File: //snap/google-cloud-cli/396/platform/gsutil/third_party/urllib3/test/test_ssl.py
from __future__ import annotations
import ssl
import typing
from unittest import mock
import pytest
from urllib3.exceptions import ProxySchemeUnsupported, SSLError
from urllib3.util import ssl_
class TestSSL:
@pytest.mark.parametrize(
"addr",
[
# IPv6
"::1",
"::",
"FE80::8939:7684:D84b:a5A4%251",
# IPv4
"127.0.0.1",
"8.8.8.8",
b"127.0.0.1",
# IPv6 w/ Zone IDs
"FE80::8939:7684:D84b:a5A4%251",
b"FE80::8939:7684:D84b:a5A4%251",
"FE80::8939:7684:D84b:a5A4%19",
b"FE80::8939:7684:D84b:a5A4%19",
],
)
def test_is_ipaddress_true(self, addr: bytes | str) -> None:
assert ssl_.is_ipaddress(addr)
@pytest.mark.parametrize(
"addr",
[
"www.python.org",
b"www.python.org",
"v2.sg.media-imdb.com",
b"v2.sg.media-imdb.com",
],
)
def test_is_ipaddress_false(self, addr: bytes | str) -> None:
assert not ssl_.is_ipaddress(addr)
def test_create_urllib3_context_set_ciphers(
self, monkeypatch: pytest.MonkeyPatch
) -> None:
ciphers = "ECDH+AESGCM:ECDH+CHACHA20"
context = mock.create_autospec(ssl_.SSLContext)
context.set_ciphers = mock.Mock()
context.options = 0
monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
assert ssl_.create_urllib3_context(ciphers=ciphers) is context
assert context.set_ciphers.call_count == 1
assert context.set_ciphers.call_args == mock.call(ciphers)
def test_create_urllib3_no_context(self) -> None:
with mock.patch("urllib3.util.ssl_.SSLContext", None):
with pytest.raises(TypeError):
ssl_.create_urllib3_context()
def test_wrap_socket_given_context_no_load_default_certs(self) -> None:
context = mock.create_autospec(ssl_.SSLContext)
context.load_default_certs = mock.Mock()
sock = mock.Mock()
ssl_.ssl_wrap_socket(sock, ssl_context=context)
context.load_default_certs.assert_not_called()
def test_wrap_socket_given_ca_certs_no_load_default_certs(
self, monkeypatch: pytest.MonkeyPatch
) -> None:
context = mock.create_autospec(ssl_.SSLContext)
context.load_default_certs = mock.Mock()
context.options = 0
monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
sock = mock.Mock()
ssl_.ssl_wrap_socket(sock, ca_certs="/tmp/fake-file")
context.load_default_certs.assert_not_called()
context.load_verify_locations.assert_called_with("/tmp/fake-file", None, None)
def test_wrap_socket_default_loads_default_certs(
self, monkeypatch: pytest.MonkeyPatch
) -> None:
context = mock.create_autospec(ssl_.SSLContext)
context.load_default_certs = mock.Mock()
context.options = 0
monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
sock = mock.Mock()
ssl_.ssl_wrap_socket(sock)
context.load_default_certs.assert_called_with()
def test_wrap_socket_no_ssltransport(self) -> None:
with mock.patch("urllib3.util.ssl_.SSLTransport", None):
with pytest.raises(ProxySchemeUnsupported):
sock = mock.Mock()
ssl_.ssl_wrap_socket(sock, tls_in_tls=True)
@pytest.mark.parametrize(
["pha", "expected_pha", "cert_reqs"],
[
(None, None, None),
(None, None, ssl.CERT_NONE),
(None, None, ssl.CERT_OPTIONAL),
(None, None, ssl.CERT_REQUIRED),
