
|
||||
|
||||
|
||||
@ -609,14 +614,17 @@ def test_revoke_multiple_lineages(context):
|
||||
with open(join(context.config_dir, 'renewal', '{0}.conf'.format(cert2)), 'r') as file:
|
||||
data = file.read()
|
||||
|
||||
data = re.sub('archive_dir = .*\n',
|
||||
'archive_dir = {0}\n'.format(join(context.config_dir, 'archive', cert1).replace('\\', '\\\\')),
|
||||
data)
|
||||
data = re.sub(
|
||||
'archive_dir = .*\n',
|
||||
'archive_dir = {0}\n'.format(
|
||||
join(context.config_dir, 'archive', cert1).replace('\\', '\\\\')
|
||||
), data
|
||||
)
|
||||
|
||||
with open(join(context.config_dir, 'renewal', '{0}.conf'.format(cert2)), 'w') as file:
|
||||
file.write(data)
|
||||
|
||||
output = context.certbot([
|
||||
context.certbot([
|
||||
'revoke', '--cert-path', join(context.config_dir, 'live', cert1, 'cert.pem')
|
||||
])
|
||||
|
||||
|
||||
@ -13,7 +13,6 @@ import sys
|
||||
|
||||
from certbot_integration_tests.utils import acme_server as acme_lib
|
||||
from certbot_integration_tests.utils import dns_server as dns_lib
|
||||
from certbot_integration_tests.utils.dns_server import DNSServer
|
||||
|
||||
|
||||
def pytest_addoption(parser):
|
||||
@ -92,8 +91,10 @@ def _setup_primary_node(config):
|
||||
try:
|
||||
subprocess.check_output(['docker-compose', '-v'], stderr=subprocess.STDOUT)
|
||||
except (subprocess.CalledProcessError, OSError):
|
||||
raise ValueError('Error: docker-compose is required in PATH to launch the integration tests, '
|
||||
'but is not installed or not available for current user.')
|
||||
raise ValueError(
|
||||
'Error: docker-compose is required in PATH to launch the integration tests, '
|
||||
'but is not installed or not available for current user.'
|
||||
)
|
||||
|
||||
# Parameter numprocesses is added to option by pytest-xdist
|
||||
workers = ['primary'] if not config.option.numprocesses\
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
"""Module to handle the context of nginx integration tests."""
|
||||
import os
|
||||
import subprocess
|
||||
|
||||
|
||||
@ -7,8 +7,8 @@ import pytest
|
||||
from certbot_integration_tests.nginx_tests import context as nginx_context
|
||||
|
||||
|
||||
@pytest.fixture()
|
||||
def context(request):
|
||||
@pytest.fixture(name='context')
|
||||
def test_context(request):
|
||||
# Fixture request is a built-in pytest fixture describing current test request.
|
||||
integration_test_context = nginx_context.IntegrationTestsContext(request)
|
||||
try:
|
||||
@ -27,7 +27,9 @@ def context(request):
|
||||
# No matching server block; default_server does not exist
|
||||
('nginx5.{0}.wtf', ['--preferred-challenges', 'http'], {'default_server': False}),
|
||||
# Multiple domains, mix of matching and not
|
||||
('nginx6.{0}.wtf,nginx7.{0}.wtf', ['--preferred-challenges', 'http'], {'default_server': False}),
|
||||
('nginx6.{0}.wtf,nginx7.{0}.wtf', [
|
||||
'--preferred-challenges', 'http'
|
||||
], {'default_server': False}),
|
||||
], indirect=['context'])
|
||||
def test_certificate_deployment(certname_pattern, params, context):
|
||||
# type: (str, list, nginx_context.IntegrationTestsContext) -> None
|
||||
@ -41,7 +43,9 @@ def test_certificate_deployment(certname_pattern, params, context):
|
||||
|
||||
lineage = domains.split(',')[0]
|
||||
server_cert = ssl.get_server_certificate(('localhost', context.tls_alpn_01_port))
|
||||
with open(os.path.join(context.workspace, 'conf/live/{0}/cert.pem'.format(lineage)), 'r') as file:
|
||||
with open(os.path.join(
|
||||
context.workspace, 'conf/live/{0}/cert.pem'.format(lineage)), 'r'
|
||||
) as file:
|
||||
certbot_cert = file.read()
|
||||
|
||||
assert server_cert == certbot_cert
|
||||
|
||||
@ -1,7 +1,10 @@
|
||||
from contextlib import contextmanager
|
||||
from pytest import skip
|
||||
from pkg_resources import resource_filename
|
||||
"""Module to handle the context of RFC2136 integration tests."""
