Ubuntu Single Sign On Client

ubuntu_sso/utils/ui.py (+6/-0)
ubuntu_sso/utils/webclient/common.py (+34/-1)
ubuntu_sso/utils/webclient/gsettings.py (+21/-14)
ubuntu_sso/utils/webclient/qtnetwork.py (+113/-21)
ubuntu_sso/utils/webclient/tests/__init__.py (+74/-6)
ubuntu_sso/utils/webclient/tests/test_gsettings.py (+44/-61)
ubuntu_sso/utils/webclient/tests/test_webclient.py (+219/-0)

To merge this branch:

bzr merge lp:~mandel/ubuntu-sso-client/qt-ssl-dialog

Related bugs:

Bug #948119: [UIFE] Add a translatable string for the ssl certificate details	Medium	Fix Released
Bug #948134: Qt webclient implementation does not show the ssl dialog when there is an error	Medium	Fix Released
Bug #950088: The qt webclient implementation uses the same proxy for all requests on Ubuntu	Medium	Fix Released

Link a bug report

Reviewer	Date Requested	Status
Roberto Alsina (community)		Approve on 2012-03-09
Alejandro J. Cura (community)	2012-03-08	Approve on 2012-03-08
Review via email: mp+96624@code.launchpad.net

Commit message

- Added a translatable string to give more context of the ssl cert info to the user
  (LP: #948119).
- Provided the logic required for the Qt webclient implementation to detect ssl errors
  and spawn the ssl dialog to allow the user accept the ssl cert exceptions
  (LP: #948134).
- Changed the qt webclient implementation to use a proxy factory so that the correct
  proxy is chosen according to the request (LP: #950088).

Description of the change

This branch fixes a number of bugs:

lp:948119

Added a translatable string to give more context of the ssl cert info to the user.

lp:948134

The Qt implementation of the webclient detects ssl errors and spawns the ssl dialog to allow the user to accept the ssl cert exception.

lp:950088
Implemented the qt webclient using a proxy factory over a proxy so that the correct proxy is returned.

Revision history for this message

Alejandro J. Cura (alecu) wrote on 2012-03-08:

Very good branch.
I can't comment on anything but typos!

---

I looks like it will be a problem with SSL_DETAILS_TEMPLATE, tabs (\t) and translations, since the \t tabs will not likely align with the different text lengths of the headers. I think we should either drop tabs or use html tables, since QTextEdit supports those. Although I wouldn't mind this change happening in a later branch, in fact I recommend it :-)

----

This comment is outdated: "# define here the return codes from the proxy creds dialogs"

"formated stirng" -> "formatted string"

"is used in according" -> "is used according"

"accoding" -> "according"

"in witch" -> "in which"

"this funtion most return" ->
"this function must return".

"a proxu set for the query lets return" ->
^ ^
"a proxy set for the query let's return

"lets retry" -> "let's retry"

"the port being listen" -> "the port where we are listening."
"the ssl port being listen" -> "the ssl port where we are listening."

"Assert the parsing anonymous settings" ->
"Assert the parsing of anonymous settings"

"for the http requets" ->
"for the http request"

"SSL support has not yet implemented" ->
"SSL support has not yet been implemented" or "SSL support not yet implemented"

review: Approve

Revision history for this message

Roberto Alsina (ralsina) wrote on 2012-03-09:

+1 with what alecu said.

review: Approve

Revision history for this message

Manuel de la Peña (mandel) wrote on 2012-03-09:

> Very good branch.
> I can't comment on anything but typos!
>
> ---
>
> I looks like it will be a problem with SSL_DETAILS_TEMPLATE, tabs (\t) and
> translations, since the \t tabs will not likely align with the different text
> lengths of the headers. I think we should either drop tabs or use html tables,
> since QTextEdit supports those. Although I wouldn't mind this change happening
> in a later branch, in fact I recommend it :-)
>
> ----
>
> This comment is outdated: "# define here the return codes from the proxy creds
> dialogs"
>
> "formated stirng" -> "formatted string"
>
> "is used in according" -> "is used according"
>
> "accoding" -> "according"
>
> "in witch" -> "in which"
>
> "this funtion most return" ->
> "this function must return".
>
> "a proxu set for the query lets return" ->
> ^ ^
> "a proxy set for the query let's return
>
> "lets retry" -> "let's retry"
>
> "the port being listen" -> "the port where we are listening."
> "the ssl port being listen" -> "the ssl port where we are listening."
>
> "Assert the parsing anonymous settings" ->
> "Assert the parsing of anonymous settings"
>
> "for the http requets" ->
> "for the http request"
>
> "SSL support has not yet implemented" ->
> "SSL support has not yet been implemented" or "SSL support not yet
> implemented"

Fixing all those, thx!

