diff --git a/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py b/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py index 756c1c9..93d3ae8 100644 --- a/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py +++ b/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py @@ -78,7 +78,6 @@ class TimestampingEnricher(Enricher): try: message = bytes(data_to_sign, encoding='utf8') - print(tsa_url) logger.debug(f"Timestamping {url=} with {tsa_url=}") signed: TimeStampResponse = self.sign_data(tsa_url, message) @@ -118,8 +117,6 @@ class TimestampingEnricher(Enricher): f.write(timestamp_token) return tst_path - trust_roots = [] - with open(certifi.where(), "rb") as f: def verify_signed(self, timestamp_response: TimeStampResponse, message: bytes) -> x509.Certificate: """ Verify a Signed Timestamp Response is trusted by a known Certificate Authority. diff --git a/tests/conftest.py b/tests/conftest.py index a9f9ff8..44d8058 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -145,7 +145,7 @@ def sample_media(tmp_path) -> Media: """Fixture creating a Media object with temporary source file""" src_file = tmp_path / "source.txt" src_file.write_text("test content") - return Media(key="subdir/test.txt", filename=str(src_file)) + return Media(_key="subdir/test.txt", filename=str(src_file)) @pytest.fixture diff --git a/tests/data/timestamping/digicert.tsr b/tests/data/timestamping/digicert.tsr new file mode 100644 index 0000000..1648bdb Binary files /dev/null and b/tests/data/timestamping/digicert.tsr differ diff --git a/tests/enrichers/test_timestamping_enricher.py b/tests/enrichers/test_timestamping_enricher.py index 706678d..22cab06 100644 --- a/tests/enrichers/test_timestamping_enricher.py +++ b/tests/enrichers/test_timestamping_enricher.py 
@@ -29,6 +29,12 @@ def selfsigned_response() -> TimeStampResponse: return decode_timestamp_response(f.read()) +@pytest.fixture +def digicert_response() -> TimeStampResponse: + with open("tests/data/timestamping/digicert.tsr", "rb") as f: + return f.read() + + @pytest.fixture def filehash(): return "4b7b4e39f12b8c725e6e603e6d4422500316df94211070682ef10260ff5759ef" @@ -65,7 +71,6 @@ def test_full_enriching_selfsigned(setup_module, sample_media, mocker, selfsigne # set self-signed on tsp tsp.allow_selfsigned = True - tsp.enrich(metadata) assert len(metadata.media) @@ -131,12 +136,15 @@ def test_full_enriching_multiple_tsa(setup_module, sample_media, mocker, timesta assert len(timestamp_token_media.get("cert_chain")) == 3 -@pytest.mark.download -def test_fails_for_digicert(setup_module): +def test_fails_for_digicert(setup_module, mocker, digicert_response): """ Digicert TSRs are not compliant with RFC 3161. See https://github.com/trailofbits/rfc3161-client/issues/104#issuecomment-2621960840 """ + mocker.patch("requests.sessions.Session.post", return_value=requests.Response()) + mocker.patch("requests.Response.raise_for_status") + mocker.patch("requests.Response.content", new_callable=mocker.PropertyMock, return_value=digicert_response) + tsa_url = "http://timestamp.digicert.com" tsp: TimestampingEnricher = setup_module("timestamping_enricher") 
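Review bot: The new `digicert_response` fixture is annotated `-> TimeStampResponse` but returns `f.read()`, which is raw bytes. The `selfsigned_response` fixture just above it passes the bytes through `decode_timestamp_response` first. Raw bytes are what the later test feeds into the patched `Response.content`, so the return value is right and the annotation should change: `def digicert_response() -> bytes:`. The relative path `tests/data/timestamping/digicert.tsr` assumes pytest is started from the repository root; the neighbouring fixtures presumably share that assumption, so confirm before touching it.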
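Review bot: With `@pytest.mark.download` removed, `test_fails_for_digicert` relies entirely on the three patches to stay offline, but nothing asserts that the patched `Session.post` is the call actually made. If the enricher ever sends the request by another route, the test would presumably reach `http://timestamp.digicert.com` in an ordinary run without anyone noticing. Keep the handle, `post_mock = mocker.patch("requests.sessions.Session.post", return_value=requests.Response())`, and finish the test with `post_mock.assert_called_once()`. The rest of the test body lies outside this hunk.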
@@ -191,16 +199,10 @@ def test_order_crt_correctly(setup_module, wrong_order_timestamp_response): assert ordered_certs[1].subject.rfc4514_string() == "CN=TrustID Timestamping CA 3,O=IdenTrust,C=US" -def test_invalid_tsa_404(setup_module, mocker): - tsp = setup_module("timestamping_enricher") - post_mock = mocker.patch("requests.sessions.Session.post") - post_mock.side_effect = Exception("error") - with pytest.raises(Exception, match="error"): - tsp.sign_data("http://bellingcat.com/", b"my-message") - - -@pytest.mark.download def test_invalid_tsa_invalid_response(setup_module, mocker): + mocker.patch("requests.sessions.Session.post", return_value=requests.Response()) + raise_for_status = mocker.patch("requests.Response.raise_for_status") + raise_for_status.side_effect = requests.exceptions.HTTPError("404 Client Error") tsp = setup_module("timestamping_enricher") with pytest.raises(requests.exceptions.HTTPError, match="404 Client Error"):
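Review bot: Deleting `test_invalid_tsa_404` removes the only visible test in which `Session.post` itself raises, so the transport-failure path of `sign_data` is no longer exercised. The rewritten `test_invalid_tsa_invalid_response` covers only an error raised by `raise_for_status`. For a timestamping client it is worth pinning that a failed request surfaces as an exception and never as an unsigned result. A small companion test that patches `Session.post` with `side_effect=requests.exceptions.ConnectionError("error")` and wraps `tsp.sign_data(...)` in `pytest.raises(requests.exceptions.ConnectionError)` would restore that coverage. The `with pytest.raises` block continues past the end of this hunk.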