diff tests/test-url.py @ 43076:2372284d9457
formatting: blacken the codebase
This is using my patch to black
(https://github.com/psf/black/pull/826) so we don't un-wrap collection
literals.
Done with:
hg files 'set:**.py - mercurial/thirdparty/** - "contrib/python-zstandard/**"' | xargs black -S
# skip-blame mass-reformatting only
# no-check-commit reformats foo_bar functions
Differential Revision: https://phab.mercurial-scm.org/D6971
author | Augie Fackler <augie@google.com> |
---|---|
date | Sun, 06 Oct 2019 09:45:02 -0400 |
parents | d088810c496e |
children | d2e1dcd4490d |
--- a/tests/test-url.py Sat Oct 05 10:29:34 2019 -0400
+++ b/tests/test-url.py Sun Oct 06 09:45:02 2019 -0400
@@ -4,146 +4,170 @@ import doctest import os + def check(a, b): if a != b: print((a, b)) + def cert(cn): return {'subject': ((('commonName', cn),),)} -from mercurial import ( - sslutil, -) + +from mercurial import sslutil _verifycert = sslutil._verifycert # Test non-wildcard certificates -check(_verifycert(cert('example.com'), 'example.com'), - None) -check(_verifycert(cert('example.com'), 'www.example.com'), - b'certificate is for example.com') -check(_verifycert(cert('www.example.com'), 'example.com'), - b'certificate is for www.example.com') +check(_verifycert(cert('example.com'), 'example.com'), None) +check( + _verifycert(cert('example.com'), 'www.example.com'), + b'certificate is for example.com', +) +check( + _verifycert(cert('www.example.com'), 'example.com'), + b'certificate is for www.example.com', +) # Test wildcard certificates -check(_verifycert(cert('*.example.com'), 'www.example.com'), - None) -check(_verifycert(cert('*.example.com'), 'example.com'), - b'certificate is for *.example.com') -check(_verifycert(cert('*.example.com'), 'w.w.example.com'), - b'certificate is for *.example.com') +check(_verifycert(cert('*.example.com'), 'www.example.com'), None) +check( + _verifycert(cert('*.example.com'), 'example.com'), + b'certificate is for *.example.com', +) +check( + _verifycert(cert('*.example.com'), 'w.w.example.com'), + b'certificate is for *.example.com', +) # Test subjectAltName -san_cert = {'subject': ((('commonName', 'example.com'),),), - 'subjectAltName': (('DNS', '*.example.net'), - ('DNS', 'example.net'))} -check(_verifycert(san_cert, 'example.net'), - None) -check(_verifycert(san_cert, 'foo.example.net'), - None) +san_cert = { + 'subject': ((('commonName', 'example.com'),),), + 'subjectAltName': (('DNS', '*.example.net'), ('DNS', 'example.net')), +} +check(_verifycert(san_cert, 'example.net'), None) +check(_verifycert(san_cert, 'foo.example.net'), None) # no fallback to subject commonName when subjectAltName has DNS 
-check(_verifycert(san_cert, 'example.com'), - b'certificate is for *.example.net, example.net') +check( + _verifycert(san_cert, 'example.com'), + b'certificate is for *.example.net, example.net', +) # fallback to subject commonName when no DNS in subjectAltName -san_cert = {'subject': ((('commonName', 'example.com'),),), - 'subjectAltName': (('IP Address', '8.8.8.8'),)} +san_cert = { + 'subject': ((('commonName', 'example.com'),),), + 'subjectAltName': (('IP Address', '8.8.8.8'),), +} check(_verifycert(san_cert, 'example.com'), None) # Avoid some pitfalls -check(_verifycert(cert('*.foo'), 'foo'), - b'certificate is for *.foo') +check(_verifycert(cert('*.foo'), 'foo'), b'certificate is for *.foo') check(_verifycert(cert('*o'), 'foo'), None) -check(_verifycert({'subject': ()}, - 'example.com'), - b'no commonName or subjectAltName found in certificate') -check(_verifycert(None, 'example.com'), - b'no certificate received') +check( + _verifycert({'subject': ()}, 'example.com'), + b'no commonName or subjectAltName found in certificate', +) +check(_verifycert(None, 'example.com'), b'no certificate received') # Unicode (IDN) certname isn't supported -check(_verifycert(cert(u'\u4f8b.jp'), 'example.jp'), - b'IDN in certificate not supported') +check( + _verifycert(cert(u'\u4f8b.jp'), 'example.jp'), + b'IDN in certificate not supported', +) # The following tests are from CPython's test_ssl.py. 