Revision history for this message

Manuel de la Peña (mandel) wrote on 2012-03-09:

Stupid wired brain... I'll take care of them, thx!

lp:~mandel/ubuntu-sso-client/qt-ssl-dialog updated on 2012-03-09

939. By Manuel de la Peña on 2012-03-09: Merged webclient-use-dialog into qt-ssl-dialog.
940. By Manuel de la Peña on 2012-03-09: Fixed typos.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Manuel de la Peña

Natalia Bidart

Ubuntu One hackers

 === modified file 'ubuntu_sso/utils/ui.py'
 --- ubuntu_sso/utils/ui.py	2012-03-06 14:13:10 +0000
 +++ ubuntu_sso/utils/ui.py	2012-03-09 12:09:20 +0000
@@ -133,6 +133,12 @@
  SSL_CERT_DETAILS = _('Certificate details')
  SSL_CONNECT_BUTTON = _('Connect')
  SSL_DETAILS_HELP = _('the details ssl certificate we are going to show.')
++SSL_DETAILS_TEMPLATE = ('Organization:\t%(organization)s\n'
++                        'Common Name:\t%(common_name)s\n'
++                        'Locality Name:\t%(locality_name)s\n'
++                        'Unit:\t%(unit)s\n'
++                        'Country:\t%(country_name)s\n'
++                        'State or Province:\t%(state_name)s')
  SSL_DESCRIPTION = _('Open the SSL certificate UI.')
  SSL_DIALOG_TITLE = _('SSL Certificate Not Valid')
  SSL_DOMAIN_HELP = _('the domain whose ssl certificate we are going to show.')
 === modified file 'ubuntu_sso/utils/webclient/common.py'
 --- ubuntu_sso/utils/webclient/common.py	2012-03-09 12:09:20 +0000
 +++ ubuntu_sso/utils/webclient/common.py	2012-03-09 12:09:20 +0000
@@ -27,8 +27,11 @@
  from ubuntu_sso import USER_SUCCESS, UI_PROXY_CREDS_DIALOG
  from ubuntu_sso.logger import setup_logging
  from ubuntu_sso.utils.runner import spawn_program
++from ubuntu_sso.utils.ui import SSL_DETAILS_TEMPLATE
  from ubuntu_sso.utils.webclient.timestamp import TimestampChecker
++SSL_DIALOG = 'ubuntu-sso-ssl-certificate-qt'
++
  logger = setup_logging("ubuntu_sso.utils.webclient.common")
@@ -87,8 +90,10 @@
      timestamp_checker = None
--    def __init__(self, username=None, password=None, oauth_sign_plain=False):
++    def __init__(self, appname='', username=None, password=None,
++                 oauth_sign_plain=False):
          """Initialize this instance."""
++        self.appname = appname
          self.username = username
          self.password = password
          self.proxy_username = None
@@ -222,3 +227,31 @@
              logger.debug('Could not retrieve the credentials. Return code: %r',
                           return_code)
              defer.returnValue(False)
++
++    def format_ssl_details(self, details):
++        """Return a formatted string with the details."""
++        return SSL_DETAILS_TEMPLATE % details
++
++    def _launch_ssl_dialog(self, domain, details):
++        """Launch a dialog used to approve the ssl cert."""
++        from ubuntu_sso.utils import get_bin_dir
++
++        bin_dir = get_bin_dir()
++        args = (os.path.join(bin_dir, SSL_DIALOG), '--domain', domain,
++                                                   '--details', details,
++                                                   '--appname', self.appname)
++        return spawn_program(args)
++
++    def _was_ssl_accepted(self, cert_details):
++        """Return if the cert was already accepted."""
++        # TODO: Ensure that we look at pinned certs in a following branch
++        return False
++
++    @defer.inlineCallbacks
++    def request_ssl_cert_approval(self, domain, details):
++        """Request the user for ssl approval."""
++        if self._was_ssl_accepted(details):
++            defer.returnValue(True)
++
++        return_code = yield self._launch_ssl_dialog(domain, details)
++        defer.returnValue(return_code == USER_SUCCESS)
 === modified file 'ubuntu_sso/utils/webclient/gsettings.py'
 --- ubuntu_sso/utils/webclient/gsettings.py	2012-02-10 14:46:16 +0000
 +++ ubuntu_sso/utils/webclient/gsettings.py	2012-03-09 12:09:20 +0000
@@ -31,6 +31,24 @@
      return hostname, username, password
++def parse_manual_proxy_settings(scheme, gsettings):
++    """Parse the settings for a given scheme."""
++    host, username, pwd = parse_proxy_host(gsettings[scheme + ".host"])
++    settings = {
++        "host": host,
++        "port": gsettings[scheme + ".port"],
++    }
++    if scheme == "http" and gsettings["http.use-authentication"]:
++        username = gsettings["http.authentication-user"]
++        pwd = gsettings["http.authentication-password"]
++    if username is not None and pwd is not None:
++        settings.update({
++            "username": username,
++            "password": pwd,
++        })
++    return settings
++
++
  def get_proxy_settings():
      """Parse the proxy settings as returned by the gsettings executable."""
      output = subprocess.check_output(GSETTINGS_CMDLINE.split())
@@ -56,20 +74,9 @@
      if mode == "none":
          settings = {}
      elif mode == "manual":
--        # attempt to parse the host
--        host, username, pwd = parse_proxy_host(gsettings["http.host"])
--        settings = {
