설명 없음
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

tests.py 11KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351
  1. import unittest
  2. from time import sleep
  3. import uuid
  4. import socket
  5. import requests
  6. import os
  7. TEST_SERVER = 'sovereign.local'
  8. TEST_ADDRESS = 'sovereign@sovereign.local'
  9. TEST_PASSWORD = 'foo'
  10. CA_BUNDLE = 'roles/common/files/wildcard_ca.pem'
  11. socket.setdefaulttimeout(5)
  12. os.environ['REQUESTS_CA_BUNDLE'] = CA_BUNDLE
  13. class SSHTests(unittest.TestCase):
  14. def test_ssh_banner(self):
  15. """SSH is responding with its banner"""
  16. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  17. s.connect((TEST_SERVER, 22))
  18. data = s.recv(1024)
  19. s.close()
  20. self.assertRegexpMatches(data, '^SSH-2.0-OpenSSH')
  21. class WebTests(unittest.TestCase):
  22. def test_blog_http(self):
  23. """Blog is redirecting to https"""
  24. # FIXME: requests won't verify sovereign.local with *.sovereign.local cert
  25. r = requests.get('http://' + TEST_SERVER, verify=False)
  26. # We should be redirected to https
  27. self.assertEquals(r.history[0].status_code, 301)
  28. self.assertEquals(r.url, 'https://' + TEST_SERVER + '/')
  29. # 403 - Since there is no documents in the blog directory
  30. self.assertEquals(r.status_code, 403)
  31. def test_webmail_http(self):
  32. """Webmail is redirecting to https and displaying login page"""
  33. r = requests.get('http://mail.' + TEST_SERVER)
  34. # We should be redirected to https
  35. self.assertEquals(r.history[0].status_code, 301)
  36. self.assertEquals(r.url, 'https://mail.' + TEST_SERVER + '/')
  37. # 200 - We should be at the login page
  38. self.assertEquals(r.status_code, 200)
  39. self.assertIn(
  40. 'Welcome to Roundcube Webmail',
  41. r.content
  42. )
  43. def test_zpush_http_unauthorized(self):
  44. r = requests.get('http://mail.' + TEST_SERVER + '/Microsoft-Server-ActiveSync')
  45. # We should be redirected to https
  46. self.assertEquals(r.history[0].status_code, 301)
  47. self.assertEquals(r.url, 'https://mail.' + TEST_SERVER + '/Microsoft-Server-ActiveSync')
  48. # Unauthorized
  49. self.assertEquals(r.status_code, 401)
  50. def test_zpush_https(self):
  51. r = requests.post('https://mail.' + TEST_SERVER + '/Microsoft-Server-ActiveSync',
  52. auth=('sovereign@sovereign.local', 'foo'),
  53. params={
  54. 'DeviceId': '1234',
  55. 'DeviceType': 'testbot',
  56. 'Cmd': 'Ping',
  57. })
  58. self.assertEquals(r.headers['content-type'],
  59. 'application/vnd.ms-sync.wbxml')
  60. self.assertEquals(r.headers['ms-server-activesync'],
  61. '14.0')
  62. def test_owncloud_http(self):
  63. """ownCloud is redirecting to https and displaying login page"""
  64. r = requests.get('http://cloud.' + TEST_SERVER)
  65. # We should be redirected to https
  66. self.assertEquals(r.history[0].status_code, 301)
  67. self.assertEquals(r.url, 'https://cloud.' + TEST_SERVER + '/')
  68. # 200 - We should be at the login page
  69. self.assertEquals(r.status_code, 200)
  70. self.assertIn(
  71. 'ownCloud',
  72. r.content
  73. )
  74. def test_selfoss_http(self):
  75. """selfoss is redirecting to https and displaying login page"""
  76. r = requests.get('http://news.' + TEST_SERVER)
  77. # We should be redirected to https
  78. self.assertEquals(r.history[0].status_code, 301)
  79. self.assertEquals(r.url, 'https://news.' + TEST_SERVER + '/')
  80. # 200 - We should be at the login page
  81. self.assertEquals(r.status_code, 200)
  82. self.assertIn(
  83. 'selfoss',
  84. r.content
  85. )
  86. self.assertIn(
  87. 'login',
  88. r.content
  89. )
  90. def test_znc_http(self):
