Merge pull request #9 from gattjoe/master

v1.3

CHANGELOG.md

@@ -13,4 +13,11 @@
 - Rename internal variable (non breaking change)
 - Update node packages
 - Improved documentation with screen shots
-- Imporved python version detection and error handling
+- Imporved python version detection and error handling
+
+# v1.3.0
+- Added support for Python 3.9 with upgrade of SSLyze to 4.0.x
+- Added support for junitparser 2.0.0 (fixes breaking change)
+- Removed hardcoded python package configuration from tlstestgate.ts
+- Added tox tests for Python 3.9
+- Added pytest to validate junitparser functionality in scanner.py

README.md

@@ -122,7 +122,7 @@ pytest -v test_tlstestgate.py --cov=buildAndReleaseTask --cov-report=xml
 
 ## Known Issues and Limitations of the Microsoft hosted Azure Pipeline agent
 
-If you intend to test a private endpoint, it is probable that the Microsoft hosted agents do not have access to your internal network. If you want to test a private endpoint, please use a self-hosted Azure Pipeline agent. For self-hosted agents, Python 3.7 or 3.8 is required, Python 3.9 is not supported at this time. Please refer to the links below for your target platform:
+If you intend to test a private endpoint, it is probable that the Microsoft hosted agents do not have access to your internal network. If you want to test a private endpoint, please use a self-hosted Azure Pipeline agent. For self-hosted agents, Python 3.7 and above is required. Please refer to the links below for your target platform:
 
 * [Linux](https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-linux?view=azure-devops)
 * [MacOS](https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-osx?view=azure-devops)

azure-pipelines.yml

@@ -4,7 +4,7 @@
 # https://aka.ms/yaml
 
 stages:
-- stage: 'Python37_and_Python38_tests'
+- stage: 'Python_Tests'
   jobs:
   - job:
     pool:
@@ -16,6 +16,8 @@ stages:
           python.version: '3.7'
         Python38:
           python.version: '3.8'
+        Python39:
+          python.version: '3.9'
 
     steps:
     - task: UsePythonVersion@0

buildAndReleaseTask/getpythonpath.ts

@@ -68,12 +68,6 @@ async function getSelfHostedPythonPath(): Promise<string> {
         const result: string = await pythonVer.execSync().stdout;
         console.log('PYTHON VERSION: ' + `${result}`);
 
-        // Python 3.7 or 3.8 is required, Python 3.9 is not supported at this time
-        if (result < '3.7' || result >= '3.9') {
-
-            throw new Error('Python 3.7 or 3.8 is required, Python 3.9 is not supported at this time.');
-        }
-
     } else {
         // Python3 not installed
         throw new Error('Python3 installation not found.');

buildAndReleaseTask/package.json

@@ -1,7 +1,7 @@
 {
   "name": "tlstestgate",
   "version": "1.0.0",
-  "description": "Build/Release Task to test for non-compliant SSL/TLS settings on public or internal endpoints. This extension requires Python 3.7 or 3.8, Python 3.9 is not supported at this time.",
+  "description": "Build/Release Task to test for non-compliant SSL/TLS settings on public or internal endpoints. Python 3.7 and above is required.",
   "main": "tlstestgate.js",
   "scripts": {
     "test": "mocha -r ts-node/register test/*.ts --reporter xunit --reporter-option output=ResultsFile.xml"

buildAndReleaseTask/python/scanner.py

@@ -144,10 +144,10 @@ def scan(dns_server: IpAddr, name: str, port: int) -> dict:
 def new_results() -> dict:
     """ Create the results dict """
 
-    return {'Hostname':     None,
-            'IP':           None,
-            'DNS':          None,
-            'Results':      []}
+    return {"Hostname":     None,
+            "IP":           None,
+            "DNS":          None,
+            "Results":      []}
 
 
 def write_output(target, results) -> None:
@@ -156,7 +156,7 @@ def write_output(target, results) -> None:
     test_case = TestCase(f'{target}')
     test_case.name = f'{target}'
     if results['Results'] != ['No SSL/TLS Violations found.']:
-        test_case.result = Failure(results)
+        test_case.result = [Failure(results)]
     else:
         test_case.result = results
 

buildAndReleaseTask/requirements.txt

@@ -0,0 +1,3 @@
+dnspython==2.1.0
+junitparser==2.0.0
+sslyze==4.0.1

buildAndReleaseTask/tlstestgate.ts

@@ -76,10 +76,12 @@ async function run(): Promise<void> {
             packageSetup.arg('-m');
             packageSetup.arg('pip');
             packageSetup.arg('install');
-            packageSetup.arg('--upgrade');
-            packageSetup.arg('dnspython==2.0.0');
-            packageSetup.arg('junitparser');
-            packageSetup.arg('sslyze==3.1.0');
+            packageSetup.arg('-r');
+            packageSetup.arg(path.join(__dirname, 'requirements.txt'));
+            //packageSetup.arg('--upgrade');
+            //packageSetup.arg('dnspython==2.0.0');
+            //packageSetup.arg('junitparser==1.6.3');
+            //packageSetup.arg('sslyze==3.1.0');
             await packageSetup.exec();
             tl.setResult(tl.TaskResult.Succeeded, 'Python package install was successful.');
 
