import base64 import os import urllib import time import re import random import json import requests import socket import tempfile import shutil import atexit import errno import subprocess import challtestsrv challSrv = challtestsrv.ChallTestServer() tempdir = tempfile.mkdtemp() @atexit.register def stop(): shutil.rmtree(tempdir) config_dir = os.environ.get('BOULDER_CONFIG_DIR', '') if config_dir == '': raise Exception("BOULDER_CONFIG_DIR was not set") CONFIG_NEXT = config_dir.startswith("test/config-next") def temppath(name): """Creates and returns a closed file inside the tempdir.""" f = tempfile.NamedTemporaryFile( dir=tempdir, suffix='.{0}'.format(name), mode='w+', delete=False ) f.close() return f def fakeclock(date): return date.strftime("%a %b %d %H:%M:%S UTC %Y") def get_future_output(cmd, date): return subprocess.check_output(cmd, stderr=subprocess.STDOUT, env={'FAKECLOCK': fakeclock(date)}).decode() def random_domain(): """Generate a random domain for testing (to avoid rate limiting).""" return "rand.%x.xyz" % random.randrange(2**32) def run(cmd, **kwargs): return subprocess.check_call(cmd, stderr=subprocess.STDOUT, **kwargs) def fetch_ocsp(request_bytes, url): """Fetch an OCSP response using POST, GET, and GET with URL encoding. Returns a tuple of the responses. """ ocsp_req_b64 = base64.b64encode(request_bytes).decode() # Make the OCSP request three different ways: by POST, by GET, and by GET with # URL-encoded parameters. All three should have an identical response. get_response = requests.get("%s/%s" % (url, ocsp_req_b64)).content get_encoded_response = requests.get("%s/%s" % (url, urllib.parse.quote(ocsp_req_b64, safe = ""))).content post_response = requests.post("%s/" % (url), data=request_bytes).content return (post_response, get_response, get_encoded_response) def make_ocsp_req(cert_file, issuer_file): """Return the bytes of an OCSP request for the given certificate file.""" with tempfile.NamedTemporaryFile(dir=tempdir) as f: run(["openssl", "ocsp", "-no_nonce", "-issuer", issuer_file, "-cert", cert_file, "-reqout", f.name]) ocsp_req = f.read() return ocsp_req def ocsp_verify(cert_file, issuer_file, ocsp_response): with tempfile.NamedTemporaryFile(dir=tempdir, delete=False) as f: f.write(ocsp_response) f.close() output = subprocess.check_output([ 'openssl', 'ocsp', '-no_nonce', '-issuer', issuer_file, '-cert', cert_file, '-verify_other', issuer_file, '-CAfile', '/hierarchy/root-cert-rsa.pem', '-respin', f.name], stderr=subprocess.STDOUT).decode() # OpenSSL doesn't always return non-zero when response verify fails, so we # also look for the string "Response Verify Failure" verify_failure = "Response Verify Failure" if re.search(verify_failure, output): print(output) raise(Exception("OCSP verify failure")) return output def verify_ocsp(cert_file, issuer_file, url, status="revoked", reason=None): ocsp_request = make_ocsp_req(cert_file, issuer_file) responses = fetch_ocsp(ocsp_request, url) # Verify all responses are the same for resp in responses: if resp != responses[0]: raise(Exception("OCSP responses differed: %s vs %s" %( base64.b64encode(responses[0]), base64.b64encode(resp)))) # Check response is for the correct certificate and is correct # status resp = responses[0] verify_output = ocsp_verify(cert_file, issuer_file, resp) if status is not None: if not re.search("%s: %s" % (cert_file, status), verify_output): print(verify_output) raise(Exception("OCSP response wasn't '%s'" % status)) if reason is not None: if not re.search("Reason: %s" % reason, verify_output): print(verify_output) raise(Exception("OCSP response wasn't '%s'" % reason)) return verify_output def reset_akamai_purges(): requests.post("http://localhost:6789/debug/reset-purges", data="{}") def verify_akamai_purge(): deadline = time.time() + .4 while True: time.sleep(0.05) if time.time() > deadline: raise(Exception("Timed out waiting for Akamai purge")) response = requests.get("http://localhost:6789/debug/get-purges") purgeData = response.json() if len(purgeData["V3"]) == 0: continue break reset_akamai_purges() twenty_days_ago_functions = [ ] def register_twenty_days_ago(f): """Register a function to be run during "setup_twenty_days_ago." This allows test cases to define their own custom setup. """ twenty_days_ago_functions.append(f) def setup_twenty_days_ago(): """Do any setup that needs to happen 20 day in the past, for tests that will run in the 'present'. """ for f in twenty_days_ago_functions: f() six_months_ago_functions = [] def register_six_months_ago(f): six_months_ago_functions.append(f) def setup_six_months_ago(): [f() for f in six_months_ago_functions] def waitport(port, prog, perTickCheck=None): """Wait until a port on localhost is open.""" for _ in range(1000): try: time.sleep(0.1) if perTickCheck is not None and not perTickCheck(): return False s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('localhost', port)) s.close() return True except socket.error as e: if e.errno == errno.ECONNREFUSED: print("Waiting for debug port %d (%s)" % (port, prog)) else: raise raise(Exception("timed out waiting for debug port %d (%s)" % (port, prog))) def waithealth(prog, addr): subprocess.check_call([ './bin/health-checker', '-addr', addr, '-config', os.path.join(config_dir, 'health-checker.json')])