a }|ga@sfdZddlZddlZddlZddlZddlmZddlmZddlZddl m Z ddl m Z ddl m Zddl mZdd lmZddlm Z dd lmZdd lmZdd lmZdd lmZGdddejZGdddejZejddfddZ GdddejZ!GdddejZ"GdddejZ#ddZ$ddZ%e&dkrbe'e(ej)dde*gdS) z)Tests for certbot._internal.auth_handler.N)mock) b64encode) challenges)client)errors)messages) achallenges)obj)common) acme_util)utilc@s,eZdZddZddZddZddZd S) ChallengeFactoryTestcCsFddlm}|ddtjddg|_ttjdtj tjgd|_ dS)Nr AuthHandlerZmock_key)keytest) certbot._internal.auth_handlerrrMockhandlerr gen_authzrrSTATUS_PENDING CHALLENGESauthzrselfrrM/usr/lib/python3.9/site-packages/certbot/_internal/tests/auth_handler_test.pysetUps    zChallengeFactoryTest.setUpcCs8|j|jtdttj}dd|Dtjks4JdS)NrcSsg|] }|jqSrchall.0Zachallrrr (z1ChallengeFactoryTest.test_all..)r_challenge_factoryrrangelenr rrachallsrrrtest_all$szChallengeFactoryTest.test_allcCs0|j|jdg}dd|Dtjgks,JdS)NrcSsg|] }|jqSrrr!rrrr#-r$z6ChallengeFactoryTest.test_one_http..)rr%rr HTTP01r(rrr test_one_http*sz"ChallengeFactoryTest.test_one_httpcCsLttjdtjdddgtjg}|j|dg}t|dt j ksHJdS)Nrr Z unrecognized)r typr) r rrrrrrr%typerZOther)rrr)rrrtest_unrecognized/sz&ChallengeFactoryTest.test_unrecognizedN)__name__ __module__ __qualname__rr*r,r/rrrrr s r c@seZdZdZddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ edddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-S).HandleAuthorizationsTestzmhandle_authorizations test. This tests everything except for all functions under _poll_challenges. cCsddlm}t|_tjdd|_t|jtjdd|_ t j g|j j _ t|j j_t|_tjtjd|_tjj|jj_||j |j|jg|_ttjdS)NrrF)debug_challengesZ Authenticatorname)spec)rrrr mock_display mock_config display_objZ set_display MagicMock mock_authrr+get_chall_pref return_value gen_auth_respperform side_effect mock_account acme_clientZClientV2mock_netZ retry_afterrloggingdisableZCRITICALrrrrr@s     zHandleAuthorizationsTest.setUpcCsttjdSNrErFZNOTSETrrrrtearDownVsz!HandleAuthorizationsTest.tearDowncCstdtjd}tj|gd}tddd|jj_t d}|j ||j }|jj jdks\J|jjjdksnJ|jjdks~J|jjdd d dksJ|jjdd d d ksJ|jjjdksJ|jjjd d d jd ksJt|dksJWdn1s0YdS) N0domainZchallsZauthorizations)retry wait_valuez#certbot._internal.auth_handler.timerhttp-01)gen_dom_authzrr rrr;_gen_mock_on_pollrDpollrApatchrhandle_authorizationsr9answer_challenge call_countsleepcall_args_listr<cleanup call_argsr-r')rr mock_orderZ mock_timerrr_test_name1_http_01_1_commonYs  z5HandleAuthorizationsTest._test_name1_http_01_1_commoncCs |dSrG)rbrIrrrtest_name1_http_01_1_acme_2qsz4HandleAuthorizationsTest.test_name1_http_01_1_acme_2cCst|jj_|jjjtj t dt j d}t j|gd}|j||j}|jjjdks\J|jjjdksnJ|jjjdksJ|jjjdd}t|dksJ|djdksJt|dksJdSNrKrLrNrOrrU)rWrDrXrAr<r=r>appendrDNS01rVr rrr;rrZr9r[r\r_r`r'r-)rrraZcleaned_up_achallsrrr!test_name1_http_01_1_dns_1_acme_2ts z:HandleAuthorizationsTest.test_name1_http_01_1_dns_1_acme_2cCstdtjdtdtjdtdtjdg}tj|d}t|jj_|j ||j }|jj j dksbJ|jjj dkstJ|jjj dksJt|dksJdS)NrKrL12rNrTrO)rVr