Commit dfa31185 authored by Max Beckett's avatar Max Beckett

Update to default configuration that disables OCSP.

To use OCSP, the client accessing EFS must be able to reach the Amazon Certificate
Authority (CA). To maximize file system availability in the event that the CA is
not reachable from your VPC, the EFS mount helper no longer enables OCSP by default.

See here for more info:

https://aws.amazon.com/about-aws/whats-new/2019/07/configuration-update-for-amazon-efs-encryption-data-in-transit/
parent 563efc29
......@@ -112,7 +112,7 @@ For more information on mounting with the mount helper, see the [documentation](
## Upgrading stunnel for RHEL/CentOS
By default, when using the EFS mount helper with TLS, it enforces use of the Online Certificate Status Protocol (OCSP) and certificate hostname checking. The EFS mount helper uses the `stunnel` program for its TLS functionality. Please note that some versions of Linux do not include a version of `stunnel` that supports these TLS features by default. When using such a Linux version, mounting an EFS file system using TLS will fail.
By default, when using the EFS mount helper with TLS, it enforces certificate hostname checking. The EFS mount helper uses the `stunnel` program for its TLS functionality. Please note that some versions of Linux do not include a version of `stunnel` that supports TLS features by default. When using such a Linux version, mounting an EFS file system using TLS will fail.
Once you’ve installed the `amazon-efs-utils` package, to upgrade your system’s version of `stunnel`, see [Upgrading Stunnel](https://docs.aws.amazon.com/efs/latest/ug/using-amazon-efs-utils.html#upgrading-stunnel).
......
......@@ -11,7 +11,7 @@ set -ex
BASE_DIR=$(pwd)
BUILD_ROOT=${BASE_DIR}/build/debbuild
VERSION=1.7
VERSION=1.10
echo 'Cleaning deb build workspace'
rm -rf ${BUILD_ROOT}
......
Package: amazon-efs-utils
Architecture: all
Version: 1.7
Version: 1.10
Section: utils
Depends: python|python2, nfs-common, stunnel4 (>= 4.56)
Priority: optional
......
......@@ -20,7 +20,7 @@
%endif
Name : amazon-efs-utils
Version : 1.7
Version : 1.10
Release : 1%{?dist}
Summary : This package provides utilities for simplifying the use of EFS file systems
......
......@@ -21,7 +21,7 @@ stunnel_debug_enabled = false
stunnel_check_cert_hostname = true
# Use OCSP to check certificate validity. This option is not supported by certain stunnel versions.
stunnel_check_cert_validity = true
stunnel_check_cert_validity = false
# Define the port range that the TLS tunnel will choose from
port_range_lower_bound = 20049
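Review bot: The comment above `stunnel_check_cert_validity` still reads as a description of a check that is on, but the default below it is now `false`, so a reader of the shipped file gets no hint that certificate revocation is no longer checked for the tunnel or why. Suggest expanding the comment to `# Use OCSP to check certificate validity (revocation). Off by default because OCSP requires the client to reach the Amazon CA; when the CA is unreachable mounts would fail. Override per mount with the ocsp / noocsp mount options. This option is not supported by certain stunnel versions.` That keeps the operator-facing trade-off next to the knob instead of only in the commit message and the man page.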
......
......@@ -76,6 +76,11 @@ Configure the TLS relay to listen on the specified port\&.
\fBverify=\fR\fIn\fR
Verify TLS certificates using the specified stunnel verify level\&. For \
more information, see \fBstunnel(8)\fR\&.
.TP
\fBocsp / noocsp\fR
Selects whether to perform OCSP validation on TLS certificates\&, \
overriding /etc/amazon/efs/efs-utils.conf. \
For more information, see \fBstunnel(8)\fR\&.
.if n \{\
.RE
.\}
......@@ -97,6 +102,10 @@ sudo mount -t efs -o tls,verify=0 fs-abcd1234 /mnt/efs
Mount an EFS file system with file system ID "fs-abcd1234" at mount point \
"/mnt/efs" using encryption of data in transit and a verify level of 0\&.
.TP
sudo mount -t efs -o tls,ocsp fs-abcd1234 /mnt/efs
Mount an EFS file system with file system ID "fs-abcd1234" at mount point \
"/mnt/efs" using encryption of data in transit and with OCSP validation enabled\&.
.TP
sudo mount -t efs custom-cname.example.com /mnt/efs
Mount an EFS file system using the custom DNS name \
"custom-cname\&.example\&.com" \(em which has to \
......
......@@ -54,7 +54,7 @@ except ImportError:
from urllib.error import URLError
from urllib.request import urlopen
VERSION = '1.7'
VERSION = '1.10'
CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf'
CONFIG_SECTION = 'mount'
......@@ -76,6 +76,8 @@ EFS_ONLY_OPTIONS = [
'tls',
'tlsport',
'verify',
'ocsp',
'noocsp'
]
UNSUPPORTED_OPTIONS = [
......@@ -169,19 +171,24 @@ def get_tls_port_range(config):
return lower_bound, upper_bound
def choose_tls_port(config):
lower_bound, upper_bound = get_tls_port_range(config)
def choose_tls_port(config, options):
if 'tlsport' in options:
try:
ports_to_try = [int(options['tlsport'])]
except ValueError:
fatal_error('tlsport option [%s] is not an integer' % options['tlsport'])
else:
lower_bound, upper_bound = get_tls_port_range(config)
tls_ports = list(range(lower_bound, upper_bound))
tls_ports = list(range(lower_bound, upper_bound))
# Choose a random midpoint, and then try ports in-order from there
mid = random.randrange(len(tls_ports))
# Choose a random midpoint, and then try ports in-order from there
mid = random.randrange(len(tls_ports))
ports_to_try = tls_ports[mid:] + tls_ports[:mid]
assert len(tls_ports) == len(ports_to_try)
ports_to_try = tls_ports[mid:] + tls_ports[:mid]
assert len(tls_ports) == len(ports_to_try)
sock = socket.socket()
for tls_port in ports_to_try:
try:
sock.bind(('localhost', tls_port))
......@@ -192,9 +199,22 @@ def choose_tls_port(config):
sock.close()
fatal_error('Failed to locate an available port in the range [%d, %d], '
'try specifying a different port range in %s'
% (lower_bound, upper_bound, CONFIG_FILE))
if 'tlsport' in options:
fatal_error('Specified port [%s] is unavailable. Try selecting a different port.' % options['tlsport'])
else:
fatal_error('Failed to locate an available port in the range [%d, %d], try specifying a different port range in %s'
% (lower_bound, upper_bound, CONFIG_FILE))
def is_ocsp_enabled(config, options):
if 'ocsp' in options and 'noocsp' in options:
fatal_error('The "ocsp" and "noocsp" options are mutually exclusive')
elif 'ocsp' in options:
return True
elif 'noocsp' in options:
return False
else:
return config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_validity')
def get_mount_specific_filename(fs_id, mountpoint, tls_port):
......@@ -250,7 +270,8 @@ def get_version_specific_stunnel_options(config):
return check_host_supported, ocsp_aia_supported
def write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_port, dns_name, verify_level, log_dir=LOG_DIR):
def write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_port, dns_name, verify_level, ocsp_enabled,
log_dir=LOG_DIR):
"""
Serializes stunnel configuration to a file. Unfortunately this does not conform to Python's config file format, so we have to
hand-serialize it.
......@@ -282,7 +303,8 @@ def write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_por
else:
fatal_error(tls_controls_message % 'stunnel_check_cert_hostname')
if config.getboolean(CONFIG_SECTION, 'stunnel_check_cert_validity'):
# Only use the config setting if the override is not set
if ocsp_enabled:
if ocsp_aia_supported:
efs_config['OCSPaia'] = 'yes'
else:
......@@ -411,12 +433,17 @@ def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, sta
if not os.path.exists(state_file_dir):
create_state_file_dir(config, state_file_dir)
tls_port = choose_tls_port(config)
tls_port = choose_tls_port(config, options)
# override the tlsport option so that we can later override the port the NFS client uses to connect to stunnel.
# if the user has specified tlsport=X at the command line this will just re-set tlsport to X.
options['tlsport'] = tls_port
verify_level = int(options.get('verify', DEFAULT_STUNNEL_VERIFY_LEVEL))
options['verify'] = verify_level
ocsp_enabled = is_ocsp_enabled(config, options)
stunnel_config_file = write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_port, dns_name, verify_level)
stunnel_config_file = write_stunnel_config_file(config, state_file_dir, fs_id, mountpoint, tls_port, dns_name, verify_level,
ocsp_enabled)
tunnel_args = ['stunnel', stunnel_config_file]
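Review bot: The comment `# Only use the config setting if the override is not set` above `if ocsp_enabled:` in write_stunnel_config_file no longer describes that line — the config value and the ocsp/noocsp overrides are merged in is_ocsp_enabled, and ocsp_enabled arrives already resolved, so the comment should be dropped or reworded to `# ocsp_enabled already combines efs-utils.conf with the ocsp/noocsp mount options`. is_ocsp_enabled itself has no docstring; it should state the precedence (an explicit ocsp or noocsp option wins over stunnel_check_cert_validity, giving both is fatal) and that a False result means stunnel performs no OCSP revocation check on the EFS certificate for that mount. The write_stunnel_config_file docstring should also list the new ocsp_enabled parameter alongside the existing text. In the else branch of is_ocsp_enabled, config.getboolean will presumably raise the config parser's NoOptionError if stunnel_check_cert_validity is absent from the section, which would surface as a traceback rather than a fatal_error message; worth a guard if older config files can lack the key. write_stunnel_config_file's body continues outside the hunk.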
......
......@@ -25,7 +25,7 @@ try:
except ImportError:
from configparser import ConfigParser
VERSION = '1.7'
VERSION = '1.10'
CONFIG_FILE = '/etc/amazon/efs/efs-utils.conf'
CONFIG_SECTION = 'mount-watchdog'
......
......@@ -10,8 +10,6 @@ import mount_efs
import os
import tempfile
import pytest
from mock import MagicMock
FS_ID = 'fs-deadbeef'
......@@ -28,27 +26,25 @@ INIT_SYSTEM = 'upstart'
MOCK_CONFIG = MagicMock()
@pytest.fixture(autouse=True)
def setup(mocker):
def setup_mocks(mocker):
mocker.patch('mount_efs.start_watchdog')
mocker.patch('mount_efs.get_tls_port_range', return_value=(DEFAULT_TLS_PORT, DEFAULT_TLS_PORT + 10))
mocker.patch('mount_efs.choose_tls_port', return_value=DEFAULT_TLS_PORT)
mocker.patch('socket.socket', return_value=MagicMock())
mocker.patch('mount_efs.write_tls_tunnel_state_file')
mocker.patch('mount_efs.write_stunnel_config_file', return_value=EXPECTED_STUNNEL_CONFIG_FILE)
mocker.patch('os.rename')
mocker.patch('os.kill')
process_mock = MagicMock()
process_mock.communicate.return_value = ('stdout', 'stderr', )
process_mock.returncode = 0
def _mock_popen(mocker, returncode=0):
popen_mock = MagicMock()
popen_mock.communicate.return_value = ('stdout', 'stderr', )
popen_mock.returncode = returncode
return mocker.patch('subprocess.Popen', return_value=popen_mock)
popen_mock = mocker.patch('subprocess.Popen', return_value=process_mock)
write_config_mock = mocker.patch('mount_efs.write_stunnel_config_file', return_value=EXPECTED_STUNNEL_CONFIG_FILE)
return popen_mock, write_config_mock
def test_bootstrap_tls_state_file_dir_exists(mocker, tmpdir):
popen_mock = _mock_popen(mocker)
mocker.patch('os.kill')
popen_mock, _ = setup_mocks(mocker)
state_file_dir = str(tmpdir)
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {}, state_file_dir):
......@@ -62,8 +58,7 @@ def test_bootstrap_tls_state_file_dir_exists(mocker, tmpdir):
def test_bootstrap_tls_state_file_nonexistent_dir(mocker, tmpdir):
_mock_popen(mocker)
mocker.patch('os.kill')
popen_mock, _ = setup_mocks(mocker)
state_file_dir = str(tmpdir.join(tempfile.mktemp()))
def config_get_side_effect(section, field):
......@@ -83,32 +78,83 @@ def test_bootstrap_tls_state_file_nonexistent_dir(mocker, tmpdir):
def test_bootstrap_tls_non_default_port(mocker, tmpdir):
popen_mock = _mock_popen(mocker)
mocker.patch('os.kill')
popen_mock, write_config_mock = setup_mocks(mocker)
state_file_dir = str(tmpdir)
tls_port = 1000
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {'tlsport': tls_port}, state_file_dir):
pass
args, _ = popen_mock.call_args
args = args[0]
popen_args, _ = popen_mock.call_args
popen_args = popen_args[0]
write_config_args, _ = write_config_mock.call_args
assert 'stunnel' in args
assert EXPECTED_STUNNEL_CONFIG_FILE in args
assert 'stunnel' in popen_args
assert EXPECTED_STUNNEL_CONFIG_FILE in popen_args
assert 1000 == write_config_args[4] # positional argument for tls_port
def test_bootstrap_tls_non_default_verify_level(mocker, tmpdir):
popen_mock = _mock_popen(mocker)
mocker.patch('os.kill')
popen_mock, write_config_mock = setup_mocks(mocker)
state_file_dir = str(tmpdir)
verify = 0
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {'verify': verify}, state_file_dir):
pass
args, _ = popen_mock.call_args
args = args[0]
popen_args, _ = popen_mock.call_args
popen_args = popen_args[0]
write_config_args, _ = write_config_mock.call_args
assert 'stunnel' in args
assert EXPECTED_STUNNEL_CONFIG_FILE in args
assert 'stunnel' in popen_args
assert EXPECTED_STUNNEL_CONFIG_FILE in popen_args
assert 0 == write_config_args[6] # positional argument for verify_level
def test_bootstrap_tls_ocsp_option(mocker, tmpdir):
popen_mock, write_config_mock = setup_mocks(mocker)
state_file_dir = str(tmpdir)
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {'ocsp': None}, state_file_dir):
pass
popen_args, _ = popen_mock.call_args
popen_args = popen_args[0]
write_config_args, _ = write_config_mock.call_args
assert 'stunnel' in popen_args
assert EXPECTED_STUNNEL_CONFIG_FILE in popen_args
# positional argument for ocsp_override
assert write_config_args[7] is True
def test_bootstrap_tls_noocsp_option(mocker, tmpdir):
popen_mock, write_config_mock = setup_mocks(mocker)
state_file_dir = str(tmpdir)
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {'noocsp': None}, state_file_dir):
pass
popen_args, _ = popen_mock.call_args
popen_args = popen_args[0]
write_config_args, _ = write_config_mock.call_args
assert 'stunnel' in popen_args
assert EXPECTED_STUNNEL_CONFIG_FILE in popen_args
# positional argument for ocsp_override
assert write_config_args[7] is False
def test_bootstrap_tls_ocsp_and_noocsp_option(mocker, tmpdir):
setup_mocks(mocker)
state_file_dir = str(tmpdir)
exception_thrown = False
try:
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {'ocsp': None, 'noocsp': None},
state_file_dir):
pass
except SystemExit:
exception_thrown = True
assert exception_thrown
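Review bot: test_bootstrap_tls_ocsp_and_noocsp_option detects the expected SystemExit with a manual `exception_thrown` flag, while the other new tests in this commit (test_choose_tls_port, test_is_ocsp_enabled) use `with pytest.raises(SystemExit) as ex:` and then `assert 0 != ex.value.code`; wrapping the `with mount_efs.bootstrap_tls(...)` block the same way is shorter and also verifies the exit code is non-zero. The comments `# positional argument for ocsp_override` above the two `write_config_args[7]` assertions name a parameter that does not exist — the eighth positional parameter of write_stunnel_config_file is `ocsp_enabled`, so they should read `# positional argument for ocsp_enabled`. The ocsp and noocsp tests work with MOCK_CONFIG being a MagicMock only because an explicit option makes is_ocsp_enabled return before it consults config.getboolean; a one-line comment saying so would save the next reader that inference.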
......@@ -28,8 +28,9 @@ def _get_config():
def test_choose_tls_port_first_try(mocker):
mocker.patch('socket.socket', return_value=MagicMock())
options = {}
tls_port = mount_efs.choose_tls_port(_get_config())
tls_port = mount_efs.choose_tls_port(_get_config(), options)
assert DEFAULT_TLS_PORT_RANGE_LOW <= tls_port <= DEFAULT_TLS_PORT_RANGE_HIGH
......@@ -37,10 +38,11 @@ def test_choose_tls_port_first_try(mocker):
def test_choose_tls_port_second_try(mocker):
bad_sock = MagicMock()
bad_sock.bind.side_effect = [socket.error, None]
options = {}
mocker.patch('socket.socket', return_value=bad_sock)
tls_port = mount_efs.choose_tls_port(_get_config())
tls_port = mount_efs.choose_tls_port(_get_config(), options)
assert DEFAULT_TLS_PORT_RANGE_LOW <= tls_port <= DEFAULT_TLS_PORT_RANGE_HIGH
assert 2 == bad_sock.bind.call_count
......@@ -49,11 +51,12 @@ def test_choose_tls_port_second_try(mocker):
def test_choose_tls_port_never_succeeds(mocker, capsys):
bad_sock = MagicMock()
bad_sock.bind.side_effect = socket.error()
options = {}
mocker.patch('socket.socket', return_value=bad_sock)
with pytest.raises(SystemExit) as ex:
mount_efs.choose_tls_port(_get_config())
mount_efs.choose_tls_port(_get_config(), options)
assert 0 != ex.value.code
......@@ -61,3 +64,30 @@ def test_choose_tls_port_never_succeeds(mocker, capsys):
assert 'Failed to locate an available port' in err
assert DEFAULT_TLS_PORT_RANGE_HIGH - DEFAULT_TLS_PORT_RANGE_LOW == bad_sock.bind.call_count
def test_choose_tls_port_option_specified(mocker):
mocker.patch('socket.socket', return_value=MagicMock())
options = {'tlsport': 1000}
tls_port = mount_efs.choose_tls_port(_get_config(), options)
assert 1000 == tls_port
def test_choose_tls_port_option_specified_unavailable(mocker, capsys):
bad_sock = MagicMock()
bad_sock.bind.side_effect = socket.error()
options = {'tlsport': 1000}
mocker.patch('socket.socket', return_value=bad_sock)
with pytest.raises(SystemExit) as ex:
mount_efs.choose_tls_port(_get_config(), options)
assert 0 != ex.value.code
out, err = capsys.readouterr()
assert 'Specified port [1000] is unavailable' in err
assert 1 == bad_sock.bind.call_count
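Review bot: The new tlsport branch of choose_tls_port has a ValueError path that rejects a non-integer option with a fatal_error, but the two added tests only cover an integer tlsport that is available or unavailable; the parse failure is untested. A third test passing a non-numeric value and asserting on the `tlsport option [abc] is not an integer` message would pin that behaviour and also confirm that no bind is attempted before the error. The socket mock is needed only so the module-level socket.socket() call stays inert.

```python
def test_choose_tls_port_option_not_integer(mocker, capsys):
    mocker.patch('socket.socket', return_value=MagicMock())
    options = {'tlsport': 'abc'}
    with pytest.raises(SystemExit) as ex:
        mount_efs.choose_tls_port(_get_config(), options)
    assert 0 != ex.value.code
    out, err = capsys.readouterr()
    assert 'tlsport option [abc] is not an integer' in err
```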
#
# Copyright 2017-2018 Amazon.com, Inc. and its affiliates. All Rights Reserved.
#
# Licensed under the MIT License. See the LICENSE accompanying this file
# for the specific language governing permissions and limitations under
# the License.
#
import mount_efs
import ConfigParser
import pytest
def _get_config(stunnel_check_cert_validity):
config = ConfigParser.SafeConfigParser()
config.add_section(mount_efs.CONFIG_SECTION)
if stunnel_check_cert_validity is not None:
config.set(mount_efs.CONFIG_SECTION, 'stunnel_check_cert_validity', str(stunnel_check_cert_validity))
return config
def test_is_ocsp_enabled_config_false_no_cli():
options = {}
ocsp_enabled = mount_efs.is_ocsp_enabled(_get_config(False), options)
assert ocsp_enabled is False
def test_is_ocsp_enabled_config_true_no_cli():
options = {}
ocsp_enabled = mount_efs.is_ocsp_enabled(_get_config(True), options)
assert ocsp_enabled is True
def test_is_ocsp_enabled_config_false_cli_true():
options = {'ocsp': None}
ocsp_enabled = mount_efs.is_ocsp_enabled(_get_config(False), options)
assert ocsp_enabled is True
def test_is_ocsp_enabled_config_true_cli_true():
options = {'ocsp': None}
ocsp_enabled = mount_efs.is_ocsp_enabled(_get_config(True), options)
assert ocsp_enabled is True
def test_is_ocsp_enabled_config_false_cli_false():
options = {'noocsp': None}
ocsp_enabled = mount_efs.is_ocsp_enabled(_get_config(False), options)
assert ocsp_enabled is False
def test_is_ocsp_enabled_config_true_cli_false():
options = {'noocsp': None}
ocsp_enabled = mount_efs.is_ocsp_enabled(_get_config(True), options)
assert ocsp_enabled is False
def test_is_ocsp_enabled_cli_both_options(capsys):
options = {'noocsp': None, 'ocsp': None}
with pytest.raises(SystemExit) as ex:
mount_efs.is_ocsp_enabled(_get_config(True), options)
assert 0 != ex.value.code
out, err = capsys.readouterr()
assert 'The "ocsp" and "noocsp" options are mutually exclusive' in err
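Review bot: The new file hard-codes `import ConfigParser` and `ConfigParser.SafeConfigParser()`, which only resolve under Python 2; the watchdog module in this same commit uses a `try: ... except ImportError: from configparser import ConfigParser` fallback, and mirroring that pattern here (`try: import ConfigParser` / `except ImportError: import configparser as ConfigParser`) keeps the suite runnable on both interpreters the package declares. The `_get_config(None)` path that omits `stunnel_check_cert_validity` from the section is supported by the helper but never exercised; a test for it would document what is_ocsp_enabled does when the key is missing (presumably the parser's NoOptionError, which the function does not catch). The module also lacks a docstring; a single line such as `"""Tests for mount_efs.is_ocsp_enabled: config default versus the ocsp/noocsp mount options."""` would orient readers.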
......@@ -78,8 +78,8 @@ def test_parse_arguments_custom_path():
def test_parse_arguments_verbose():
fsid, path, mountpoint, options = mount_efs.parse_arguments(None,
['mount', 'fs-deadbeef:/home', '/dir', '-v', '-o', 'foo,bar=baz,quux'])
fsid, path, mountpoint, options = mount_efs.parse_arguments(None, ['mount', 'fs-deadbeef:/home', '/dir', '-v', '-o',
'foo,bar=baz,quux'])
assert 'fs-deadbeef' == fsid
assert '/home' == path
......
......@@ -17,11 +17,12 @@ DNS_NAME = 'fs-deadbeef.com'
MOUNT_POINT = '/mnt'
PORT = 12345
VERIFY_LEVEL = 2
OCSP_ENABLED = False
def _get_config(mocker, stunnel_debug_enabled=False, stunnel_check_cert_hostname_supported=True,
stunnel_check_cert_validity_supported=True, stunnel_check_cert_hostname=None,
stunnel_check_cert_validity=None):
stunnel_check_cert_validity=False):
mocker.patch('mount_efs.get_version_specific_stunnel_options',
return_value=(stunnel_check_cert_hostname_supported, stunnel_check_cert_validity_supported, ))
......@@ -81,7 +82,7 @@ def _validate_config(stunnel_config_file, expected_global_config, expected_efs_c
def _get_expected_efs_config(port=PORT, dns_name=DNS_NAME, verify=mount_efs.DEFAULT_STUNNEL_VERIFY_LEVEL,
check_cert_hostname=True, check_cert_validity=True):
ocsp_override=True, check_cert_hostname=True, check_cert_validity=False):
expected_efs_config = dict(mount_efs.STUNNEL_EFS_CONFIG)
expected_efs_config['accept'] = expected_efs_config['accept'] % port
......@@ -91,7 +92,7 @@ def _get_expected_efs_config(port=PORT, dns_name=DNS_NAME, verify=mount_efs.DEFA
if check_cert_hostname:
expected_efs_config['checkHost'] = dns_name
if check_cert_validity:
if check_cert_validity and ocsp_override:
expected_efs_config['OCSPaia'] = 'yes'
return expected_efs_config
......@@ -104,7 +105,7 @@ def _test_check_cert_hostname(mocker, tmpdir, stunnel_check_cert_hostname_suppor
config_file = mount_efs.write_stunnel_config_file(
_get_config(mocker, stunnel_check_cert_hostname_supported=stunnel_check_cert_hostname_supported,
stunnel_check_cert_hostname=stunnel_check_cert_hostname),
str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL, OCSP_ENABLED)
ca_mocker.assert_called_once()
......@@ -117,9 +118,8 @@ def _test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_suppor
ca_mocker = mocker.patch('mount_efs.add_stunnel_ca_options')
config_file = mount_efs.write_stunnel_config_file(
_get_config(mocker, stunnel_check_cert_validity_supported=stunnel_check_cert_validity_supported,
stunnel_check_cert_validity=stunnel_check_cert_validity),
str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
_get_config(mocker, stunnel_check_cert_validity_supported=stunnel_check_cert_validity_supported),
str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL, stunnel_check_cert_validity)
ca_mocker.assert_called_once()
......@@ -132,7 +132,7 @@ def _test_write_stunnel_config_file(mocker, tmpdir):
state_file_dir = str(tmpdir)
config_file = mount_efs.write_stunnel_config_file(_get_config(mocker), state_file_dir, FS_ID, MOUNT_POINT, PORT, DNS_NAME,
VERIFY_LEVEL)
VERIFY_LEVEL, OCSP_ENABLED)
ca_mocker.assert_called_once()
_validate_config(config_file, mount_efs.STUNNEL_GLOBAL_CONFIG, _get_expected_efs_config())
......@@ -143,7 +143,7 @@ def test_write_stunnel_config_with_debug(mocker, tmpdir):
state_file_dir = str(tmpdir)
config_file = mount_efs.write_stunnel_config_file(_get_config(mocker, stunnel_debug_enabled=True), state_file_dir, FS_ID,
MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL)
MOUNT_POINT, PORT, DNS_NAME, VERIFY_LEVEL, OCSP_ENABLED)
ca_mocker.assert_called_once()
expected_global_config = dict(mount_efs.STUNNEL_GLOBAL_CONFIG)
......@@ -186,7 +186,7 @@ def test_write_stunnel_config_check_cert_hostname_not_supported_flag_set_true(mo
with pytest.raises(SystemExit) as ex:
mount_efs.write_stunnel_config_file(_get_config(mocker, stunnel_check_cert_hostname_supported=False,
stunnel_check_cert_hostname=True), str(tmpdir), FS_ID, MOUNT_POINT, PORT, DNS_NAME,
VERIFY_LEVEL)
VERIFY_LEVEL, OCSP_ENABLED)
assert 0 != ex.value.code
......@@ -195,38 +195,28 @@ def test_write_stunnel_config_check_cert_hostname_not_supported_flag_set_true(mo
assert 'stunnel_check_cert_hostname' in err
def test_write_stunnel_config_check_cert_validity_supported_flag_not_set(mocker, capsys, tmpdir):
_test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported=True, stunnel_check_cert_validity=None,
expected_check_cert_validity_config_value=True)
def test_write_stunnel_config_check_cert_validity_supported_flag_set_false(mocker, capsys, tmpdir):
_test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported=True, stunnel_check_cert_validity=False,
expected_check_cert_validity_config_value=False)
def test_write_stunnel_config_check_cert_validity_supported_flag_set_true(mocker, tmpdir):
def test_write_stunnel_config_check_cert_validity_supported_ocsp_enabled(mocker, capsys, tmpdir):
_test_check_cert_validity(mocker, tmpdir, stunnel_check_cert_validity_supported=True, stunnel_check_cert_validity=True,
expected_check_cert_validity_config_value=True)
def test_write_stunnel_config_check_cert_validity_not_supported_flag_not_set(mocker, capsys, tmpdir):