PyKMIP/kmip/tests/unit/services/test_auth.py

# Copyright (c) 2016 The Johns Hopkins University/Applied Physics Laboratory
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import pytest
import ssl
import testtools

from kmip.services import auth


class TestBasicAuthenticationSuite(testtools.TestCase):
    """
    A test suite for the BasicAuthenticationSuite.
    """

    def setUp(self):
        super(TestBasicAuthenticationSuite, self).setUp()

    def tearDown(self):
        super(TestBasicAuthenticationSuite, self).tearDown()

    def test_init(self):
        auth.BasicAuthenticationSuite()

    def test_protocol(self):
        suite = auth.BasicAuthenticationSuite()
        protocol = suite.protocol

        self.assertIsInstance(protocol, int)
        self.assertEqual(ssl.PROTOCOL_TLSv1, suite.protocol)

    def test_ciphers(self):
        suite = auth.BasicAuthenticationSuite()
        ciphers = suite.ciphers

        self.assertIsInstance(ciphers, str)

        cipher_string = ':'.join((
            'AES128-SHA',
            'DES-CBC3-SHA',
            'AES256-SHA',
            'DHE-DSS-DES-CBC3-SHA',
            'DHE-RSA-DES-CBC3-SHA',
            'DH-DSS-AES128-SHA',
            'DH-RSA-AES128-SHA',
            'DHE-DSS-AES128-SHA',
            'DHE-RSA-AES128-SHA',
            'DH-RSA-AES256-SHA',
            'DHE-DSS-AES256-SHA',
            'DHE-RSA-AES256-SHA',
        ))

        self.assertEqual(cipher_string, ciphers)

    def test_custom_ciphers(self):
        """
        Test that providing a custom list of cipher suites yields the right
        cipher string for the Basic auth suite.
        """
        suite = auth.BasicAuthenticationSuite(
            [
                'TLS_RSA_WITH_AES_128_CBC_SHA',
                'TLS_RSA_WITH_AES_256_CBC_SHA',
                'TLS_DHE_PSK_WITH_AES_128_CBC_SHA',
                'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
                'DHE-DSS-AES256-SHA',
                'DHE-RSA-AES256-SHA'
            ]
        )
        ciphers = suite.ciphers

        self.assertIsInstance(ciphers, str)
        suites = ciphers.split(':')
        self.assertEqual(4, len(suites))
        self.assertIn('AES128-SHA', suites)
        self.assertIn('AES256-SHA', suites)
        self.assertIn('DHE-DSS-AES256-SHA', suites)
        self.assertIn('DHE-RSA-AES256-SHA', suites)

    def test_custom_ciphers_empty(self):
        """
        Test that providing a custom list of cipher suites that ultimately
        yields an empty suite list causes the default cipher suite list to
        be provided instead.
        """
        suite = auth.BasicAuthenticationSuite(
            [
                'TLS_RSA_WITH_AES_256_CBC_SHA256'
            ]
        )
        ciphers = suite.ciphers

        self.assertIsInstance(ciphers, str)
        suites = ciphers.split(':')
        self.assertEqual(12, len(suites))
        self.assertIn('AES128-SHA', suites)
        self.assertIn('DES-CBC3-SHA', suites)
        self.assertIn('AES256-SHA', suites)
        self.assertIn('DHE-DSS-DES-CBC3-SHA', suites)
        self.assertIn('DHE-RSA-DES-CBC3-SHA', suites)
        self.assertIn('DH-DSS-AES128-SHA', suites)
        self.assertIn('DH-RSA-AES128-SHA', suites)
        self.assertIn('DHE-DSS-AES128-SHA', suites)
        self.assertIn('DHE-RSA-AES128-SHA', suites)
        self.assertIn('DH-RSA-AES256-SHA', suites)
        self.assertIn('DHE-DSS-AES256-SHA', suites)
        self.assertIn('DHE-RSA-AES256-SHA', suites)


@pytest.mark.skipif(not hasattr(ssl, 'PROTOCOL_TLSv1_2'),
                    reason="Requires ssl.PROTOCOL_TLSv1_2")
class TestTLS12AuthenticationSuite(testtools.TestCase):
    """
    A test suite for the TLS12AuthenticationSuite.
    """

    def setUp(self):
        super(TestTLS12AuthenticationSuite, self).setUp()

    def tearDown(self):
        super(TestTLS12AuthenticationSuite, self).tearDown()

    def test_init(self):
        auth.TLS12AuthenticationSuite()

    def test_protocol(self):
        suite = auth.TLS12AuthenticationSuite()
        protocol = suite.protocol