rrr;rWrDrXrArrZr9r[r\r<r_r')rauthzrsrarrrr"test_name3_http_01_3_common_acme_2s     z;HandleAuthorizationsTest.test_name3_http_01_3_common_acme_2cCstjddd}tdtjdg}tj|d}d}||jjj_ t |j j _ |j|||j jjdksfJ|jjjdksxJd |jjjddvsJd |djjjd t|djjdjj|jjjddvsJt||jjjddvsJdS) NTrr4Z verbose_countrKrLrN foobarbazrOPass "-v" for more infohttp:///.well-known/acme-challenge/)rrrVr rr;rBr thumbprintr>rWrDrXrArrZr[r\r8 notificationr`body identifiervaluerrr tokendecoderZconfigrjraZaccount_key_thumbprintrrrtest_debug_challengess(    z.HandleAuthorizationsTest.test_debug_challengescCstjddd}tdtjgdtdtjgdg}tj|d}d}||jjj _ t |j j _tjtjg|jj_ |j|||j jjd ksJ|jjjdksJd |jjjd d vsJd |d jjjd t|d jjd jj|jjjd d vsJt||jjjd d vs Jd|djjj|jjjd d vsLJ|djjd  |jj|jjjd d vs~JdS)NTrOrlrKrLrhrNrmrSrnrrorpz_acme-challenge.)!rrrVr r+rfr;rBrrqr>rWrDrXrArr<r=rrZr[r\r8rrr`rsrtrurr rvrwZ validationrxrrrtest_debug_challenges_verboses>       z6HandleAuthorizationsTest.test_debug_challenges_verbosecCshtdtjdg}tj|d}tj|jj_ t tj |j ||jWdn1sZ0YdSNrKrLrN)rVr rrr;rAuthorizationErrorr<r@rApytestraisesrrZr9rrjrarrrtest_perform_failures   z-HandleAuthorizationsTest.test_perform_failurecCsttdtjdg}tj|d}tdd|jj_t j t j dd$|j ||jdd Wdn1sf0YdS) NrKrLrNrS)rQ0All authorizations were not finalized by the CA.matchFrO)rVr rrr;rWrDrXrAr}r~rr|rrZr9rrrrtest_max_retries_exceededs z2HandleAuthorizationsTest.test_max_retries_exceededz)certbot._internal.auth_handler.time.sleepc sdtdtjdg}tj|d}tjjddifdd}||_fdd }tjd d j }t t j |d |j j_tjtjd dTtd*}||j_|j||jdWdn1s0YWdn1s0Y|jdksJ|jddddks Jt|jddd|ddks4Jt|jddd|dddks`JdS)NrKrLrN time_sleptrcsd|7<dS)Nrr)Zsecs)staterrmock_sleep_effectszJHandleAuthorizationsTest.test_deadline_exceeded..mock_sleep_effectcstjddS)Nr)seconds)datetime timedeltarZorig_nowrrrmock_now_effectszHHandleAuthorizationsTest.test_deadline_exceeded..mock_now_effect)Zminutes)statusrRrrz0certbot._internal.auth_handler.datetime.datetimeFrTrOrS)rVr rrr;rZnowrArrrWrrrDrXr}r~rr|rYrrZr9r\r^abs)rZ mock_sleeprjrarrintervalZmock_dtrrrtest_deadline_exceededs*    N(z/HandleAuthorizationsTest.test_deadline_exceededcCsLtjgd}ttj |j||jWdn1s>0YdS)NrN) rr;r}r~rr|rrZr9)rrarrrtest_no_domainss z(HandleAuthorizationsTest.test_no_domainscCstdtjdg}tj|d}|jjjt j |j j t j jt jjft|jj_|j ||j|jjjdksvJ|jjjdddjdksJdSrd)rVr rrr;r<r=r>rerr+r pref_challsextendr-rfrWrDrXrArZr9r_r\r`rrrr-test_preferred_challenge_choice_common_acme_2 s  zFHandleAuthorizationsTest.test_preferred_challenge_choice_common_acme_2cCsntdtjdg}tj|d}|jjtj j t t j |j||jWdn1s`0YdSr{)rVr rrr;rrrerrfr-r}r~rr|rZr9rrrr.test_preferred_challenges_not_supported_acme_2s  zGHandleAuthorizationsTest.test_preferred_challenges_not_supported_acme_2cCs^tdtjgdg}tj|d}ttj |j ||j Wdn1sP0YdSr{) rVr rfrr;r}r~rr|rrZr9rrrr%test_dns_only_challenge_not_supporteds z>HandleAuthorizationsTest.test_dns_only_challenge_not_supportedcCstj|jj_tdtjd}tj |gd}t tj |j ||jWdn1sZ0Y|jjjdksvJ|jjjdddjdksJdSrd)rr|r<r@rArVr