
Commit f582849

committed
[tests] Authmanager Postgres PKI test
1 parent 74f49dd commit f582849


5 files changed

+301
-19
lines changed


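--- a/tests/src/python/CMakeLists.txt
+++ b/tests/src/python/CMakeLists.txt
@@ -159,5 +159,7 @@ IF (WITH_SERVER)
 ADD_PYTHON_TEST(PyQgsServerAccessControl test_qgsserver_accesscontrol.py)
 ADD_PYTHON_TEST(PyQgsServerWFST test_qgsserver_wfst.py)
 ADD_PYTHON_TEST(PyQgsOfflineEditingWFS test_offline_editing_wfs.py)
-ADD_PYTHON_TEST(PyQgsAuthManagerEndpointTest test_authmanager_endpoint.py)
+ADD_PYTHON_TEST(PyQgsAuthManagerPasswordOWSTest test_authmanager_password_ows.py)
+#ADD_PYTHON_TEST(PyQgsAuthManagerPKIOWSTest test_authmanager_pki_ows.py)
+ADD_PYTHON_TEST(PyQgsAuthManagerPKIPostgresTest test_authmanager_pki_postgres.py)
 ENDIF (WITH_SERVER)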
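Review bot: The added `#ADD_PYTHON_TEST(PyQgsAuthManagerPKIOWSTest test_authmanager_pki_ows.py)` line is committed disabled with no reason given, so a reader cannot tell whether the PKI OWS test is broken, unfinished or waiting on something else. With it off, the client-certificate HTTPS path that this commit adds to qgis_wrapped_server.py appears not to be exercised by any registered test; the Postgres PKI test presumably talks to a database rather than the wrapped server. I would put a comment above the line, for example `# Disabled: <reason>; re-enable when <condition>`.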

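--- a/tests/src/python/qgis_wrapped_server.py
+++ b/tests/src/python/qgis_wrapped_server.py
@@ -3,7 +3,7 @@
 QGIS Server HTTP wrapper
 
 This script launches a QGIS Server listening on port 8081 or on the port
-specified on the environment variable QGIS_SERVER_PORT
+specified on the environment variable QGIS_SERVER_PORT.
 QGIS_SERVER_HOST (defaults to 127.0.0.1)
 
 For testing purposes, HTTP Basic can be enabled by setting the following
@@ -13,6 +13,21 @@
 * QGIS_SERVER_USERNAME (default ="username")
 * QGIS_SERVER_PASSWORD (default ="password")
 
+PKI authentication with HTTPS can be enabled with:
+
+* QGIS_SERVER_PKI_CERTIFICATE (server certificate)
+* QGIS_SERVER_PKI_KEY (server private key)
+* QGIS_SERVER_PKI_AUTHORITY (root CA)
+* QGIS_SERVER_PKI_USERNAME (valid username)
+
+Sample run:
+
+QGIS_SERVER_PKI_USERNAME=Gerardus QGIS_SERVER_PORT=47547 QGIS_SERVER_HOST=localhost \
+QGIS_SERVER_PKI_KEY=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_key.pem \
+QGIS_SERVER_PKI_CERTIFICATE=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_cert.pem \
+QGIS_SERVER_PKI_AUTHORITY=/home/$USER/dev/QGIS/tests/testdata/auth_system/certs_keys/chains_subissuer-issuer-root_issuer2-root2.pem \
+python3 /home/$USER/dev/QGIS/tests/src/python/qgis_wrapped_server.py
+
 .. note:: This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
@@ -32,13 +47,29 @@
 import os
 import sys
 import signal
+import ssl
 import urllib.parse
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from qgis.core import QgsApplication
 from qgis.server import QgsServer
 
 QGIS_SERVER_PORT = int(os.environ.get('QGIS_SERVER_PORT', '8081'))
 QGIS_SERVER_HOST = os.environ.get('QGIS_SERVER_HOST', '127.0.0.1')
+# PKI authentication
+QGIS_SERVER_PKI_CERTIFICATE = os.environ.get('QGIS_SERVER_PKI_CERTIFICATE')
+QGIS_SERVER_PKI_KEY = os.environ.get('QGIS_SERVER_PKI_KEY')
+QGIS_SERVER_PKI_AUTHORITY = os.environ.get('QGIS_SERVER_PKI_AUTHORITY')
+QGIS_SERVER_PKI_USERNAME = os.environ.get('QGIS_SERVER_PKI_USERNAME')
+
+# Check if PKI - https is enabled
+https = (QGIS_SERVER_PKI_CERTIFICATE is not None and
+os.path.isfile(QGIS_SERVER_PKI_CERTIFICATE) and
+QGIS_SERVER_PKI_KEY is not None and
+os.path.isfile(QGIS_SERVER_PKI_KEY) and
+QGIS_SERVER_PKI_AUTHORITY is not None and
+os.path.isfile(QGIS_SERVER_PKI_AUTHORITY) and
+QGIS_SERVER_PKI_USERNAME)
+
 
 qgs_app = QgsApplication([], False)
 qgs_server = QgsServer()
@@ -75,6 +106,8 @@ def do_GET(self):
 for k, v in self.headers.items():
 qgs_server.putenv('HTTP_%s' % k.replace(' ', '-').replace('-', '_').replace(' ', '-').upper(), v)
 qgs_server.putenv('SERVER_PORT', str(self.server.server_port))
+if https:
+qgs_server.putenv('HTTPS', 'ON')
 qgs_server.putenv('SERVER_NAME', self.server.server_name)
 qgs_server.putenv('REQUEST_URI', self.path)
 parsed_path = urllib.parse.urlparse(self.path)
@@ -101,8 +134,16 @@ def do_POST(self):
 
 if __name__ == '__main__':
 server = HTTPServer((QGIS_SERVER_HOST, QGIS_SERVER_PORT), Handler)
-print('Starting server on %s:%s, use <Ctrl-C> to stop' %
-(QGIS_SERVER_HOST, server.server_port), flush=True)
+if https:
+server.socket = ssl.wrap_socket(server.socket,
+certfile=QGIS_SERVER_PKI_CERTIFICATE,
+keyfile=QGIS_SERVER_PKI_KEY,
+ca_certs=QGIS_SERVER_PKI_AUTHORITY,
+cert_reqs=ssl.CERT_REQUIRED,
+server_side=True,
+ssl_version=ssl.PROTOCOL_TLSv1)
+print('Starting server on %s://%s:%s, use <Ctrl-C> to stop' %
+('https' if https else 'http', QGIS_SERVER_HOST, server.server_port), flush=True)
 
 def signal_handler(signal, frame):
 global qgs_app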
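Review bot: The `if https:` block under `__main__` pins `ssl_version=ssl.PROTOCOL_TLSv1`, so the test server can only speak TLS 1.0, and it relies on the module-level `ssl.wrap_socket()`, which newer Python releases deprecate and later drop. An `ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)` keeps the client-certificate requirement while letting both sides negotiate the highest shared protocol version, as in the excerpt below. Separately, the module-level `https` expression falls back to plain HTTP without any message when a PKI variable is set but its file is missing, and `QGIS_SERVER_PKI_USERNAME` is only tested for truthiness in the visible hunks; whether the handler compares it with the peer certificate cannot be seen from here. The `__main__` block continues past the end of this hunk.

```python
    server = HTTPServer((QGIS_SERVER_HOST, QGIS_SERVER_PORT), Handler)
    if https:
        # Negotiate the best TLS version both peers support instead of pinning TLS 1.0.
        tls_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        tls_context.load_cert_chain(certfile=QGIS_SERVER_PKI_CERTIFICATE,
                                    keyfile=QGIS_SERVER_PKI_KEY)
        tls_context.load_verify_locations(cafile=QGIS_SERVER_PKI_AUTHORITY)
        # Still reject clients that present no certificate chaining to the test CA.
        tls_context.verify_mode = ssl.CERT_REQUIRED
        server.socket = tls_context.wrap_socket(server.socket, server_side=True)
    # … unchanged: startup print with the http/https scheme …
```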

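--- a/tests/src/python/test_authmanager_endpoint.py
+++ b/tests/src/python/test_authmanager_password_ows.py
@@ -8,7 +8,7 @@
 configuration to access an HTTP Basic protected endpoint.
 
 
-From build dir, run: ctest -R PyQgsAuthManagerEndpointTest -V
+From build dir, run: ctest -R PyQgsAuthManagerPasswordOWSTest -V
 
 .. note:: This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -30,7 +30,6 @@
 # This will get replaced with a git SHA1 when you do a git archive
 __revision__ = '$Format:%H$'
 
-from urllib.parse import quote
 from shutil import rmtree
 
 from utilities import unitTestDataPath, waitServer
@@ -45,11 +44,10 @@
 unittest,
 )
 
-
 try:
 QGIS_SERVER_ENDPOINT_PORT = os.environ['QGIS_SERVER_ENDPOINT_PORT']
 except:
-QGIS_SERVER_ENDPOINT_PORT = '0' # Auto
+QGIS_SERVER_ENDPOINT_PORT = '0' # Auto
 
 
 QGIS_AUTH_DB_DIR_PATH = tempfile.mkdtemp()
@@ -74,7 +72,7 @@ def setUpClass(cls):
 except KeyError:
 pass
 cls.testdata_path = unitTestDataPath('qgis_server') + '/'
-cls.project_path = quote(cls.testdata_path + "test_project.qgs")
+cls.project_path = cls.testdata_path + "test_project.qgs"
 # Enable auth
 #os.environ['QGIS_AUTH_PASSWORD_FILE'] = QGIS_AUTH_PASSWORD_FILE
 authm = QgsAuthManager.instance()
@@ -86,26 +84,30 @@ def setUpClass(cls):
 cls.auth_config.setConfig('username', cls.username)
 cls.auth_config.setConfig('password', cls.password)
 assert (authm.storeAuthenticationConfig(cls.auth_config)[0])
+cls.hostname = '127.0.0.1'
+cls.protocol = 'http'
 
 os.environ['QGIS_SERVER_HTTP_BASIC_AUTH'] = '1'
 os.environ['QGIS_SERVER_USERNAME'] = cls.username
 os.environ['QGIS_SERVER_PASSWORD'] = cls.password
 os.environ['QGIS_SERVER_PORT'] = str(cls.port)
+os.environ['QGIS_SERVER_HOST'] = cls.hostname
+
 server_path = os.path.dirname(os.path.realpath(__file__)) + \
 '/qgis_wrapped_server.py'
 cls.server = subprocess.Popen([sys.executable, server_path],
 env=os.environ, stdout=subprocess.PIPE)
+
 line = cls.server.stdout.readline()
 cls.port = int(re.findall(b':(\d+)', line)[0])
 assert cls.port != 0
 # Wait for the server process to start
-assert waitServer('http://127.0.0.1:%s' % cls.port), "Server is not responding!"
+assert waitServer('%s://%s:%s' % (cls.protocol, cls.hostname, cls.port)), "Server is not responding! %s://%s:%s" % (cls.protocol, cls.hostname, cls.port)
 
 @classmethod
 def tearDownClass(cls):
 """Run after all tests"""
 cls.server.terminate()
-cls.server.wait()
 rmtree(QGIS_AUTH_DB_DIR_PATH)
 del cls.server
 
@@ -127,7 +129,7 @@ def _getWFSLayer(cls, type_name, layer_name=None, authcfg=None):
 parms = {
 'srsname': 'EPSG:4326',
 'typename': type_name,
-'url': 'http://127.0.0.1:%s/?map=%s' % (cls.port, cls.project_path),
+'url': '%s://%s:%s/?map=%s' % (cls.protocol, cls.hostname, cls.port, cls.project_path),
 'version': 'auto',
 'table': '',
 }
@@ -146,12 +148,12 @@ def _getWMSLayer(cls, layers, layer_name=None, authcfg=None):
 layer_name = 'wms_' + layers.replace(',', '')
 parms = {
 'crs': 'EPSG:4326',
-'url': 'http://127.0.0.1:%s/?map=%s' % (cls.port, cls.project_path),
-'format': 'image/png',
+'url': '%s://%s:%s/?map=%s' % (cls.protocol, cls.hostname, cls.port, cls.project_path),
 # This is needed because of a really weird implementation in QGIS Server, that
 # replaces _ in the the real layer name with spaces
-'layers': urllib.parse.quote(layers).replace('_', ' '),
+'layers': urllib.parse.quote(layers.replace('_', ' ')),
 'styles': '',
+'version': 'auto',
 #'sql': '',
 }
 if authcfg is not None:
@@ -173,7 +175,7 @@ def testInvalidAuthAccess(self):
 """
 Access the HTTP Basic protected layer with no credentials
 """
-wfs_layer = self._getWFSLayer('testlayer_èé')
+wfs_layer = self._getWFSLayer('testlayer èé')
 self.assertFalse(wfs_layer.isValid())
 wms_layer = self._getWMSLayer('testlayer_èé')
 self.assertFalse(wms_layer.isValid())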
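Review bot: In `tearDownClass` the commit drops `cls.server.wait()`, so after `terminate()` the child process is never reaped and `rmtree(QGIS_AUTH_DB_DIR_PATH)` can run while the wrapped server is still alive. If the plain wait was removed because it hung, a bounded wait keeps the cleanup deterministic: `cls.server.wait(timeout=10)` after `terminate()`, with `cls.server.kill()` on `subprocess.TimeoutExpired`. The commit does not say why the call was removed, so a one-line comment in `tearDownClass` stating the reason would help whichever way it is resolved.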