        self.assertIsInstance(protocol, int)
        self.assertEqual(ssl.PROTOCOL_TLSv1_2, suite.protocol)

    def test_ciphers(self):
        suite = auth.TLS12AuthenticationSuite()
        ciphers = suite.ciphers

        self.assertIsInstance(ciphers, str)

        cipher_string = ':'.join((
            'AES128-SHA256',
            'AES256-SHA256',
            'DH-DSS-AES256-SHA256',
            'DH-DSS-AES128-SHA256',
            'DH-RSA-AES128-SHA256',
            'DHE-DSS-AES128-SHA256',
            'DHE-RSA-AES128-SHA256',
            'DH-DSS-AES256-SHA256',
            'DH-RSA-AES256-SHA256',
            'DHE-DSS-AES256-SHA256',
            'DHE-RSA-AES256-SHA256',
            'ECDH-ECDSA-AES128-SHA256',
            'ECDH-ECDSA-AES256-SHA256',
            'ECDHE-ECDSA-AES128-SHA256',
            'ECDHE-ECDSA-AES256-SHA384',
            'ECDH-RSA-AES128-SHA256',
            'ECDH-RSA-AES256-SHA384',
            'ECDHE-RSA-AES128-SHA256',
            'ECDHE-RSA-AES256-SHA384',
            'ECDHE-ECDSA-AES128-GCM-SHA256',
            'ECDHE-ECDSA-AES256-GCM-SHA384',
            'ECDHE-ECDSA-AES128-SHA256',
            'ECDHE-ECDSA-AES256-SHA384',
        ))

        self.assertEqual(cipher_string, ciphers)

    def test_custom_ciphers(self):
        """
        Test that providing a custom list of cipher suites yields the right
        cipher string.
        """
        suite = auth.TLS12AuthenticationSuite(
            [
                'TLS_RSA_WITH_AES_256_CBC_SHA256',
                'TLS_RSA_WITH_AES_256_CBC_SHA',
                'TLS_DHE_PSK_WITH_AES_128_CBC_SHA',
                'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
                'DHE-DSS-AES256-SHA',
                'DHE-RSA-AES256-SHA'
            ]
        )
        ciphers = suite.ciphers

        self.assertIsInstance(ciphers, str)
        suites = ciphers.split(':')
        self.assertEqual(1, len(suites))
        self.assertIn('AES256-SHA256', suites)

    def test_custom_ciphers_empty(self):
        """
        Test that providing a custom list of cipher suites that ultimately
        yields an empty suite list causes the default cipher suite list to
        be provided instead.
        """
        suite = auth.TLS12AuthenticationSuite(
            [
                'TLS_RSA_WITH_AES_256_CBC_SHA'
            ]
        )
        ciphers = suite.ciphers

        self.assertIsInstance(ciphers, str)
        suites = ciphers.split(':')
        self.assertEqual(23, len(suites))
        self.assertIn('AES128-SHA256', suites)
        self.assertIn('AES256-SHA256', suites)
        self.assertIn('DH-DSS-AES256-SHA256', suites)
        self.assertIn('DH-DSS-AES128-SHA256', suites)
        self.assertIn('DH-RSA-AES128-SHA256', suites)
        self.assertIn('DHE-DSS-AES128-SHA256', suites)
        self.assertIn('DHE-RSA-AES128-SHA256', suites)
        self.assertIn('DH-DSS-AES256-SHA256', suites)
        self.assertIn('DH-RSA-AES256-SHA256', suites)
        self.assertIn('DHE-DSS-AES256-SHA256', suites)
        self.assertIn('DHE-RSA-AES256-SHA256', suites)
        self.assertIn('ECDH-ECDSA-AES128-SHA256', suites)
        self.assertIn('ECDH-ECDSA-AES256-SHA256', suites)
        self.assertIn('ECDHE-ECDSA-AES128-SHA256', suites)
        self.assertIn('ECDHE-ECDSA-AES256-SHA384', suites)
        self.assertIn('ECDH-RSA-AES128-SHA256', suites)
        self.assertIn('ECDH-RSA-AES256-SHA384', suites)
        self.assertIn('ECDHE-RSA-AES128-SHA256', suites)
        self.assertIn('ECDHE-RSA-AES256-SHA384', suites)
        self.assertIn('ECDHE-ECDSA-AES128-GCM-SHA256', suites)
        self.assertIn('ECDHE-ECDSA-AES256-GCM-SHA384', suites)
        self.assertIn('ECDHE-ECDSA-AES128-SHA256', suites)
        self.assertIn('ECDHE-ECDSA-AES256-SHA384', suites)