move tests to submodules and pytest

Author: mathiasertl

ca/django_ca/tests/base/assertions.py

@@ -30,7 +30,7 @@
 from cryptography.x509.oid import ExtensionOID
 from OpenSSL.crypto import FILETYPE_PEM, X509Store, X509StoreContext, load_certificate
 
-from django.core.exceptions import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured, ValidationError
 from django.core.management import CommandError
 
 import pytest
@@ -40,7 +40,7 @@
 from django_ca.deprecation import RemovedInDjangoCA220Warning
 from django_ca.key_backends.storages import UsePrivateKeyOptions
 from django_ca.models import Certificate, CertificateAuthority, X509CertMixin
-from django_ca.signals import post_create_ca, post_issue_cert, pre_create_ca, pre_sign_cert
+from django_ca.signals import post_create_ca, post_issue_cert, post_sign_cert, pre_create_ca, pre_sign_cert
 from django_ca.tests.base.mocks import mock_signal
 from django_ca.tests.base.utils import (
     authority_information_access,
@@ -122,23 +122,27 @@ def assert_ca_properties(
 
 
 def assert_certificate(
-    cert: Union[Certificate, CertificateAuthority],
+    cert: Union[x509.Certificate, CertificateAuthority, Certificate],
     subject: x509.Name,
     algorithm: type[hashes.HashAlgorithm] = hashes.SHA512,
-    parent: Optional[CertificateAuthority] = None,
+    signer: Optional[Union[CertificateAuthority, x509.Certificate]] = None,
 ) -> None:
     """Assert certificate properties."""
-    if isinstance(cert, Certificate):  # pragma: no cover  # pylint: disable=no-else-raise
-        parent = cert.ca
-        raise NotImplementedError("Remove no-cover pragma if this is caught.")
-    elif parent is None:
-        parent = cert
-    else:
-        parent = cert.parent
-    assert cert.pub.loaded.version == x509.Version.v3
-    assert cert.issuer == parent.subject  # type: ignore[union-attr]
+    if isinstance(cert, CertificateAuthority):
+        if cert.parent is not None:
+            signer = cert.parent
+        cert = cert.pub.loaded
+    elif isinstance(cert, Certificate):  # pragma: no cover  # not used, currently
+        signer = cert.ca
+        cert = cert.pub.loaded
+
+    if signer is None:
+        signer = cert
+
+    assert cert.version == x509.Version.v3
+    assert cert.issuer == signer.subject
     assert cert.subject == subject
-    assert isinstance(cert.algorithm, algorithm)
+    assert isinstance(cert.signature_hash_algorithm, algorithm)
 
 
 @contextmanager
@@ -177,7 +181,7 @@ def assert_create_cert_signals(pre: bool = True, post: bool = True) -> Iterator[
 
 
 def assert_crl(  # noqa: PLR0913
-    crl: bytes,
+    crl: Union[bytes, x509.CertificateRevocationList],
     expected: Optional[typing.Sequence[X509CertMixin]] = None,
     signer: Optional[CertificateAuthority] = None,
     expires: int = 86400,
@@ -221,7 +225,9 @@ def assert_crl(  # noqa: PLR0913
         )
     )
 
-    if encoding == Encoding.PEM:
+    if isinstance(crl, x509.CertificateRevocationList):
+        parsed_crl = crl
+    elif encoding == Encoding.PEM:
         parsed_crl = x509.load_pem_x509_crl(crl)
     else:
         parsed_crl = x509.load_der_x509_crl(crl)
@@ -386,6 +392,17 @@ def assert_revoked(
         assert cert.revoked_reason == reason
 
 
+@contextmanager
+def assert_sign_cert_signals(pre: bool = True, post: bool = True) -> Iterator[tuple[Mock, Mock]]:
+    """Context manager mocking both ``pre_create_ca`` and ``post_create_ca`` signals."""
+    with mock_signal(pre_sign_cert) as pre_sig, mock_signal(post_sign_cert) as post_sig:
+        try:
+            yield pre_sig, post_sig
+        finally:
+            assert pre_sig.called is pre
+            assert post_sig.called is post
+
+
 def assert_signature(
     chain: Iterable[CertificateAuthority], cert: Union[Certificate, CertificateAuthority]
 ) -> None:
@@ -425,3 +442,11 @@ def assert_removed_in_220(match: Optional[Union[str, "re.Pattern[str]"]] = None)
     """Assert that a ``RemovedInDjangoCA200Warning`` is emitted."""
     with pytest.warns(RemovedInDjangoCA220Warning, match=match):
         yield
+
+
+@contextmanager
+def assert_validation_error(errors: dict[str, list[str]]) -> Iterator[None]:
+    """Context manager to assert that a ValidationError is thrown."""
+    with pytest.raises(ValidationError) as excinfo:
+        yield
+    assert excinfo.value.message_dict == errors

