M/edZddlZddlmZddlZddlZddlmZddlmZddl m Z ddl m Z ddl m Z dd l mZdd lmZdd lmZdd lmZdd lmZddlmZddlmZGddej6ZGddej6ZGddej<Ze dk(r4ejBejDejFdde$gzyy)z.Test for certbot_nginx._internal.configurator.N)mock) challenges)messages) achallenges) crypto_util)errors)osutil)obj)parser)_redirect_block_for_domain) UnspacedList) test_utilceZdZdZfdZej ddZdZej dej ddZ dZ ej dd Z ej d ej d d Z d Z dZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZej d d!Z d"Z!d#Z"ej d$ej d%ej d&d'Z#ej dd(Z$ej dd)Z%ej dej d*d+Z&ej dej d,d-Z'ej dd.Z(ej d/d0Z)ej d/d1Z*ej d2d3Z+ej d4d5Z,ej d6d7Z-ej d8d9Z.d:Z/d;Z0d<Z1d=Z2d>Z3d?Z4d@Z5ej dAdBZ6dCZ7dDZ8dEZ9dFZ:dGZ;dHZdKZ?dLZ@dMZAdNZBej dOej dPdQZCdRZDdSZEdTZFej dUdVZGej dUdWZHej dUdXZIej dUdYZJdZZKd[ZLxZMS)\NginxConfiguratorTestz(Test a semi complex vhost configuration.c.t||j|j|j|j |j |_tjd}|j|_ |j|jy)Nz8certbot_nginx._internal.configurator.display_util.notify)supersetUpget_nginx_configurator config_path config_dirwork_dirlogs_dirconfigrpatchstart mock_notify addCleanupstop)selfr __class__s Q/usr/lib/python3/dist-packages/certbot_nginx/_internal/tests/configurator_test.pyrzNginxConfiguratorTest.setUpsi  11   doot}}dmmM  UV ;;=  #z4certbot_nginx._internal.configurator.util.exe_existscd|_tjtj5|j j dddy#1swYyxYw)NF) return_valuepytestraisesrNoInstallationErrorrprepare)r!mock_exe_existss r#test_prepare_no_installz-NginxConfiguratorTest.test_prepare_no_install#sA',$ ]]655 6 " KK   ! " " "s AAcd|jjk(sJdt|jjjk(sJy)N)rversionlenr parsedr!s r# test_preparez"NginxConfiguratorTest.test_prepare)s=DKK/////S++223333r$z3certbot_nginx._internal.configurator.subprocess.runcJd|j_djgd|j_d|_d|j_t j|j_|jjd|jj k(sJy)N )znginx version: nginx/1.6.2:built by clang 6.0 (clang-600.0.56) (based on LLVM 3.5svn)TLS SNI support enabledRconfigure arguments: --prefix=/usr/local/Cellar/nginx/1.6.2 --with-http_ssl_moduleTr.) r&stdoutjoinstderrrr3rMock config_testr*)r!mock_runr+s r# test_prepare_initializes_versionz6NginxConfiguratorTest.test_prepare_initializes_version-s(*$'+yyA(B$(,$" "&))+  DKK/////r$c|jjd}ddlm}|j|j t j|j_tj|j|y)N server-rootrr ) rconfcertbotr _LOCKSreleaserrArBcertbot_test_util lock_and_call_test_prepare_locked)r! server_root certbot_utils r#test_prepare_lockedz)NginxConfiguratorTest.test_prepare_locked@sZkk&&}5 0K(002"&))+ ''(A(A;Or$c |jj|jdy#tj$r:}t |}d|vsJ|jj d|vsJYd}~yd}~wwxYw)NzException wasn't raised!lockrF)rr*failr PluginErrorstrrG)r!unused_exe_existserrerr_msgs r#rMz*NginxConfiguratorTest._test_prepare_lockedPsr 2 KK   ! II0 1 !! >#hGW$ $$;;##M2g= == >s.A;0A66A;z7certbot_nginx._internal.configurator.socket.gethostnamez9certbot_nginx._internal.configurator.socket.gethostbyaddrcldggf|_d|_|jj}|hdk(sJy)N155.225.50.69.nephoscale.net example.net> sslon.com ipv6ssl.com globalssl.comwww.example.orgglobalsslsetssl.comipv6.com geese.com summer.comr[ headers.com ssl.both.com another.alias migration.comrZ)r&r get_all_names)r!mock_gethostbyaddrmock_gethostnamenamess r#test_get_all_namesz(NginxConfiguratorTest.test_get_all_names[sG,J2r*R')6% ))+;; ;;r$cFgd|jjk(sJy)N)redirectensure-http-header staple-ocsp)rsupported_enhancementsr6s r#test_supported_enhancementsz1NginxConfiguratorTest.test_supported_enhancementsgs$@;;=> >>r$ctjtj5|jj dddddy#1swYyxYw)Nmyhostunknown_enhancementr'r(rrTrenhancer6s r# test_enhancez"NginxConfiguratorTest.test_enhanceksB ]]6-- . A KK  *? @ A A As A  Acbtjg|jjdk(sJy)Nrt)rHTTP01rget_chall_prefr6s r#test_get_chall_prefz)NginxConfiguratorTest.test_get_chall_prefos/!!"33H=> >>r$c |jjjd}tj|dddddhddg}|jjj |gdg|jj |jjj|d}dgd d gd d gd dgd dggd dtjgggg|dk(sJy)Nsites-enabled/example.com .example.com example.