rrr;r}r~rrZr9r_r\r`r-rrrarrrtest_perform_error%s .z+HandleAuthorizationsTest.test_perform_errorcCstj|jj_tdtjdg}tj |d}t tj |j ||jWdn1sZ0Y|jjjdksvJ|jjjdddjdksJdSrd)rr|rDr[rArVr rrr;r}r~rrZr9r<r_r\r`r-rrrrtest_answer_error0s  .z*HandleAuthorizationsTest.test_answer_errorc Cstdtjdg}tj|d}ttjd|jj _ t Rt jtjdd"|j||jdWdn1sp0YWdn1s0Y|jjjdksJ|jjjd d d jd ksJdS) NrKrLrNrzSome challenges have failed.rFrOrrU)rVr rrr;rWrSTATUS_INVALIDrDrXrA test_utilpatch_display_utilr}r~rr|rrZr9r<r_r\r`r-rrrrtest_incomplete_authzr_error;s  Nz5HandleAuthorizationsTest.test_incomplete_authzr_errorc Csdd}tdtjdtdtjdg}||jj_tj|d}td"}|j ||j d}Wdn1sl0Yt |d ksJ|j d ksJttjd |jj_tRtjtjd d "|j ||j dWdn1s0YWdn1s0YdS) NcSs2ttj}ttj}|jjjdkr*||S||S)zBThis mock will invalidate one authzr, and invalidate the other onewill-be-invalid)rWr STATUS_VALIDrrsrtru)rZ valid_mockZ invalid_mockrrr_conditional_mock_on_pollGs   zLHandleAuthorizationsTest.test_best_effort.._conditional_mock_on_pollz will-be-validrLrrNzAcertbot._internal.auth_handler.AuthHandler._report_failed_authzrsTrOrzAll challenges have failed.r)rVr rrDrXrArr;rYrrZr9r'r\rWrrrrr}r~rr|)rrrjraZ mock_reportZ valid_authzrrrrtest_best_effortFs     0 z)HandleAuthorizationsTest.test_best_effortcCsttjdtjgtjg}tj|gd}tt j  |j ||j Wdn1sZ0Yttjdtjgtjg}tj|gd}|j ||j dS)NrKrN)r rrrrfrr;r}r~rr|rrZr9rrrrr"test_validated_challenge_not_rerunfs.z;HandleAuthorizationsTest.test_validated_challenge_not_reruncCsdd}dtjfdtjfdtjfg}dd|D}tj|d}||jj_|j |\}}|jjj d ksjJt |d kszJt |d ksJ|d j j jdksJ|d j jtjksJ|d j j jdksJ|d j jtjksJd S) zWhen we deactivate valid authzrs in an orderr, we expect them to become deactivated and to receive a list of deactivated authzrs in return.cSsR|jjtjkrD|jjjdkr&td|jjtj d}tj |d}n t d|S)Nis_valid_but_will_failzMock deactivation ACME errorr)rsz Can't deactivate non-valid authz) rsrrrrtru acme_errorsErrorupdateSTATUS_DEACTIVATEDZAuthorizationResourcer)rZauthzbrrr_mock_deactivate~s  zQHandleAuthorizationsTest.test_valid_authzrs_deactivated.._mock_deactivateZis_validZ is_pendingrc Ss.g|]&}t|d|dtjg|dgqS)rOr)r rr+)r"arrrr#szKHandleAuthorizationsTest.test_valid_authzrs_deactivated..rNrSrOrN)rrrrr;rDZdeactivate_authorizationrArZdeactivate_valid_authorizationsr\r'rsrtrurr)rrZ to_deactivateZorderrrjZfailedrrrtest_valid_authzrs_deactivated{s$   z7HandleAuthorizationsTest.test_valid_authzrs_deactivatedN)r0r1r2__doc__rrJrbrcrgrkryrzrrrrYrrrrrrrrrrrrrrrr39s.       r3rOcsd|ifdd}|S)Ncountcspddd<ddkr ntj}t||jjjdd|jjD|gt|jj}|t j dt idfS)NrrOrcSsg|] }|jqSrr)r"challbrrrr#r$z4_gen_mock_on_poll.._mock..z Retry-After)Zheaders) rrr rrsrtrurr'rr;str)rZeffective_statusZ updated_azrrrrRrr_mocksz _gen_mock_on_poll.._mockr)rrQrRrrrrrWs rWc@s eZdZdZddZddZdS)ChallbToAchallTestz:Tests for certbot._internal.auth_handler.challb_to_achall.cCsddlm}||ddS)Nr)challb_to_achall account_keyrM)rr)rrrrrr_calls zChallbToAchallTest._callcCs&|tjtjtjdddks"JdS)NrrM)rrrM)rr HTTP01_PrZ"KeyAuthorizationAnnotatedChallengerIrrrtest_its  zChallbToAchallTest.test_itN)r0r1r2rrrrrrrrsrc@s<eZdZdZddZddZeddZdd Zd d Z d S) GenChallengePathTestzBTests for certbot._internal.auth_handler.gen_challenge_path. cCsttjdSrG)rErFZFATALrIrrrrszGenChallengePathTest.setUpcCsttjdSrGrHrIrrrrJszGenChallengePathTest.tearDowncCsddlm}|||S)Nr)gen_challenge_path)rr)clschallbsZ preferencesrrrrrs zGenChallengePathTest._callcCsNtjtjf}tjtjg}|||dks,J||ddd|dksJJdS)z/Given DNS01 and HTTP01 with appropriate combos.)rN)rO)r DNS01_Prrrfr+rrrZprefsrrrtest_common_cases  z%GenChallengePathTest.test_common_casecCsLtjf}tjg}ttj|||Wdn1s>0YdSrG) r rrr+r}r~rr|rrrrrtest_not_supportedsz'GenChallengePathTest.test_not_supportedN) r0r1r2rrrJ classmethodrrrrrrrrs rc@sNeZdZdZddZedddZedddZedd d Z d S) ReportFailedAuthzrsTestzLTests for certbot._internal.auth_handler.AuthHandler._report_failed_authzrs.cCsddlm}tjtjdd|_d|j_d|jj_ ||jttg|_ t j dt jt jjddd d }|d jduszJt jfi|}t j |d <t jfi|}t|_d |jjj_||g|jj_t jjddd |d <t jfi|}t|_d|jjj_|g|jj_dS)NrrZbuzz)r7r6z the buzz hinturiZtlsdetail)r)r rrerrorrr z example.comZdnsseczfoo.bar)rrrr; plugin_commonZPluginr<r6 auth_hintr>rr r+rrrZ with_code descriptionZ ChallengeBodyauthzr1rsrtrurauthzr2)rrkwargsZhttp_01Z http_01_diffrrrrs,       zReportFailedAuthzrsTest.setUpz2certbot._internal.auth_handler.display_util.notifycCs|j|jg|ddS)Nz Certbot failed to authenticate some domains (authenticator: buzz). The Certificate Authority reported these problems: Domain: example.com Type: tls Detail: detail Domain: example.com Type: tls Detail: detail Hint: the buzz hint )r_report_failed_authzrsrassert_called_withr mock_notifyrrrtest_same_error_and_domainsz2ReportFailedAuthzrsTest.test_same_error_and_domaincCs4d|j_d|jj_|j|j|jg|ddS)NZquuxZquuuuuuxa' Certbot failed to authenticate some domains (authenticator: quux). The Certificate Authority reported these problems: Domain: foo.bar Type: dnssec Detail: detail Domain: example.com Type: tls Detail: detail Domain: example.com Type: tls Detail: detail Hint: quuuuuux ) r<r6rr>rrrrrrrrr!test_different_errors_and_domainss  z9ReportFailedAuthzrsTest.test_different_errors_and_domainscCshddlm}tjdd|_d|j_t|jj_||jttg|_ |j |j g|j dksdJdS)zMIf authenticator not derived from common.Plugin, we shouldn't call .auth_hintrrZquuzr5rON) rrrr;r<r6 ExceptionrrArrrr\)rrrrrr!test_non_subclassed_authenticator)s  z9ReportFailedAuthzrsTest.test_non_subclassed_authenticatorN) r0r1r2rrrrYrrrrrrrrs"  rcCsdd|DS)z(Generate a dummy authorization response.cSsg|]}d|jj|jfqS)z%s%s) __class__r0rM)r"r rrrr#8sz!gen_auth_resp..r)Z chall_listrrrr?6sr?cCsttj||tjgt|S)z!Generates new authzr for domains.)r rrrr'rLrrrrV<srV__main__)+rrrEsysZunittestrZjosepyrr}ZacmerrrCrrrZcertbotrZcertbot._internal.displayr r:Zcertbot.pluginsr rZ certbot.testsr r rZTestCaser r3rrWrrrr?rVr0exitmainargv__file__rrrrs:            "f \