  91. """ZNC web interface is displaying login page"""
  92. # FIXME: requests won't verify sovereign.local with *.sovereign.local cert
  93. r = requests.get('https://' + TEST_SERVER + ':6697', verify=False)
  94. self.assertEquals(r.status_code, 200)
  95. self.assertIn(
  96. "Welcome to ZNC's web interface!",
  97. r.content
  98. )
  99. class IRCTests(unittest.TestCase):
  100. def test_irc_auth(self):
  101. """ZNC is accepting encrypted logins"""
  102. import ssl
  103. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  104. ssl_sock = ssl.wrap_socket(s, ca_certs=CA_BUNDLE, cert_reqs=ssl.CERT_REQUIRED)
  105. ssl_sock.connect((TEST_SERVER, 6697))
  106. # Check the encryption parameters
  107. cipher, version, bits = ssl_sock.cipher()
  108. self.assertEquals(cipher, 'AES256-SHA')
  109. self.assertEquals(version, 'TLSv1/SSLv3')
  110. self.assertEquals(bits, 256)
  111. # Login
  112. ssl_sock.send('CAP REQ sasl multi-prefix\r\n')
  113. ssl_sock.send('PASS foo\r\n')
  114. ssl_sock.send('NICK sovereign\r\n')
  115. ssl_sock.send('USER sovereign 0 * Sov\r\n')
  116. # Read until we see the ZNC banner (or timeout)
  117. while 1:
  118. r = ssl_sock.recv(1024)
  119. if 'Connected to ZNC' in r:
  120. break
  121. def new_message(from_email, to_email):
  122. """Creates an email (headers & body) with a random subject"""
  123. from email.mime.text import MIMEText
  124. msg = MIMEText('Testing')
  125. msg['Subject'] = uuid.uuid4().hex[:8]
  126. msg['From'] = from_email
  127. msg['To'] = to_email
  128. return msg.as_string(), msg['subject']
  129. class MailTests(unittest.TestCase):
  130. def assertEmailReceived(self, subject):
  131. """Connects with IMAP and asserts the existance of an email, then deletes it"""
  132. import imaplib
  133. sleep(1)
  134. # Login to IMAP
  135. m = imaplib.IMAP4_SSL(TEST_SERVER, 993)
  136. m.login(TEST_ADDRESS, TEST_PASSWORD)
  137. m.select()
  138. # Assert the message exist
  139. typ, data = m.search(None, '(SUBJECT \"{}\")'.format(subject))
  140. self.assertTrue(len(data[0].split()), 1)
  141. # Delete it & logout
  142. m.store(data[0].strip(), '+FLAGS', '\\Deleted')
  143. m.expunge()
  144. m.close()
  145. m.logout()
  146. def test_imap_requires_ssl(self):
  147. """IMAP without SSL is NOT available"""
  148. import imaplib
  149. with self.assertRaisesRegexp(socket.timeout, 'timed out'):
  150. imaplib.IMAP4(TEST_SERVER, 143)
  151. def test_smtps(self):
  152. """Email sent from an MUA via SMTPS is delivered"""
  153. import smtplib
  154. msg, subject = new_message(TEST_ADDRESS, 'root@sovereign.local')
  155. s = smtplib.SMTP_SSL(TEST_SERVER, 465)
  156. s.login(TEST_ADDRESS, TEST_PASSWORD)
  157. s.sendmail(TEST_ADDRESS, ['root@sovereign.local'], msg)
  158. s.quit()
  159. self.assertEmailReceived(subject)
  160. def test_smtps_delimiter_to(self):
  161. """Email sent to address with delimiter is delivered"""
  162. import smtplib
  163. msg, subject = new_message(TEST_ADDRESS, 'root+foo@sovereign.local')
  164. s = smtplib.SMTP_SSL(TEST_SERVER, 465)
  165. s.login(TEST_ADDRESS, TEST_PASSWORD)
  166. s.sendmail(TEST_ADDRESS, ['root+foo@sovereign.local'], msg)
  167. s.quit()
  168. self.assertEmailReceived(subject)
  169. def test_smtps_requires_auth(self):
  170. """SMTPS with no authentication is rejected"""
  171. import smtplib
  172. s = smtplib.SMTP_SSL(TEST_SERVER, 465)
  173. with self.assertRaisesRegexp(smtplib.SMTPRecipientsRefused, 'Access denied'):
  174. s.sendmail(TEST_ADDRESS, ['root@sovereign.local'], 'Test')
  175. s.quit()
  176. def test_smtp(self):
  177. """Email sent from an MTA is delivered"""
  178. import smtplib
  179. msg, subject = new_message('someone@example.com', TEST_ADDRESS)