ca/django_ca/tests/base/mixins.py

@@ -31,18 +31,16 @@
 from django.contrib.auth.models import User  # pylint: disable=imported-auth-user; for mypy
 from django.contrib.messages import get_messages
 from django.core.cache import cache
-from django.core.exceptions import ValidationError
 from django.test.testcases import SimpleTestCase
 from django.urls import reverse
 
 from freezegun import freeze_time
 from freezegun.api import FrozenDateTimeFactory, StepTickTimeFactory
 
 from django_ca.models import Certificate, CertificateAuthority, DjangoCAModel, X509CertMixin
-from django_ca.signals import post_revoke_cert, post_sign_cert, pre_sign_cert
+from django_ca.signals import post_revoke_cert
 from django_ca.tests.admin.assertions import assert_change_response, assert_changelist_response
 from django_ca.tests.base.constants import CERT_DATA
-from django_ca.tests.base.mocks import mock_signal
 from django_ca.tests.base.typehints import DjangoCAModelTypeVar
 
 if typing.TYPE_CHECKING:
@@ -154,18 +152,6 @@ def absolute_uri(self, name: str, hostname: Optional[str] = None, **kwargs: Any)
             name = f"django_ca{name}"
         return f"http://{hostname}{reverse(name, kwargs=kwargs)}"
 
-    @contextmanager
-    def assertSignCertSignals(  # pylint: disable=invalid-name
-        self, pre: bool = True, post: bool = True
-    ) -> Iterator[tuple[mock.Mock, mock.Mock]]:
-        """Context manager mocking both pre and post_create_ca signals."""
-        with mock_signal(pre_sign_cert) as pre_sig, mock_signal(post_sign_cert) as post_sig:
-            try:
-                yield pre_sig, post_sig
-            finally:
-                self.assertTrue(pre_sig.called is pre)
-                self.assertTrue(post_sig.called is post)
-
     def assertAuthorityInformationAccessEqual(  # pylint: disable=invalid-name
         self,
         first: x509.AuthorityInformationAccess,
@@ -260,15 +246,6 @@ def assertPostRevoke(self, post: mock.Mock, cert: Certificate) -> None:  # pylin
         """Assert that the post_revoke_cert signal was called."""
         post.assert_called_once_with(cert=cert, signal=post_revoke_cert, sender=Certificate)
 
-    @contextmanager
-    def assertValidationError(  # pylint: disable=invalid-name; unittest standard
-        self, errors: dict[str, list[str]]
-    ) -> Iterator[None]:
-        """Context manager to assert that a ValidationError is thrown."""
-        with self.assertRaises(ValidationError) as cmex:
-            yield
-        self.assertEqual(cmex.exception.message_dict, errors)
-
     def crl_distribution_points(
         self,
         full_name: Optional[Iterable[x509.GeneralName]] = None,
@@ -433,7 +410,7 @@ def patch_object(self, *args: Any, **kwargs: Any) -> Iterator[Any]:
     def usable_cas(self) -> Iterator[tuple[str, CertificateAuthority]]:
         """Yield loaded generated certificates."""
         for name, ca in self.cas.items():
-            if CERT_DATA[name]["key_filename"]:
+            if CERT_DATA[name]["key_filename"]:  # pragma: no branch
                 yield name, ca
 
 

ca/django_ca/tests/base/utils.py

@@ -506,7 +506,7 @@ def subject_key_identifier(
     cert: Union[X509CertMixin, x509.Certificate],
 ) -> x509.Extension[x509.SubjectKeyIdentifier]:
     """Shortcut for getting a SubjectKeyIdentifier extension."""
-    if isinstance(cert, X509CertMixin):
+    if isinstance(cert, X509CertMixin):  # pragma: no branch - usually full certificate is passed.
         cert = cert.pub.loaded
 
     ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())

ca/django_ca/tests/models/__init__.py

@@ -0,0 +1,35 @@
+# This file is part of django-ca (https://github.com/mathiasertl/django-ca).
+#
+# django-ca is free software: you can redistribute it and/or modify it under the terms of the GNU General
+# Public License as published by the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# django-ca is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# You should have received a copy of the GNU General Public License along with django-ca. If not, see
+# <http://www.gnu.org/licenses/>.
+
+"""Common functions for testing models."""
+
+from django_ca.models import X509CertMixin
+from django_ca.tests.base.constants import CERT_PEM_REGEX
+
+
+def assert_bundle(chain: list[X509CertMixin], cert: X509CertMixin) -> None:
+    """Assert that a bundle contains the expected certificates."""
+    encoded_chain = [c.pub.pem.encode() for c in chain]
+
+    # Make sure that all PEMs end with a newline. RFC 7468 does not mandate a newline at the end, but it
+    # seems in practice we always get one. We want to detect if that ever changes
+    for member in encoded_chain:
+        assert member.endswith(b"\n")
+
+    bundle = cert.bundle_as_pem
+    assert isinstance(bundle, str)
+    assert bundle.endswith("\n")
+
+    # Test the regex used by certbot to make sure certbot finds the expected certificates
+    found = CERT_PEM_REGEX.findall(bundle.encode())
+    assert encoded_chain == found