*r)listen 5001rsslT)overrideserverr69.50.225.155:9000 127.0.0.1 server_namerrr#) rr abs_pathr VirtualHostadd_server_directivessave _parse_filesCOMMENT)r!filep mock_vhostr5s r# test_savezNginxConfiguratorTest.test_savess ""++,GH__U%)4&4k%B%)A30  00  0 1 3 ##000F%';<%{3*N;*K85 &..1 345 # ##r$c(|jddy)Nalias server_conf_test_choose_vhosts_commonr6s r#test_choose_vhosts_aliasz.NginxConfiguratorTest.test_choose_vhosts_aliass ''?r$c(|jddy)N example.com example_confrr6s r#test_choose_vhosts_example_comz4NginxConfiguratorTest.test_choose_vhosts_example_coms '' ~Fr$c(|jddy)N localhostlocalhost_confrr6s r#test_choose_vhosts_localhostz2NginxConfiguratorTest.test_choose_vhosts_localhosts '' 5EFr$c(|jddy)Nexample.com.uk.testrrr6s r#&test_choose_vhosts_example_com_uk_testzJr$c(|jddy)Ntest.www.example.comfoo_confrr6s r#'test_choose_vhosts_test_www_example_comz=NginxConfiguratorTest.test_choose_vhosts_test_www_example_coms ''(> Kr$c(|jddy)Nabc.www.foo.comrrr6s r#"test_choose_vhosts_abc_www_foo_comz8NginxConfiguratorTest.test_choose_vhosts_abc_www_foo_coms ''(9:Fr$c(|jddy)N www.bar.co.ukrrr6s r# test_choose_vhosts_www_bar_co_ukz6NginxConfiguratorTest.test_choose_vhosts_www_bar_co_uks ''9IJr$c(|jddy)Nra ipv6_confrr6s r#test_choose_vhosts_ipv6_comz1NginxConfiguratorTest.test_choose_vhosts_ipv6_coms '' K@r$c ddhhdddhddhdhd }d d d d d d d d d d }|jDcic]%\}}|tjj|'}}}|jj |d}tjj |j|j}|||jk(sJ|||k(sJ|dk(r1|jsJtd|jDsJyycc}}w)Nrz~^(www\.)?(example|bar)\.>rsomenamerfrrz *.www.foo.comz*.www.example.comra)rrrrrzetc_nginx/nginx.confz#etc_nginx/sites-enabled/example.comzetc_nginx/foo.confz etc_nginx/sites-enabled/ipv6.com) rrrrrrrrrarc3TK|] }|js|jsd"yw)TN)ripv6).0xs r# zCNginxConfiguratorTest._test_choose_vhosts_common..sEAEEafftEs ( (() itemsr pathnormpathr choose_vhostsrelpathrtemp_dirrk ipv6_enabledanyaddrs) r!namerG conf_names conf_pathkeyvaluevhostrs r#rz0NginxConfiguratorTest._test_choose_vhosts_commons!)46R(S F"0+!>-/BC)l , #92"G*O&K+?&:$:AC ENOODUVjc5S"''**511V V ))$/2wwu{{DMM:$5;;...$&&& : %%' ''EU[[EE EE Ws*Dcgd}|D]d}|j|5tjtj5|j j |ddddddfy#1swYxYw#1swY}xYw)N)z www.foo.comexamplez t.www.bar.coz69.255.225.155)r)subTestr'r(rMisconfigurationErrorrr)r! bad_resultsrs r#test_choose_vhosts_badz,NginxConfiguratorTest.test_choose_vhosts_bads{)   4D4( 4]]6#?#?@4KK--d34 4 4 444 4 4s#$A;A/A;/A8 4A;;B cd|jjdk(sJd|jjdk(sJy)N)TF80)TT443)r ipv6_infor6s r# test_ipv6onlyz#NginxConfiguratorTest.test_ipv6onlys< 5 5d ;;;;t{{44U;;;;r$cd|j_|jjddddd|jjddjD]}|j sJy)Nr/r/raexample/cert.pemexample/key.pemexample/chain.pemexample/fullchain.pemr)rr3 deploy_certrripv6only)r!addrs r#test_ipv6only_detectionz-NginxConfiguratorTest.test_ipv6only_detectionsg'       #  %KK--j9!<BB %D}} $$ %r$c@d|jjvsJy)N nginx.conf)r more_infor6s r#test_more_infoz$NginxConfiguratorTest.test_more_infost{{446666r$cd|j_tjtj 5|jj ddddddddy#1swYyxYw)Nrrrrr)rr3r'r(rrTrr6s r#(test_deploy_cert_requires_fullchain_pathz>NginxConfiguratorTest.test_deploy_cert_requires_fullchain_pathsV'  ]]6-- .  