Mercurial > hg
changeset 29481:5caa415aa48b
tests: better testing of loaded certificates
Tests were failing on systems like RHEL 7 where loading the system
certificates results in CA certs being reported to Python. We add
a feature that detects when we're able to load *and detect* the
loading of system certificates. We update the tests to cover the
3 scenarios:
1) system CAs are loadable and detected
2) system CAs are loadable but not detected
3) system CAs aren't loadable
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Fri, 01 Jul 2016 19:27:34 -0700 |
| parents | 1e4512eac59e |
| children | 4e72995f6c9c |
| files | tests/hghave.py tests/test-https.t tests/test-patchbomb-tls.t |
| diffstat | 3 files changed, 65 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/tests/hghave.py Fri Jul 01 17:42:55 2016 +0200 +++ b/tests/hghave.py Fri Jul 01 19:27:34 2016 -0700 @@ -418,6 +418,25 @@ from mercurial import sslutil return sslutil._defaultcacerts() or sslutil._canloaddefaultcerts +@check("defaultcacertsloaded", "detected presence of loaded system CA certs") +def has_defaultcacertsloaded(): + import ssl + from mercurial import sslutil + + if not has_defaultcacerts(): + return False + if not has_sslcontext(): + return False + + cafile = sslutil._defaultcacerts() + ctx = ssl.create_default_context() + if cafile: + ctx.load_verify_locations(cafile=cafile) + else: + ctx.load_default_certs() + + return len(ctx.get_ca_certs()) > 0 + @check("windows", "Windows") def has_windows(): return os.name == 'nt'
--- a/tests/test-https.t Fri Jul 01 17:42:55 2016 +0200 +++ b/tests/test-https.t Fri Jul 01 19:27:34 2016 -0700 @@ -47,12 +47,26 @@ Our test cert is not signed by a trusted CA. It should fail to verify if we are able to load CA certs. -#if defaultcacerts +#if sslcontext defaultcacerts no-defaultcacertsloaded $ hg clone https://localhost:$HGPORT/ copy-pull (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) abort: error: *certificate verify failed* (glob) [255] -#else +#endif + +#if no-sslcontext defaultcacerts + $ hg clone https://localhost:$HGPORT/ copy-pull + abort: error: *certificate verify failed* (glob) + [255] +#endif + +#if defaultcacertsloaded + $ hg clone https://localhost:$HGPORT/ copy-pull + abort: error: *certificate verify failed* (glob) + [255] +#endif + +#if no-defaultcacerts $ hg clone https://localhost:$HGPORT/ copy-pull abort: localhost certificate error: no certificate received (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
--- a/tests/test-patchbomb-tls.t Fri Jul 01 17:42:55 2016 +0200 +++ b/tests/test-patchbomb-tls.t Fri Jul 01 19:27:34 2016 -0700 @@ -43,7 +43,7 @@ Our test cert is not signed by a trusted CA. It should fail to verify if we are able to load CA certs: -#if defaultcacerts +#if sslcontext defaultcacerts no-defaultcacertsloaded $ try this patch series consists of 1 patches. @@ -53,6 +53,35 @@ [255] #endif +#if no-sslcontext defaultcacerts + $ try + this patch series consists of 1 patches. + + + (?i)abort: .*?certificate.verify.failed.* (re) + [255] +#endif + +#if defaultcacertsloaded + $ try + this patch series consists of 1 patches. + + + (?i)abort: .*?certificate.verify.failed.* (re) + [255] + +#endif + +#if no-defaultcacerts + $ try + this patch series consists of 1 patches. + + + abort: localhost certificate error: no certificate received + (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely) + [255] +#endif + $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" Without certificates: