File: test_tls.py

package info (click to toggle)
python-vertica 1.4.0-2
links: PTS, VCS
area: contrib
in suites: forky, sid
size: 948 kB
sloc: python: 6,914; makefile: 4
file content (318 lines) | stat: -rw-r--r-- 14,554 bytes
parent folder | download | duplicates (2)
# Copyright (c) 2023-2024 Open Text.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from __future__ import print_function, division, absolute_import, annotations

import os
import socket
import ssl
from tempfile import NamedTemporaryFile

from ... import errors
from .base import VerticaPythonIntegrationTestCase


class TlsTestCase(VerticaPythonIntegrationTestCase):
    SSL_STATE_SQL = 'SELECT ssl_state FROM sessions WHERE session_id=current_session()'

    def tearDown(self):
        # Use a non-TLS connection here so cleanup can happen
        # even if mutual mode is configured
        self._conn_info['tlsmode'] = 'disable'
        with self._connect() as conn:
            cur = conn.cursor()
            cur.execute("ALTER TLS CONFIGURATION server CERTIFICATE NULL TLSMODE 'DISABLE'")
            if hasattr(self, 'client_cert'):
                os.remove(self.client_cert.name)
                cur.execute("ALTER TLS CONFIGURATION server REMOVE CA CERTIFICATES vp_CA_cert")
            if hasattr(self, 'client_key'):
                os.remove(self.client_key.name)
                cur.execute("DROP KEY IF EXISTS vp_client_key CASCADE")
            if hasattr(self, 'CA_cert'):
                os.remove(self.CA_cert.name)
            cur.execute("DROP KEY IF EXISTS vp_server_key CASCADE")
            cur.execute("DROP KEY IF EXISTS vp_CA_key CASCADE")

        for key in ('tlsmode', 'ssl', 'tls_cafile', 'tls_certfile', 'tls_keyfile'):
            if key in self._conn_info:
                del self._conn_info[key]
        super(TlsTestCase, self).tearDown()

    def _generate_and_set_certificates(self, mutual_mode=False):
        with self._connect() as conn:
            cur = conn.cursor()

            # Generate a root CA private key
            cur.execute("CREATE KEY vp_CA_key TYPE 'RSA' LENGTH 4096")
            # Generate a root CA certificate
            cur.execute("CREATE CA CERTIFICATE vp_CA_cert "
                    "SUBJECT '/C=US/ST=Massachusetts/L=Burlington/O=OpenText/OU=Vertica/CN=Vertica Root CA' "
                    "VALID FOR 3650 EXTENSIONS 'nsComment' = 'Self-signed root CA cert' KEY vp_CA_key")
            cur.execute("SELECT certificate_text FROM CERTIFICATES WHERE name='vp_CA_cert'")
            vp_CA_cert = cur.fetchone()[0]
            with NamedTemporaryFile(delete=False) as self.CA_cert:
                    self.CA_cert.write(vp_CA_cert.encode())

            # Generate a server private key
            cur.execute("CREATE KEY vp_server_key TYPE 'RSA' LENGTH 4096")
            # Generate a server certificate
            host = self._conn_info['host']
            hostname_for_verify = ('IP:' if host.count('.') == 3 else 'DNS:') + host
            cur.execute("CREATE CERTIFICATE vp_server_cert "
                    "SUBJECT '/C=US/ST=MA/L=Cambridge/O=Foo/OU=Vertica/CN=Vertica server/emailAddress=abc@example.com' "
                    "SIGNED BY vp_CA_cert EXTENSIONS 'nsComment' = 'Vertica server cert', 'extendedKeyUsage' = 'serverAuth', "
                    f"'subjectAltName' = '{hostname_for_verify}' KEY vp_server_key")

            if mutual_mode:
                # Generate a client private key
                cur.execute("CREATE KEY vp_client_key TYPE 'RSA' LENGTH 4096")
                cur.execute("SELECT key FROM CRYPTOGRAPHIC_KEYS WHERE name='vp_client_key'")
                vp_client_key = cur.fetchone()[0]
                with NamedTemporaryFile(delete=False) as self.client_key:
                    self.client_key.write(vp_client_key.encode())
                # Generate a client certificate
                cur.execute("CREATE CERTIFICATE vp_client_cert "
                        "SUBJECT '/C=US/ST=MA/L=Boston/O=Bar/OU=Vertica/CN=Vertica client/emailAddress=def@example.com' "
                        "SIGNED BY vp_CA_cert EXTENSIONS 'nsComment' = 'Vertica client cert', 'extendedKeyUsage' = 'clientAuth' "
                        "KEY vp_client_key")
                cur.execute("SELECT certificate_text FROM CERTIFICATES WHERE name='vp_client_cert'")
                vp_client_cert = cur.fetchone()[0]
                with NamedTemporaryFile(delete=False) as self.client_cert:
                    self.client_cert.write(vp_client_cert.encode())

                # In order to use Mutual Mode, set a server and CA certificate.
                # This CA certificate is used to verify client certificates
                cur.execute('ALTER TLS CONFIGURATION server CERTIFICATE vp_server_cert ADD CA CERTIFICATES vp_CA_cert')
                # Enable TLS. Connection succeeds if Vertica verifies that the client certificate is from a trusted CA.
                # If the client does not present a client certificate, the connection is rejected.
                cur.execute("ALTER TLS CONFIGURATION server TLSMODE 'VERIFY_CA'")

            else:
                # In order to use Server Mode, set the server certificate for the server's TLS Configuration
                cur.execute('ALTER TLS CONFIGURATION server CERTIFICATE vp_server_cert')
                # Enable TLS. Server does not check client certificates.
                cur.execute("ALTER TLS CONFIGURATION server TLSMODE 'ENABLE'")

