[uss_qualifier] netrid: DSS0020 - check DSS endpoints are encrypted
Showing
15 changed files
with
225 additions
and
23 deletions.
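--- /dev/null
+++ b/monitoring/uss_qualifier/scenarios/astm/netrid/common/dss/endpoint_encryption.py
@@ -0,0 +1,85 @@
+from urllib.parse import urlparse
+
+import requests
+
+from monitoring.uss_qualifier.resources.astm.f3411.dss import DSSInstanceResource
+from monitoring.uss_qualifier.scenarios.scenario import GenericTestScenario
+from monitoring.uss_qualifier.suites.suite import ExecutionContext
+
+
+class EndpointEncryption(GenericTestScenario):
+    """
+    Ensures that the endpoints of a DSS are not accessible unencrypted.
+    TODO: also check that available ciphers are reasonable.
+    """
+
+    def __init__(
+        self,
+        dss: DSSInstanceResource,
+    ):
+        super().__init__()
+        self._dss = dss.dss_instance
+
+    def run(self, context: ExecutionContext):
+        self.begin_test_scenario(context)
+
+        if not self._dss.base_url.startswith("https://"):
+            self.record_note(
+                "encrypted_endpoints",
+                "Cannot check encryption requirement when DSS endpoint is specified with http:// URL",
+            )
+            self.end_test_scenario()
+            return
+
+        self._case_http_unavailable_or_redirect()
+
+        self.end_test_scenario()
+
+    def _case_http_unavailable_or_redirect(self):
+        self.begin_test_case("Connect to HTTP port")
+        self.begin_test_step("Attempt to connect to the DSS instance on the HTTP port")
+
+        parsed_url = urlparse(self._dss.base_url)
+        hostname = parsed_url.hostname
+
+        if hostname is not None:
+            with self.check(
+                "Connection to HTTP port fails or redirects to HTTPS port",
+                self._dss.participant_id,
+            ) as check:
+                try:
+                    response = requests.get(
+                        f"http://{hostname}/{parsed_url.path}",
+                        timeout=10,
+                        allow_redirects=False,
+                    )
+                    # If we can connect, we want to check that we are being redirected:
+                    if response.status_code not in [301, 308]:
+                        check.record_failed(
+                            "Connection to HTTP port did not redirect",
+                            details=f"Was expecting a 301 or 308 response, but obtained status code: {response.status_code}",
+                        )
+                    if "Location" not in response.headers:
+                        check.record_failed(
+                            "Location header missing in redirect response",
+                            details="Was expecting a Location header in the response, but it was not present",
+                        )
+                    if response.headers.get("Location").startswith("http://"):
+                        check.record_failed(
+                            "Connection to HTTP port redirected to HTTP",
+                            details=f"Was expecting a redirection to an https:// URL. Location header: {response.headers.get('Location')}",
+                        )
+                    if not response.headers.get("Location").startswith(
+                        f"https://{parsed_url.hostname}/{parsed_url.path}"
+                    ):
+                        check.record_failed(
+                            "Redirect to unexpected destination",
+                            details=f"Was expecting a redirection to https://{parsed_url.hostname}/{parsed_url.path}, was {response.headers.get('Location')}",
+                        )
+                except requests.RequestException:
+                    # Connection was impossible: all is good
+                    pass
+
+        self.end_test_step()
+        self.end_test_case()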
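Review bot: A response without a Location header crashes the check instead of failing it: after `record_failed` on the missing header, the code still evaluates `response.headers.get("Location").startswith("http://")`, which raises AttributeError on None, and the surrounding `except requests.RequestException` does not catch it (unless record_failed itself aborts the check, which is not visible here). The probe URL `f"http://{hostname}/{parsed_url.path}"` and the expected Location prefix `f"https://{parsed_url.hostname}/{parsed_url.path}"` also double the slash whenever the base URL carries a path, because `parsed_url.path` already starts with "/", so a DSS at `https://host/v1` that correctly redirects to `https://host/v1` would be reported as "Redirect to unexpected destination". Binding the header once, chaining the three header checks with `elif`, and dropping the literal slash addresses both; the rewritten lines are below. Any RequestException, including a timeout, is treated as "HTTP unavailable", which matches the requirement text but deserves a comment such as `# a timeout (e.g. filtered port 80) also counts as unavailable`.
```python
# … unchanged: begin_test_case / begin_test_step, urlparse …
# parsed_url.path already carries its leading "/" (or is empty), so no separator is added
http_url = f"http://{hostname}{parsed_url.path}"
expected_https_prefix = f"https://{hostname}{parsed_url.path}"
# … unchanged: if hostname is not None / with self.check(...) as check / try …
response = requests.get(http_url, timeout=10, allow_redirects=False)
# If we can connect, we want to check that we are being redirected:
if response.status_code not in [301, 308]:
    check.record_failed(
        "Connection to HTTP port did not redirect",
        details=f"Was expecting a 301 or 308 response, but obtained status code: {response.status_code}",
    )
location = response.headers.get("Location")
if location is None:
    check.record_failed(
        "Location header missing in redirect response",
        details="Was expecting a Location header in the response, but it was not present",
    )
elif location.startswith("http://"):
    check.record_failed(
        "Connection to HTTP port redirected to HTTP",
        details=f"Was expecting a redirection to an https:// URL. Location header: {location}",
    )
elif not location.startswith(expected_https_prefix):
    check.record_failed(
        "Redirect to unexpected destination",
        details=f"Was expecting a redirection to {expected_https_prefix}, was {location}",
    )
# … unchanged: except requests.RequestException (a timeout also counts as unavailable), end_test_step / end_test_case …
```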
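--- /dev/null
+++ b/monitoring/uss_qualifier/scenarios/astm/netrid/v19/dss/endpoint_encryption.md
@@ -0,0 +1,26 @@
+# ASTM NetRID DSS: Endpoint encryption test scenario
+
+## Overview
+
+Ensures that a DSS only exposes its endpoints via HTTPS.
+
+## Resources
+
+### dss
+
+[`DSSInstanceResource`](../../../../../resources/astm/f3411/dss.py) to be tested in this scenario.
+
+
+## Connect to HTTP port test case
+
+Tries to connect to the http port (80) of the DSS instance, and expects either a refusal of the connection,
+or a redirection to the https port (443).
+
+Note: this test case will be skipped if the DSS instance is configured to use HTTP.
+
+### Attempt to connect to the DSS instance on the HTTP port test step
+
+#### 🛑 Connection to HTTP port fails or redirects to HTTPS port check
+
+If the DSS instance accepts the connection on the HTTP port and does not immediately redirect to the HTTPS port
+upon reception of an HTTP request, it is in violation of **[astm.f3411.v19.DSS0020](../../../../../requirements/astm/f3411/v19.md)**.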
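--- /dev/null
+++ b/monitoring/uss_qualifier/scenarios/astm/netrid/v19/dss/endpoint_encryption.py
@@ -0,0 +1,8 @@
+from monitoring.uss_qualifier.scenarios.astm.netrid.common.dss.endpoint_encryption import (
+    EndpointEncryption as CommonEndpointEncryption,
+)
+from monitoring.uss_qualifier.scenarios.scenario import TestScenario
+
+
+class EndpointEncryption(TestScenario, CommonEndpointEncryption):
+    pass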
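--- /dev/null
+++ b/monitoring/uss_qualifier/scenarios/astm/netrid/v22a/dss/endpoint_encryption.md
@@ -0,0 +1,25 @@
+# ASTM NetRID DSS: Endpoint encryption test scenario
+
+## Overview
+
+Ensures that a DSS only exposes its endpoints via HTTPS.
+
+## Resources
+
+### dss
+
+[`DSSInstanceResource`](../../../../../resources/astm/f3411/dss.py) to be tested in this scenario.
+
+## Connect to HTTP port test case
+
+Tries to connect to the http port (80) of the DSS instance, and expects either a refusal of the connection,
+or a redirection to the https port (443).
+
+Note: this test case will be skipped if the DSS instance is configured to use HTTP.
+
+### Attempt to connect to the DSS instance on the HTTP port test step
+
+#### 🛑 Connection to HTTP port fails or redirects to HTTPS port check
+
+If the DSS instance accepts the connection on the HTTP port and does not immediately redirect to the HTTPS port
+upon reception of an HTTP request, it is in violation of **[astm.f3411.v22a.DSS0020](../../../../../requirements/astm/f3411/v22a.md)**.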
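--- /dev/null
+++ b/monitoring/uss_qualifier/scenarios/astm/netrid/v22a/dss/endpoint_encryption.py
@@ -0,0 +1,8 @@
+from monitoring.uss_qualifier.scenarios.astm.netrid.common.dss.endpoint_encryption import (
+    EndpointEncryption as CommonEndpointEncryption,
+)
+from monitoring.uss_qualifier.scenarios.scenario import TestScenario
+
+
+class EndpointEncryption(TestScenario, CommonEndpointEncryption):
+    pass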