--            "host": host,
--            "port": gsettings["http.port"],
--        }
--        if gsettings["http.use-authentication"]:
--            username = gsettings["http.authentication-user"]
--            pwd = gsettings["http.authentication-password"]
--        if username is not None and pwd is not None:
--            settings.update({
--                "username": username,
--                "password": pwd,
--            })
++        settings = {}
++        for scheme in ["http", "https"]:
++            settings[scheme] = parse_manual_proxy_settings(scheme, gsettings)
      else:
          # If mode is automatic the PAC javascript should be interpreted
          # on each request. That is out of scope so it's ignored for now
 === modified file 'ubuntu_sso/utils/webclient/qtnetwork.py'
 --- ubuntu_sso/utils/webclient/qtnetwork.py	2012-03-09 12:09:20 +0000
 +++ ubuntu_sso/utils/webclient/qtnetwork.py	2012-03-09 12:09:20 +0000
@@ -30,6 +30,7 @@
      QNetworkProxyFactory,
      QNetworkReply,
      QNetworkRequest,
++    QSslCertificate,
+ )
  from twisted.internet import defer
@@ -47,6 +48,77 @@
  logger = setup_logging("ubuntu_sso.utils.webclient.qtnetwork")
++class WebClientProxyFactory(QNetworkProxyFactory):
++    """Proxy factory used by the web client.
++
++    The proxy factory ensures that the correct proxy is used according to
++    the request performed by the web client. For example, if the system has
++    different proxies set for the http and the https the proxy factory will
++    return the correct proxy according to the scheme of the request.
++    """
++
++    def __init__(self):
++        """Create a new instance."""
++        super(WebClientProxyFactory, self).__init__()
++        self._proxies = dict(default=QNetworkProxy(QNetworkProxy.DefaultProxy))
++        self._setup_proxies()
++
++    def _get_proxy_for_settings(self, settings):
++        """Return a proxy that uses the given settings."""
++        if "username" in settings and "password" in settings:
++            logger.debug('Setting auth %s:%s proxy',
++                    settings.get("host", ""), settings.get("port", 0))
++            proxy = QNetworkProxy(QNetworkProxy.HttpProxy,
++                                  hostName=settings.get("host", ""),
++                                  port=settings.get("port", 0),
++                                  user=settings.get("username", ""),
++                                  password=settings.get("password", ""))
++        else:
++            logger.debug('Using nonauth proxy %s:%s', settings.get("host", ""),
++                    settings.get("port", 0))
++            proxy = QNetworkProxy(QNetworkProxy.HttpProxy,
++                                  hostName=settings.get("host", ""),
++                                  port=settings.get("port", 0))
++        return proxy
++
++    def _setup_proxies(self):
++        """Set the different proxies used in the system."""
++        proxy_settings = gsettings.get_proxy_settings()
++        for scheme, settings in proxy_settings.iteritems():
++            self._proxies[scheme] = self._get_proxy_for_settings(settings)
++
++    # ignore the complain since we have to use the Qt naming convention
++    # pylint: disable=C0103
++    def queryProxy(self, query):
++        """Return the proxy servers to be used in order of preference."""
++        if 'force' in self._proxies:
++            return [self._proxies['force']]
++        if self._proxies:
++            scheme = str(query.protocolTag())
++            if scheme in self._proxies:
++                return [self._proxies[scheme]]
++        # this function most return always at least one item, since we do not
++        # have a proxy set for the query let's return the system default proxy
++        return [self._proxies['default']]
++    # pylint: enable=C0103
++
++    def update_proxy(self, scheme, settings):
++        """Allows to update the proxy to be used for a scheme."""
++        self._proxies[scheme] = self._get_proxy_for_settings(settings)
++
++    def force_use_proxy(self, settings):
++        """Force to use the proxies in the given settings."""
++        self._proxies['force'] = self._get_proxy_for_settings(settings)
++
++    def find_proxy_schemes(self, proxy):
++        """Return the scheme in wich the proxy is used."""
++        schemes = []
++        for scheme, scheme_proxy in self._proxies.iteritems():
++            if scheme_proxy == proxy:
++                schemes.append(scheme)
++        return schemes
++
++
  class WebClient(BaseWebClient):
      """A webclient with a qtnetwork backend."""
@@ -58,16 +130,17 @@
          self.nam.authenticationRequired.connect(self._handle_authentication)
          self.nam.proxyAuthenticationRequired.connect(
                                        self._handle_bad_proxy_authentication)
++        self.nam.sslErrors.connect(self._handle_ssl_errors)
          self.replies = {}
++        self.proxy_factory = None
          self.setup_proxy()
      def setup_proxy(self):