  180. s = smtplib.SMTP(TEST_SERVER, 25)
  181. s.sendmail('someone@example.com', [TEST_ADDRESS], msg)
  182. s.quit()
  183. self.assertEmailReceived(subject)
  184. def test_smtp_tls(self):
  185. """Email sent from an MTA via SMTP+TLS is delivered"""
  186. import smtplib
  187. msg, subject = new_message('someone@example.com', TEST_ADDRESS)
  188. s = smtplib.SMTP(TEST_SERVER, 25)
  189. s.starttls()
  190. s.sendmail('someone@example.com', [TEST_ADDRESS], msg)
  191. s.quit()
  192. self.assertEmailReceived(subject)
  193. def test_smtps_headers(self):
  194. """Email sent from an MUA has DKIM and TLS headers"""
  195. import smtplib
  196. import imaplib
  197. # Send a message to root
  198. msg, subject = new_message(TEST_ADDRESS, 'root@sovereign.local')
  199. s = smtplib.SMTP_SSL(TEST_SERVER, 465)
  200. s.login(TEST_ADDRESS, TEST_PASSWORD)
  201. s.sendmail(TEST_ADDRESS, ['root@sovereign.local'], msg)
  202. s.quit()
  203. sleep(1)
  204. # Get the message
  205. m = imaplib.IMAP4_SSL(TEST_SERVER, 993)
  206. m.login(TEST_ADDRESS, TEST_PASSWORD)
  207. m.select()
  208. _, res = m.search(None, '(SUBJECT \"{}\")'.format(subject))
  209. _, data = m.fetch(res[0], '(RFC822)')
  210. self.assertIn(
  211. 'DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sovereign.local;',
  212. data[0][1]
  213. )
  214. self.assertIn(
  215. 'DHE-RSA-AES256-SHA (256/256 bits)', # Also matches ECDHE-...
  216. data[0][1]
  217. )
  218. # Clean up
  219. m.store(res[0].strip(), '+FLAGS', '\\Deleted')
  220. m.expunge()
  221. m.close()
  222. m.logout()
  223. def test_smtp_headers(self):
  224. """Email sent from an MTA via SMTP+TLS has X-DSPAM and TLS headers"""
  225. import smtplib
  226. import imaplib
  227. # Send a message to root
  228. msg, subject = new_message('someone@example.com', TEST_ADDRESS)
  229. s = smtplib.SMTP(TEST_SERVER, 25)
  230. s.starttls()
  231. s.sendmail('someone@example.com', [TEST_ADDRESS], msg)
  232. s.quit()
  233. sleep(1)
  234. # Get the message
  235. m = imaplib.IMAP4_SSL(TEST_SERVER, 993)
  236. m.login(TEST_ADDRESS, TEST_PASSWORD)
  237. m.select()
  238. _, res = m.search(None, '(SUBJECT \"{}\")'.format(subject))
  239. _, data = m.fetch(res[0], '(RFC822)')
  240. self.assertIn(
  241. 'X-DSPAM-Result: ',
  242. data[0][1]
  243. )
  244. self.assertIn(
  245. 'DHE-RSA-AES256-SHA (256/256 bits)', # Also matches ECDHE-...
  246. data[0][1]
  247. )
  248. # Clean up
  249. m.store(res[0].strip(), '+FLAGS', '\\Deleted')
  250. m.expunge()
  251. m.close()
  252. m.logout()
  253. class XMPPTests(unittest.TestCase):
  254. def test_xmpp_c2s(self):
  255. """Prosody is listening on 5222 for clients and requiring TLS"""
  256. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  257. s.connect((TEST_SERVER, 5222))
  258. # Based off http://wiki.xmpp.org/web/Programming_Jabber_Clients
  259. s.send("<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
  260. "xmlns='jabber:client' to='sovereign.local' version='1.0'>")
  261. data = s.recv(1024)
  262. s.close()
  263. self.assertRegexpMatches(
  264. data,
  265. "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
  266. )
  267. def test_xmpp_s2s(self):
  268. """Prosody is listening on 5269 for servers"""
  269. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  270. s.connect((TEST_SERVER, 5269))
  271. # Base off http://xmpp.org/extensions/xep-0114.html
  272. s.send("<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
  273. "xmlns='jabber:component:accept' to='sovereign.local'>")
  274. data = s.recv(1024)
  275. s.close()
  276. self.assertRegexpMatches(
  277. data,
  278. "from='sovereign.local'"
  279. )