|
||||
|
||||
import tempfile
|
||||
from contextlib import contextmanager
|
||||
|
||||
from pkg_resources import resource_filename
|
||||
from pytest import skip
|
||||
|
||||
from certbot_integration_tests.certbot_tests import context as certbot_context
|
||||
from certbot_integration_tests.utils import certbot_call
|
||||
@ -33,7 +36,6 @@ class IntegrationTestsContext(certbot_context.IntegrationTestsContext):
|
||||
|
||||
@contextmanager
|
||||
def rfc2136_credentials(self, label='default'):
|
||||
# type: (str) -> str
|
||||
"""
|
||||
Produces the contents of a certbot-dns-rfc2136 credentials file.
|
||||
:param str label: which RFC2136 credential to use
|
||||
@ -52,10 +54,10 @@ class IntegrationTestsContext(certbot_context.IntegrationTestsContext):
|
||||
)
|
||||
|
||||
with tempfile.NamedTemporaryFile('w+', prefix='rfc2136-creds-{}'.format(label),
|
||||
suffix='.ini', dir=self.workspace) as f:
|
||||
f.write(contents)
|
||||
f.flush()
|
||||
yield f.name
|
||||
suffix='.ini', dir=self.workspace) as fp:
|
||||
fp.write(contents)
|
||||
fp.flush()
|
||||
yield fp.name
|
||||
|
||||
def skip_if_no_bind9_server(self):
|
||||
"""Skips the test if there was no RFC2136-capable DNS server configured
|
||||
|
||||
@ -4,8 +4,9 @@ import pytest
|
||||
from certbot_integration_tests.rfc2136_tests import context as rfc2136_context
|
||||
|
||||
|
||||
@pytest.fixture()
|
||||
def context(request):
|
||||
@pytest.fixture(name="context")
|
||||
def pytest_context(request):
|
||||
# pylint: disable=missing-function-docstring
|
||||
# Fixture request is a built-in pytest fixture describing current test request.
|
||||
integration_test_context = rfc2136_context.IntegrationTestsContext(request)
|
||||
try:
|
||||
|
||||
@ -7,7 +7,6 @@ import errno
|
||||
import json
|
||||
import os
|
||||
from os.path import join
|
||||
import re
|
||||
import shutil
|
||||
import subprocess
|
||||
import sys
|
||||
@ -16,9 +15,11 @@ import time
|
||||
|
||||
import requests
|
||||
|
||||
from acme.magic_typing import List
|
||||
from certbot_integration_tests.utils import misc
|
||||
from certbot_integration_tests.utils import pebble_artifacts
|
||||
from certbot_integration_tests.utils import proxy
|
||||
# pylint: disable=wildcard-import,unused-wildcard-import
|
||||
from certbot_integration_tests.utils.constants import *
|
||||
|
||||
|
||||
@ -31,8 +32,8 @@ class ACMEServer(object):
|
||||
ACMEServer gives access the acme_xdist parameter, listing the ports and directory url to use
|
||||
for each pytest node. It exposes also start and stop methods in order to start the stack, and
|
||||
stop it with proper resources cleanup.
|
||||
ACMEServer is also a context manager, and so can be used to ensure ACME server is started/stopped
|
||||
upon context enter/exit.
|
||||
ACMEServer is also a context manager, and so can be used to ensure ACME server is
|
||||
started/stopped upon context enter/exit.