ca/django_ca/tests/models/base.py

@@ -0,0 +1,176 @@
+# This file is part of django-ca (https://github.com/mathiasertl/django-ca).
+#
+# django-ca is free software: you can redistribute it and/or modify it under the terms of the GNU General
+# Public License as published by the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# django-ca is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# You should have received a copy of the GNU General Public License along with django-ca. If not, see
+# <http://www.gnu.org/licenses/>.
+
+"""Test the Certificate model."""
+
+from datetime import datetime, timedelta
+
+import josepy as jose
+
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes
+
+from django.utils import timezone
+
+import pytest
+from _pytest.logging import LogCaptureFixture
+from pytest_django.fixtures import SettingsWrapper
+
+from django_ca.constants import ReasonFlags
+from django_ca.models import Certificate, CertificateAuthority
+from django_ca.tests.base.assertions import assert_validation_error
+from django_ca.tests.base.constants import CERT_DATA
+from django_ca.tests.models.base import assert_bundle
+
+
+def test_bundle_as_pem(
+    root: CertificateAuthority, root_cert: Certificate, child: CertificateAuthority, child_cert: Certificate
+) -> None:
+    """Test bundles of various CAs."""
+    assert_bundle([root_cert, root], root_cert)
+    assert_bundle([child_cert, child, root], child_cert)
+
+
+def test_revocation() -> None:
+    """Test getting a revociation for a non-revoked certificate."""
+    # Never really happens in real life, but should still be checked
+    cert = Certificate(revoked=False)
+
+    with pytest.raises(ValueError):
+        cert.get_revocation()
+
+
+def test_root(root: CertificateAuthority, root_cert: Certificate, child_cert: Certificate) -> None:
+    """Test the root property."""
+    assert root_cert.root == root
+    assert child_cert.root == root
+
+
+def test_serial(usable_cert: Certificate) -> None:
+    """Test getting the serial."""
+    cert_name = usable_cert.test_name  # type: ignore[attr-defined]
+    assert usable_cert.serial == CERT_DATA[cert_name].get("serial")
+
+
+@pytest.mark.freeze_time("2019-02-03 15:43:12")
+def test_get_revocation_time(settings: SettingsWrapper, root_cert: Certificate) -> None:
+    """Test getting the revocation time."""
+    assert root_cert.get_revocation_time() is None
+    root_cert.revoke()
+
+    # timestamp does not have a timezone regardless of USE_TZ
+    root_cert.revoked_date = timezone.now()
+    assert root_cert.get_revocation_time() == datetime(2019, 2, 3, 15, 43, 12)
+
+    settings.USE_TZ = False
+    root_cert.refresh_from_db()
+    assert root_cert.get_revocation_time() == datetime(2019, 2, 3, 15, 43, 12)
+
+
+@pytest.mark.freeze_time("2019-02-03 15:43:12")
+def test_get_compromised_time(settings: SettingsWrapper, root_cert: Certificate) -> None:
+    """Test getting the time when the certificate was compromised."""
+    assert root_cert.get_compromised_time() is None
+    root_cert.revoke(compromised=timezone.now())
+
+    # timestamp does not have a timezone regardless of USE_TZ
+    root_cert.compromised = timezone.now()
+    assert root_cert.get_compromised_time() == datetime(2019, 2, 3, 15, 43, 12)
+
+    settings.USE_TZ = False
+    root_cert.refresh_from_db()
+    assert root_cert.compromised == timezone.now()
+    assert root_cert.get_compromised_time() == datetime(2019, 2, 3, 15, 43, 12)
+
+
+def test_get_revocation_reason(root_cert: Certificate) -> None:
+    """Test getting the revocation reason."""
+    assert root_cert.get_revocation_reason() is None
+
+    for reason in ReasonFlags:
+        root_cert.revoke(reason)
+        got = root_cert.get_revocation_reason()
+        assert isinstance(got, x509.ReasonFlags)
+        assert got.name == reason.name
+
+
+def test_validate_past(root_cert: Certificate) -> None:
+    """Test that model validation blocks revoked_date or revoked_invalidity in the future."""
+    now = timezone.now()
+    future = now + timedelta(10)
+    past = now - timedelta(10)
+
+    # Validation works if we're not revoked
+    root_cert.full_clean()
+
+    # Validation works if date is in the past
+    root_cert.revoked_date = past
+    root_cert.compromised = past
+    root_cert.full_clean()
+
+    root_cert.revoked_date = future
+    root_cert.compromised = future
+    with assert_validation_error(
+        {
+            "compromised": ["Date must be in the past!"],
+            "revoked_date": ["Date must be in the past!"],
+        }
+    ):
+        root_cert.full_clean()
+
+
+@pytest.mark.parametrize("name,algorithm", (("sha256", hashes.SHA256()), ("sha512", hashes.SHA512())))
+def test_get_fingerprint(name: str, algorithm: hashes.HashAlgorithm, usable_cert: Certificate) -> None:
+    """Test getting the fingerprint value."""
+    cert_name = usable_cert.test_name  # type: ignore[attr-defined]
+    assert usable_cert.get_fingerprint(algorithm) == CERT_DATA[cert_name][name]
+
+
+def test_jwk(root_cert: Certificate, ec_cert: Certificate) -> None:
+    """Test JWK property."""
+    # josepy does not support loading DSA/Ed448/Ed25519 keys:
+    #   https://github.com/certbot/josepy/pull/98
+    assert isinstance(ec_cert.jwk, jose.jwk.JWKEC)
+    assert isinstance(root_cert.jwk, jose.jwk.JWKRSA)
+
+
+def test_jwk_with_unsupported_algorithm(
+    dsa_cert: Certificate, ed448_cert: Certificate, ed25519_cert: Certificate
+) -> None:
+    """Test the ValueError raised if called with an unsupported algorithm."""
+    with pytest.raises(ValueError, match="Unsupported algorithm"):
+        ed448_cert.jwk  # noqa: B018
+    with pytest.raises(ValueError, match="Unsupported algorithm"):
+        ed25519_cert.jwk  # noqa: B018
+    with pytest.raises(ValueError, match="Unsupported algorithm"):
+        dsa_cert.jwk  # noqa: B018
+
+
+def test_revocation_with_no_revocation_date(root_cert: Certificate) -> None:
+    """Test exception when no revocation date is set."""
+    root_cert.revoked = True
+    root_cert.save()
+
+    with pytest.raises(ValueError, match=r"^Certificate has no revocation date$"):
+        root_cert.get_revocation()
+
+
+def test_get_revocation_time_with_no_revocation_date(
+    caplog: LogCaptureFixture, root_cert: Certificate
+) -> None:
+    """Test warning log message when there is no revocation time set but the cert is revoked."""
+    root_cert.revoked = True
+    root_cert.save()
+
+    assert root_cert.get_revocation_time() is None
+    assert "Inconsistent model state: revoked=True and revoked_date=None." in caplog.text