Daniel Maksymilian Syrnicki
e68ed279cc
All checks were successful
Build ISO / build-iso (push) Successful in 17m23s
CI / lint (push) Successful in 27s
CI / test (push) Successful in 1m2s
CI / validate-json (push) Successful in 24s
CI / markdown-links (push) Successful in 15s
Release / release (push) Successful in 11m34s
Every Furtka since 26.5 shipped a Caddyfile with a
`__FURTKA_HOSTNAME__.local { tls internal }` site block, so every
first boot auto-generated a fresh self-signed CA + intermediate +
leaf. That worked for the first-ever Furtka user, but every reinstall
(or second box on the same LAN) produced a new CA whose intermediate
shared the fixed CN `Caddy Local Authority - ECC Intermediate` with
the previous one. Firefox caches intermediates by CN across profiles
— even private windows share cert9.db — so any visitor who had
trusted an older Furtka's CA got a cached intermediate with
mismatched keys when they hit the new box, producing
`SEC_ERROR_BAD_SIGNATURE`. Unlike UNKNOWN_ISSUER, Firefox has NO
"Advanced → Accept Risk" bypass for BAD_SIGNATURE, so fresh-install
boxes were effectively unreachable over HTTPS in any browser that
had ever seen a previous Furtka.
Validated live on the .46 test VM: fresh 26.14 ISO install → Firefox
hits BAD_SIGNATURE on https://furtka.local/ (even in private mode).
Chromium bypasses it via mDNS failure but the issue is the same.
openssl verify on the box confirms the chain is internally valid —
this is purely client-side cache pollution across boxes.
Fix:
- assets/Caddyfile: removed the hostname site block. Default install
serves :80 only — https://furtka.local connection-refuses, which is
a normal error every browser handles instead of the unbypassable
crypto fault. Added top-level import of
/etc/caddy/furtka-https.d/*.caddyfile so the /settings HTTPS toggle
can drop a listener snippet there when a user explicitly opts in.
- furtka/https.py: set_force_https now writes TWO snippets atomically
— the top-level hostname + tls internal block (enables :443) and
the :80-scoped redirect (forces HTTP→HTTPS). Disable removes both.
Reload failure rolls both back. Added _read_hostname + _https_snippet_content
helpers with `/etc/hostname` → 'furtka' fallback so a missing
hostname file doesn't produce an empty site block Caddy rejects.
- furtka/https.py::status: force_https now reads the listener
snippet (was reading the redirect snippet). A redirect without a
listener isn't actually HTTPS being served, so the listener is the
authoritative "HTTPS is on" signal.
- furtka/updater.py: new _maybe_migrate_preserve_https hook runs
inside _refresh_caddyfile on the 26.14 → 26.15 transition. If the
box had the redirect snippet on disk (user had opted into HTTPS
under the old regime), it writes the new listener snippet too so
HTTPS keeps working after the Caddyfile swap removes the hostname
block.
- webinstaller/app.py: post-install creates /etc/caddy/furtka-https.d/
alongside /etc/caddy/furtka.d/ so the glob import can't trip an
older Caddy on a missing path during the first reload.
Live-tested on .46: set_force_https(True) writes both snippets, Caddy
reloads, :443 listener comes up with fresh CA, curl -k returns 302,
HTTP 301-redirects. set_force_https(False) removes both snippets
atomically, :443 goes back to connection-refused.
Tests: test_https.py expanded from 13 to 15 cases. Toggle-on asserts
both snippets written + hostname substituted. Toggle-off asserts
both removed. Rollback cases verify BOTH snippets restore on reload
failure. New test_https_snippet_content_has_tls_internal_and_routes
locks the exact shape of the listener block.
test_webinstaller_assets.py: updated two old asserts that assumed
hostname block was in Caddyfile; new test_post_install_creates_https_snippet_dir
guards the new directory.
276 tests pass, ruff check + format clean.