|
||||
"""
|
||||
def __init__(self, acme_server, nodes, http_proxy=True, stdout=False, dns_server=None):
|
||||
"""
|
||||
@ -48,7 +49,7 @@ class ACMEServer(object):
|
||||
self._acme_type = 'pebble' if acme_server == 'pebble' else 'boulder'
|
||||
self._proxy = http_proxy
|
||||
self._workspace = tempfile.mkdtemp()
|
||||
self._processes = []
|
||||
self._processes = [] # type: List
|
||||
self._stdout = sys.stdout if stdout else open(os.devnull, 'w')
|
||||
self._dns_server = dns_server
|
||||
|
||||
@ -107,19 +108,26 @@ class ACMEServer(object):
|
||||
"""Generate and return the acme_xdist dict"""
|
||||
acme_xdist = {'acme_server': acme_server, 'challtestsrv_port': CHALLTESTSRV_PORT}
|
||||
|
||||
# Directory and ACME port are set implicitly in the docker-compose.yml files of Boulder/Pebble.
|
||||
# Directory and ACME port are set implicitly in the docker-compose.yml
|
||||
# files of Boulder/Pebble.
|
||||
if acme_server == 'pebble':
|
||||
acme_xdist['directory_url'] = PEBBLE_DIRECTORY_URL
|
||||
else: # boulder
|
||||
acme_xdist['directory_url'] = BOULDER_V2_DIRECTORY_URL \
|
||||
if acme_server == 'boulder-v2' else BOULDER_V1_DIRECTORY_URL
|
||||
|
||||
acme_xdist['http_port'] = {node: port for (node, port)
|
||||
in zip(nodes, range(5200, 5200 + len(nodes)))}
|
||||
acme_xdist['https_port'] = {node: port for (node, port)
|
||||
in zip(nodes, range(5100, 5100 + len(nodes)))}
|
||||
acme_xdist['other_port'] = {node: port for (node, port)
|
||||
in zip(nodes, range(5300, 5300 + len(nodes)))}
|
||||
acme_xdist['http_port'] = {
|
||||
node: port for (node, port) in # pylint: disable=unnecessary-comprehension
|
||||
zip(nodes, range(5200, 5200 + len(nodes)))
|
||||
}
|
||||
acme_xdist['https_port'] = {
|
||||
node: port for (node, port) in # pylint: disable=unnecessary-comprehension
|
||||
zip(nodes, range(5100, 5100 + len(nodes)))
|
||||
}
|
||||
acme_xdist['other_port'] = {
|
||||
node: port for (node, port) in # pylint: disable=unnecessary-comprehension
|
||||
zip(nodes, range(5300, 5300 + len(nodes)))
|
||||
}
|
||||
|
||||
self.acme_xdist = acme_xdist
|
||||
|
||||
@ -150,9 +158,9 @@ class ACMEServer(object):
|
||||
env=environ)
|
||||
|
||||
# pebble_ocsp_server is imported here and not at the top of module in order to avoid a
|
||||
# useless ImportError, in the case where cryptography dependency is too old to support ocsp,
|
||||
# but Boulder is used instead of Pebble, so pebble_ocsp_server is not used. This is the
|
||||
# typical situation of integration-certbot-oldest tox testenv.
|
||||
# useless ImportError, in the case where cryptography dependency is too old to support
|
||||
# ocsp, but Boulder is used instead of Pebble, so pebble_ocsp_server is not used. This is
|
||||
# the typical situation of integration-certbot-oldest tox testenv.
|
||||
from certbot_integration_tests.utils import pebble_ocsp_server
|
||||
self._launch_process([sys.executable, pebble_ocsp_server.__file__])
|
||||
|
||||
@ -195,13 +203,16 @@ class ACMEServer(object):
|
||||
|
||||
if not self._dns_server:
|
||||
# Configure challtestsrv to answer any A record request with ip of the docker host.
|
||||
response = requests.post('http://localhost:{0}/set-default-ipv4'.format(CHALLTESTSRV_PORT),
|
||||
json={'ip': '10.77.77.1'})
|
||||
response = requests.post('http://localhost:{0}/set-default-ipv4'.format(
|
||||
CHALLTESTSRV_PORT), json={'ip': '10.77.77.1'}
|
||||
)
|
||||
response.raise_for_status()
|
||||
except BaseException:
|
||||
# If we failed to set up boulder, print its logs.
|
||||
print('=> Boulder setup failed. Boulder logs are:')
|
||||
process = self._launch_process(['docker-compose', 'logs'], cwd=instance_path, force_stderr=True)
|
||||
process = self._launch_process([
|
||||
'docker-compose', 'logs'], cwd=instance_path, force_stderr=True
|
||||
)
|
||||
process.wait()
|
||||
raise
|
||||
|
||||
@ -221,12 +232,15 @@ class ACMEServer(object):
|
||||
if not env:
|
||||
env = os.environ
|
||||
stdout = sys.stderr if force_stderr else self._stdout
|
||||
process = subprocess.Popen(command, stdout=stdout, stderr=subprocess.STDOUT, cwd=cwd, env=env)
|
||||
process = subprocess.Popen(
|
||||
command, stdout=stdout, stderr=subprocess.STDOUT, cwd=cwd, env=env
|
||||
)
|
||||
self._processes.append(process)
|
||||
return process
|
||||
|
||||
|
||||
def main():
|
||||
# pylint: disable=missing-function-docstring
|
||||
parser = argparse.ArgumentParser(
|
||||
description='CLI tool to start a local instance of Pebble or Boulder CA server.')
|
||||
parser.add_argument('--server-type', '-s',
|
||||
@ -239,7 +253,10 @@ def main():
|
||||
'resolve domains to localhost.')
|
||||
args = parser.parse_args()
|
||||
|
||||
acme_server = ACMEServer(args.server_type, [], http_proxy=False, stdout=True, dns_server=args.dns_server)
|
||||
acme_server = ACMEServer(
|
||||
args.server_type, [], http_proxy=False, stdout=True,
|
||||
dns_server=args.dns_server
|
||||
)
|
||||
|
||||
try:
|
||||
with acme_server as acme_xdist:
|
||||
|
||||
@ -2,12 +2,13 @@
|
||||
"""Module to call certbot in test mode"""
|
||||
from __future__ import absolute_import
|
||||
|
||||
from distutils.version import LooseVersion
|
||||
import os
|
||||
import subprocess
|
||||
import sys
|
||||
from distutils.version import LooseVersion
|
||||
|
||||
import certbot_integration_tests
|
||||
# pylint: disable=wildcard-import,unused-wildcard-import
|
||||
from certbot_integration_tests.utils.constants import *
|
||||
|
||||
|
||||
@ -35,6 +36,8 @@ def certbot_test(certbot_args, directory_url, http_01_port, tls_alpn_01_port,
|
||||
|
||||
|
||||
def _prepare_environ(workspace):
|
||||
# pylint: disable=missing-function-docstring
|
||||
|
||||
new_environ = os.environ.copy()
|
||||
new_environ['TMPDIR'] = workspace
|
||||
|
||||
@ -58,8 +61,13 @@ def _prepare_environ(workspace):
|
||||
# certbot_integration_tests.__file__ is:
|
||||
# '/path/to/certbot/certbot-ci/certbot_integration_tests/__init__.pyc'
|
||||
# ... and we want '/path/to/certbot'
|
||||
certbot_root = os.path.dirname(os.path.dirname(os.path.dirname(certbot_integration_tests.__file__)))
|
||||
python_paths = [path for path in new_environ['PYTHONPATH'].split(':') if path != certbot_root]
|
||||
certbot_root = os.path.dirname(os.path.dirname(
|
||||
os.path.dirname(certbot_integration_tests.__file__))
|
||||
)
|
||||
python_paths = [
|
||||
path for path in new_environ['PYTHONPATH'].split(':')
|
||||
if path != certbot_root
|
||||
]
|
||||
new_environ['PYTHONPATH'] = ':'.join(python_paths)
|
||||
|
||||
return new_environ
|
||||
@ -70,7 +78,8 @@ def _compute_additional_args(workspace, environ, force_renew):
|
||||
output = subprocess.check_output(['certbot', '--version'],
|
||||
universal_newlines=True, stderr=subprocess.STDOUT,
|
||||
cwd=workspace, env=environ)
|
||||
version_str = output.split(' ')[1].strip() # Typical response is: output = 'certbot 0.31.0.dev0'
|
||||
# Typical response is: output = 'certbot 0.31.0.dev0'
|
||||
version_str = output.split(' ')[1].strip()
|
||||
if LooseVersion(version_str) >= LooseVersion('0.30.0'):
|
||||
additional_args.append('--no-random-sleep-on-renew')
|
||||
|
||||
@ -113,6 +122,7 @@ def _prepare_args_env(certbot_args, directory_url, http_01_port, tls_alpn_01_por
|
||||
|
||||
|
||||
def main():
|
||||
# pylint: disable=missing-function-docstring
|
||||
args = sys.argv[1:]
|
||||
|
||||
# Default config is pebble
|
||||
|
||||
@ -4,7 +4,6 @@ from __future__ import print_function
|
||||
|
||||
import os
|
||||
import os.path
|
||||
from pkg_resources import resource_filename
|
||||
import shutil
|
||||
import socket
|
||||
import subprocess
|
||||
@ -12,13 +11,14 @@ import sys
|
||||
import tempfile
|
||||
import time
|
||||
|
||||
from pkg_resources import resource_filename
|
||||
|
||||
BIND_DOCKER_IMAGE = 'internetsystemsconsortium/bind9:9.16'
|
||||
BIND_BIND_ADDRESS = ('127.0.0.1', 45953)
|
||||
BIND_DOCKER_IMAGE = "internetsystemsconsortium/bind9:9.16"
|
||||
BIND_BIND_ADDRESS = ("127.0.0.1", 45953)