KK # #$5          AA'zJcertbot_nginx._internal.parser.NginxParser.update_or_add_server_directivesctj|_tjtj 5|j jddddddddy#1swYyxYw)Nrgrrrr)rr side_effectr'r(rTrr)r!$mock_update_or_add_server_directivess r##test_deploy_cert_raise_on_add_errorz9NginxConfiguratorTest.test_deploy_cert_raise_on_add_errors[;A;W;W;Y,8 ]]6-- . % KK # #O    #  % % % %s A&&A/c|jjjd}|jjjd}|jjjd}d|j_|jj ddddd |jj d d d d d|jj |jjj tj|jjj|}tj|jjj|}tj|jjj|}dgddgddgddgddggddd gddgd|jjgd|jjgg gg|k(sJgdg|k(sJtj|dgddgddgddgddgd d!ggd"gggdddgdd gd|jjgd|jjgg gd#sJy)$Nz server.confrr~rrrrrrrfz/etc/nginx/cert.pemz/etc/nginx/key.pemz/etc/nginx/chain.pemz/etc/nginx/fullchain.pemrrrrrrrrssl_certificatessl_certificate_keyinclude ssl_dhparam)rrrrf8000z somename:8080location/roothtmlindexz index.htmlz index.htmr1) rr rr3rrloadr filter_commentsr5 mod_ssl_conf ssl_dhparamscontains_at_depth)r!r nginx_confrparsed_example_confparsed_server_confparsed_nginx_confs r#test_deploy_certz&NginxConfiguratorTest.test_deploy_certsykk((11-@ [[''00> {{))223NO '       #  %   ! " &  (  !"224;;3E3E3L3L\3Z[!11$++2D2D2K2KK2XY 001C1C1J1J:1VW%';<%{3*N;*K85.0GH24EF& (@(@A*DKK,D,DE    - - - -FF+, ,,%% Z )-(C  467( "<=$&:;$++223dkk667   ! r$c |jjjd}|jjddddd|jj |jjj t j|jjj|}dgdd gddgd d ggd d dgddgd|jjgd|jjggg|dk(sJy)Nsites-enabled/migration.comrczsummer/cert.pemzsummer/key.pemzsummer/chain.pemzsummer/fullchain.pemrrrgrrrrrrrr) rr rrrrr rr5rr)r!migration_confparsed_migration_confs r#$test_deploy_cert_add_explicit_listenz:NginxConfiguratorTest.test_deploy_cert_add_explicit_listen0s++445RS      "  $  ! $ 4 4T[[5G5G5N5N~5^ _ )?;)<8$d+4-/EF13CD%t{{'?'?@)4;;+C+CD  /q1 2 2 2r$z@certbot_nginx._internal.configurator.http_01.NginxHttp01.performz>certbot_nginx._internal.configurator.NginxConfigurator.restartzNcertbot_nginx._internal.configurator.NginxConfigurator.revert_challenge_configc (tjtjt j ddtj dd|j}|j|jg}|dd|_ |jj|g}|jdk(sJ||k(sJ|jj|gd |jjk(sJ|jdk(sJ|jd k(sJy) Nsm8TdO1qik4JVFtgPPurJmg)tokenzhttps://ca.org/chall1_uripending)challuristatusr)challbdomain account_keyr/rr1)r"KeyAuthorizationAnnotatedChallenger ChallengeBodyrrzStatus rsa512jwkresponser&rperform call_countcleanup _chall_out)r! mock_revert mock_restartmock_http_performachallexpected responsess r#test_perform_and_cleanupz.NginxConfiguratorTest.test_perform_and_cleanupIs ??)) ''.GH/y1$ A OODNN + *2!&KK''1  ++q000H$$$ VH%DKK*****%%***&&!+++r$c<d|j_djgd|j_|jj dk(sJd|j_djgd|j_|jj dk(sJd|j_djgd|j_t jtj5|jj dddd|j_djdd g|j_t jtj5|jj dddd|j_djgd |j_t jtj5|jj dddd|j_djgd |j_t jtj5|jj dddtd |_ t jtj5|jj dddy#1swYxYw#1swY`xYw#1swYxYw#1swYxYw#1swYyxYw) Nr9r:)nginx version: nginx/1.4.2r;r<r=)r/r1)znginx version: nginx/0.9r;r<+configure arguments: --with-http_ssl_module)r )z blah 0.0.1r;r<r$r"r<)r"r;r$)znginx version: nginx/0.8.1r;r<r$Can't find program) r&r>r?r@r get_versionr'r(rrTNotSupportedErrorOSErrorrr!rCs r#test_get_versionz&NginxConfiguratorTest.test_get_versiones~')$'+yyA(B${{&&(I555')$'+yyJ(K$ {{&&(F222')$'+yyJ(K$ ]]6-- . & KK # # % &(*$'+yy746(7$]]6-- . & KK # # % &(*$'+yyJ(K$ ]]6-- . & KK # # % &(*$'+yyJ(K$ ]]633 4 & KK # # % & '';< ]]6-- . & KK # # % & &= & & & & & & & & & &s<;K 4K--K:&L<L K*-K7:LLLcd|j_d|j_|jj dk(sJd|j_d|j_|jj dk(sJd|j_d|j_|jj dk(sJd|j_d|j_|jj d k(sJd|j_d |j_|jj dk(sJd|j_d |j_|jj dk(sJy) Nr9a nginx version: nginx/1.15.5 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: 