          """Setup the proxy settings if needed."""
          # QtNetwork knows how to use the system settings on both Win and Mac
          if sys.platform.startswith("linux"):
--            settings = gsettings.get_proxy_settings()
--            if settings:
--                self.force_use_proxy(settings)
++            self.proxy_factory = WebClientProxyFactory()
++            self.nam.setProxyFactory(self.proxy_factory)
          else:
              QNetworkProxyFactory.setUseSystemConfiguration(True)
@@ -121,9 +194,8 @@
      @defer.inlineCallbacks
      def _handle_bad_proxy_authentication(self, proxy, authenticator):
          """Handle when we have a bad proxy."""
--        current_proxy = self.nam.proxy()
--        host = unicode(current_proxy.hostName()).encode('utf8')
--        port = current_proxy.port()
++        host = unicode(proxy.hostName()).encode('utf8')
++        port = proxy.port()
          settings = dict(host=host, port=port)
          # HACK: work around for reported bugs: QTBUG-16728 and #QTBUG-14850
          got_creds = yield self.request_proxy_auth_credentials(host, True)
@@ -135,7 +207,9 @@
                 and 'password' in settings):
              authenticator.setUser(self.proxy_username)
              authenticator.setPassword(self.proxy_password)
--            self.force_use_proxy(settings)
++            schemes = self.proxy_factory.find_proxy_schemes(proxy)
++            for scheme in schemes:
++                self.proxy_factory.update_proxy(scheme, settings)
      @defer.inlineCallbacks
      def _handle_proxy_authentication(self, failure, method, reply,
@@ -158,9 +232,10 @@
                                   'password': self.proxy_password})
          if (settings and 'username' in settings
                  and 'password' in settings):
--            self.force_use_proxy(settings)
--            # lets retry using the request
              request = reply.request()
++            scheme = str(request.url().scheme())
++            self.proxy_factory.update_proxy(scheme, settings)
++            # let's retry using the request
              result = yield self._perform_request(request, method, post_buffer)
              defer.returnValue(result)
          else:
@@ -191,20 +266,37 @@
                  exception = WebClientError(error_string, content)
              d.errback(exception)
++    def _get_certificate_details(self, cert):
++        """Return an string with the details of the certificate."""
++        detail_titles = {QSslCertificate.Organization: 'organization',
++                         QSslCertificate.CommonName: 'common_name',
++                         QSslCertificate.LocalityName: 'locality_name',
++                         QSslCertificate.OrganizationalUnitName: 'unit',
++                         QSslCertificate.CountryName: 'country_name',
++                         QSslCertificate.StateOrProvinceName: 'state_name'}
++        details = {}
++        for info, title in detail_titles.iteritems():
++            details[title] = str(cert.issuerInfo(info))
++        return self.format_ssl_details(details)
++
++    def _get_certificate_host(self, cert):
++        """Return the host of the cert."""
++        return str(cert.issuerInfo(QSslCertificate.CommonName))
++
++    @defer.inlineCallbacks
++    def _handle_ssl_errors(self, reply, errors):
++        """Handle the case in which we got an ssl error."""
++        # ask the user if the cer should be trusted
++        cert = errors[0].certificate()
++        trust_cert = yield self.request_ssl_cert_approval(
++                                    self._get_certificate_host(cert),
++                                    self._get_certificate_details(cert))
++        if trust_cert:
++            reply.ignoreSslErrors()
++
      def force_use_proxy(self, settings):
          """Setup this webclient to use the given proxy settings."""
--        host = settings.get("host", "")
--        port = settings.get("port", 0)
--        if "username" in settings and "password" in settings:
--            logger.debug('Using auth proxy for %s:%s', host, port)
--            proxy = QNetworkProxy(QNetworkProxy.HttpProxy, hostName=host,
--                              port=port, user=settings.get("username", ""),
--                              password=settings.get("password", ""))
--        else:
--            logger.debug('Using nonauth proxy for %s:%s', host, port)
--            proxy = QNetworkProxy(QNetworkProxy.HttpProxy, hostName=host,
--                                                               port=port)
--        self.nam.setProxy(proxy)
++        self.proxy_factory.force_use_proxy(settings)
      def shutdown(self):
          """Shut down all pending requests (if possible)."""
 === modified file 'ubuntu_sso/utils/webclient/tests/__init__.py'
 --- ubuntu_sso/utils/webclient/tests/__init__.py	2012-02-07 19:36:50 +0000
 +++ ubuntu_sso/utils/webclient/tests/__init__.py	2012-03-09 12:09:20 +0000
@@ -17,9 +17,48 @@
  """Tests for the proxy-aware webclient."""
  from twisted.application import internet, service
