diff options
| author | Amber Brown <hawkowl@atleastfornow.net> | 2019-09-14 04:58:38 +1000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-14 04:58:38 +1000 |
| commit | 850dcfd2d3a1d689042fb38c8a16b652244068c2 (patch) | |
| tree | 933e1775746bb6d40320bdc664bc85547c6bb2e6 /tests/config | |
| parent | Add developer docs for using SAML without a server (#6032) (diff) | |
| download | synapse-850dcfd2d3a1d689042fb38c8a16b652244068c2.tar.xz | |
Fix well-known lookups with the federation certificate whitelist (#5997)
Diffstat (limited to 'tests/config')
| -rw-r--r-- | tests/config/test_tls.py | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/tests/config/test_tls.py b/tests/config/test_tls.py index 8e0c4b9533..b02780772a 100644 --- a/tests/config/test_tls.py +++ b/tests/config/test_tls.py @@ -16,6 +16,7 @@ import os +import idna import yaml from OpenSSL import SSL @@ -235,3 +236,42 @@ s4niecZKPBizL6aucT59CsunNmmb5Glq8rlAcU+1ZTZZzGYqVYhF6axB9Qg= ) self.assertTrue(conf.acme_enabled) + + def test_whitelist_idna_failure(self): + """ + The federation certificate whitelist will not allow IDNA domain names. + """ + config = { + "federation_certificate_verification_whitelist": [ + "example.com", + "*.ドメイン.テスト", + ] + } + t = TestConfig() + e = self.assertRaises( + ConfigError, t.read_config, config, config_dir_path="", data_dir_path="" + ) + self.assertIn("IDNA domain names", str(e)) + + def test_whitelist_idna_result(self): + """ + The federation certificate whitelist will match on IDNA encoded names. + """ + config = { + "federation_certificate_verification_whitelist": [ + "example.com", + "*.xn--eckwd4c7c.xn--zckzah", + ] + } + t = TestConfig() + t.read_config(config, config_dir_path="", data_dir_path="") + + cf = ClientTLSOptionsFactory(t) + + # Not in the whitelist + opts = cf.get_options(b"notexample.com") + self.assertTrue(opts._verifier._verify_certs) + + # Caught by the wildcard + opts = cf.get_options(idna.encode("テスト.ドメイン.テスト")) + self.assertFalse(opts._verifier._verify_certs) |