1.0.2ga  nginx version: nginx/1.15.5 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) built with OpenSSL 1.0.2-beta1 1 Mar 2016 TLS SNI support enabled configure arguments: z 1.0.2-beta1a nginx version: nginx/1.15.5 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) built with OpenSSL 1.0.2 1 Mar 2016 TLS SNI support enabled configure arguments: z1.0.2a2 nginx version: nginx/1.15.5 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) built with OpenSSL 1.0.2g 1 Mar 2016 (running with OpenSSL 1.0.2a 1 Mar 2016) TLS SNI support enabled configure arguments: z1.0.2az nginx version: nginx/1.15.5 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) built with LibreSSL 2.2.2 TLS SNI support enabled configure arguments: z nginx version: nginx/1.15.5 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) TLS SNI support enabled configure arguments: )r&r>r@r_get_openssl_versionr*s r#test_get_openssl_versionz.NginxConfiguratorTest.test_get_openssl_versionsf(*$(${{//1X===')$(${{//1]BBB')$(${{//1W<<<')$(${{//1X===')$(${{//1R777')$($ {{//1R777r$z)certbot_nginx._internal.configurator.timec|j}d|_d|_d|_|jj |j dk(sJ|jjdy)Nr9rr/gSt$?) r&r>r@ returncoderrestartrsleepassert_called_once_with)r! mock_timerCmockeds r#test_nginx_restartz(NginxConfiguratorTest.test_nginx_restarts[&&   ""a'''//7r$z1certbot_nginx._internal.configurator.logger.debugc0|j}d|_d|_d|_t j t j5|jjddd|jdk(sJ|jddy#1swY-xYw)Nr9r/r1znginx reload failed: %s) r&r>r@r1r'r(rrrr2rr4)r!mock_log_debugrCr6s r#test_nginx_restart_failz-NginxConfiguratorTest.test_nginx_restart_fails&&   ]]677 8 " KK   ! """a'''../I2N " "s B  Bctd|_tjtj 5|j jdddy#1swYyxYw)Nr&)r)rr'r(rrrr2r*s r#test_no_nginx_startz)NginxConfiguratorTest.test_no_nginx_startsG&';< ]]677 8 " KK   ! " " "s AA!zcertbot.util.run_scriptctj|_tjtj 5|j jdddy#1swYyxYwN)rSubprocessErrorrr'r(rrrB)r!mock_run_scripts r#test_config_test_bad_processz2NginxConfiguratorTest.test_config_test_bad_processsG&,&<&<# ]]677 8 & KK # # % & & &s AA&c8|jjyr>)rrB)r!_s r#test_config_testz&NginxConfiguratorTest.test_config_tests !r$z*certbot.reverter.Reverter.recovery_routinectjd|_tjtj 5|j jdddy#1swYyxYwNfoo)r ReverterErrorrr'r(rTrrecovery_routine)r!mock_recovery_routines r#0test_recovery_routine_throws_error_from_reverterzFNginxConfiguratorTest.test_recovery_routine_throws_error_from_revertersM,2,@,@,G) ]]6-- . + KK ( ( * + + + A""A+z.certbot.reverter.Reverter.rollback_checkpointsctjd|_tjtj 5|j jdddy#1swYyxYwrF)rrHrr'r(rTrrollback_checkpoints)r!mock_rollback_checkpointss r#4test_rollback_checkpoints_throws_error_from_reverterzJNginxConfiguratorTest.test_rollback_checkpoints_throws_error_from_reverter sM060D0DU0K!- ]]6-- . / KK , , . / / /rLz1certbot.reverter.Reverter.revert_temporary_configctjd|_tjtj 5|j jdddy#1swYyxYwrF)rrHrr'r(rTrrevert_challenge_config)r!mock_revert_temporary_configs r#7test_revert_challenge_config_throws_error_from_reverterzMNginxConfiguratorTest.test_revert_challenge_config_throws_error_from_revertersM393G3G3N$0 ]]6-- . 2 KK / / 1 2 2 2rLz+certbot.reverter.Reverter.add_to_checkpointctjd|_tjtj 5|j jdddy#1swYyxYwrF)rrHrr'r(rTrr)r!mock_add_to_checkpoints r#$test_save_throws_error_from_reverterz:NginxConfiguratorTest.test_save_throws_error_from_revertersM-3-A-A%-H* ]]6-- .  