++from twisted.internet import ssl
  from twisted.web import http, server
++# Some settings are not used as described in:
++# https://bugzilla.gnome.org/show_bug.cgi?id=648237
++
++TEMPLATE_GSETTINGS_OUTPUT = """\
++org.gnome.system.proxy autoconfig-url '{autoconfig_url}'
++org.gnome.system.proxy ignore-hosts {ignore_hosts:s}
++org.gnome.system.proxy mode '{mode}'
++org.gnome.system.proxy.ftp host '{ftp_host}'
++org.gnome.system.proxy.ftp port {ftp_port}
++org.gnome.system.proxy.http authentication-password '{auth_password}'
++org.gnome.system.proxy.http authentication-user '{auth_user}'
++org.gnome.system.proxy.http host '{http_host}'
++org.gnome.system.proxy.http port {http_port}
++org.gnome.system.proxy.http use-authentication {http_use_auth}
++org.gnome.system.proxy.https host '{https_host}'
++org.gnome.system.proxy.https port {https_port}
++org.gnome.system.proxy.socks host '{socks_host}'
++org.gnome.system.proxy.socks port {socks_port}
++"""
++
++BASE_GSETTINGS_VALUES = {
++    "autoconfig_url": "",
++    "ignore_hosts": ["localhost", "127.0.0.0/8"],
++    "mode": "none",
++    "ftp_host": "",
++    "ftp_port": 0,
++    "auth_password": "",
++    "auth_user": "",
++    "http_host": "",
++    "http_port": 0,
++    "http_use_auth": "false",
++    "https_host": "",
++    "https_port": 0,
++    "socks_host": "",
++    "socks_port": 0,
++}
++
++
  class SaveHTTPChannel(http.HTTPChannel):
      """A save protocol to be used in tests."""
@@ -48,15 +87,26 @@
  class BaseMockWebServer(object):
      """A mock webserver for testing"""
--    def __init__(self):
++    def __init__(self, ssl_settings=None):
          """Start up this instance."""
          self.root = self.get_root_resource()
          self.site = SaveSite(self.root)
          application = service.Application('web')
          self.service_collection = service.IServiceCollection(application)
          #pylint: disable=E1101
--        self.tcpserver = internet.TCPServer(0, self.site)
--        self.tcpserver.setServiceParent(self.service_collection)
++        ssl_context = None
++        if (ssl_settings is not None
++                and 'key' in ssl_settings
++                and 'cert' in ssl_settings):
++            ssl_context = ssl.DefaultOpenSSLContextFactory(ssl_settings['key'],
++                                                         ssl_settings['cert'])
++            self.ssl_server = internet.SSLServer(0, self.site, ssl_context)
++        else:
++            self.ssl_server = None
++        self.server = internet.TCPServer(0, self.site)
++        self.server.setServiceParent(self.service_collection)
++        if self.ssl_server:
++            self.ssl_server.setServiceParent(self.service_collection)
          self.service_collection.startService()
      def get_root_resource(self):
@@ -65,9 +115,27 @@
      def get_iri(self):
          """Build the iri for this mock server."""
--        #pylint: disable=W0212
--        port_num = self.tcpserver._port.getHost().port
--        return u"http://127.0.0.1:%d/" % port_num
++        url = u"http://127.0.0.1:%d/"
++        return url % self.get_port()
++
++    def get_ssl_iri(self):
++        """Build the ssl iri for this mock server."""
++        if self.ssl_server:
++            url = u"https://127.0.0.1:%d/"
++            return url % self.get_ssl_port()
++
++    def get_port(self):
++        """Return the port where we are listening."""
++        # pylint: disable=W0212
++        return self.server._port.getHost().port
++        # pylint: enable=W0212
++
++    def get_ssl_port(self):
++        """Return the ssl port where we are listening."""
++        # pylint: disable=W0212
++        if self.ssl_server:
++            return self.ssl_server._port.getHost().port
++        # pylint: enable=W0212
      def stop(self):
          """Shut it down."""
 === modified file 'ubuntu_sso/utils/webclient/tests/test_gsettings.py'
 --- ubuntu_sso/utils/webclient/tests/test_gsettings.py	2012-02-10 19:20:33 +0000
 +++ ubuntu_sso/utils/webclient/tests/test_gsettings.py	2012-03-09 12:09:20 +0000
@@ -18,43 +18,10 @@
  from twisted.trial.unittest import TestCase
  from ubuntu_sso.utils.webclient import gsettings
--
--# Some settings are not used as described in:
--# https://bugzilla.gnome.org/show_bug.cgi?id=648237
--
--TEMPLATE_GSETTINGS_OUTPUT = """\
--org.gnome.system.proxy autoconfig-url '{autoconfig_url}'
--org.gnome.system.proxy ignore-hosts {ignore_hosts:s}
--org.gnome.system.proxy mode '{mode}'
--org.gnome.system.proxy.ftp host '{ftp_host}'
--org.gnome.system.proxy.ftp port {ftp_port}
--org.gnome.system.proxy.http authentication-password '{auth_password}'
--org.gnome.system.proxy.http authentication-user '{auth_user}'
--org.gnome.system.proxy.http host '{http_host}'
--org.gnome.system.proxy.http port {http_port}
--org.gnome.system.proxy.http use-authentication {http_use_auth}
--org.gnome.system.proxy.https host '{https_host}'
--org.gnome.system.proxy.https port {https_port}
--org.gnome.system.proxy.socks host '{socks_host}'
