pytests: import test_tls_no_cert (test14)
authorTomas Krizek <tomas.krizek@nic.cz>
Thu, 15 Nov 2018 16:10:06 +0000 (17:10 +0100)
committerTomas Krizek <tomas.krizek@nic.cz>
Tue, 4 Dec 2018 16:13:42 +0000 (17:13 +0100)
tests/pytests/conftest.py
tests/pytests/kresd.py
tests/pytests/test_tls_certs.py [new file with mode: 0644]
tests/pytests/utils.py

index cbb89a4894cfa46ec3cd75776ea79bb9f94e69ee..b065f9d4339e280720a56d5ef2b950be4733683a 100644 (file)
@@ -66,3 +66,11 @@ def make_kresd_sock(request, kresd):
 @pytest.fixture
 def kresd_sock(make_kresd_sock):
     return make_kresd_sock()
+
+
+@pytest.fixture(params=[
+    socket.AF_INET,
+    socket.AF_INET6,
+])
+def sock_family(request):
+    return request.param
index 54617b8bce362151185717fe8eacfd3a603e610a..72b856810ff53441741f71e5609cf41feefff77f 100644 (file)
@@ -2,7 +2,6 @@ from contextlib import ContextDecorator
 import os
 import re
 import socket
-import ssl
 import subprocess
 import time
 
@@ -26,21 +25,6 @@ def create_file_from_template(template_path, dest, data):
         fh.write(rendered_template)
 
 
-def make_ssl_context():
-    # set TLS v1.2+
-    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
-    context.options |= ssl.OP_NO_SSLv2
-    context.options |= ssl.OP_NO_SSLv3
-    context.options |= ssl.OP_NO_TLSv1
-    context.options |= ssl.OP_NO_TLSv1_1
-
-    # turn off certificate verification
-    context.check_hostname = False
-    context.verify_mode = ssl.CERT_NONE
-
-    return context
-
-
 class Kresd(ContextDecorator):
     def __init__(self, workdir, port, tls_port, ip=None, ip6=None):
         if ip is None and ip6 is None:
@@ -154,7 +138,7 @@ class Kresd(ContextDecorator):
 
     def _tls_socket(self, family):
         sock, dest = self.stream_socket(family, tls=True)
-        ctx = make_ssl_context()
+        ctx = utils.make_ssl_context(insecure=True)
         ssock = ctx.wrap_socket(sock)
         try:
             ssock.connect(dest)
diff --git a/tests/pytests/test_tls_certs.py b/tests/pytests/test_tls_certs.py
new file mode 100644 (file)
index 0000000..a453696
--- /dev/null
@@ -0,0 +1,12 @@
+"""Tests with TLS certificates"""
+
+import utils
+
+
+def test_tls_no_cert(kresd, sock_family):
+    sock, dest = kresd.stream_socket(sock_family, tls=True)
+    ctx = utils.make_ssl_context(insecure=True)
+    ssock = ctx.wrap_socket(sock)
+    ssock.connect(dest)
+
+    utils.ping_alive(ssock)
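Review bot: `test_tls_no_cert` has no docstring saying what "no cert" refers to, and because the context is built with `insecure=True` the test passes with whatever certificate kresd presents. A one-line docstring such as `"""kresd without a configured certificate still completes a TLS handshake and answers a query."""` would record the intent; that reading is inferred from the name and should be confirmed against the kresd fixture's configuration. `ssock` is also never closed here, so unless `stream_socket` registers the socket for teardown, `with ctx.wrap_socket(sock) as ssock:` would keep it from leaking when `ping_alive` fails.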
index 20218dfd5e1cc6ed328df19366d5ffd423d5c9d4..a809d78d45e0e8d1aec493ad09fe59f8359cd630 100644 (file)
@@ -1,4 +1,5 @@
 from contextlib import contextmanager
+import ssl
 import struct
 import random
 
@@ -93,3 +94,25 @@ def expect_kresd_close(rst_ok=False):
                 raise BrokenPipeError
             else:
                 pytest.skip("kresd closed connection with TCP RST")
+
+
+def make_ssl_context(insecure=False, verify_location=None):
+    # set TLS v1.2+
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+    context.options |= ssl.OP_NO_SSLv2
+    context.options |= ssl.OP_NO_SSLv3
+    context.options |= ssl.OP_NO_TLSv1
+    context.options |= ssl.OP_NO_TLSv1_1
+
+    if insecure:
+        # turn off certificate verification
+        context.check_hostname = False
+        context.verify_mode = ssl.CERT_NONE
+    else:
+        context.verify_mode = ssl.CERT_REQUIRED
+        context.check_hostname = True
+
+        if verify_location is not None:
+            context.load_verify_locations(verify_location)
+
+    return context
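Review bot: In the `else` branch of `make_ssl_context`, a caller that passes neither `insecure=True` nor `verify_location` gets `CERT_REQUIRED` with no trust anchors, because `ssl.SSLContext(ssl.PROTOCOL_TLS)` does not load the system CA store, so every handshake fails verification. Either fall back with `else: context.load_default_certs()` under the `verify_location` check or raise a `ValueError` there, so the failure is explicit instead of surfacing as a handshake error. Since `check_hostname = True` is set on this path, callers must also pass `server_hostname=` to `wrap_socket`; the two call sites visible in this commit call `ctx.wrap_socket(sock)` without it, which only works because they use `insecure=True`. A docstring should state both requirements and that `insecure=True` disables certificate and hostname verification and is intended for test traffic only.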