Known remaining wart (documented in CHANGELOG): a browser that
trusted a prior Furtka CA still hits BAD_SIGNATURE on this box's
HTTPS after enabling it, because the fixed intermediate CN is a
Caddy-side limitation. Workaround: clear cert9.db or visit in a
fresh profile. Won't affect end users with one Furtka box ever.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
216 lines
8.1 KiB
Python
216 lines
8.1 KiB
Python
"""Tests for furtka.https — fingerprint extraction + HTTPS toggle.
|
|
|
|
Since 26.15-alpha the toggle writes/removes TWO snippets atomically:
|
|
- The top-level HTTPS listener snippet (enables :443 + tls internal)
|
|
- The :80-scoped redirect snippet (forces HTTP → HTTPS)
|
|
|
|
The fingerprint case uses a throwaway self-signed EC cert with a known
|
|
reference fingerprint (computed once via `openssl x509 -fingerprint
|
|
-sha256 -noout`) so we verify the PEM → DER → SHA256 path without a
|
|
runtime subprocess dependency. The toggle cases stub the caddy reload
|
|
so we assert both snippet files are written / removed together and that
|
|
reload failures roll BOTH state back.
|
|
"""
|
|
|
|
import subprocess
|
|
|
|
import pytest
|
|
|
|
from furtka import https
|
|
|
|
# Self-signed test-only cert. Don't trust it anywhere; it's here because
|
|
# we need a real PEM whose fingerprint we can pre-compute.
|
|
_TEST_CERT_PEM = """-----BEGIN CERTIFICATE-----
|
|
MIIBjjCCATOgAwIBAgIUGIKx2BGMvNQwAcZvjwJiaJO1GvEwCgYIKoZIzj0EAwIw
|
|
HDEaMBgGA1UEAwwRRnVydGthIFRlc3QgTG9jYWwwHhcNMjYwNDE3MTAxNTMxWhcN
|
|
MzYwNDE0MTAxNTMxWjAcMRowGAYDVQQDDBFGdXJ0a2EgVGVzdCBMb2NhbDBZMBMG
|
|
ByqGSM49AgEGCCqGSM49AwEHA0IABIfWX2oVXrw+iv4lCcIIceoX24bvRdlEECB5
|
|
QoMYphmlOoI492tRCGHxA8eaIwIYqFn1DzBKBRSL0H3xcu+4Pg6jUzBRMB0GA1Ud
|
|
DgQWBBSMizCL5Kh+SLE5n12oKV05L9bJXjAfBgNVHSMEGDAWgBSMizCL5Kh+SLE5
|
|
n12oKV05L9bJXjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQDp
|
|
6etGEuj7AGD5zzyzDSpmRiMEgBp1k6fVoLYW7N2K3AIhAK8khUp3gKPo4UqtWNK9
|
|
Cs/B0mzRy2MUPGdZ5QU6LoDz
|
|
-----END CERTIFICATE-----
|
|
"""
|
|
_TEST_CERT_FP_SHA256 = (
|
|
"40:A7:98:2E:8D:1F:4C:0D:9B:E6:87:ED:91:FA:6F:B1:"
|
|
"3D:8A:10:06:79:7C:08:A9:8F:AD:71:0C:B8:29:87:28"
|
|
)
|
|
|
|
|
|
def _paths(tmp_path):
|
|
"""Return the four paths the toggle touches, in a dict for kwargs
|
|
spreading. Keeps each test's fixture boilerplate small."""