KK      rLcZ|jj\}}tjj |sJtjj |sJt |5}t jjt jj|jdddt |5}t jjt jj|jdddy#1swYdxYw#1swYyxYwr>) r_get_snakeoil_pathsr rexistsopenOpenSSLcryptoload_certificate FILETYPE_PEMreadload_privatekey)r!certr cert_filekey_files r#test_get_snakeoil_pathsz-NginxConfiguratorTest.test_get_snakeoil_pathssKK335 cww~~d###ww~~c""" $Z ?9 NN + +++Y^^-= ? ?#Y >( NN * *++X]]_ > > > ? ? > >s+ADAD!D!D*c\ttdd}|jjj d}|jj dd|jjj |}tj||ddusJ|jjj d}|jj ddttdd}|jjj |}tj||ddusJy) Nrrr~rnr1Trrg) rrrr rrwr5r r)r!rrgenerated_confrs r#test_redirect_enhancez+NginxConfiguratorTest.test_redirect_enhance+s :;L MNqQ{{))223NO  -z:++22<@%%nhBdJJJ++445RS OZ8 :? KLQO++22>B%%nhBdJJJr$c|jjjd}|jjddddd|jj dd|jjj |}d gd d gd d gggd ddgddgddgddgddgd|jj gddgd|jjgddgggggd ggdgdggddggddgddgd d gd d gddgddggggg gg|k(sJy)Nr~ example.orgrrrrrrnrrrrrr managed by Certbotrrrr)ifz($host=zwww.example.com))return301zhttps://$host$request_urirrrrn404rr rrrwr5rrr!rrgs r#test_split_for_redirectz-NginxConfiguratorTest.test_split_for_redirect@sw{{))223NO       #  % -z:++22<@~.{+R(30E*F!#:;cCX=Y%'89CAV;W4;;334s##--a03EF FF F F Fs >A%%A.ctjd5}|jjdddddjj dddk(sJy#1swY+xYw)Nrrbrnrz>No matching insecure server blocks listening on port %s found.)rrrrwrr)r!rs r#test_redirect_dont_enhancez0NginxConfiguratorTest.test_redirect_dont_enhancesh ZZE F 9+ KK   Z 8 9))!,Q/PQ QQ 9 9s AA&c|jjjd}|jjdd|jjddt t dd}t t dd}|jjj |}tj||dsJtj||dsJy)Nr~rrnrjrr1) rr rrwrrr5r r)r!r expected1 expected2rgs r#test_double_redirectz*NginxConfiguratorTest.test_double_redirects{{))223NO  M:6 M:6 !;M!JKAN  !;M!JKAN ++22<@%%niCCC%%niCCCr$cd|j_tjtj 5|jj ddddddy#1swYyxYw)Nrrrp chain_path)rr3r'r(rrTrwr6s r#test_staple_ocsp_bad_versionz2NginxConfiguratorTest.test_staple_ocsp_bad_versionsP'  ]]6-- . P KK   1=, O P P Ps AA%ctjtj5|jj ddddddy#1swYyxYw)Nrrprvr6s r#test_staple_ocsp_no_chain_pathz4NginxConfiguratorTest.test_staple_ocsp_no_chain_pathsD ]]6-- . H KK   1=$ G H H Hs A  Ac|jjdddtjtj 5|jjddddddy#1swYyxYw)Nrrprdifferent_path)rrwr'r(rrTr6s r#test_staple_ocsp_internal_errorz5NginxConfiguratorTest.test_staple_ocsp_internal_errors\ -}lK ]]6-- . T KK   1=BR S T T Trctd}|jjdd||jjjd}|jjj|}t j |ddgdsJt j |ddgdsJt j |d dgdsJy) Nrrrpr~ssl_trusted_certificater1 ssl_staplingonssl_stapling_verify)rrwr rr5r r)r!rrrgs r#test_staple_ocspz&NginxConfiguratorTest.test_staple_ocsps(  -}jI{{))223NO ++22<@%%  &(;  >>r$c t|jjjd}|jjjd}|jjj|ddddd=d|j_|jj ddd d d |jj |jjjtj|jjj|}d ggd gdddgddgddggdggggd gddgddgddgddgddggdgggddd gdd gd|jjgd|jjgg gg|k(sJ|jj ddd d d |jj |jjjtj|jjj|}tj|ddsJy) Nsites-enabled/defaultfoo.confr1r/rrwww.nomatch.comrrrrr)rrtdefault_server)r otherhostrrz"www.example.org"rrrrrrrtrrrrrr nomatch.comr) rr rr5r3rrrr rrrr)r! default_confrparsed_default_confs r# test_deploy_no_match_default_setz6NginxConfiguratorTest.test_deploy_no_match_default_setsL{{))223JK ;;%%..z: KK   % %h / 21 5a 8 ;A >'       #  %  !"224;;3E3E3L3L\3Z[BE*,?@(#.%v.BDEFG%:%x0%{3*,=>(#.%v.BDE6.0GH24EF& (@(@A*DKK,D,DE G HI&-'- --*      #  %  !"224;;3E3E3L3L\3Z[%%&9=!LLLr$c |jjjd}|jjjd}|jjj|ddd=|jjj|ddd=d|j_|jj dddd d |jj |jjjtj|jjj|}d ggd d dgddgddgdgddggggggdddgddggggdgggdgggdggdd gddgg g|dddk(sJy)Nrrrr/rrrrrrr)rz*:80rrrz/home/ubuntu/sites/foo/rz/statustypesz image/jpegjpg)r~zcase_sensitive\.php$rz index.phpz /var/root)rz~*zcase_insensitive\.php$)rrmzexact_match\.php$)rz^~zignore_regex\.php$rr) rr rr5r3rrrr r)r!rrparsed_foo_confs r#1test_deploy_no_match_default_set_multi_level_pathzGNginxConfiguratorTest.test_deploy_no_match_default_set_multi_level_paths{{))223JK ;;%%..z: KK   % %l 3A 6q 9! < KK   % %l 3A 6q 9! <'       #  %  !..t{{/A/A/H/H/RS 4(*;<!