            # For debug
            # SELECT * FROM tls_configurations WHERE name='server';
            # SELECT * FROM CRYPTOGRAPHIC_KEYS;
            # SELECT * FROM CERTIFICATES;

            return vp_CA_cert

    ######################################################
    #### Test 'ssl' and 'tlsmode' options are not set ####
    ######################################################

    def test_option_default_server_disable(self):
        # TLS is disabled on the server
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'None')

    def test_option_default_server_enable(self):
        # Setting certificates with TLS configuration
        self._generate_and_set_certificates()

        # TLS is enabled on the server
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    #######################################################
    #### Test 'ssl' and 'tlsmode' options are both set ####
    #######################################################

    def test_tlsmode_over_ssl(self):
        self._conn_info['tlsmode'] = 'disable'
        self._conn_info['ssl'] = True
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'None')

    ###############################################
    #### Test 'ssl' option with boolean values ####
    ###############################################

    def test_ssl_false(self):
        self._conn_info['ssl'] = False
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'None')

    def test_ssl_true_server_disable(self):
        # Requires that the server use TLS. If the TLS connection attempt fails, the client rejects the connection.
        self._conn_info['ssl'] = True
        self.assertConnectionFail(err_type=errors.SSLNotSupported,
                err_msg='SSL requested but disabled on the server')

    def test_ssl_true_server_enable(self):
        # Setting certificates with TLS configuration
        self._generate_and_set_certificates()

        self._conn_info['ssl'] = True
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    ###############################
    #### Test 'tlsmode' option ####
    ###############################

    def test_TLSMode_disable(self):
        self._conn_info['tlsmode'] = 'disable'
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'None')

    def test_TLSMode_prefer_server_disable(self):
        # TLS is disabled on the server
        self._conn_info['tlsmode'] = 'prefer'
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'None')

    def test_TLSMode_prefer_server_enable(self):
        # Setting certificates with TLS configuration
        self._generate_and_set_certificates()

        self._conn_info['tlsmode'] = 'prefer'
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    def test_TLSMode_require_server_disable(self):
        # Requires that the server use TLS. If the TLS connection attempt fails, the client rejects the connection.
        self._conn_info['tlsmode'] = 'require'
        self.assertConnectionFail(err_type=errors.SSLNotSupported,
                err_msg='SSL requested but disabled on the server')

    def test_TLSMode_require_server_enable(self):
        # Setting certificates with TLS configuration
        self._generate_and_set_certificates()

        self._conn_info['tlsmode'] = 'require'
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    def test_TLSMode_verify_ca(self):
        # Setting certificates with TLS configuration
        CA_cert = self._generate_and_set_certificates()

        self._conn_info['tlsmode'] = 'verify-ca'
        self._conn_info['tls_cafile'] = self.CA_cert.name
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    def test_TLSMode_verify_full(self):
        # Setting certificates with TLS configuration
        CA_cert = self._generate_and_set_certificates()

        self._conn_info['tlsmode'] = 'verify-full'
        self._conn_info['tls_cafile'] = self.CA_cert.name
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    def test_TLSMode_mutual_TLS(self):
        # Setting certificates with TLS configuration
        CA_cert = self._generate_and_set_certificates(mutual_mode=True)

        self._conn_info['tlsmode'] = 'verify-full'
        self._conn_info['tls_cafile'] = self.CA_cert.name  # CA certificate used to verify server certificate
        self._conn_info['tls_certfile'] = self.client_cert.name  # client certificate
        self._conn_info['tls_keyfile'] = self.client_key.name  # private key used for the client certificate
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Mutual')

    ######################################################
    #### Test 'ssl' option with ssl.SSLContext object ####
    ######################################################

    def test_sslcontext_require(self):
        # Setting certificates with TLS configuration
        self._generate_and_set_certificates()

        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ssl_context.check_hostname = False
        ssl_context.verify_mode = ssl.CERT_NONE
        self._conn_info['ssl'] = ssl_context
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    def test_sslcontext_verify_ca(self):
        # Setting certificates with TLS configuration
        CA_cert = self._generate_and_set_certificates()

        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ssl_context.verify_mode = ssl.CERT_REQUIRED
        ssl_context.check_hostname = False
        ssl_context.load_verify_locations(cadata=CA_cert) # CA certificate used to verify server certificate
        self._conn_info['ssl'] = ssl_context

        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    def test_sslcontext_verify_full(self):
        # Setting certificates with TLS configuration
        CA_cert = self._generate_and_set_certificates()

        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ssl_context.verify_mode = ssl.CERT_REQUIRED
        ssl_context.check_hostname = True  # hostname in server cert's subjectAltName
        ssl_context.load_verify_locations(cadata=CA_cert) # CA certificate used to verify server certificate

        self._conn_info['ssl'] = ssl_context
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Server')

    def test_sslcontext_mutual_TLS(self):
        # Setting certificates with TLS configuration
        CA_cert = self._generate_and_set_certificates(mutual_mode=True)

        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ssl_context.verify_mode = ssl.CERT_REQUIRED
        ssl_context.check_hostname = True  # hostname in server cert's subjectAltName
        ssl_context.load_verify_locations(cadata=CA_cert) # CA certificate used to verify server certificate
        ssl_context.load_cert_chain(certfile=self.client_cert.name, keyfile=self.client_key.name)

        self._conn_info['ssl'] = ssl_context
        with self._connect() as conn:
            cur = conn.cursor()
            res = self._query_and_fetchone(self.SSL_STATE_SQL)
            self.assertEqual(res[0], 'Mutual')


exec(TlsTestCase.createPrepStmtClass())