(False, True, None),
(False, True, ssl.CERT_NONE),
(False, True, ssl.CERT_OPTIONAL),
(False, True, ssl.CERT_REQUIRED),
(True, True, None),
(True, True, ssl.CERT_NONE),
(True, True, ssl.CERT_OPTIONAL),
(True, True, ssl.CERT_REQUIRED),
],
)
def test_create_urllib3_context_pha(
self,
monkeypatch: pytest.MonkeyPatch,
pha: bool | None,
expected_pha: bool | None,
cert_reqs: int | None,
) -> None:
context = mock.create_autospec(ssl_.SSLContext)
context.set_ciphers = mock.Mock()
context.options = 0
context.post_handshake_auth = pha
monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
assert ssl_.create_urllib3_context(cert_reqs=cert_reqs) is context
assert context.post_handshake_auth == expected_pha
def test_create_urllib3_context_default_ciphers(
self, monkeypatch: pytest.MonkeyPatch
) -> None:
context = mock.create_autospec(ssl_.SSLContext)
context.set_ciphers = mock.Mock()
context.options = 0
monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
ssl_.create_urllib3_context()
context.set_ciphers.assert_not_called()
@pytest.mark.parametrize(
"kwargs",
[
{
"ssl_version": ssl.PROTOCOL_TLSv1,
"ssl_minimum_version": ssl.TLSVersion.MINIMUM_SUPPORTED,
},
{
"ssl_version": ssl.PROTOCOL_TLSv1,
"ssl_maximum_version": ssl.TLSVersion.TLSv1,
},
{
"ssl_version": ssl.PROTOCOL_TLSv1,
"ssl_minimum_version": ssl.TLSVersion.MINIMUM_SUPPORTED,
"ssl_maximum_version": ssl.TLSVersion.MAXIMUM_SUPPORTED,
},
],
)
def test_create_urllib3_context_ssl_version_and_ssl_min_max_version_errors(
self, kwargs: dict[str, typing.Any]
) -> None:
with pytest.raises(ValueError) as e:
ssl_.create_urllib3_context(**kwargs)
assert str(e.value) == (
"Can't specify both 'ssl_version' and either 'ssl_minimum_version' or 'ssl_maximum_version'"
)
@pytest.mark.parametrize(
"kwargs",
[
{
"ssl_version": ssl.PROTOCOL_TLS,
"ssl_minimum_version": ssl.TLSVersion.MINIMUM_SUPPORTED,
},
{
"ssl_version": ssl.PROTOCOL_TLS_CLIENT,
"ssl_minimum_version": ssl.TLSVersion.MINIMUM_SUPPORTED,
},
{
"ssl_version": None,
"ssl_minimum_version": ssl.TLSVersion.MINIMUM_SUPPORTED,
},
],
)
def test_create_urllib3_context_ssl_version_and_ssl_min_max_version_no_warning(
self, kwargs: dict[str, typing.Any]
) -> None:
ssl_.create_urllib3_context(**kwargs)
@pytest.mark.parametrize(
"kwargs",
[
{"ssl_version": ssl.PROTOCOL_TLSv1, "ssl_minimum_version": None},
{"ssl_version": ssl.PROTOCOL_TLSv1, "ssl_maximum_version": None},
{
"ssl_version": ssl.PROTOCOL_TLSv1,
"ssl_minimum_version": None,
"ssl_maximum_version": None,
},
],
)
def test_create_urllib3_context_ssl_version_and_ssl_min_max_version_no_error(
self, kwargs: dict[str, typing.Any]
) -> None:
with pytest.warns(
DeprecationWarning,
match=r"'ssl_version' option is deprecated and will be removed in "
r"urllib3 v2\.1\.0\. Instead use 'ssl_minimum_version'",
):
ssl_.create_urllib3_context(**kwargs)
def test_assert_fingerprint_raises_exception_on_none_cert(self) -> None:
with pytest.raises(SSLError):
ssl_.assert_fingerprint(
cert=None, fingerprint="55:39:BF:70:05:12:43:FA:1F:D1:BF:4E:E8:1B:07:1D"
)