|
||||
|
||||
# A TCP DNS message which is a query for '. CH A' transaction ID 0xcb37. This is used
|
||||
# by _wait_until_ready to check that BIND is responding without depending on dnspython.
|
||||
BIND_TEST_QUERY = bytearray.fromhex('0011cb37000000010000000000000000010003')
|
||||
BIND_TEST_QUERY = bytearray.fromhex("0011cb37000000010000000000000000010003")
|
||||
|
||||
|
||||
class DNSServer(object):
|
||||
@ -31,7 +31,7 @@ class DNSServer(object):
|
||||
future to support parallelization (https://github.com/certbot/certbot/issues/8455).
|
||||
"""
|
||||
|
||||
def __init__(self, nodes, show_output=False):
|
||||
def __init__(self, unused_nodes, show_output=False):
|
||||
"""
|
||||
Create an DNSServer instance.
|
||||
:param list nodes: list of node names that will be setup by pytest xdist
|
||||
@ -40,16 +40,13 @@ class DNSServer(object):
|
||||
|
||||
self.bind_root = tempfile.mkdtemp()
|
||||
|
||||
self.process = None
|
||||
self.process = None # type: subprocess.Popen
|
||||
|
||||
self.dns_xdist = {
|
||||
'address': BIND_BIND_ADDRESS[0],
|
||||
'port': BIND_BIND_ADDRESS[1]
|
||||
}
|
||||
self.dns_xdist = {"address": BIND_BIND_ADDRESS[0], "port": BIND_BIND_ADDRESS[1]}
|
||||
|
||||
# Unfortunately the BIND9 image forces everything to stderr with -g and we can't
|
||||
# modify the verbosity.
|
||||
self._output = sys.stderr if show_output else open(os.devnull, 'w')
|
||||
self._output = sys.stderr if show_output else open(os.devnull, "w")
|
||||
|
||||
def start(self):
|
||||
"""Start the DNS server"""
|
||||
@ -76,24 +73,38 @@ class DNSServer(object):
|
||||
|
||||
def _configure_bind(self):
|
||||
"""Configure the BIND9 server based on the prebaked configuration"""
|
||||
bind_conf_src = resource_filename('certbot_integration_tests', 'assets/bind-config')
|
||||
for dir in ('conf', 'zones'):
|
||||
shutil.copytree(os.path.join(bind_conf_src, dir), os.path.join(self.bind_root, dir))
|
||||
bind_conf_src = resource_filename(
|
||||
"certbot_integration_tests", "assets/bind-config"
|
||||
)
|
||||
for directory in ("conf", "zones"):
|
||||
shutil.copytree(
|
||||
os.path.join(bind_conf_src, directory), os.path.join(self.bind_root, directory)
|
||||
)
|
||||
|
||||
def _start_bind(self):
|
||||
"""Launch the BIND9 server as a Docker container"""
|
||||
addr_str = '{}:{}'.format(BIND_BIND_ADDRESS[0], BIND_BIND_ADDRESS[1])
|
||||
self.process = subprocess.Popen([
|
||||
'docker', 'run', '--rm',
|
||||
'-p', '{}:53/udp'.format(addr_str),
|
||||
'-p', '{}:53/tcp'.format(addr_str),
|
||||