#<=& 2wi'  ]]677 8 : KK # #$57IK\ !8 : : : :s  D,,D5cd|j_tjtj 5|jj ddddddddy#1swYyxYw)Nrrrrrr)rr3r'r(rrrr6s r#+test_deploy_no_match_fail_multiple_defaultszANginxConfiguratorTest.test_deploy_no_match_fail_multiple_defaults2sV'  ]]677 8 : KK # #$57IK\ !8 : : : :rc|jjjd}d|jjj|dddddd<d|j_|jj ddd d d y) Nrz*:5001r1r/rrrrrrr)rr rr5r3r)r!rs r#)test_deploy_no_match_multiple_defaults_okz?NginxConfiguratorTest.test_deploy_no_match_multiple_defaults_ok8s;;%%..z:@H !!(+A.q1!4Q7:1='   13EGX !8 :r$c|jjjd}|jjjd}|jjj|ddddd=d|j_|jj ddd d d |jj d dd d d |jj dd |jj|jjjttdd}|jjj|}tj||dsJy)Nrrr1r/rrrrrrrrrn) rr rr5r3rrwrrrrr r)r!rrrrgs r#!test_deploy_no_match_add_redirectz7NginxConfiguratorTest.test_deploy_no_match_add_redirect?s={{))223JK ;;%%..z: KK   % %h / 21 5a 8 ;A >'       #  %      #  % -z:  ! :;L MNqQ++22<@%%nhBBBr$zcertbot.reverter.loggerz/certbot_nginx._internal.parser.NginxParser.loadc|jj|jj|jj|jdk(sJy)Nr)rrIrRrNr)r!mock_parser_loadunused_mock_loggers r#'test_parser_reload_after_config_changesz=NginxConfiguratorTest.test_parser_reload_after_config_changes^sH $$& ++- ((***a///r$cd}tj|5}|jjj Dcgc]}d|j vr|c}d}|g|_|jjdd}||jddvsJt|dk(sJ|d|k(sJ dddycc}w#1swYyxYw)N9certbot_nginx._internal.display_ops.select_vhost_multiplercr*.comT prefer_sslr/ rrrr get_vhostsrkr&_choose_vhosts_wildcardrr4r! mock_pathmock_select_vhsrrvhss r#test_choose_vhosts_wildcardz1NginxConfiguratorTest.test_choose_vhosts_wildcardfsO ZZ " #o $ 2 2 = = ?*1(**+-E,17O (++55g@D6FCO55a8;; ;;s8q= =q6U? "? # #* # #'CB;AC;CC cd}tj|5}|jjj Dcgc]}d|j vr|c}d}|g|_|jjdd}||jddvsJt|dk(sJ|d|k(sJ dddycc}w#1swYyxYw)NrrcrrFrr/rrs r#$test_choose_vhosts_wildcard_redirectz:NginxConfiguratorTest.test_choose_vhosts_wildcard_redirectvsO ZZ " #o $ 2 2 = = ?*1(**+-E,17O (++55g@E6GCO55a8;; ;;s8q= =q6U? "? # #* # #rc tj}|jjj Dcgc]}d|j vr|c}d}|g|_||j_d}tj|5}|jjddddd|jsJt|jdk(sJ||jdddk(sJ dddycc}w#1swYyxYw)NrbrzCcertbot_nginx._internal.configurator.NginxConfigurator._deploy_certr /tmp/pathr/) r MagicMockrr rrkr&rrrcalledr4call_args_list)r!mock_choose_vhostsrrmock_dmock_deps r#test_deploy_cert_wildcardz/NginxConfiguratorTest.test_deploy_cert_wildcards!^^- KK..99;'qagg%''(*+0''.@ +V ZZ  =8 KK # #G[$/k K?? "?x../14 44H33A6q9!<< <<  = = '  = =sC4A"C99Drcg|_tjtj5|j j ddddddddy#1swYyxYw)Nz *.wild.catr)r&r'r(rrTrr)r! mock_dialogs r##test_deploy_cert_wildcard_no_vhostsz9NginxConfiguratorTest.test_deploy_cert_wildcard_no_vhostssP$&  ]]6-- . 5 KK # #L+{&  5 5 5 5s AAc|jjjDcgc]}d|jvr|c}d}|g|jjd<|jj ddd|j rJycc}w)Nrbrrrpr)rr rrk_wildcard_vhostsrwrr!rrrs r#(test_enhance_wildcard_ocsp_after_installz>NginxConfiguratorTest.test_enhance_wildcard_ocsp_after_installs!KK..99;'qagg%''(*16 $$W- G]4GH%%%%% 'sB c|jjjDcgc]}d|jvr|c}d}|g|_|jj ddd|j dusJycc}w)NrcrrrprT)rr rrkr&rwrrs r#1test_enhance_wildcard_redirect_or_ocsp_no_installzGNginxConfiguratorTest.test_enhance_wildcard_redirect_or_ocsp_no_installsz KK..99;(qqww&(()+$)7   G]4GH!!T))) (sA:c|jjjDcgc]}d|jvr|c}d}|g|jjd<|jj dd|j rJycc}w)Nrcrrrn)rr rrk_wildcard_redirect_vhostsrwrrs