summary refs log tree commit diff
path: root/tests/config/test_tls.py
diff options
context:
space:
mode:
authorAmber Brown <hawkowl@atleastfornow.net>2019-09-14 04:58:38 +1000
committerGitHub <noreply@github.com>2019-09-14 04:58:38 +1000
commit850dcfd2d3a1d689042fb38c8a16b652244068c2 (patch)
tree933e1775746bb6d40320bdc664bc85547c6bb2e6 /tests/config/test_tls.py
parentAdd developer docs for using SAML without a server (#6032) (diff)
downloadsynapse-850dcfd2d3a1d689042fb38c8a16b652244068c2.tar.xz
Fix well-known lookups with the federation certificate whitelist (#5997)
Diffstat (limited to '')
-rw-r--r--tests/config/test_tls.py40
1 files changed, 40 insertions, 0 deletions
diff --git a/tests/config/test_tls.py b/tests/config/test_tls.py
index 8e0c4b9533..b02780772a 100644
--- a/tests/config/test_tls.py
+++ b/tests/config/test_tls.py
@@ -16,6 +16,7 @@
 
 import os
 
+import idna
 import yaml
 
 from OpenSSL import SSL
@@ -235,3 +236,42 @@ s4niecZKPBizL6aucT59CsunNmmb5Glq8rlAcU+1ZTZZzGYqVYhF6axB9Qg=
         )
 
         self.assertTrue(conf.acme_enabled)
+
+    def test_whitelist_idna_failure(self):
+        """
+        The federation certificate whitelist will not allow IDNA domain names.
+        """
+        config = {
+            "federation_certificate_verification_whitelist": [
+                "example.com",
+                "*.ドメイン.テスト",
+            ]
+        }
+        t = TestConfig()
+        e = self.assertRaises(
+            ConfigError, t.read_config, config, config_dir_path="", data_dir_path=""
+        )
+        self.assertIn("IDNA domain names", str(e))
+
+    def test_whitelist_idna_result(self):
+        """
+        The federation certificate whitelist will match on IDNA encoded names.
+        """
+        config = {
+            "federation_certificate_verification_whitelist": [
+                "example.com",
+                "*.xn--eckwd4c7c.xn--zckzah",
+            ]
+        }
+        t = TestConfig()
+        t.read_config(config, config_dir_path="", data_dir_path="")
+
+        cf = ClientTLSOptionsFactory(t)
+
+        # Not in the whitelist
+        opts = cf.get_options(b"notexample.com")
+        self.assertTrue(opts._verifier._verify_certs)
+
+        # Caught by the wildcard
+        opts = cf.get_options(idna.encode("テスト.ドメイン.テスト"))
+        self.assertFalse(opts._verifier._verify_certs)