--org.gnome.system.proxy.socks port {socks_port}
--"""
--
--BASE_GSETTINGS_VALUES = {
--    "autoconfig_url": "",
--    "ignore_hosts": ["localhost", "127.0.0.0/8"],
--    "mode": "none",
--    "ftp_host": "",
--    "ftp_port": 0,
--    "auth_password": "",
--    "auth_user": "",
--    "http_host": "",
--    "http_port": 0,
--    "http_use_auth": "false",
--    "https_host": "",
--    "https_port": 0,
--    "socks_host": "",
--    "socks_port": 0,
--}
++from ubuntu_sso.utils.webclient.tests import (
++    BASE_GSETTINGS_VALUES,
++    TEMPLATE_GSETTINGS_OUTPUT,
++)
  class ProxySettingsTestCase(TestCase):
@@ -83,25 +50,33 @@
          ps = gsettings.get_proxy_settings()
          self.assertEqual(ps, expected)
++    def _assert_parser_anonymous(self, scheme):
++        """Assert the parsing of anonymous settings."""
++        template_values = dict(BASE_GSETTINGS_VALUES)
++        expected_host = "expected_host"
++        expected_port = 54321
++        expected = {
++            "host": expected_host,
++            "port": expected_port,
++        }
++        template_values.update({
++            "mode": "manual",
++            scheme + "_host": expected_host,
++            scheme + "_port": expected_port,
++        })
++        fake_output = TEMPLATE_GSETTINGS_OUTPUT.format(**template_values)
++        self.patch(gsettings.subprocess, "check_output",
++                   lambda _: fake_output)
++        ps = gsettings.get_proxy_settings()
++        self.assertEqual(ps[scheme], expected)
++
      def test_gsettings_parser_http_anonymous(self):
          """Test a parser of gsettings."""
--        template_values = dict(BASE_GSETTINGS_VALUES)
--        expected_host = "expected_host"
--        expected_port = 54321
--        expected = {
--            "host": expected_host,
--            "port": expected_port,
--        }
--        template_values.update({
--            "mode": "manual",
--            "http_host": expected_host,
--            "http_port": expected_port,
--        })
--        fake_output = TEMPLATE_GSETTINGS_OUTPUT.format(**template_values)
--        self.patch(gsettings.subprocess, "check_output",
--                   lambda _: fake_output)
--        ps = gsettings.get_proxy_settings()
--        self.assertEqual(ps, expected)
++        self._assert_parser_anonymous('http')
++
++    def test_gsettings_parser_https_anonymus(self):
++        """Test a parser of gsettings."""
++        self._assert_parser_anonymous('https')
      def test_gsettings_parser_http_authenticated(self):
          """Test a parser of gsettings."""
@@ -128,9 +103,9 @@
          self.patch(gsettings.subprocess, "check_output",
                     lambda _: fake_output)
          ps = gsettings.get_proxy_settings()
--        self.assertEqual(ps, expected)
++        self.assertEqual(ps["http"], expected)
--    def test_gsettings_parser_authenticated_url(self):
++    def _assert_parser_authenticated_url(self, scheme):
          """Test a parser of gsettings with creds in the url."""
          template_values = dict(BASE_GSETTINGS_VALUES)
          expected_host = "expected_host"
@@ -147,15 +122,23 @@
+         }
          template_values.update({
              "mode": "manual",
--            "http_host": composed_url,
--            "http_port": expected_port,
++            scheme + "_host": composed_url,
++            scheme + "_port": expected_port,
              "http_use_auth": "false",
          })
          fake_output = TEMPLATE_GSETTINGS_OUTPUT.format(**template_values)
          self.patch(gsettings.subprocess, "check_output",
                     lambda _: fake_output)
          ps = gsettings.get_proxy_settings()
--        self.assertEqual(ps, expected)
++        self.assertEqual(ps[scheme], expected)
++
++    def test_gsettings_parser_http_authenticated_url(self):
++        """Test a parser of gsettings with creds in the url."""
++        self._assert_parser_authenticated_url('http')
++
++    def test_gsettings_parser_https_authenticated_url(self):
++        """Test a parser of gsettings with creds in the url."""
++        self._assert_parser_authenticated_url('https')
      def test_gsettings_auth_over_url(self):
          """Test that the settings are more important that the url."""
@@ -166,7 +149,7 @@
          expected_password = "very secret password"
          composed_url = '%s:%s@%s' % ('user', 'random',
                                       expected_host)
--        expected = {
++        http_expected = {
              "host": expected_host,
              "port": expected_port,
              "username": expected_user,
@@ -184,7 +167,7 @@
          self.patch(gsettings.subprocess, "check_output",
                     lambda _: fake_output)
          ps = gsettings.get_proxy_settings()
--        self.assertEqual(ps, expected)
++        self.assertEqual(ps["http"], http_expected)
  class ParseProxyHostTestCase(TestCase):
 === modified file 'ubuntu_sso/utils/webclient/tests/test_webclient.py'
 --- ubuntu_sso/utils/webclient/tests/test_webclient.py	2012-03-09 12:09:20 +0000