check(_verifycert(cert('example.com'), 'example.com'), None) check(_verifycert(cert('example.com'), 'ExAmple.cOm'), None) -check(_verifycert(cert('example.com'), 'www.example.com'), - b'certificate is for example.com') -check(_verifycert(cert('example.com'), '.example.com'), - b'certificate is for example.com') -check(_verifycert(cert('example.com'), 'example.org'), - b'certificate is for example.com') -check(_verifycert(cert('example.com'), 'exampleXcom'), - b'certificate is for example.com') +check( + _verifycert(cert('example.com'), 'www.example.com'), + b'certificate is for example.com', +) +check( + _verifycert(cert('example.com'), '.example.com'), + b'certificate is for example.com', +) +check( + _verifycert(cert('example.com'), 'example.org'), + b'certificate is for example.com', +) +check( + _verifycert(cert('example.com'), 'exampleXcom'), + b'certificate is for example.com', +) check(_verifycert(cert('*.a.com'), 'foo.a.com'), None) -check(_verifycert(cert('*.a.com'), 'bar.foo.a.com'), - b'certificate is for *.a.com') -check(_verifycert(cert('*.a.com'), 'a.com'), - b'certificate is for *.a.com') -check(_verifycert(cert('*.a.com'), 'Xa.com'), - b'certificate is for *.a.com') -check(_verifycert(cert('*.a.com'), '.a.com'), - b'certificate is for *.a.com') +check( + _verifycert(cert('*.a.com'), 'bar.foo.a.com'), b'certificate is for *.a.com' +) +check(_verifycert(cert('*.a.com'), 'a.com'), b'certificate is for *.a.com') +check(_verifycert(cert('*.a.com'), 'Xa.com'), b'certificate is for *.a.com') +check(_verifycert(cert('*.a.com'), '.a.com'), b'certificate is for *.a.com') # only match one left-most wildcard check(_verifycert(cert('f*.com'), 'foo.com'), None) check(_verifycert(cert('f*.com'), 'f.com'), None) -check(_verifycert(cert('f*.com'), 'bar.com'), - b'certificate is for f*.com') -check(_verifycert(cert('f*.com'), 'foo.a.com'), - b'certificate is for f*.com') -check(_verifycert(cert('f*.com'), 'bar.foo.com'), - b'certificate is for f*.com') 
+check(_verifycert(cert('f*.com'), 'bar.com'), b'certificate is for f*.com') +check(_verifycert(cert('f*.com'), 'foo.a.com'), b'certificate is for f*.com') +check(_verifycert(cert('f*.com'), 'bar.foo.com'), b'certificate is for f*.com') # NULL bytes are bad, CVE-2013-4073 -check(_verifycert(cert('null.python.org\x00example.org'), - 'null.python.org\x00example.org'), None) -check(_verifycert(cert('null.python.org\x00example.org'), - 'example.org'), - b'certificate is for null.python.org\x00example.org') -check(_verifycert(cert('null.python.org\x00example.org'), - 'null.python.org'), - b'certificate is for null.python.org\x00example.org') +check( + _verifycert( + cert('null.python.org\x00example.org'), 'null.python.org\x00example.org' + ), + None, +) +check( + _verifycert(cert('null.python.org\x00example.org'), 'example.org'), + b'certificate is for null.python.org\x00example.org', +) +check( + _verifycert(cert('null.python.org\x00example.org'), 'null.python.org'), + b'certificate is for null.python.org\x00example.org', +) # error cases with wildcards -check(_verifycert(cert('*.*.a.com'), 'bar.foo.a.com'), - b'certificate is for *.*.a.com') -check(_verifycert(cert('*.*.a.com'), 'a.com'), - b'certificate is for *.*.a.com') -check(_verifycert(cert('*.*.a.com'), 'Xa.com'), - b'certificate is for *.*.a.com') -check(_verifycert(cert('*.*.a.com'), '.a.com'), - b'certificate is for *.*.a.com') +check( + _verifycert(cert('*.*.a.com'), 'bar.foo.a.com'), + b'certificate is for *.*.a.com', +) +check(_verifycert(cert('*.*.a.com'), 'a.com'), b'certificate is for *.*.a.com') +check(_verifycert(cert('*.*.a.com'), 'Xa.com'), b'certificate is for *.*.a.com') +check(_verifycert(cert('*.*.a.com'), '.a.com'), b'certificate is for *.*.a.com') -check(_verifycert(cert('a.*.com'), 'a.foo.com'), - b'certificate is for a.*.com') -check(_verifycert(cert('a.*.com'), 'a..com'), - b'certificate is for a.*.com') -check(_verifycert(cert('a.*.com'), 'a.com'), - b'certificate is for a.*.com') 