r#%test_enhance_wildcard_double_redirectz;NginxConfiguratorTest.test_enhance_wildcard_double_redirects!KK..99;(qqww&(()+:? --g6 GZ0%%%%% (sB cd}tj|5}g|_|jj dddt |j dddk(sJ dddy#1swYyxYw)NrrFr)rno_ssl_filter_portr)rrr&rrr4r)r!rrs r#.test_choose_vhosts_wildcard_no_ssl_filter_portzDNginxConfiguratorTest.test_choose_vhosts_wildcard_no_ssl_filter_portswO ZZ " =o+-O ( KK / /;@CG 0 I003A671< <<  = = =s AA((A1c||jjd\}}t|dk(sJt|dk(sJ|djdhk(sJ|djdhk(sJ|djdhk(sJ|djdhk(sJ|djdhk(sJ|djdhk(sJy) zFchoose_auth_vhosts correctly selects duplicative and HTTP/HTTPS vhostsrer#r1rr/rz *.both.comN)rchoose_auth_vhostsr4rk)r!httphttpss r#test_choose_auth_vhostsz-NginxConfiguratorTest.test_choose_auth_vhostsskk44^D e4yA~~5zQAw}} 0000Aw}} 0000Aw}} 0000Aw}}...Qx~~.!1111Qx~~,///r$)N__name__ __module__ __qualname____doc__rrrr,r7rDrPrMrlrrrxr|rrrrrrrrrrrrrrrrrrrr r+r/r7r:r<rArDrKrPrTrWrerhrsryr|rrrrrrrrrrrrrrrrrrrrrrrrr __classcell__r"s@r#rrs2$TZZFG"H" 4TZZFGTZZEF0GH0"P TZZFG2H2TZZIJTZZKL;MK;>A>#,@GGOKLGKAF:4< %7TZZ\]%^%;z22TZZRSTZZPQTZZ`a,bRT,2TZZEF:&G:&xTZZEF;8G;8zTZZEFTZZ;<8=G8TZZEFTZZCDOEGOTZZEF"G" TZZ)*&+& TZZ)*"+"TZZ<=+>+ TZZ@A/B/ TZZCD2E2 TZZ=>? >K*<<KK?TZZGHFIFQ DP HT >3Mj2B :: :C>TZZ)*TZZAB0C+0 # # =TZZKL5M5TZZKL&M&TZZKL*M*TZZKL&M& = 0r$rcpeZdZdZfdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZxZS)InstallSslOptionsConfTestzLTest that the options-ssl-nginx.conf file is installed and updated properly.ct||j|j|j|j |j |_yr>)rrrrrrrr)r!r"s r#rzInstallSslOptionsConfTest.setUps:  11   doot}}dmmM r$c|jj|jj|jjyr>)rinstall_ssl_options_confrupdated_mod_ssl_conf_digestr6s r#_callzInstallSslOptionsConfTest._calls- ,,T[[-E-E KK 3 3 5r$cTtj|jjSr>)r sha256sumrmod_ssl_conf_srcr6s r#_current_ssl_options_hashz3InstallSslOptionsConfTest._current_ssl_options_hashs$$T[[%A%ABBr$ctjj|jjsJt j |jj|jk(sJyr>)r risfilerrrrrr6s r#_assert_current_filez.InstallSslOptionsConfTest._assert_current_filesUww~~dkk66777$$T[[%=%=>  * * ,- --r$c |jtj|jjtj j |jjrJ|j|jyr>)rr removerrrrrr6s r# test_no_filez&InstallSslOptionsConfTest.test_no_filesY !!# $++**+77>>$++":":;;;  !!#r$cd|j|j|jyr>)rrr6s r#test_current_filez+InstallSslOptionsConfTest.test_current_files# !!#  !!#r$ctjjd5}|jddddtj fd}|S#1swY"xYw)NwboguscJ|jjk(r|SSr>)rr)filename fake_hashr!sha256s r#_hashzGInstallSslOptionsConfTest._mock_hash_except_ssl_conf_src.._hashs%'/4;;3O3O'O6(# ^U^ ^r$)r[rrwriterr)r!rfr rs`` @r#_mock_hash_except_ssl_conf_srcz8InstallSslOptionsConfTest._mock_hash_except_ssl_conf_srcsR$++**C 0 A GGG  && _   s AA cddlm}tjd|j |d5|j ddd|j y#1swYxYw)NrALL_SSL_OPTIONS_HASHEScertbot.crypto_util.sha256sumnew)!certbot_nginx._internal.constantsrrrr rrr!rs r#!test_prev_file_updates_to_currentz;InstallSslOptionsConfTest.test_prev_file_updates_to_currentsUL ZZ7778Nq8QRT  JJL  !!#  s AA#cddlm}d|j_t j d|j |d5|jddd|jy#1swYxYw)Nrrr/rrr) rrrr3rrr rrrs r#+test_prev_file_updates_to_current_old_nginxzEInstallSslOptionsConfTest.test_prev_file_updates_to_current_old_nginxsaL'  ZZ7778Nq8QRT  JJL  !!