 +++ ubuntu_sso/utils/webclient/tests/test_webclient.py	2012-03-09 12:09:20 +0000
@@ -16,9 +16,12 @@
  """Integration tests for the proxy-enabled webclient."""
  import os
++import shutil
  import sys
  import urllib
++from OpenSSL import crypto
++from socket import gethostname
  from twisted.cred import checkers, portal
  from twisted.internet import defer
  from twisted.web import guard, http, resource
@@ -34,6 +37,8 @@
      USER_CANCELLATION,
+ )
  from ubuntu_sso.utils import webclient
++from ubuntu_sso.utils.ui import SSL_DETAILS_TEMPLATE
++from ubuntu_sso.utils.webclient import gsettings
  from ubuntu_sso.utils.webclient.common import BaseWebClient, HeaderDict, oauth
  from ubuntu_sso.utils.webclient.tests import BaseMockWebServer
@@ -767,3 +772,217 @@
          got_creds = yield self.wc.request_proxy_auth_credentials(self.domain,
                                                             self.retry)
          self.assertFalse(got_creds, 'Return true when user cancels.')
++
++
++class BaseSSLTestCase(SquidTestCase):
++    """Base test that allows to use ssl connections."""
++
++    @defer.inlineCallbacks
++    def setUp(self):
++        """Set the diff tests."""
++        yield super(BaseSSLTestCase, self).setUp()
++        self.cert_dir = os.path.join(self.tmpdir, 'cert')
++        self.cert_details = dict(organization='Canonical',
++                                 common_name=gethostname(),
++                                 locality_name='London',
++                                 unit='Ubuntu One',
++                                 country_name='UK',
++                                 state_name='London',)
++        self.ssl_settings = self._generate_self_signed_certificate(
++                                                             self.cert_dir,
++                                                             self.cert_details)
++        self.addCleanup(self._clean_ssl_certificate_files)
++
++        self.ws = MockWebServer(self.ssl_settings)
++        self.addCleanup(self.ws.stop)
++        self.base_iri = self.ws.get_iri()
++        self.base_ssl_iri = self.ws.get_ssl_iri()
++
++    def _clean_ssl_certificate_files(self):
++        """Remove the certificate files."""
++        if os.path.exists(self.cert_dir):
++            shutil.rmtree(self.cert_dir)
++
++    def _generate_self_signed_certificate(self, cert_dir, cert_details):
++        """Generate the required SSL certificates."""
++        if not os.path.exists(cert_dir):
++            os.makedirs(cert_dir)
++        cert_path = os.path.join(cert_dir, 'cert.crt')
++        key_path = os.path.join(cert_dir, 'cert.key')
++
++        if os.path.exists(cert_path):
++            os.unlink(cert_path)
++        if os.path.exists(key_path):
++            os.unlink(key_path)
++
++        # create a key pair
++        key = crypto.PKey()
++        key.generate_key(crypto.TYPE_RSA, 1024)
++
++        # create a self-signed cert
++        cert = crypto.X509()
++        cert.get_subject().C = cert_details['country_name']
++        cert.get_subject().ST = cert_details['state_name']
++        cert.get_subject().L = cert_details['locality_name']
++        cert.get_subject().O = cert_details['organization']
++        cert.get_subject().OU = cert_details['unit']
++        cert.get_subject().CN = cert_details['common_name']
++        cert.set_serial_number(1000)
++        cert.gmtime_adj_notBefore(0)
++        cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
++        cert.set_issuer(cert.get_subject())
++        cert.set_pubkey(key)
++        cert.sign(key, 'sha1')
++
++        with open(cert_path, 'wt') as fd:
++            fd.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
++
++        with open(key_path, 'wt') as fd:
++            fd.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
++
++        return dict(key=key_path, cert=cert_path)
++
++
++class CorrectProxyTestCase(BaseSSLTestCase):
++    """Test the interaction with a SSL enabled proxy."""
++
++    @defer.inlineCallbacks
++    def setUp(self):
++        """Set the tests."""
++        yield super(CorrectProxyTestCase, self).setUp()
++
++        # fake the gsettings to have diff settings for https and http
++        http_settings = self.get_auth_proxy_settings()
++
++        #remember so that we can use them in the creds request
++        proxy_username = http_settings['username']
++        proxy_password = http_settings['password']
++
++        # delete the username and password so that we get a 407 for testing
++        del http_settings['username']
++        del http_settings['password']
++
++        https_settings = self.get_nonauth_proxy_settings()
++
++        proxy_settings = dict(http=http_settings, https=https_settings)
++        self.patch(gsettings, "get_proxy_settings", lambda: proxy_settings)
++
++        self.wc = webclient.webclient_factory()
++        self.addCleanup(self.wc.shutdown)
++
++        self.called = []
++
++        def fake_creds_request(domain, retry):
++            """Fake user interaction."""