+check(_verifycert(cert('a.*.com'), 'a.foo.com'), b'certificate is for a.*.com') +check(_verifycert(cert('a.*.com'), 'a..com'), b'certificate is for a.*.com') +check(_verifycert(cert('a.*.com'), 'a.com'), b'certificate is for a.*.com') # wildcard doesn't match IDNA prefix 'xn--' idna = u'püthon.python.org'.encode('idna').decode('ascii') check(_verifycert(cert(idna), idna), None) -check(_verifycert(cert('x*.python.org'), idna), - b'certificate is for x*.python.org') -check(_verifycert(cert('xn--p*.python.org'), idna), - b'certificate is for xn--p*.python.org') +check( + _verifycert(cert('x*.python.org'), idna), + b'certificate is for x*.python.org', +) +check( + _verifycert(cert('xn--p*.python.org'), idna), + b'certificate is for xn--p*.python.org', +) # wildcard in first fragment and IDNA A-labels in sequent fragments # are supported. idna = u'www*.pythön.org'.encode('idna').decode('ascii') -check(_verifycert(cert(idna), - u'www.pythön.org'.encode('idna').decode('ascii')), - None) -check(_verifycert(cert(idna), - u'www1.pythön.org'.encode('idna').decode('ascii')), - None) -check(_verifycert(cert(idna), - u'ftp.pythön.org'.encode('idna').decode('ascii')), - b'certificate is for www*.xn--pythn-mua.org') -check(_verifycert(cert(idna), - u'pythön.org'.encode('idna').decode('ascii')), - b'certificate is for www*.xn--pythn-mua.org') +check( + _verifycert(cert(idna), u'www.pythön.org'.encode('idna').decode('ascii')), + None, +) +check( + _verifycert(cert(idna), u'www1.pythön.org'.encode('idna').decode('ascii')), + None, +) +check( + _verifycert(cert(idna), u'ftp.pythön.org'.encode('idna').decode('ascii')), + b'certificate is for www*.xn--pythn-mua.org', +) +check( + _verifycert(cert(idna), u'pythön.org'.encode('idna').decode('ascii')), + b'certificate is for www*.xn--pythn-mua.org', +) c = { 'notAfter': 'Jun 26 21:41:46 2011 GMT', 
@@ -152,16 +176,20 @@ ('DNS', 'linuxfr.org'), ('DNS', 'linuxfr.com'), ('othername', '<unsupported>'), - ) + ), } check(_verifycert(c, 'linuxfr.org'), None) check(_verifycert(c, 'linuxfr.com'), None) # Not a "DNS" entry -check(_verifycert(c, '<unsupported>'), - b'certificate is for linuxfr.org, linuxfr.com') +check( + _verifycert(c, '<unsupported>'), + b'certificate is for linuxfr.org, linuxfr.com', +) # When there is a subjectAltName, commonName isn't used -check(_verifycert(c, 'linuxfrz.org'), - b'certificate is for linuxfr.org, linuxfr.com') +check( + _verifycert(c, 'linuxfrz.org'), + b'certificate is for linuxfr.org, linuxfr.com', +) # A pristine real-world example c = { @@ -190,8 +218,10 @@ ((u'organizationName', u'Google Inc'),), ), } -check(_verifycert(c, 'mail.google.com'), - b'no commonName or subjectAltName found in certificate') +check( + _verifycert(c, 'mail.google.com'), + b'no commonName or subjectAltName found in certificate', +) # No DNS entry in subjectAltName but a commonName c = { @@ -217,8 +247,10 @@ ), 'subjectAltName': (('othername', 'blabla'),), } -check(_verifycert(c, 'google.com'), - b'no commonName or subjectAltName found in certificate') +check( + _verifycert(c, 'google.com'), + b'no commonName or subjectAltName found in certificate', +) # Empty cert / no cert check(_verifycert(None, 'example.com'), b'no certificate received') 
@@ -226,13 +258,19 @@ # avoid denials of service by refusing more than one # wildcard per fragment. -check(_verifycert({'subject': (((u'commonName', u'a*b.com'),),)}, - 'axxb.com'), None) -check(_verifycert({'subject': (((u'commonName', u'a*b.co*'),),)}, - 'axxb.com'), b'certificate is for a*b.co*') -check(_verifycert({'subject': (((u'commonName', u'a*b*.com'),),)}, - 'axxbxxc.com'), - b'too many wildcards in certificate DNS name: a*b*.com') +check( + _verifycert({'subject': (((u'commonName', u'a*b.com'),),)}, 'axxb.com'), + None, +) +check( + _verifycert({'subject': (((u'commonName', u'a*b.co*'),),)}, 'axxb.com'), + b'certificate is for a*b.co*', +) +check( + _verifycert({'subject': (((u'commonName', u'a*b*.com'),),)}, 'axxbxxc.com'), + b'too many wildcards in certificate DNS name: a*b*.com', +) + def test_url(): """ @@ -418,6 +456,7 @@ 'foo/bar/baz' """ + if 'TERM' in os.environ: del os.environ['TERM']