#  s A++A4ct|jjd5}|jddddt j d5}|j |jjrJ dddtjj|jjsJtj|jj|jk(sJtj|jj|jk7sJy#1swYxYw#1swYxYw)Naa new line for the wrong hash certbot.plugins.common.logger)r[rrr rrrwarningrr rrrrrr)r!rrs r#3test_manually_modified_current_file_does_not_updatezMInstallSslOptionsConfTest.test_manually_modified_current_file_does_not_update s  $++**C 0 BL   @ A B ZZ7 8 2K JJL"**11 111 2ww~~dkk66777$$T[[%A%AB  * * ,- --$$T[[%=%=>  * * ,- -- B B 2 2sD0)D<0D9<Ect|jjd5}|jddddt|jjd5}|jddddt j d5}|j|jjdddk(sJ dddtj|jj|jk(sJt j d5}|j|jjrJ dddy#1swYxYw#1swYxYw#1swYxYw#1swYyxYw)Nrrrhashofanoldversionrrzh%s has been manually modified; updated file saved to %s. We recommend updating %s for security purposes.)r[rrr rrrrrrrrrrr)r!rr rs r#&test_manually_modified_past_file_warnsz@InstallSslOptionsConfTest.test_manually_modified_past_file_warnss[ $++**C 0 BL   @ A B $++993 ? *1 GG( ) * ZZ7 8 OK JJL&&003A6OO OO O $$T[[%A%AB  * * ,- --ZZ7 8 2K JJL"**11 111 2 2 B B * * O O 2 2s/E E 2E")E. EE"E+.E7cBddlm}|j|vsJdy)NrrzvConstants.ALL_SSL_OPTIONS_HASHES must be appended with the sha256 hash of self.config.mod_ssl_conf when it is updated.)rrrrs r#$test_current_file_hash_in_all_hashesz>InstallSslOptionsConfTest.test_current_file_hash_in_all_hashes(s,L--/3II T T TIr$ctjdk\rddlm}nddl}ddlm}|jdjdd}|j|5}tj|D]D}tjtjj||}||vr;Jd|d  dddy#1swYyxYw) aa It is really critical that all TLS Nginx config files have their SHA256 hash registered in constants.ALL_SSL_OPTIONS_HASHES. Otherwise Certbot will mistakenly assume that the config file has been manually edited by the user, and will refuse to update it. This test ensures that all necessary hashes are present. )rr%rNr certbot_nginx _internal tls_configszJConstants.ALL_SSL_OPTIONS_HASHES must be appended with the sha256 hash of z when it is updated.)sys version_infoimportlib.resources resourcesimportlib_resourcesrrfilesjoinpathas_filer listdirrrrr?)r!r-rtls_configs_reftls_configs_dirtls_config_file file_hashs r#(test_ssl_config_files_hash_in_all_hasheszBInstallSslOptionsConfTest.test_ssl_config_files_hash_in_all_hashes.s   v % = &L-33ODMM ( ( ( 9 E_#%::o#> E'11"'',,P_2`a  $::E.//CEE: E E E EsAB>( B>>Ccrd|j_d|j_tjj |jj dk(sJ|j|jd|j_d|j_tjj |jj dk(sJ|j|jd|j_tjj |jj dk(sJ|j|jd|j_d |j_tjj |jj d k(sJy) Nrr-zoptions-ssl-nginx-old.conf)r/rr%z1.0.2lz!options-ssl-nginx-tls12-only.conf)r/ rzoptions-ssl-nginx.confz1.0.2kz+options-ssl-nginx-tls13-session-tix-on.conf) rr3openssl_versionr rbasenamerrrr6s r#&test_nginx_version_uses_correct_configz@InstallSslOptionsConfTest.test_nginx_version_uses_correct_configEsP' &. #ww < <=56 66  !!#' &. #ww < <=<= ==  !!#( ww < <=12 22  !!#( &. #ww < <=FG GGr$)rrrrrrrrrrr rrrr"r$r6r;rrs@r#rrsQVM 5C- $$ $$ -2"T E.Gr$rceZdZdZdZej jejddidZ ej jejidZ dZ y) DetermineDefaultServerRootTestzNTests for certbot_nginx._internal.configurator._determine_default_server_root.cddlm}|S)Nr)_determine_default_server_root)$certbot_nginx._internal.configuratorr?)r!r?s r#rz$DetermineDefaultServerRootTest._call`sW-//r$ CERTBOT_DOCS1c(|jdy)NTexpect_both_values_testr6s r#test_docs_valuez.DetermineDefaultServerRootTest.test_docs_valueds d +r$c(|jdy)NFrDrFr6s r#test_real_valuesz/DetermineDefaultServerRootTest.test_real_valueshs e ,r$cN|j}|r d|vsJd|vsJy|dvsJy)N/usr/local/etc/nginx /etc/nginx)rMrL)r)r!rErNs r#rGz$DetermineDefaultServerRootTest._testls;jjl )[8 88;. .."HH HHr$N) rrrrrrrdictr environrHrJrGr$r#r=r=]scX0 ZZ__RZZ.#!67,8, ZZ__RZZ$-%-Ir$r=__main__r/)%rr)unittestrr\r'acmerrrHrrrcertbot.compatr certbot.testsr rKcertbot_nginx._internalr r r@r#certbot_nginx._internal.nginxparserrcertbot_nginx._internal.testsr NginxTestrrConfigTestCaser=rexitmainargv__file__rPr$r#r_s4  3'*K<;v0DNNv0rKGKG\I%6%E%EI2 z CHH[V[[!" 2 34r$