@@ -89,6 +91,7 @@ async function run(): Promise<void> {
         }
 
         try {
+
             // Run the scan and generate the results
             const scan: trm.ToolRunner = tl.tool(pyPath);
             scan.arg(path.join(__dirname, './python/scanner.py'));

requirements.txt

@@ -1,3 +1,3 @@
-dnspython==2.0.0
-junitparser==1.6.2
-sslyze==3.1.0
+dnspython==2.1.0
+junitparser==2.0.0
+sslyze==4.0.1

tests/test_tlstestgate.py

@@ -3,10 +3,26 @@
 usage: pytest -v test_tlstestgate.py --cov=buildAndReleaseTask
 
 """
+import html
+import json
+import os
 
-from buildAndReleaseTask.python.scanner import scan
+from junitparser import JUnitXml
 
-DNS_SERVER = '8.8.8.8'
+from buildAndReleaseTask.python.scanner import scan, write_output
+
+DNS_SERVER = "8.8.8.8"
+
+TEST_RESULTS = {"Results": [{"Version": "TLS_1_1", "Cipher": "TLS_RSA_WITH_AES_256_CBC_SHA"},
+                {"Version": "TLS_1_1", "Cipher": "TLS_RSA_WITH_AES_128_CBC_SHA"},
+                {"Version": "TLS_1_1", "Cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
+                {"Version": "TLS_1_1", "Cipher": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
+                {"Version": "TLS_1_1", "Cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
+                {"Version": "TLS_1_0", "Cipher": "TLS_RSA_WITH_AES_256_CBC_SHA"},
+                {"Version": "TLS_1_0", "Cipher": "TLS_RSA_WITH_AES_128_CBC_SHA"},
+                {"Version": "TLS_1_0", "Cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
+                {"Version": "TLS_1_0", "Cipher": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"},
+                {"Version": "TLS_1_0", "Cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}]}
 
 
 def test_scan_no_violations():
@@ -57,7 +73,7 @@ def test_sslyze_timeout():
 def test_bad_dnsserver():
     """ Test bad dns server """
 
-    results = scan('8.8.7.6', "espn.com", 443)
+    results = scan("8.8.7.6", "espn.com", 443)
 
     # Check the output to ensure the DNS name could not resolve
     assert results["Results"] == ["The DNS operation timed out."]
@@ -79,3 +95,24 @@ def test_by_ip_no_violations():
 
     # Check the output to ensure there are no violations
     assert results["Results"] != ["No SSL/TLS Violations found."]
+
+def test_junit_parser_with_violations():
+    """ Test writing results to test-output.xml and reading output """
+
+    # Write the test-output.xml
+    write_output("foo", TEST_RESULTS)
+
+    # Load it
+    output = os.path.normpath(os.path.abspath(os.path.expanduser(os.path.expandvars("test-output.xml"))))
+
+    xml = JUnitXml.fromfile(output)
+    for suite in xml:
+        # Should be one failure
+        assert suite.failures == 1
+
+        for case in suite:
+            for element in case:
+                results = html.unescape(element.message)
+                jsonResults = json.loads(results.replace("'", "\""))
+                # Should be 10 results
+                assert len(jsonResults["Results"]) == 10

tox.ini

@@ -4,7 +4,7 @@
 # and then run "tox" from this directory.
 [tox]
 skipsdist=True
-envlist = py37, py38
+envlist = py36, py37, py38, py39
 
 [testenv]
 commands =

vss-extension.json

@@ -4,7 +4,7 @@
     "name": "SSL/TLS Test Gate",
     "version": "1.0.0",
     "publisher": "gattjoe",
-    "description": "Test public or internal endpoints for non-compliant SSL/TLS settings. This extension requires Python 3.7 or 3.8, Python 3.9 is not supported at this time.",
+    "description": "Test public or internal endpoints for non-compliant SSL/TLS settings. Python 3.7 and above is required.",
     "targets": [
         {
             "id": "Microsoft.VisualStudio.Services"