cyberark / cyberark-conjur-cli

CyberArk Conjur command line interface written in Python
https://www.conjur.org
Apache License 2.0

Consistent test failures when run against CA signed cert configured server #209

Open sigalsax opened 3 years ago

sigalsax commented 3 years ago

Summary

We have two tests that do not pass (and should not pass) when running against a Conjur server machine/LB that has been configured with a CA-signed certificate.

test_https_cli_fails_if_cert_is_bad and test_https_cli_fails_if_cert_is_not_provided. The reason they should not pass is that these two tests check the cert_file field of the conjurrc, and with the CA-signed cert flow we do not use that field to verify certificates. Instead we verify the certificate presented by the server on each request against the known CA bundles on the machine. In other words, we don't use the cert_file field contents.

FYI @eladkug

Steps to Reproduce

Steps to reproduce the behavior:

  1. Pack the CLI and the test runner on macOS: pyinstaller -F test/util/test_runners/integrations_tests_runner.py and pyinstaller -D ./pkg_bin/conjur

  2. Run ./dist/integrations_tests_runner --identifier test_with_process --url https://sigallb.aim-dev.conjur.net/ --account cucumber --login admin --password blah --files-folder test --cli-to-test ./dist/conjur/conjur

  3. See first two tests failing

Expected Results

Either fix the flow or add a filter on the tests that should be run

Reproducible

gl-johnson commented 2 years ago

In the interest of maintaining compatibility between the Ruby and Python CLIs' handling of .conjurrc, conjur-api-python#37 allows the SSL verification to work with the system trust store regardless of the cert_file value. The cert_file property can still be used via the --self-signed flag to trust a self-signed cert, and via the --ca-cert flag to trust a root CA outside of the system trust store. But if the pem file it points to isn't a root CA or self-signed cert, the connection can still succeed if the system trust store contains the associated CA.

We should re-evaluate the associated tests in the Conjur CLI to verify this behavior against a CA-signed certificate.
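The trust behaviour described in the comment above, as an added example that is not code from the conjur-cli or conjur-api-python repositories and does not reproduce conjur-api-python#37. It assumes a hypothetical helper shape (choose_trust_policy, build_ssl_context, context_summary, connect_and_get_subject are invented names) and models the stated rules with Python's standard ssl module: the OS trust store is always consulted, and the .conjurrc cert_file only adds trust anchors when --self-signed or --ca-cert is passed. It also makes the caveat concrete: loading cert_file is additive, not pinning, so a server certificate chaining to any CA already in the system store is still accepted. The first two tests named in the issue therefore cannot pass against a CA-signed server, because a bad or absent cert_file never removes the system roots.

```python
"""Hypothetical model of .conjurrc cert_file handling with a system trust store.
Illustrative only; not the project's implementation."""
import os
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrustPolicy:
    """Which roots the client accepts, derived from .conjurrc and CLI flags."""
    use_system_store: bool        # always True under the compatibility behaviour
    extra_cafile: Optional[str]   # cert_file from .conjurrc, only when a flag asks for it
    reason: str


def choose_trust_policy(cert_file: Optional[str],
                        self_signed: bool = False,
                        ca_cert: bool = False) -> TrustPolicy:
    """Decide what to trust.

    cert_file is the .conjurrc field. self_signed / ca_cert stand in for the
    --self-signed and --ca-cert flags (assumed names, mirroring the comment).
    Without either flag the field is ignored and only the system store is used.
    """
    if self_signed or ca_cert:
        if not cert_file:
            raise ValueError("cert_file must be set in .conjurrc to use --self-signed/--ca-cert")
        if not os.path.isfile(cert_file):
            # Fail closed: a missing file must not silently fall back to the system store.
            raise FileNotFoundError(cert_file)
        return TrustPolicy(True, cert_file, "system store plus cert_file")
    return TrustPolicy(True, None, "system store only; cert_file ignored")


def build_ssl_context(policy: TrustPolicy) -> ssl.SSLContext:
    """Build a verifying context. create_default_context() loads the OS trust
    store and sets CERT_REQUIRED plus hostname checking; cert_file is ADDED to
    that store, it never replaces it, which is why it cannot act as a pin."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if policy.extra_cafile:
        # Raises ssl.SSLError if the file contains no parseable certificate.
        ctx.load_verify_locations(cafile=policy.extra_cafile)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Return the verification settings a test can assert on."""
    return {
        "requires_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "loaded_ca_count": len(ctx.get_ca_certs()),
    }


def connect_and_get_subject(host: str, port: int, ctx: ssl.SSLContext,
                            timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the peer certificate subject.
    Raises ssl.SSLCertVerificationError when no trusted root signs the chain.
    Not called by the offline checks below; provided for real-server use."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return dict(x[0] for x in cert.get("subject", ()))


if __name__ == "__main__":
    # Offline walkthrough: no flags means cert_file is ignored entirely.
    policy = choose_trust_policy("/etc/conjur/conjur-server.pem")  # assumed path
    print(policy.reason, context_summary(build_ssl_context(policy)))
```

With a real CA-signed server, calling connect_and_get_subject with the "system store only" context succeeds exactly as the comment says, and passing an unrelated or bogus cert_file with --ca-cert changes nothing about that outcome as long as the file parses. A test that wants to prove "bad cert_file must fail" therefore has to run against a server whose chain is not in the system store (a self-signed or private-CA test server), which is the filter the issue asks for.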