|
|
return {
|
|
"snippet_dir": tmp_path / "furtka.d",
|
|
"snippet": tmp_path / "furtka.d" / "redirect.caddyfile",
|
|
"https_snippet_dir": tmp_path / "furtka-https.d",
|
|
"https_snippet": tmp_path / "furtka-https.d" / "https.caddyfile",
|
|
"hostname_file": tmp_path / "etc_hostname",
|
|
}
|
|
|
|
|
|
def _prepare_hostname(tmp_path, value="testbox"):
|
|
(tmp_path / "etc_hostname").write_text(f"{value}\n")
|
|
|
|
|
|
def test_ca_fingerprint_matches_openssl(tmp_path):
|
|
cert = tmp_path / "root.crt"
|
|
cert.write_text(_TEST_CERT_PEM)
|
|
fp_hex = https._ca_fingerprint(cert)
|
|
assert fp_hex is not None
|
|
assert https._format_fingerprint(fp_hex) == _TEST_CERT_FP_SHA256
|
|
|
|
|
|
def test_ca_fingerprint_missing_file(tmp_path):
|
|
assert https._ca_fingerprint(tmp_path / "nope.crt") is None
|
|
|
|
|
|
def test_ca_fingerprint_no_pem_block(tmp_path):
|
|
garbage = tmp_path / "root.crt"
|
|
garbage.write_text("not a certificate")
|
|
assert https._ca_fingerprint(garbage) is None
|
|
|
|
|
|
def test_status_no_ca_no_snippet(tmp_path):
|
|
s = https.status(ca_path=tmp_path / "root.crt", https_snippet=tmp_path / "https.caddyfile")
|
|
assert s == {
|
|
"ca_available": False,
|
|
"fingerprint_sha256": None,
|
|
"force_https": False,
|
|
"ca_download_url": "/rootCA.crt",
|
|
}
|
|
|
|
|
|
def test_status_with_ca_and_https_snippet(tmp_path):
|
|
ca = tmp_path / "root.crt"
|
|
ca.write_text(_TEST_CERT_PEM)
|
|
https_snip = tmp_path / "https.caddyfile"
|
|
https_snip.write_text("furtka.local, furtka {\n\ttls internal\n\timport furtka_routes\n}\n")
|
|
s = https.status(ca_path=ca, https_snippet=https_snip)
|
|
assert s["ca_available"] is True
|
|
assert s["fingerprint_sha256"] == _TEST_CERT_FP_SHA256
|
|
assert s["force_https"] is True
|
|
|
|
|
|
def test_status_force_reflects_https_snippet_not_redirect(tmp_path):
|
|
"""Authoritative signal for "HTTPS is on" is the listener snippet —
|
|
a lone redirect without a :443 listener wouldn't actually serve
|
|
HTTPS, so the status must NOT report it as on. Locks 26.15 semantic."""
|
|
ca = tmp_path / "root.crt"
|
|
ca.write_text(_TEST_CERT_PEM)
|
|
s = https.status(ca_path=ca, https_snippet=tmp_path / "does-not-exist.caddyfile")
|
|
assert s["force_https"] is False
|
|
|
|
|
|
def test_set_force_enable_writes_both_snippets_and_reloads(tmp_path):
|
|
_prepare_hostname(tmp_path)
|
|
p = _paths(tmp_path)
|
|
calls = []
|
|
|
|
def fake_reload():
|
|
calls.append("reload")
|
|
|
|
result = https.set_force_https(True, reload_caddy=fake_reload, **p)
|
|
assert result is True
|
|
assert p["snippet"].read_text() == https.REDIRECT_CONTENT
|
|
written = p["https_snippet"].read_text()
|
|
assert "testbox.local, testbox" in written
|
|
assert "tls internal" in written
|
|
assert "import furtka_routes" in written
|
|
assert calls == ["reload"]
|
|
|
|
|
|
def test_set_force_uses_fallback_hostname_when_file_missing(tmp_path):
