internet/community.crypto
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.crypto.git synced 2026-03-26 21:33:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
aec1826c34051b9e7f8af7950489915b661e320b
community.crypto/tests/unit/plugins/module_utils/openssh/test_certificate.py
Felix Fontein aec1826c34 Reformat everything with black. 
I had to undo the u string prefix removals to not drop Python 2 compatibility.
That's why black isn't enabled in antsibull-nox.toml yet.
2025-04-28 10:48:00 +02:00

444 lines
16 KiB
Python
Raw Blame History

# -*- coding: utf-8 -*-
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
import pytest
from ansible_collections.community.crypto.plugins.module_utils.openssh.certificate import (
OpensshCertificate,
OpensshCertificateOption,
OpensshCertificateTimeParameters,
parse_option_list,
)
# Type: ssh-rsa-cert-v01@openssh.com user certificate
# Public key: RSA-CERT SHA256:SvUwwUer4AwsdePYseJR3LcZS8lnKi6BqiL51Dop030
# Signing CA: DSA SHA256:YCdJ2lYU+FSkWUud7zg1SJszprXoRGNU/GVcqXUjgC8
# Key ID: "test"
# Serial: 0
# Valid: forever
# Principals: (none)
# Critical Options: (none)
# Extensions:
# permit-X11-forwarding
# permit-agent-forwarding
# permit-port-forwarding
# permit-pty
# permit-user-rc
RSA_CERT_SIGNED_BY_DSA = (
b"ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgY9CvhGpyvBB611Lmx6hHPD+CmeJ0oW"
+ b"SSK1q6K3h5CS4AAAADAQABAAABAQDKYIJtpFaWpTNNifmuV3DM9BBdngMG28jWPy4C/SoZg4EP7mkYUsG6hN+LgjOL17YEF7bKDEWPl9sQS"
+ b"92iD+AuAPrjnHVQ9VG5hbTYiQAaicj6hxqBoNqGQWxDzhZL4B35MgqmoUOBGnzYA/fKgqhRVzOXbWFxKLtzSJzB+Z+kmeoBzq+4MazL4Bko"
+ b"yPZMrIMnvxiluv+kqE9SWeJ/5e7WXdtbYTnSR4WN3gW/BMKEoKQk/UGwuPvCiRq+y8LorJP4B1Wfwlm/meqtbTidXyCcQPR9xWpce3rRjLL"
+ b"T6cimUjWrbx7Q1SlsypdkclgPSTu9Jg457am8tnQUgnL7VdetAAAAAAAAAAAAAAABAAAABHRlc3QAAAAAAAAAAAAAAAD//////////wAAAA"
+ b"AAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0L"
+ b"WZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAGxAAAAB3NzaC1kc3MAAACBAPV/"
+ b"b5FknU8e56TWAGLRQ0v3c3f5jAS0txcwqtYLHLulTqyMcLL0MyzWxXv77MpjTMwEjWXLbfNWdk/qmsjfBynzs2nSZ7clVsqt/ZOadcBFEhq"
+ b"ZM0l+1ZCPkhQiqsD2aodGbkVcJgqL5Z5krzB5MTey7c8rlAAxKOjfs70Bg8MPAAAAFQCW466dSEu2Pf0u8AA5SHgH0i/xuwAAAIBc23gfmv"
+ b"GC+oaUAXiak17kH6NvOSJXZBdk/8CyGK6yL+CHKrKyffe6BbiVXwC6sUIa9j4YsFeyYwPFGBtfLuNUmgyKYTJcCM2zJLBykmTIvjSdRaYGN"
+ b"Rkyi8GnzVV2lWxQ+4m4UGeTPbPN/OG4B0NwDbBJGbVJv0xJPq2EBKoUdgAAAIAyrFxGDLtOZFZ2fgONVaKaapEpJ5f3qPhLDXxVQ/BKVUkU"
+ b"RA4AHHyXF2AMiiOOiHLrO5xsEGUyW+OISFm+6m17cEPNixA7G1fBniLvyVv2woyYW3kaY4J9z266kAFzFWVNgwr+T7MY0hEvct8VFA97JMR"
+ b"Q7c8c/tNDaL7uqV46QQAAADcAAAAHc3NoLWRzcwAAAChaQ94wqca+KhkHtbkLpjvGsfu0Gy03SAb0+o11Shk/BXnK7N/cwEVD "
+ b"ansible@ansible-host"
)
RSA_FINGERPRINT = "SHA256:SvUwwUer4AwsdePYseJR3LcZS8lnKi6BqiL51Dop030"
# Type: ssh-dss-cert-v01@openssh.com user certificate
# Public key: DSA-CERT SHA256:YCdJ2lYU+FSkWUud7zg1SJszprXoRGNU/GVcqXUjgC8
# Signing CA: ECDSA SHA256:w9lp4zGRJShhm4DzO3ulVm0BEcR0PMjrM6VanQo4C0w
# Key ID: "test"
# Serial: 0
# Valid: forever
# Principals: (none)
# Critical Options: (none)
# Extensions: (none)
DSA_CERT_SIGNED_BY_ECDSA_NO_OPTS = (
b"ssh-dss-cert-v01@openssh.com AAAAHHNzaC1kc3MtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgsKvMxIv4viCNQX7z8K4/R5jronpZGf"
+ b"ydpoBoh2Cx5dgAAACBAPV/b5FknU8e56TWAGLRQ0v3c3f5jAS0txcwqtYLHLulTqyMcLL0MyzWxXv77MpjTMwEjWXLbfNWdk/qmsjfBynzs"
+ b"2nSZ7clVsqt/ZOadcBFEhqZM0l+1ZCPkhQiqsD2aodGbkVcJgqL5Z5krzB5MTey7c8rlAAxKOjfs70Bg8MPAAAAFQCW466dSEu2Pf0u8AA5"
+ b"SHgH0i/xuwAAAIBc23gfmvGC+oaUAXiak17kH6NvOSJXZBdk/8CyGK6yL+CHKrKyffe6BbiVXwC6sUIa9j4YsFeyYwPFGBtfLuNUmgyKYTJ"
+ b"cCM2zJLBykmTIvjSdRaYGNRkyi8GnzVV2lWxQ+4m4UGeTPbPN/OG4B0NwDbBJGbVJv0xJPq2EBKoUdgAAAIAyrFxGDLtOZFZ2fgONVaKaap"
+ b"EpJ5f3qPhLDXxVQ/BKVUkURA4AHHyXF2AMiiOOiHLrO5xsEGUyW+OISFm+6m17cEPNixA7G1fBniLvyVv2woyYW3kaY4J9z266kAFzFWVNg"
+ b"wr+T7MY0hEvct8VFA97JMRQ7c8c/tNDaL7uqV46QQAAAAAAAAAAAAAAAQAAAAR0ZXN0AAAAAAAAAAAAAAAA//////////8AAAAAAAAAAAAA"
+ b"AAAAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOf55Wc0yzaJPtxXxBGZKmAUozbYXwxZGFS1c/FaJbwLpq/"
+ b"wvanQKM01uU73swNIt+ZFra9kRSi21xjzgMPn7U0AAABkAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABJAAAAIGmlKa/riG7+EpoW6dTJY6"
+ b"0N8BrEcniKgOxdRM1EPJ2DAAAAIQDnK4stvbvS+Bn0/42Was7uOfJtnLYXs5EuB2L3uejPcQ== ansible@ansible-host"
)
DSA_FINGERPRINT = "SHA256:YCdJ2lYU+FSkWUud7zg1SJszprXoRGNU/GVcqXUjgC8"
# Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
# Public key: ECDSA-CERT SHA256:w9lp4zGRJShhm4DzO3ulVm0BEcR0PMjrM6VanQo4C0w
# Signing CA: ED25519 SHA256:NP4JdfkCopbjwMepq0aPrpMz13cNmEd+uDOxC/j9N40
# Key ID: "test"
# Serial: 0
# Valid: forever
# Principals: (none)
# Critical Options:
# force-command /usr/bin/csh
# Extensions:
# permit-X11-forwarding
# permit-agent-forwarding
# permit-port-forwarding
# permit-pty
# permit-user-rc
ECDSA_CERT_SIGNED_BY_ED25519_VALID_OPTS = (
b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgtC"
+ b"ips7/sOOOTAgiawGlQhM6pb26t0FfQ1jG60m+tOg0AAAAIbmlzdHAyNTYAAABBBOf55Wc0yzaJPtxXxBGZKmAUozbYXwxZGFS1c/FaJbwLp"
+ b"q/wvanQKM01uU73swNIt+ZFra9kRSi21xjzgMPn7U0AAAAAAAAAAAAAAAEAAAAEdGVzdAAAAAAAAAAAAAAAAP//////////AAAAJQAAAA1m"
+ b"b3JjZS1jb21tYW5kAAAAEAAAAAwvdXNyL2Jpbi9jc2gAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW5"
+ b"0LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLX"
+ b"JjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAII3qYBforim0x87UXpaTDNFnhFTyb+TPCJVQpEAOHTL6AAAAUwAAAAtzc2gtZWQyN"
+ b"TUxOQAAAEAdp3eOLRN5t2wW29TBWbz604uuXg88jH4RA4HDhbRupa/x2rN3j6iZQ4VXPLA4JtdfIslHFkH6HUlxU8XsoJwP "
+ b"ansible@ansible-host"
)
ECDSA_FINGERPRINT = "SHA256:w9lp4zGRJShhm4DzO3ulVm0BEcR0PMjrM6VanQo4C0w"
# Type: ssh-ed25519-cert-v01@openssh.com user certificate
# Public key: ED25519-CERT SHA256:NP4JdfkCopbjwMepq0aPrpMz13cNmEd+uDOxC/j9N40
# Signing CA: RSA SHA256:SvUwwUer4AwsdePYseJR3LcZS8lnKi6BqiL51Dop030
# Key ID: "test"
# Serial: 0
# Valid: forever
# Principals: (none)
# Critical Options:
# test UNKNOWN OPTION (len 13)
# Extensions:
# test UNKNOWN OPTION (len 0)
ED25519_CERT_SIGNED_BY_RSA_INVALID_OPTS = (
b"ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIP034YpKn6BDcwxqFnVrKt"
+ b"kNX7k6X7hxZ7lADp5LAxHrAAAAII3qYBforim0x87UXpaTDNFnhFTyb+TPCJVQpEAOHTL6AAAAAAAAAAAAAAABAAAABHRlc3QAAAAAAAAAA"
+ b"AAAAAD//////////wAAABkAAAAEdGVzdAAAAA0AAAAJdW5kZWZpbmVkAAAADAAAAAR0ZXN0AAAAAAAAAAAAAAEXAAAAB3NzaC1yc2EAAAAD"
+ b"AQABAAABAQDKYIJtpFaWpTNNifmuV3DM9BBdngMG28jWPy4C/SoZg4EP7mkYUsG6hN+LgjOL17YEF7bKDEWPl9sQS92iD+AuAPrjnHVQ9VG"
+ b"5hbTYiQAaicj6hxqBoNqGQWxDzhZL4B35MgqmoUOBGnzYA/fKgqhRVzOXbWFxKLtzSJzB+Z+kmeoBzq+4MazL4BkoyPZMrIMnvxiluv+kqE"
+ b"9SWeJ/5e7WXdtbYTnSR4WN3gW/BMKEoKQk/UGwuPvCiRq+y8LorJP4B1Wfwlm/meqtbTidXyCcQPR9xWpce3rRjLLT6cimUjWrbx7Q1Slsy"
+ b"pdkclgPSTu9Jg457am8tnQUgnL7VdetAAABDwAAAAdzc2gtcnNhAAABAMZLNacwOMNexYUaFK1nU0JPQTv4fM73QDG3xURtDsIbI6DAcA1y"
+ b"KkvgjJcxlZHx0APJ+i1lWNAvPeOmuPTioymjIEuwxi0VGuAoVKgjmIy6aXH2z3YMxy9cGOq6LNfI4c58iBHR5ejVHAzvIg3rowypVsCGugL"
+ b"7WJpz3eypBJt4TglwRTJpp54IMN2CyDQm0N97x9ris8jQQHlCF2EgZp1u4aOiZJTSJ5d4hapO0uZwXOI9AIWy/lmx0/6jX07MWrs4iXpfiF"
+ b"5T4s6kEn7YW4SaJ0Z7xGp3V0vDOxh+jwHZGD5GM449Il6QxQwDY5BSJq+iMR467yaIjw2g8Kt4ZiU= ansible@ansible-host"
)
ED25519_FINGERPRINT = "SHA256:NP4JdfkCopbjwMepq0aPrpMz13cNmEd+uDOxC/j9N40"
# garbage
INVALID_DATA = (
b"yDspTN+BJzvIK2Q+CRD3qBDVSi+YqSxwyz432VEaHKlXbuLURirY0QpuBCqgR6tCtWW5vEGkXKZ3"
)
VALID_OPTS = [OpensshCertificateOption("critical", "force-command", "/usr/bin/csh")]
INVALID_OPTS = [OpensshCertificateOption("critical", "test", "undefined")]
VALID_EXTENSIONS = [
OpensshCertificateOption("extension", "permit-x11-forwarding", ""),
OpensshCertificateOption("extension", "permit-agent-forwarding", ""),
OpensshCertificateOption("extension", "permit-port-forwarding", ""),
OpensshCertificateOption("extension", "permit-pty", ""),
OpensshCertificateOption("extension", "permit-user-rc", ""),
]
INVALID_EXTENSIONS = [OpensshCertificateOption("extension", "test", "")]
VALID_TIME_PARAMETERS = [
(
0,
"always",
"always",
0,
0xFFFFFFFFFFFFFFFF,
"forever",
"forever",
253402300800,
"",
),
(
"always",
"always",
"always",
0,
"forever",
"forever",
"forever",
253402300800,
"",
),
(
315532800,
"1980-01-01T00:00:00",
"19800101000000",
315532800,
631152000,
"1990-01-01T00:00:00",
"19900101000000",
631152000,
"19800101000000:19900101000000",
),
(
"1980-01-01",
"1980-01-01T00:00:00",
"19800101000000",
315532800,
"1990-01-01",
"1990-01-01T00:00:00",
"19900101000000",
631152000,
"19800101000000:19900101000000",
),
(
"1980-01-01 00:00:00",
"1980-01-01T00:00:00",
"19800101000000",
315532800,
"1990-01-01 00:00:00",
"1990-01-01T00:00:00",
"19900101000000",
631152000,
"19800101000000:19900101000000",
),
(
"1980-01-01T00:00:00",
"1980-01-01T00:00:00",
"19800101000000",
315532800,
"1990-01-01T00:00:00",
"1990-01-01T00:00:00",
"19900101000000",
631152000,
"19800101000000:19900101000000",
),
(
"always",
"always",
"always",
0,
"1990-01-01T00:00:00",
"1990-01-01T00:00:00",
"19900101000000",
631152000,
"always:19900101000000",
),
(
"1980-01-01",
"1980-01-01T00:00:00",
"19800101000000",
315532800,
"forever",
"forever",
"forever",
253402300800,
"19800101000000:forever",
),
]
INVALID_TIME_PARAMETERS = [
(-1, 0xFFFFFFFFFFFFFFFFFF),
("never", "ever"),
("01-01-1980", "01-01-1990"),
(1, 0),
]
VALID_VALIDITY_TEST = [
("always", "forever", "2000-01-01"),
("1999-12-31", "2000-01-02", "2000-01-01"),
("1999-12-31 23:59:00", "2000-01-01 00:01:00", "2000-01-01 00:00:00"),
("1999-12-31 23:59:59", "2000-01-01 00:00:01", "2000-01-01 00:00:00"),
]
INVALID_VALIDITY_TEST = [
("always", "forever", "1969-12-31"),
("always", "2000-01-01", "2000-01-02"),
("2000-01-01", "forever", "1999-12-31"),
("2000-01-01 00:00:00", "2000-01-01 00:00:01", "2000-01-01 00:00:02"),
]
VALID_OPTIONS = [
(
"force-command=/usr/bin/csh",
OpensshCertificateOption("critical", "force-command", "/usr/bin/csh"),
),
(
"Force-Command=/Usr/Bin/Csh",
OpensshCertificateOption("critical", "force-command", "/Usr/Bin/Csh"),
),
(
"permit-x11-forwarding",
OpensshCertificateOption("extension", "permit-x11-forwarding", ""),
),
(
"permit-X11-forwarding",
OpensshCertificateOption("extension", "permit-x11-forwarding", ""),
),
("critical:foo=bar", OpensshCertificateOption("critical", "foo", "bar")),
("extension:foo", OpensshCertificateOption("extension", "foo", "")),
]
INVALID_OPTIONS = [
"foobar",
"foo=bar",
"foo:bar=baz",
[],
]
def test_rsa_certificate(tmpdir):
cert_file = tmpdir / "id_rsa-cert.pub"
cert_file.write(RSA_CERT_SIGNED_BY_DSA, mode="wb")
cert = OpensshCertificate.load(str(cert_file))
assert cert.key_id == "test"
assert cert.serial == 0
assert cert.type_string == "ssh-rsa-cert-v01@openssh.com"
assert cert.public_key == RSA_FINGERPRINT
assert cert.signing_key == DSA_FINGERPRINT
def test_dsa_certificate(tmpdir):
cert_file = tmpdir / "id_dsa-cert.pub"
cert_file.write(DSA_CERT_SIGNED_BY_ECDSA_NO_OPTS)
cert = OpensshCertificate.load(str(cert_file))
assert cert.type_string == "ssh-dss-cert-v01@openssh.com"
assert cert.public_key == DSA_FINGERPRINT
assert cert.signing_key == ECDSA_FINGERPRINT
assert cert.critical_options == []
assert cert.extensions == []
def test_ecdsa_certificate(tmpdir):
cert_file = tmpdir / "id_ecdsa-cert.pub"
cert_file.write(ECDSA_CERT_SIGNED_BY_ED25519_VALID_OPTS)
cert = OpensshCertificate.load(str(cert_file))
assert cert.type_string == "ecdsa-sha2-nistp256-cert-v01@openssh.com"
assert cert.public_key == ECDSA_FINGERPRINT
assert cert.signing_key == ED25519_FINGERPRINT
assert cert.critical_options == VALID_OPTS
assert cert.extensions == VALID_EXTENSIONS
def test_ed25519_certificate(tmpdir):
cert_file = tmpdir / "id_ed25519-cert.pub"
cert_file.write(ED25519_CERT_SIGNED_BY_RSA_INVALID_OPTS)
cert = OpensshCertificate.load(str(cert_file))
assert cert.type_string == "ssh-ed25519-cert-v01@openssh.com"
assert cert.public_key == ED25519_FINGERPRINT
assert cert.signing_key == RSA_FINGERPRINT
assert cert.critical_options == INVALID_OPTS
assert cert.extensions == INVALID_EXTENSIONS
def test_invalid_data(tmpdir):
result = False
cert_file = tmpdir / "invalid-cert.pub"
cert_file.write(INVALID_DATA)
try:
OpensshCertificate.load(str(cert_file))
except ValueError:
result = True
assert result
@pytest.mark.parametrize(
"valid_from,valid_from_hr,valid_from_openssh,valid_from_timestamp,"
+ "valid_to,valid_to_hr,valid_to_openssh,valid_to_timestamp,"
+ "validity_string",
VALID_TIME_PARAMETERS,
)
def test_valid_time_parameters(
valid_from,
valid_from_hr,
valid_from_openssh,
valid_from_timestamp,
valid_to,
valid_to_hr,
valid_to_openssh,
valid_to_timestamp,
validity_string,
):
time_parameters = OpensshCertificateTimeParameters(
valid_from=valid_from, valid_to=valid_to
)
assert time_parameters.valid_from(date_format="human_readable") == valid_from_hr
assert time_parameters.valid_from(date_format="openssh") == valid_from_openssh
assert time_parameters.valid_from(date_format="timestamp") == valid_from_timestamp
assert time_parameters.valid_to(date_format="human_readable") == valid_to_hr
assert time_parameters.valid_to(date_format="openssh") == valid_to_openssh
