Commit 7c1e2b3a authored by Nick Fiacco's avatar Nick Fiacco

Add support for disabling OCSP and hostname checking

* Add a manpage for mount.efs
* Improve warning messages in the mount helper
* Improve stunnel cleanup functionality
parent e1673be6
......@@ -33,6 +33,9 @@ tarball: clean
cp -rp src/mount_efs $(PACKAGE_NAME)/src
cp -rp src/watchdog $(PACKAGE_NAME)/src
mkdir -p ${PACKAGE_NAME}/man
cp -rp man/mount.efs.8 ${PACKAGE_NAME}/man
tar -czf $(SOURCE_TARBALL) $(PACKAGE_NAME)/*
.PHONY: specfile
......@@ -60,4 +63,4 @@ deb:
.PHONY: test
test:
pytest
flake8
\ No newline at end of file
flake8
......@@ -11,7 +11,7 @@ set -ex
BASE_DIR=$(pwd)
BUILD_ROOT=${BASE_DIR}/build/debbuild
VERSION=1.2
VERSION=1.3
echo 'Cleaning deb build workspace'
rm -rf ${BUILD_ROOT}
......@@ -24,6 +24,7 @@ mkdir -p ${BUILD_ROOT}/etc/systemd/system
mkdir -p ${BUILD_ROOT}/sbin
mkdir -p ${BUILD_ROOT}/usr/bin
mkdir -p ${BUILD_ROOT}/var/log/amazon/efs
mkdir -p ${BUILD_ROOT}/usr/share/man/man8
echo 'Copying application files'
install -p -m 644 dist/amazon-efs-mount-watchdog.conf ${BUILD_ROOT}/etc/init
......@@ -44,6 +45,9 @@ install -p -m 644 dist/amazon-efs-utils.control ${BUILD_ROOT}/control
echo 'Copying conffiles'
install -p -m 644 dist/amazon-efs-utils.conffiles ${BUILD_ROOT}/conffiles
echo 'Copying manpages'
install -p -m 644 man/mount.efs.8 ${BUILD_ROOT}/usr/share/man/man8/mount.efs.8
echo 'Creating deb binary file'
echo '2.0'> ${BUILD_ROOT}/debian-binary
......
Package: amazon-efs-utils
Architecture: all
Version: 1.2
Version: 1.3
Section: utils
Depends: python|python2, nfs-common, stunnel4 (>= 4.56)
Priority: optional
......
......@@ -20,7 +20,7 @@
%endif
Name : amazon-efs-utils
Version : 1.2
Version : 1.3
Release : 1%{?dist}
Summary : This package provides utilities for simplifying the use of EFS file systems
......@@ -67,11 +67,13 @@ install -p -m 644 %{_builddir}/%{name}/dist/amazon-efs-mount-watchdog.conf %{bui
mkdir -p %{buildroot}/sbin
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_localstatedir}/log/amazon/efs
mkdir -p %{buildroot}%{_mandir}/man8
install -p -m 644 %{_builddir}/%{name}/dist/efs-utils.conf %{buildroot}%{_sysconfdir}/amazon/efs
install -p -m 444 %{_builddir}/%{name}/dist/efs-utils.crt %{buildroot}%{_sysconfdir}/amazon/efs
install -p -m 755 %{_builddir}/%{name}/src/mount_efs/__init__.py %{buildroot}/sbin/mount.efs
install -p -m 755 %{_builddir}/%{name}/src/watchdog/__init__.py %{buildroot}%{_bindir}/amazon-efs-mount-watchdog
install -p -m 644 %{_builddir}/%{name}/man/mount.efs.8 %{buildroot}%{_mandir}/man8
%files
%defattr(-,root,root,-)
......@@ -84,6 +86,7 @@ install -p -m 755 %{_builddir}/%{name}/src/watchdog/__init__.py %{buildroot}%{_b
/sbin/mount.efs
%{_bindir}/amazon-efs-mount-watchdog
/var/log/amazon
%{_mandir}/man8/mount.efs.8.gz
%config(noreplace) %{_sysconfdir}/amazon/efs/efs-utils.conf
......
if [ $(cat /proc/1/comm) = init ]; then
/sbin/restart amazon-efs-mount-watchdog &> /dev/null || true
elif [ $(cat /proc/1/comm) = systemd ]; then
systemctl try-restart amazon-efs-mount-watchdog.service &> /dev/null || true
fi
#!/bin/sh
set -e
if [ -n $2 ]; then
if [ "$(cat /proc/1/comm)" = "init" ]; then
/sbin/restart amazon-efs-mount-watchdog &> /dev/null || true
elif [ "$(cat /proc/1/comm)" = "systemd" ]; then
if systemctl is-active --quiet amazon-efs-mount-watchdog; then
systemctl try-restart amazon-efs-mount-watchdog.service &> /dev/null || true
fi
fi
fi
\ No newline at end of file
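Review bot: The guard `if [ -n $2 ]; then` at the top of the new postinst leaves `$2` unquoted, so on a fresh install, where dpkg passes an empty second argument, the test collapses to `[ -n ]`, which is true, and the restart branch runs in exactly the case it was meant to skip; it should read `if [ -n "$2" ]; then`, matching the quoting already used on the `/proc/1/comm` tests below it. The `&> /dev/null` on the two restart lines is bash syntax, and under a POSIX `#!/bin/sh` such as dash it is parsed as backgrounding the command followed by a bare redirection, so neither the output suppression nor the trailing `|| true` applies to the restart itself; `> /dev/null 2>&1` is the portable form. The same two points apply to the equivalent lines in the prerm.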
if [ -z "$2" ]; then
if [ $(cat /proc/1/comm) = systemd ]; then
#!/bin/sh
set -e
reload() {
if [ "$(cat /proc/1/comm)" = "systemd" ]; then
systemctl daemon-reload
fi
}
if [ "$1" = "remove" ]; then
reload
elif [ "$1" = "purge" ]; then
reload
rm -f /var/log/amazon/efs/*
fi
\ No newline at end of file
if [ -z "$2" ]; then
if [ $(cat /proc/1/comm) = init ]; then
#!/bin/sh
set -e
if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then
if [ "$(cat /proc/1/comm)" = "init" ]; then
/sbin/stop amazon-efs-mount-watchdog &> /dev/null || true
elif [ $(cat /proc/1/comm) = systemd ]; then
systemctl --no-reload disable amazon-efs-mount-watchdog.service &> /dev/null || true
systemctl stop amazon-efs-mount-watchdog.service &> /dev/null || true
elif [ "$(cat /proc/1/comm)" = "systemd" ]; then
if systemctl is-active --quiet amazon-efs-mount-watchdog; then
systemctl --no-reload disable amazon-efs-mount-watchdog.service &> /dev/null || true
systemctl stop amazon-efs-mount-watchdog.service &> /dev/null || true
fi
fi
fi
fi
\ No newline at end of file
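Review bot: In the new systemd branch `systemctl --no-reload disable` is only reached when `systemctl is-active --quiet` succeeds, so a unit that is enabled but currently stopped stays enabled after the package is removed, leaving an enabled unit that points at a deleted binary. Disable should not depend on the running state: move `systemctl --no-reload disable amazon-efs-mount-watchdog.service > /dev/null 2>&1 || true` out of the `is-active` guard and keep only the `stop` inside it. As in the postinst, `&> /dev/null` is a bashism that a POSIX `/bin/sh` parses as a background job followed by a bare redirection, so the `|| true` does not cover the command it was meant to protect.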
.TH "EFS" "8"
.SH "NAME"
\fBmount\&.efs\fR \- Mount helper for using Amazon EFS file systems\&.
.SH "SYNOPSIS"
.sp
\fBmount\&.efs\fR \fIfile\-system\-id\fR \fImount-point\fR [\fB\-o\fR \fIoptions\fR]
.SH "DESCRIPTION"
.sp
\fBmount\&.efs\fR is part of the \fBamazon\-efs\-utils\fR \
package, which simplifies using EFS file systems\&.
.sp
\fBmount\&.efs\fR is meant to be used through the \
\fBmount\fR(8) command for mounting EFS file systems\&.
.sp
\fIfile\-system\-id\fR is an EFS file system ID in the \
form of "fs\-abcd1234", generated when the file system \
is created\&. \fImount-point\fR is the local directory \
on which the file system will be mounted\&.
.sp
\fBmount\&.efs\fR automatically applies the following NFS options:
.sp
.if n \{\
.RS 4
.\}
.nf
nfsvers=4\&.1
rsize=1048576
wsize=1048576
hard
timeo=600
retrans=2
noresvport
.fi
.if n \{\
.RE
.\}
.sp
By default, when using the Amazon EFS mount helper with Transport \
Layer Security (TLS), the mount helper enforces the use of Online \
Certificate Status Protocol (OCSP) and certificate hostname checking\&. \
These options can be configured in the config file located at \
\fI/etc/amazon/efs/efs\-utils\&.conf\&\fR.
.sp
Additionally, the Amazon EFS mount helper has built\-in logging for \
troubleshooting purposes\&. These logs are located at \fI/var/log/amazon/efs\fR\&.
.sp
It is possible to configure your Amazon EC2 instance to automatically \
remount your Amazon EFS file system when it reboots. For more information, \
see the online documentation at: \
\fIhttps://docs\&.aws\&.amazon\&.com/efs/latest/ug/mount\-fs\-auto\-mount\-onreboot\&.html\fR\&.
.SH "OPTIONS"
.sp
\fB\-o\fR, Options are specified with a \fB\-o\fR flag followed by a \
comma separated string of options\&. All of the options specified in \
\fBnfs(5)\fR are available, in addition to the following EFS-specific \
options:
.if n \{\
.RS 4
.\}
.TP
\fBtls\fR
Mounts the EFS file system over TLS\&.
.TP
\fBtlsport=\fR\fIn\fR
Configure the TLS relay to listen on the specified port\&.
.TP
\fBverify=\fR\fIn\fR
Verify TLS certificates using the specified stunnel verify level\&. For \
more information, see \fBstunnel(8)\fR\&.
.if n \{\
.RE
.\}
.SH "EXAMPLES"
.TP
sudo mount -t efs fs-abcd1234 /mnt/efs
Mount an EFS file system with file system ID "fs-abcd1234" at mount point \
"/mnt/efs" without encryption of data in transit\&.
.TP
sudo mount -t efs fs-abcd1234:/child /mnt/efs
Mount a non-root directory of an EFS file system with file system ID \
"fs-abcd1234" at mount point "/mnt/efs" without encryption of data in transit\&.
.TP
sudo mount -t efs -o tls fs-abcd1234 /mnt/efs
Mount an EFS file system with file system ID "fs-abcd1234" at mount point \
"/mnt/efs" using encryption of data in transit\&.
.TP
sudo mount -t efs -o tls,verify=0 fs-abcd1234 /mnt/efs
Mount an EFS file system with file system ID "fs-abcd1234" at mount point \
"/mnt/efs" using encryption of data in transit and a verify level of 0\&.
.SH "FILES"
.TP
\fI/sbin/mount.efs\fR
The executable for the Amazon EFS mount helper\&.
.TP
\fI/usr/bin/amazon-efs-mount-watchdog\fR
The executable for the supervisor process that monitors the network relay\&.
.TP
\fI/etc/amazon/efs/efs-utils.conf\fR
The configuration file for the Amazon EFS mount helper\&.
.TP
\fI/etc/amazon/efs/efs-utils.crt\fR
The default Certificate Authority file used by the Amazon EFS mount helper\&.
.TP
\fI/etc/init/amazon-efs-mount-watchdog.conf\fR
The configuration file for the supervisor process\&.
.TP
\fI/var/log/amazon/efs/\fR
The directory where logs for the Amazon EFS mount helper, the stunnel network \
relay, and the supervisor process are stored\&.
.TP
\fI/usr/share/man/man8/mount.efs.8\fR
The man page for the Amazon EFS mount helper\&.
.SH "NOTES"
.sp
For more information on using the \fBamazon\-efs\-utils\fR package, see \
\fIhttps://docs\&.aws\&.amazon\&.com/efs/latest/ug/using\-amazon\-efs\-utils\&.html\fR \
in the Amazon EFS User Guide\&.
.SH "SEE ALSO"
.sp
\fBnfs(8)\fR, \fBstunnel(8)\fR, \fBfstab(5)\fR
.SH "COPYING"
.sp
Copyright 2017\-2018 Amazon\&.com, Inc\&. and its affiliates\&. All Rights Reserved\&.
......@@ -54,7 +54,7 @@ except ImportError:
from urllib.error import URLError
from urllib.request import urlopen
VERSION = '1.2'
VERSION = '1.3'
CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf'
CONFIG_SECTION = 'mount'
......@@ -72,13 +72,16 @@ DEFAULT_STUNNEL_VERIFY_LEVEL = 2
DEFAULT_STUNNEL_CAFILE = '/etc/amazon/efs/efs-utils.crt'
EFS_ONLY_OPTIONS = [
'cafile',
'capath',
'tls',
'tlsport',
'verify',
]
UNSUPPORTED_OPTIONS = [
'cafile',
'capath',
]
STUNNEL_GLOBAL_CONFIG = {
'fips': 'no',
'foreground': 'yes',
......@@ -130,7 +133,10 @@ def get_region():
return instance_identity['region']
except URLError as e:
_fatal_error('Unable to reach instance metadata service at %s: %s' % (INSTANCE_METADATA_SERVICE_URL, e))
_fatal_error('Unable to reach the instance metadata service at %s. If this is an on-premises instance, replace '
'"{region}" in the "dns_name_format" option in %s with the region of the EFS file system you are mounting.\n'
'See %s for more detail. %s'
% (INSTANCE_METADATA_SERVICE_URL, CONFIG_FILE, 'https://docs.aws.amazon.com/console/efs/direct-connect', e))
except ValueError as e:
_fatal_error('Error parsing json: %s' % (e,))
except KeyError as e:
......@@ -233,9 +239,9 @@ def get_version_specific_stunnel_options(config):
stunnel_output = err.splitlines()
check_host_supported = is_stunnel_option_supported(stunnel_output, 'checkHost')
oscp_aia_supported = is_stunnel_option_supported(stunnel_output, 'OCSPaia')
ocsp_aia_supported = is_stunnel_option_supported(stunnel_output, 'OCSPaia')
return check_host_supported, oscp_aia_supported
return check_host_supported, ocsp_aia_supported
def write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_port, dns_name, verify_level, log_dir=LOG_DIR):
......@@ -258,21 +264,23 @@ def write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_por
if verify_level > 0:
add_stunnel_ca_options(efs_config)
check_host, oscp_aia = get_version_specific_stunnel_options(config)
check_host_supported, ocsp_aia_supported = get_version_specific_stunnel_options(config)
tls_controls_message = 'WARNING: Your client lacks sufficient controls to properly enforce TLS. Please upgrade stunnel, ' \
'or disable "%%s" in %s.\nSee %s for more detail.' % (CONFIG_FILE,
'https://docs.aws.amazon.com/console/efs/troubleshooting-tls')
if check_host:
efs_config['checkHost'] = dns_name
elif config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_hostname'):
fatal_error(tls_controls_message % 'stunnel_check_cert_hostname')
if config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_hostname'):
if check_host_supported:
efs_config['checkHost'] = dns_name
else:
fatal_error(tls_controls_message % 'stunnel_check_cert_hostname')
if oscp_aia:
efs_config['OCSPaia'] = 'yes'
elif config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_validity'):
fatal_error(tls_controls_message % 'stunnel_check_cert_validity')
if config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_validity'):
if ocsp_aia_supported:
efs_config['OCSPaia'] = 'yes'
else:
fatal_error(tls_controls_message % 'stunnel_check_cert_validity')
stunnel_config = '\n'.join(serialize_stunnel_config(global_config) + serialize_stunnel_config(efs_config, 'efs'))
logging.debug('Writing stunnel configuration:\n%s', stunnel_config)
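Review bot: When `stunnel_check_cert_hostname` or `stunnel_check_cert_validity` is false, the new branches simply omit `checkHost` / `OCSPaia` from the stunnel config and say nothing, so a mount can run over TLS without hostname or revocation checking and the only evidence is a key in /etc/amazon/efs/efs-utils.conf. Since the point of this commit is to permit that downgrade, each disabled check should at least be logged at warning level (the `logging.debug` of the generated config only shows an absence), so that an operator or incident responder can tell a deliberately weakened mount from a properly verified one. Whether `config.getboolean` has a fallback when a key is missing from an older config file is not visible here and is worth confirming, since both keys are now read unconditionally. The remainder of `write_stunnel_config_file` is outside the hunk.
```python
    if config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_hostname'):
        # … unchanged: checkHost / fatal_error branch …
    else:
        logging.warning('stunnel_check_cert_hostname is disabled in %s; the EFS server certificate hostname will not be checked', CONFIG_FILE)

    if config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_validity'):
        # … unchanged: OCSPaia / fatal_error branch …
    else:
        logging.warning('stunnel_check_cert_validity is disabled in %s; OCSP revocation checking of the EFS server certificate will not be performed', CONFIG_FILE)
```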
......@@ -406,6 +414,7 @@ def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, sta
def get_nfs_mount_options(options):
# If you change these options, update the man page as well at man/mount.efs.8
if 'nfsvers' not in options and 'vers' not in options:
options['nfsvers'] = '4.1'
if 'rsize' not in options:
......@@ -418,6 +427,8 @@ def get_nfs_mount_options(options):
options['timeo'] = '600'
if 'retrans' not in options:
options['retrans'] = '2'
if 'noresvport' not in options:
options['noresvport'] = None
if 'tls' in options:
if 'port' in options:
......@@ -577,6 +588,16 @@ def mount_tls(config, init_system, dns_name, path, fs_id, mountpoint, options):
t.join()
def check_unsupported_options(options):
for unsupported_option in UNSUPPORTED_OPTIONS:
if unsupported_option in options:
warn_message = 'The "%s" option is not supported and has been ignored, as amazon-efs-utils relies on a built-in ' \
'trust store.' % unsupported_option
sys.stderr.write('WARN: %s\n' % warn_message)
logging.warn(warn_message)
del options[unsupported_option]
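Review bot: `logging.warn(warn_message)` in `check_unsupported_options` uses the deprecated alias of `logging.warning`; the rest of this file logs through the canonical names (`logging.debug`, `logging.info` are visible in other hunks), so `logging.warning(warn_message)` keeps it consistent and avoids the deprecation warning on current interpreters. Overriding `cafile`/`capath` is a defensible choice for a helper that ships its own trust store, but a caller who passed them was asking for a different or stricter CA, and the stderr line is the only signal that the request was ignored, so it should remain on stderr rather than being moved to the log alone.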
def main():
fs_id, path, mountpoint, options = parse_arguments()
assert_root()
......@@ -585,6 +606,7 @@ def main():
bootstrap_logging(config)
logging.info('version=%s options=%s', VERSION, options)
check_unsupported_options(options)
init_system = get_init_system()
check_network_status(fs_id, init_system)
......
......@@ -25,7 +25,7 @@ try:
except ImportError:
from configparser import ConfigParser
VERSION = '1.2'
VERSION = '1.3'
CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf'
CONFIG_SECTION = 'mount-watchdog'
......@@ -78,17 +78,19 @@ def bootstrap_logging(config, log_dir=LOG_DIR):
logging.error('Malformed logging level "%s", setting logging level to %s', raw_level, level)
def get_file_safe_mountpoint(mountpoint):
mountpoint = os.path.abspath(mountpoint).replace(os.sep, '.')
def get_file_safe_mountpoint(mount):
mountpoint = os.path.abspath(mount.mountpoint).replace(os.sep, '.')
if mountpoint.startswith('.'):
mountpoint = mountpoint[1:]
return mountpoint
port = mount.options[mount.options.find('port'):].split(',')[0].split('=')[1]
return mountpoint + '.' + port
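Review bot: The port extraction on the last lines of `get_file_safe_mountpoint` is a substring search: `mount.options.find('port')` matches any option containing "port" (a `mountport=` entry, for instance) rather than the `port=` option itself, and when nothing matches `find` returns -1, so the slice starts at the final character and `.split('=')[1]` raises IndexError, which would take down the watchdog for any local NFS mount lacking an explicit port. Split the option string on commas and match the option name exactly, and report the absent case with a clear error (or let the caller skip the mount) instead of an incidental IndexError. The caller in `get_current_local_nfs_mounts` is in the following hunk and would need to decide how to treat such mounts.
```python
def get_file_safe_mountpoint(mount):
    # … unchanged: mountpoint normalisation …
    port = None
    for opt in mount.options.split(','):
        if opt.startswith('port='):
            port = opt.split('=', 1)[1]
            break
    if port is None:
        raise ValueError('mount "%s" has no port= option' % mount.mountpoint)
    return mountpoint + '.' + port
```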
def get_current_local_nfs_mounts(mount_file='/proc/mounts'):
"""
Return a dict of the current NFS mounts for servers running on localhost, keyed by the mountpoint as it appears in EFS
watchdog state files.
Return a dict of the current NFS mounts for servers running on localhost, keyed by the mountpoint and port as it
appears in EFS watchdog state files.
"""
mounts = []
......@@ -100,13 +102,15 @@ def get_current_local_nfs_mounts(mount_file='/proc/mounts'):
mount_dict = {}
for m in mounts:
mount_dict[get_file_safe_mountpoint(m.mountpoint)] = m
mount_dict[get_file_safe_mountpoint(m)] = m
return mount_dict
def get_state_files(state_file_dir):
"""Return a dict of the absolute path of state files in state_file_dir, keyed by the mountpoint portion of the filename."""
"""
Return a dict of the absolute path of state files in state_file_dir, keyed by the mountpoint and port portion of the filename.
"""
state_files = {}
if os.path.isdir(state_file_dir):
......@@ -114,11 +118,12 @@ def get_state_files(state_file_dir):
if not sf.startswith('fs-'):
continue
# This translates the state file name "fs-deadbeaf.home.user.mnt.12345"
# into file-safe mountpoint "home.user.mnt.12345"
first_period = sf.find('.')
last_period = sf.rfind('.')
mount_point = sf[first_period + 1:last_period]
logging.debug('Translating "%s" into mount point "%s"', sf, mount_point)
state_files[mount_point] = sf
mount_point_and_port = sf[first_period + 1:]
logging.debug('Translating "%s" into mount point and port "%s"', sf, mount_point_and_port)
state_files[mount_point_and_port] = sf
return state_files
......
#
# Copyright 2017-2018 Amazon.com, Inc. and its affiliates. All Rights Reserved.
#
# Licensed under the MIT License. See the LICENSE accompanying this file
# for the specific language governing permissions and limitations under
# the License.
#
import mount_efs
import tempfile
def create_temp_file(tmpdir, content=''):
temp_file = tmpdir.join(tempfile.mktemp())
temp_file.write(content, ensure=True)
return temp_file
def test_no_unsupported_options(capsys):
options = {}
mount_efs.check_unsupported_options(options)
out, err = capsys.readouterr()
assert not out
def test_cafile_unsupported(capsys):
options = {'capath': '/capath'}
mount_efs.check_unsupported_options(options)
out, err = capsys.readouterr()
assert 'not supported' in err
assert 'capath' in err
assert 'capath' not in options
def test_capath_unsupported(capsys):
options = {'cafile': '/cafile'}
mount_efs.check_unsupported_options(options)
out, err = capsys.readouterr()
assert 'not supported' in err
assert 'cafile' in err
assert 'cafile' not in options
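Review bot: `test_no_unsupported_options` asserts only that stdout is empty, but `check_unsupported_options` writes its warning via `sys.stderr.write`, so the test would pass even if a warning were emitted; it should be `assert not out and not err`. The two names below are swapped: `test_cafile_unsupported` exercises `capath` and `test_capath_unsupported` exercises `cafile`, which will mislead whoever reads a failure. `create_temp_file` calls `tempfile.mktemp()`, the deprecated name-only API that is racy by design; in the lines shown the helper is unused, so it could be dropped, or replaced by `tmpdir.join('some-name')` since pytest's tmpdir is already per-test.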
......@@ -81,7 +81,7 @@ def _validate_config(stunnel_config_file, expected_global_config, expected_efs_c
def _get_expected_efs_config(port=PORT, dns_name=DNS_NAME, verify=mount_efs.DEFAULT_STUNNEL_VERIFY_LEVEL,
check_cert_hostname=True, check_cert_status=True):
check_cert_hostname=True, check_cert_validity=True):
expected_efs_config = dict(mount_efs.STUNNEL_EFS_CONFIG)
expected_efs_config['accept'] = expected_efs_config['accept'] % port
......@@ -91,13 +91,43 @@ def _get_expected_efs_config(port=PORT, dns_name=DNS_NAME, verify=mount_efs.DEFA
if check_cert_hostname:
expected_efs_config['checkHost'] = dns_name
if check_cert_status:
if check_cert_validity:
expected_efs_config['OCSPaia'] = 'yes'
return expected_efs_config
def test_write_stunnel_config_file(mocker, tmpdir):
def _test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported, stunnel_check_cert_hostname,
expected_check_cert_hostname_config_value):
ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
config_file = mount_efs.write_stunnel_config_file(
_get_config(mocker, stunnel_check_cert_hostname_supported=stunnel_check_cert_hostname_supported,
stunnel_check_cert_hostname=stunnel_check_cert_hostname),
str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
ca_mocker.assert_called_once()
_validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG,
_get_expected_efs_config(check_cert_hostname=expected_check_cert_hostname_config_value))
def _test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported, stunnel_check_cert_validity,
expected_check_cert_validity_config_value):
ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
config_file = mount_efs.write_stunnel_config_file(
_get_config(mocker, stunnel_check_cert_validity_supported=stunnel_check_cert_validity_supported,
stunnel_check_cert_validity=stunnel_check_cert_validity),
str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
ca_mocker.assert_called_once()
_validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG,
_get_expected_efs_config(check_cert_validity=expected_check_cert_validity_config_value))
def _test_write_stunnel_config_file(mocker, tmpdir):
ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
state_file_dir = str(tmpdir)
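Review bot: `test_write_stunnel_config_file` is renamed to `_test_write_stunnel_config_file` at the end of this hunk, and pytest does not collect names with a leading underscore, so that test is silently disabled rather than removed. If the new per-flag tests are meant to replace it, delete the function outright; if it is still wanted, keep the `test_` prefix. The body of `_test_write_stunnel_config_file` continues past the end of the hunk. The two helpers `_test_check_cert_hostname` and `_test_check_cert_validity` differ only in which config key they exercise and could be one helper taking the key name, though that is a matter of taste.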
......@@ -125,18 +155,33 @@ def test_write_stunnel_config_with_debug(mocker, tmpdir):
_validate_config(config_file, expected_global_config, _get_expected_efs_config())
def test_write_stunnel_config_with_check_cert_hostname(mocker, tmpdir):
ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
def test_write_stunnel_config_check_cert_hostname_supported_flag_not_set(mocker, tmpdir):
_test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=True, stunnel_check_cert_hostname=None,
expected_check_cert_hostname_config_value=True)
config_file = mount_efs.write_stunnel_config_file(_get_config(mocker, stunnel_check_cert_hostname=True), str(tmpdir), FS_ID,
MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
ca_mocker.assert_called_once()
_validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG, _get_expected_efs_config(check_cert_hostname=True))
def test_write_stunnel_config_check_cert_hostname_supported_flag_set_false(mocker, capsys, tmpdir):
_test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=True, stunnel_check_cert_hostname=False,
expected_check_cert_hostname_config_value=False)
def test_write_stunnel_config_without_check_cert_hostname(mocker, capsys, tmpdir):
ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
def test_write_stunnel_config_check_cert_hostname_supported_flag_set_true(mocker, tmpdir):
_test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=True, stunnel_check_cert_hostname=True,
expected_check_cert_hostname_config_value=True)
def test_write_stunnel_config_check_cert_hostname_not_supported_flag_not_specified(mocker, capsys, tmpdir):
_test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=False, stunnel_check_cert_hostname=None,
expected_check_cert_hostname_config_value=False)
def test_write_stunnel_config_check_cert_hostname_not_supported_flag_set_false(mocker, capsys, tmpdir):
_test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_supported=False, stunnel_check_cert_hostname=False,
expected_check_cert_hostname_config_value=False)
def test_write_stunnel_config_check_cert_hostname_not_supported_flag_set_true(mocker, capsys, tmpdir):
mocker.patch('mount_efs.add_stunnel_ca_options')
with pytest.raises(SystemExit) as ex:
mount_efs.write_stunnel_config_file(_get_config(mocker, stunnel_check_cert_hostname_supported=False,
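Review bot: Several of the new tests request the `capsys` fixture without using it (`..._hostname_supported_flag_set_false`, `..._not_supported_flag_not_specified`, `..._not_supported_flag_set_false`), which suggests they were copied from the fatal-error case; dropping the unused fixture keeps each signature honest about what the test checks. Only `..._not_supported_flag_set_true`, which expects `SystemExit`, appears to read captured output, and that function continues past the end of the hunk.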
......@@ -150,18 +195,33 @@ def test_write_stunnel_config_without_check_cert_hostname(mocker, capsys, tmpdir
assert 'stunnel_check_cert_hostname' in err
def test_write_stunnel_config_with_check_cert_status(mocker, tmpdir):
ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
def test_write_stunnel_config_check_cert_validity_supported_flag_not_set(mocker, capsys, tmpdir):
_test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported=True, stunnel_check_cert_validity=None,
expected_check_cert_validity_config_value=True)
config_file = mount_efs.write_stunnel_config_file(_get_config(mocker, stunnel_check_cert_validity=True), str(tmpdir), FS_ID,
MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
ca_mocker.assert_called_once()
_validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG, _get_expected_efs_config(check_cert_status=True))
def test_write_stunnel_config_check_cert_validity_supported_flag_set_false(mocker, capsys, tmpdir):
_test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported=True, stunnel_check_cert_validity=False,
expected_check_cert_validity_config_value=False)
def test_write_stunnel_config_without_check_cert_status(mocker, capsys, tmpdir):
ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')