|
|
# No /etc/hostname → fall back to 'furtka' so Caddy gets a parseable
|
|
# block instead of an empty hostname that would fail config load.
|
|
p = _paths(tmp_path)
|
|
result = https.set_force_https(True, reload_caddy=lambda: None, **p)
|
|
assert result is True
|
|
assert "furtka.local, furtka" in p["https_snippet"].read_text()
|
|
|
|
|
|
def test_set_force_disable_removes_both_snippets(tmp_path):
|
|
_prepare_hostname(tmp_path)
|
|
p = _paths(tmp_path)
|
|
p["snippet_dir"].mkdir()
|
|
p["https_snippet_dir"].mkdir()
|
|
p["snippet"].write_text(https.REDIRECT_CONTENT)
|
|
p["https_snippet"].write_text("furtka.local { tls internal }\n")
|
|
|
|
result = https.set_force_https(False, reload_caddy=lambda: None, **p)
|
|
assert result is False
|
|
assert not p["snippet"].exists()
|
|
assert not p["https_snippet"].exists()
|
|
|
|
|
|
def test_set_force_disable_is_idempotent_when_already_off(tmp_path):
|
|
p = _paths(tmp_path)
|
|
result = https.set_force_https(False, reload_caddy=lambda: None, **p)
|
|
assert result is False
|
|
assert not p["snippet"].exists()
|
|
assert not p["https_snippet"].exists()
|
|
|
|
|
|
def test_reload_failure_rolls_back_enable(tmp_path):
|
|
_prepare_hostname(tmp_path)
|
|
p = _paths(tmp_path)
|
|
|
|
def failing_reload():
|
|
raise subprocess.CalledProcessError(1, ["systemctl"], stderr="bad config")
|
|
|
|
with pytest.raises(https.HttpsError, match="caddy reload failed: bad config"):
|
|
https.set_force_https(True, reload_caddy=failing_reload, **p)
|
|
# Rollback: since neither snippet existed before, neither exists after.
|
|
assert not p["snippet"].exists()
|
|
assert not p["https_snippet"].exists()
|
|
|
|
|
|
def test_reload_failure_rolls_back_disable(tmp_path):
|
|
_prepare_hostname(tmp_path)
|
|
p = _paths(tmp_path)
|
|
p["snippet_dir"].mkdir()
|
|
p["https_snippet_dir"].mkdir()
|
|
original_redirect = "redir https://{host}{uri} permanent\n# marker\n"
|
|
original_https = "# old https block\nfurtka.local { tls internal }\n"
|
|
p["snippet"].write_text(original_redirect)
|
|
p["https_snippet"].write_text(original_https)
|
|
|
|
def failing_reload():
|
|
raise subprocess.CalledProcessError(1, ["systemctl"], stderr="bad config")
|
|
|
|
with pytest.raises(https.HttpsError):
|
|
https.set_force_https(False, reload_caddy=failing_reload, **p)
|
|
# Rollback: both snippets are restored to their exact prior contents.
|
|
assert p["snippet"].read_text() == original_redirect
|
|
assert p["https_snippet"].read_text() == original_https
|
|
|
|
|
|
def test_systemctl_missing_raises_and_rolls_back(tmp_path):
|
|
_prepare_hostname(tmp_path)
|
|
p = _paths(tmp_path)
|
|
|
|
def missing_systemctl():
|
|
raise FileNotFoundError(2, "No such file", "systemctl")
|
|
|
|
with pytest.raises(https.HttpsError, match="systemctl not available"):
|
|
https.set_force_https(True, reload_caddy=missing_systemctl, **p)
|
|
assert not p["snippet"].exists()
|
|
assert not p["https_snippet"].exists()
|
|
|
|
|
|
def test_redirect_snippet_content_is_caddy_redir_directive():
|
|
# Lock the exact directive. A regression here silently stops the
|
|
# redirect from taking effect even though the file-swap looks fine.
|
|
assert https.REDIRECT_CONTENT.strip() == "redir https://{host}{uri} permanent"
|
|
|
|
|
|
def test_https_snippet_content_has_tls_internal_and_routes(tmp_path):
|
|
# Lock the shape of the opt-in HTTPS listener block. Caddy parses
|
|
# this verbatim — changing the shape without updating the test
|
|
# risks shipping a silently-broken Caddyfile import.
|
|
s = https._https_snippet_content("mybox")
|
|
assert "mybox.local, mybox {" in s
|
|
assert "\ttls internal" in s
|
|
assert "\timport furtka_routes" in s
|
|
assert s.endswith("}\n")
|