++            self.called.append('request_proxy_auth_credentials')
++            self.wc.proxy_username = proxy_username
++            self.wc.proxy_password = proxy_password
++            return defer.succeed(True)
++
++        self.patch(self.wc, 'request_proxy_auth_credentials',
++                   fake_creds_request)
++
++    def assert_header_contains(self, headers, expected):
++        """One of the headers matching key must contain a given value."""
++        self.assertTrue(any(expected in value for value in headers))
++
++    def test_https_request(self):
++        """Test using the correct proxy for the ssl request.
++
++        In order to assert that the correct proxy is used we expect not to call
++        the auth dialog since we set the https proxy not to use the auth proxy
++        and to fail because we are reaching a https page with bad self-signed
++        certs.
++        """
++        # we fail due to the fake ssl cert
++        self.failUnlessFailure(self.wc.request(
++                                     self.base_ssl_iri + SIMPLERESOURCE),
++                                     webclient.WebClientError)
++        # https requests do not use the auth proxy therefore called should be
++        # empty. This asserts that we are using the correct settings for the
++        # request.
++        self.assertEqual([], self.called)
++
++    @defer.inlineCallbacks
++    def test_http_request(self):
++        """Test using the correct proxy for the plain request.
++
++        This tests does the opposite to the https tests. We did set the auth
++        proxy for the http request therefore we expect the proxy dialog to be
++        used and not to get an error since we are not visiting a https with bad
++        self-signed certs.
++        """
++        # we do not fail since we are not going to the https page
++        result = yield self.wc.request(self.base_iri + SIMPLERESOURCE)
++        self.assert_header_contains(result.headers["Via"], "squid")
++        # assert that we did go through the auth proxy
++        self.assertIn('request_proxy_auth_credentials', self.called)
++
++    if WEBCLIENT_MODULE_NAME.endswith(".txweb"):
++        reason = 'Multiple proxy settings is not supported.'
++        test_https_request.skip = reason
++        test_http_request.skip = reason
++
++    if WEBCLIENT_MODULE_NAME.endswith(".libsoup"):
++        reason = 'Hard to test since we need to fully mock gsettings.'
++        test_https_request.skip = reason
++        test_http_request.skip = reason
++
++
++class SSLTestCase(BaseSSLTestCase):
++    """Test error handling when dealing with ssl."""
++
++    @defer.inlineCallbacks
++    def setUp(self):
++        """Set the diff tests."""
++        yield super(SSLTestCase, self).setUp()
++
++        self.wc = webclient.webclient_factory()
++        self.addCleanup(self.wc.shutdown)
++
++        self.return_code = USER_CANCELLATION
++        self.called = []
++
++        def fake_launch_ssl_dialog(client, domain, details):
++            """Fake the ssl dialog."""
++            self.called.append(('_launch_ssl_dialog', domain, details))
++            return defer.succeed(self.return_code)
++
++        self.patch(BaseWebClient, '_launch_ssl_dialog', fake_launch_ssl_dialog)
++
++    @defer.inlineCallbacks
++    def _assert_ssl_fail_user_accepts(self, proxy_settings=None):
++        """Assert the dialog is shown in an ssl fail."""
++        self.return_code = USER_SUCCESS
++        if proxy_settings:
++            self.wc.force_use_proxy(proxy_settings)
++        yield self.wc.request(self.base_ssl_iri + SIMPLERESOURCE)
++        details = SSL_DETAILS_TEMPLATE % self.cert_details
++        self.assertIn(('_launch_ssl_dialog', gethostname(), details),
++                      self.called)
++
++    def test_ssl_fail_dialog_user_accepts(self):
++        """Test showing the dialog and accepting."""
++        self._assert_ssl_fail_user_accepts()
++
++    def test_ssl_fail_dialog_user_accepts_via_proxy(self):
++        """Test showing the dialog and accepting when using a proxy."""
++        self._assert_ssl_fail_user_accepts(self.get_nonauth_proxy_settings())
++
++    def test_ssl_fail_dialog_user_rejects(self):
++        """Test showing the dialog and rejecting."""
++        self.failUnlessFailure(self.wc.request(self.base_iri + SIMPLERESOURCE),
++                                     webclient.WebClientError)
++
++    def test_format_ssl_details(self):
++        """Assert that details are correctly formatted"""
++        details = SSL_DETAILS_TEMPLATE % self.cert_details
++        self.assertEqual(details,
++                self.wc.format_ssl_details(self.cert_details))
++
++    if (WEBCLIENT_MODULE_NAME.endswith(".txweb") or
++            WEBCLIENT_MODULE_NAME.endswith(".libsoup")):
++        reason = 'SSL support has not yet been implemented.'
++        test_ssl_fail_dialog_user_accepts.skip = reason
++        test_ssl_fail_dialog_user_accepts_via_proxy.skip = reason
++        test_ssl_fail_dialog_user_rejects.skip = reason