'-v', '{}/conf:/etc/bind'.format(self.bind_root),
|
||||
'-v', '{}/zones:/var/lib/bind'.format(self.bind_root),
|
||||
BIND_DOCKER_IMAGE
|
||||
], stdout=self._output, stderr=self._output)
|
||||
addr_str = "{}:{}".format(BIND_BIND_ADDRESS[0], BIND_BIND_ADDRESS[1])
|
||||
self.process = subprocess.Popen(
|
||||
[
|
||||
"docker",
|
||||
"run",
|
||||
"--rm",
|
||||
"-p",
|
||||
"{}:53/udp".format(addr_str),
|
||||
"-p",
|
||||
"{}:53/tcp".format(addr_str),
|
||||
"-v",
|
||||
"{}/conf:/etc/bind".format(self.bind_root),
|
||||
"-v",
|
||||
"{}/zones:/var/lib/bind".format(self.bind_root),
|
||||
BIND_DOCKER_IMAGE,
|
||||
],
|
||||
stdout=self._output,
|
||||
stderr=self._output,
|
||||
)
|
||||
|
||||
if self.process.poll():
|
||||
raise("BIND9 server stopped unexpectedly")
|
||||
raise ValueError("BIND9 server stopped unexpectedly")
|
||||
|
||||
try:
|
||||
self._wait_until_ready()
|
||||
@ -113,7 +124,7 @@ class DNSServer(object):
|
||||
"""
|
||||
for _ in range(attempts):
|
||||
if self.process.poll():
|
||||
raise ValueError('BIND9 server stopped unexpectedly')
|
||||
raise ValueError("BIND9 server stopped unexpectedly")
|
||||
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock.settimeout(5.0)
|
||||
@ -126,15 +137,15 @@ class DNSServer(object):
|
||||
return
|
||||
# If we got a response but it wasn't the one we wanted, wait a little
|
||||
time.sleep(1)
|
||||
except:
|
||||
except: # pylint: disable=bare-except
|
||||
# If there was a network error, wait a little
|
||||
time.sleep(1)
|
||||
pass
|
||||
finally:
|
||||
sock.close()
|
||||
|
||||
raise ValueError(
|
||||
'Gave up waiting for DNS server {} to respond'.format(BIND_BIND_ADDRESS))
|
||||
"Gave up waiting for DNS server {} to respond".format(BIND_BIND_ADDRESS)
|
||||
)
|
||||
|
||||
def __enter__(self):
|
||||
self.start()
|
||||
|
||||
@ -39,6 +39,7 @@ def _suppress_x509_verification_warnings():
|
||||
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
||||
except ImportError:
|
||||
# Handle old versions of request with vendorized urllib3
|
||||
# pylint: disable=no-member
|
||||
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
||||
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
||||
|
||||
@ -256,7 +257,8 @@ def generate_csr(domains, key_path, csr_path, key_type=RSA_KEY_TYPE):
|
||||
|
||||
def read_certificate(cert_path):
|
||||
"""
|
||||
Load the certificate from the provided path, and return a human readable version of it (TEXT mode).
|
||||
Load the certificate from the provided path, and return a human readable version
|
||||
of it (TEXT mode).
