tests/test-url.py
author Nicolas Bareil <nico@chdir.org>
Sat, 18 Jun 2011 01:03:03 +0200
changeset 14666 27b080aa880a
parent 14313 a389dd285282
child 15018 e89f62dcd723
permissions -rw-r--r--
sslutil: fall back to commonName when no dNSName in subjectAltName (issue2798) Any entries in subjectAltName would prevent fallback to using commonName, but RFC 2818 says: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. We now only consider dNSNames in subjectAltName. (dNSName is known as 'DNS' in OpenSSL/Python.)

import sys

def check(a, b):
    if a != b:
        print (a, b)

def cert(cn):
    return dict(subject=((('commonName', cn),),))

from mercurial.sslutil import _verifycert

# Test non-wildcard certificates
check(_verifycert(cert('example.com'), 'example.com'),
      None)
check(_verifycert(cert('example.com'), 'www.example.com'),
      'certificate is for example.com')
check(_verifycert(cert('www.example.com'), 'example.com'),
      'certificate is for www.example.com')

# Test wildcard certificates
check(_verifycert(cert('*.example.com'), 'www.example.com'),
      None)
check(_verifycert(cert('*.example.com'), 'example.com'),
      'certificate is for *.example.com')
check(_verifycert(cert('*.example.com'), 'w.w.example.com'),
      'certificate is for *.example.com')

# Test subjectAltName
san_cert = {'subject': ((('commonName', 'example.com'),),),
            'subjectAltName': (('DNS', '*.example.net'),
                               ('DNS', 'example.net'))}
check(_verifycert(san_cert, 'example.net'),
      None)
check(_verifycert(san_cert, 'foo.example.net'),
      None)
# no fallback to subject commonName when subjectAltName has DNS
check(_verifycert(san_cert, 'example.com'),
      'certificate is for *.example.net, example.net')
# fallback to subject commonName when no DNS in subjectAltName
san_cert = {'subject': ((('commonName', 'example.com'),),),
            'subjectAltName': (('IP Address', '8.8.8.8'),)}
check(_verifycert(san_cert, 'example.com'), None)

# Avoid some pitfalls
check(_verifycert(cert('*.foo'), 'foo'),
      'certificate is for *.foo')
check(_verifycert(cert('*o'), 'foo'),
      'certificate is for *o')

check(_verifycert({'subject': ()},
                  'example.com'),
      'no commonName or subjectAltName found in certificate')
check(_verifycert(None, 'example.com'),
      'no certificate received')

# Unicode (IDN) certname isn't supported
check(_verifycert(cert(u'\u4f8b.jp'), 'example.jp'),
      'IDN in certificate not supported')

import doctest

def test_url():
    """
    >>> from mercurial.util import url

    This tests for edge cases in url.URL's parsing algorithm. Most of
    these aren't useful for documentation purposes, so they aren't
    part of the class's doc tests.

    Query strings and fragments:

    >>> url('http://host/a?b#c')
    <url scheme: 'http', host: 'host', path: 'a', query: 'b', fragment: 'c'>
    >>> url('http://host/a?')
    <url scheme: 'http', host: 'host', path: 'a'>
    >>> url('http://host/a#b#c')
    <url scheme: 'http', host: 'host', path: 'a', fragment: 'b#c'>
    >>> url('http://host/a#b?c')
    <url scheme: 'http', host: 'host', path: 'a', fragment: 'b?c'>
    >>> url('http://host/?a#b')
    <url scheme: 'http', host: 'host', path: '', query: 'a', fragment: 'b'>
    >>> url('http://host/?a#b', parsequery=False)
    <url scheme: 'http', host: 'host', path: '?a', fragment: 'b'>
    >>> url('http://host/?a#b', parsefragment=False)
    <url scheme: 'http', host: 'host', path: '', query: 'a#b'>
    >>> url('http://host/?a#b', parsequery=False, parsefragment=False)
    <url scheme: 'http', host: 'host', path: '?a#b'>

    IPv6 addresses:

    >>> url('ldap://[2001:db8::7]/c=GB?objectClass?one')
    <url scheme: 'ldap', host: '[2001:db8::7]', path: 'c=GB',
         query: 'objectClass?one'>
    >>> url('ldap://joe:xxx@[2001:db8::7]:80/c=GB?objectClass?one')
    <url scheme: 'ldap', user: 'joe', passwd: 'xxx', host: '[2001:db8::7]',
         port: '80', path: 'c=GB', query: 'objectClass?one'>

    Missing scheme, host, etc.:

    >>> url('://192.0.2.16:80/')
    <url path: '://192.0.2.16:80/'>
    >>> url('http://mercurial.selenic.com')
    <url scheme: 'http', host: 'mercurial.selenic.com'>
    >>> url('/foo')
    <url path: '/foo'>
    >>> url('bundle:/foo')
    <url scheme: 'bundle', path: '/foo'>
    >>> url('a?b#c')
    <url path: 'a?b', fragment: 'c'>
    >>> url('http://x.com?arg=/foo')
    <url scheme: 'http', host: 'x.com', query: 'arg=/foo'>
    >>> url('http://joe:xxx@/foo')
    <url scheme: 'http', user: 'joe', passwd: 'xxx', path: 'foo'>

    Just a scheme and a path:

    >>> url('mailto:John.Doe@example.com')
    <url scheme: 'mailto', path: 'John.Doe@example.com'>
    >>> url('a:b:c:d')
    <url path: 'a:b:c:d'>
    >>> url('aa:bb:cc:dd')
    <url scheme: 'aa', path: 'bb:cc:dd'>

    SSH examples:

    >>> url('ssh://joe@host//home/joe')
    <url scheme: 'ssh', user: 'joe', host: 'host', path: '/home/joe'>
    >>> url('ssh://joe:xxx@host/src')
    <url scheme: 'ssh', user: 'joe', passwd: 'xxx', host: 'host', path: 'src'>
    >>> url('ssh://joe:xxx@host')
    <url scheme: 'ssh', user: 'joe', passwd: 'xxx', host: 'host'>
    >>> url('ssh://joe@host')
    <url scheme: 'ssh', user: 'joe', host: 'host'>
    >>> url('ssh://host')
    <url scheme: 'ssh', host: 'host'>
    >>> url('ssh://')
    <url scheme: 'ssh'>
    >>> url('ssh:')
    <url scheme: 'ssh'>

    Non-numeric port:

    >>> url('http://example.com:dd')
    <url scheme: 'http', host: 'example.com', port: 'dd'>
    >>> url('ssh://joe:xxx@host:ssh/foo')
    <url scheme: 'ssh', user: 'joe', passwd: 'xxx', host: 'host', port: 'ssh',
         path: 'foo'>

    Bad authentication credentials:

    >>> url('http://joe@joeville:123@4:@host/a?b#c')
    <url scheme: 'http', user: 'joe@joeville', passwd: '123@4:',
         host: 'host', path: 'a', query: 'b', fragment: 'c'>
    >>> url('http://!*#?/@!*#?/:@host/a?b#c')
    <url scheme: 'http', host: '!*', fragment: '?/@!*#?/:@host/a?b#c'>
    >>> url('http://!*#?@!*#?:@host/a?b#c')
    <url scheme: 'http', host: '!*', fragment: '?@!*#?:@host/a?b#c'>
    >>> url('http://!*@:!*@@host/a?b#c')
    <url scheme: 'http', user: '!*@', passwd: '!*@', host: 'host',
         path: 'a', query: 'b', fragment: 'c'>

    File paths:

    >>> url('a/b/c/d.g.f')
    <url path: 'a/b/c/d.g.f'>
    >>> url('/x///z/y/')
    <url path: '/x///z/y/'>
    >>> url('/foo:bar')
    <url path: '/foo:bar'>
    >>> url('\\\\foo:bar')
    <url path: '\\\\foo:bar'>
    >>> url('./foo:bar')
    <url path: './foo:bar'>

    Non-localhost file URL:

    >>> u = url('file://mercurial.selenic.com/foo')
    Traceback (most recent call last):
      File "<stdin>", line 1, in ?
    Abort: file:// URLs can only refer to localhost

    Empty URL:

    >>> u = url('')
    >>> u
    <url path: ''>
    >>> str(u)
    ''

    Empty path with query string:

    >>> str(url('http://foo/?bar'))
    'http://foo/?bar'

    Invalid path:

    >>> u = url('http://foo/bar')
    >>> u.path = 'bar'
    >>> str(u)
    'http://foo/bar'

    >>> u = url('file:/foo/bar/baz')
    >>> u
    <url scheme: 'file', path: '/foo/bar/baz'>
    >>> str(u)
    'file:///foo/bar/baz'

    >>> u = url('file:///foo/bar/baz')
    >>> u
    <url scheme: 'file', path: '/foo/bar/baz'>
    >>> str(u)
    'file:///foo/bar/baz'

    >>> u = url('file:foo/bar/baz')
    >>> u
    <url scheme: 'file', path: 'foo/bar/baz'>
    >>> str(u)
    'file:foo/bar/baz'
    """

doctest.testmod(optionflags=doctest.NORMALIZE_WHITESPACE)