Open sigalsax opened 3 years ago
In the interest of maintaining compatibility between the Ruby and Python CLI's handling of .conjurrc, conjur-api-python#37 allows the SSL verification to work with the system trust store regardless of the cert_file value. The cert_file property can still be used via the --self-signed flag to trust a self-signed cert, and via the --ca-cert flag to trust a root CA outside of the system trust store. But if the pem file it points to isn't a root CA or self-signed cert, the connection can still succeed if the system trust store contains the associated CA.
We should re-evaluate the associated tests in the Conjur CLI to verify this behavior against a CA-signed certificate.
Summary
We have two tests that do not pass (and should not pass) when running against a Conjur server machine/LB that has been configured with a CA signed certificate: test_https_cli_fails_if_cert_is_bad and test_https_cli_fails_if_cert_is_not_provided. The reason they should not pass is because these two tests check the cert_file field of the conjurrc and with the CA signed cert flow, we do not use that field to verify certificates. Instead we verify the certificate provided by the server on each request against known CA bundles on the machine. In other words, we don't use the cert_file field contents.
FYI @eladkug
Steps to Reproduce
Steps to reproduce the behavior:
Pack the cli and the test runner on macOS:
pyinstaller -F test/util/test_runners/integrations_tests_runner.py
and
pyinstaller -D ./pkg_bin/conjur
Run
./dist/integrations_tests_runner \
  --identifier test_with_process \
  --url https://sigallb.aim-dev.conjur.net/ \
  --account cucumber \
  --login admin \
  --password blah \
  --files-folder test \
  --cli-to-test ./dist/conjur/conjur
See first two tests failing
Expected Results
Either fix the flow or add a filter on the tests that should be run
Reproducible
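One way the "add a filter on the tests" option could look, as an added example that is not code from the Conjur CLI or its test runner: probe whether the target server's certificate already verifies against the machine's CA bundle, and if so drop the two cert_file tests named above. The function names and the three-state probe result are assumptions made for this sketch.

```python
import socket
import ssl

# The two tests from this issue that assert on cert_file handling.
CERT_FILE_TESTS = frozenset({
    "test_https_cli_fails_if_cert_is_bad",
    "test_https_cli_fails_if_cert_is_not_provided",
})


def probe_system_trust(host, port=443, timeout=5.0):
    """Hypothetical helper: check the server chain against the system trust store.

    Returns True if the handshake verifies with the default CA bundle,
    False if certificate verification fails (e.g. self-signed or private CA),
    None if the server could not be reached or another TLS error occurred.
    """
    ctx = ssl.create_default_context()  # system CAs, hostname checking enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False
    except OSError:  # refused, timeout, DNS failure, non-verification TLS errors
        return None


def select_tests(all_tests, system_trusted):
    """Hypothetical filter: skip the cert_file tests only when the server is
    known to be trusted via the system store, since a bad or missing cert_file
    cannot make the connection fail in that case. Unknown (None) keeps them."""
    if system_trusted is True:
        return [t for t in all_tests if t not in CERT_FILE_TESTS]
    return list(all_tests)


if __name__ == "__main__":
    # Constructed test list; the third name is a placeholder, not a real test.
    tests = sorted(CERT_FILE_TESTS) + ["test_placeholder_other"]
    trusted = probe_system_trust("conjur.example.invalid")  # placeholder host
    print(trusted, select_tests(tests, trusted))
```

Keeping the tests when the probe returns None means an unreachable server still surfaces as test failures instead of a silently reduced test run.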