|
||||
:param str cert_path: the path to the certificate
|
||||
:returns: the TEXT version of the certificate, as it would be displayed by openssl binary
|
||||
"""
|
||||
|
||||
@ -1,3 +1,5 @@
|
||||
# pylint: disable=missing-module-docstring
|
||||
|
||||
import json
|
||||
import os
|
||||
import stat
|
||||
@ -12,6 +14,7 @@ ASSETS_PATH = pkg_resources.resource_filename('certbot_integration_tests', 'asse
|
||||
|
||||
|
||||
def fetch(workspace):
|
||||
# pylint: disable=missing-function-docstring
|
||||
suffix = 'linux-amd64' if os.name != 'nt' else 'windows-amd64.exe'
|
||||
|
||||
pebble_path = _fetch_asset('pebble', suffix)
|
||||
|
||||
@ -21,6 +21,7 @@ from certbot_integration_tests.utils.misc import GracefulTCPServer
|
||||
|
||||
|
||||
class _ProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
||||
# pylint: disable=missing-function-docstring
|
||||
def do_POST(self):
|
||||
request = requests.get(PEBBLE_MANAGEMENT_URL + '/intermediate-keys/0', verify=False)
|
||||
issuer_key = serialization.load_pem_private_key(request.content, None, default_backend())
|
||||
@ -35,20 +36,28 @@ class _ProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
||||
|
||||
ocsp_request = ocsp.load_der_ocsp_request(self.rfile.read(content_len))
|
||||
response = requests.get('{0}/cert-status-by-serial/{1}'.format(
|
||||
PEBBLE_MANAGEMENT_URL, str(hex(ocsp_request.serial_number)).replace('0x', '')), verify=False)
|
||||
PEBBLE_MANAGEMENT_URL, str(hex(ocsp_request.serial_number)).replace('0x', '')),
|
||||
verify=False
|
||||
)
|
||||
|
||||
if not response.ok:
|
||||
ocsp_response = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
|
||||
ocsp_response = ocsp.OCSPResponseBuilder.build_unsuccessful(
|
||||
ocsp.OCSPResponseStatus.UNAUTHORIZED
|
||||
)
|
||||
else:
|
||||
data = response.json()
|
||||
|
||||
now = datetime.datetime.utcnow()
|
||||
cert = x509.load_pem_x509_certificate(data['Certificate'].encode(), default_backend())
|
||||
if data['Status'] != 'Revoked':
|
||||
ocsp_status, revocation_time, revocation_reason = ocsp.OCSPCertStatus.GOOD, None, None
|
||||
ocsp_status = ocsp.OCSPCertStatus.GOOD
|
||||
revocation_time = None
|
||||
revocation_reason = None
|
||||
else:
|
||||
ocsp_status, revocation_reason = ocsp.OCSPCertStatus.REVOKED, x509.ReasonFlags.unspecified
|
||||
revoked_at = re.sub(r'( \+\d{4}).*$', r'\1', data['RevokedAt']) # "... +0000 UTC" => "+0000"
|
||||
ocsp_status = ocsp.OCSPCertStatus.REVOKED
|
||||
revocation_reason = x509.ReasonFlags.unspecified
|
||||
# "... +0000 UTC" => "+0000"
|
||||
revoked_at = re.sub(r'( \+\d{4}).*$', r'\1', data['RevokedAt'])
|
||||
revocation_time = parser.parse(revoked_at)
|
||||
|
||||
ocsp_response = ocsp.OCSPResponseBuilder().add_response(
|
||||
|
||||
@ -1,4 +1,6 @@
|
||||
#!/usr/bin/env python
|
||||
# pylint: disable=missing-module-docstring
|
||||
|
||||
import json
|
||||
import re
|
||||
import sys
|
||||
@ -10,7 +12,9 @@ from certbot_integration_tests.utils.misc import GracefulTCPServer
|
||||
|
||||
|
||||
def _create_proxy(mapping):
|
||||
# pylint: disable=missing-function-docstring
|
||||
class ProxyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
||||
# pylint: disable=missing-class-docstring
|
||||
def do_GET(self):
|
||||
headers = {key.lower(): value for key, value in self.headers.items()}
|
||||
backend = [backend for pattern, backend in mapping.items()
|
||||
|
||||
@ -10,7 +10,9 @@ from pylint.checkers import BaseChecker
|
||||
from pylint.interfaces import IAstroidChecker
|
||||
|
||||
# Modules in theses packages can import the os module.
|
||||
WHITELIST_PACKAGES = ['acme', 'certbot_compatibility_test', 'lock_test']
|
||||
WHITELIST_PACKAGES = [
|
||||
'acme', 'certbot_integration_tests', 'certbot_compatibility_test', 'lock_test'
|
||||
]
|
||||
|
||||
|
||||
class ForbidStandardOsModule(BaseChecker):
|
||||
@ -25,8 +27,8 @@ class ForbidStandardOsModule(BaseChecker):
|
||||
'E5001': (
|
||||
'Forbidden use of os module, certbot.compat.os must be used instead',
|
||||
'os-module-forbidden',
|
||||
'Some methods from the standard os module cannot be used for security reasons on Windows: '
|
||||
'the safe wrapper certbot.compat.os must be used instead in Certbot.'
|
||||
'Some methods from the standard os module cannot be used for security reasons on '
|
||||
'Windows: the safe wrapper certbot.compat.os must be used instead in Certbot.'
|
||||
)
|
||||
}
|
||||
priority = -1
|
||||
|
||||
Reference in New Issue
Block a user