assert time_parameters.valid_to(date_format="timestamp") == valid_to_timestamp
assert time_parameters.validity_string == validity_string
@pytest.mark.parametrize("valid_from,valid_to", INVALID_TIME_PARAMETERS)
def test_invalid_time_parameters(valid_from, valid_to):
with pytest.raises(ValueError):
OpensshCertificateTimeParameters(valid_from, valid_to)
@pytest.mark.parametrize("valid_from,valid_to,valid_at", VALID_VALIDITY_TEST)
def test_valid_validity_test(valid_from, valid_to, valid_at):
assert OpensshCertificateTimeParameters(valid_from, valid_to).within_range(valid_at)
@pytest.mark.parametrize("valid_from,valid_to,valid_at", INVALID_VALIDITY_TEST)
def test_invalid_validity_test(valid_from, valid_to, valid_at):
assert not OpensshCertificateTimeParameters(valid_from, valid_to).within_range(
valid_at
)
@pytest.mark.parametrize("option_string,option_object", VALID_OPTIONS)
def test_valid_options(option_string, option_object):
assert OpensshCertificateOption.from_string(option_string) == option_object
@pytest.mark.parametrize("option_string", INVALID_OPTIONS)
def test_invalid_options(option_string):
with pytest.raises(ValueError):
OpensshCertificateOption.from_string(option_string)
def test_parse_option_list():
critical_options, extensions = parse_option_list(["force-command=/usr/bin/csh"])
critical_option_objects = [
OpensshCertificateOption.from_string("force-command=/usr/bin/csh"),
]
extension_objects = [
OpensshCertificateOption.from_string("permit-x11-forwarding"),
OpensshCertificateOption.from_string("permit-agent-forwarding"),
OpensshCertificateOption.from_string("permit-port-forwarding"),
OpensshCertificateOption.from_string("permit-user-rc"),
OpensshCertificateOption.from_string("permit-pty"),
]
assert set(critical_options) == set(critical_option_objects)
assert set(extensions) == set(extension_objects)
def test_parse_option_list_with_directives():
critical_options, extensions = parse_option_list(
["clear", "no-pty", "permit-pty", "permit-user-rc"]
)
extension_objects = [
OpensshCertificateOption.from_string("permit-user-rc"),
OpensshCertificateOption.from_string("permit-pty"),
]
assert set(critical_options) == set()
assert set(extensions) == set(extension_objects)
def test_parse_option_list_case_sensitivity():
critical_options, extensions = parse_option_list(
["CLEAR", "no-X11-forwarding", "permit-X11-forwarding"]
)
extension_objects = [
OpensshCertificateOption.from_string("permit-x11-forwarding"),
]
assert set(critical_options) == set()
assert set(extensions) == set(extension_objects)
Reference in New Issue View Git Blame Copy Permalink