#!/usr/bin/env python3
"""
Ensures we can connect to a server signed by root1 but not root2.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate
import ssl
import signal
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server1')
root.create_signed_cert('client')
root.create_signed_cert(
'server2', san="IP:127.0.0.1,IP:::1,DNS:foobar")
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002',
'--keystore=client.p12',
'--cacert=root.crt',
'--timed-reload=1s',
'--override-server-name=foobar',
#!/usr/bin/env python3
"""
Ensures that tunnel sees & reloads a certificate
change.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate
import os
import signal
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('new_server')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt', '--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# create connections with client
pair1 = SocketPair(TlsClient('client', 'root', 13001),
TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
There are various cases to take into account:
- tunnel picks up client cert change and connects with new cert.
- tunnel picks up ca change and connects to other_server.
- tunnel picks up client cert change and uses it on the status port.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate
import os
import signal
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root1 = RootCert('root1')
root1.create_signed_cert('server1')
root1.create_signed_cert('client1')
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client1.p12',
'--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root1', 13002))
"{0}:{1} server -> client".format(i, counter))
r = random.random()
if r < 0.5:
p.validate_closing_client_closes_server(
"{0} client close -> server close".format(i))
else:
p.validate_closing_server_closes_client(
"{0} server close -> client close".format(i))
if __name__ == "__main__":
ghostunnel = None
n_clients = 10
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
for n in range(1, n_clients):
root.create_signed_cert("server{0}".format(n))
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=client.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT), '--cacert=root.crt'
])
# servers should be able to communicate all at the same time.
procs = []
for n in range(1, n_clients):
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
# start ghostunnel with bad proxy
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client.p12',
'--connect-proxy=ftp://invalid',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
print_ok("OK (terminated)")
# start ghostunnel with bad client listen addr
ghostunnel = run_ghostunnel(['client',
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate
import time
import os
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--cacert=root.crt',
'--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for startup
TlsClient(None, 'root', STATUS_PORT).connect(20, 'server')
# create connections with client
pair1 = SocketPair(
TlsClient('client', 'root', 13001), TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
There are various cases to take into account:
- tunnel picks up client cert change and connects with new cert.
- tunnel picks up ca change and connects to other_server.
- tunnel picks up client cert change and uses it on the status port.
"""
import ssl
import os
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root1 = RootCert('root1')
root1.create_signed_cert('server1')
root1.create_signed_cert('client1')
root1.create_signed_cert('new_client1')
root2 = RootCert('new_root')
root2.create_signed_cert('server2')
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client1.p12',
'--timed-reload=1s',
'--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST,
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate, assert_not_zero
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel with bad flags
ghostunnel1 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--disable-authentication', '--allow-cn=test.example.com',
'--cacert=root.crt'
])
assert_not_zero(ghostunnel1)
ghostunnel2 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cert=server.crt', '--key=server.key', '--cacert=root.crt'
])
assert_not_zero(ghostunnel2)
ghostunnel3 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--cert=server.crt',
'--cacert=root.crt'
(self.connection if s == remote else remote).send(data)
finally:
print_ok("connect proxy is done")
try:
socket.get_socket().shutdown()
socket.cleanup()
self.connection.close()
except BaseException:
pass
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server', san='DNS:{}'.format(FAKE_TARGET))
root.create_signed_cert('client')
httpd = http.server.HTTPServer((LOCALHOST, 13080),
FakeConnectProxyHandler)
server = threading.Thread(target=httpd.handle_request)
server.start()
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(FAKE_TARGET), '--keystore=client.p12',
'--cacert=root.crt',
'--connect-proxy=http://{0}:13080'.format(LOCALHOST),
'--connect-timeout=30s',
#!/usr/bin/env python3
"""
Ensures that root certificates are reloaded as well.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate
import time
import signal
import os
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--cacert=root.crt',
'--allow-ou=client'])
# connect with client, confirm that the tunnel is up
pair = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
"""
Test to check --allow-uri flag behavior.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \
TlsClient, print_ok, run_ghostunnel, terminate
import os
import signal
import ssl
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert(
'server',
san='URI:spiffe://server,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'client1',
san='URI:spiffe://client1,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'client2',
san='URI:spiffe://client2,IP:127.0.0.1,IP:::1,DNS:localhost')
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
There are various cases to take into account:
- tunnel picks up client cert change and connects with new cert.
- tunnel picks up ca change and connects to other_server.
- tunnel picks up client cert change and uses it on the status port.
"""
import ssl
import os
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root1 = RootCert('root1')
root1.create_signed_cert('server1')
root1.create_signed_cert('client1')
root1.create_signed_cert('new_client1')
root2 = RootCert('new_root')
root2.create_signed_cert('server2')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12',
'--timed-reload=1s', '--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
#!/usr/bin/env python3
"""
Tests that verify-uri flag works correctly on the client.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \
TlsServer, print_ok, run_ghostunnel, terminate
import ssl
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
root.create_signed_cert(
'server1',
san='URI:spiffe://server1,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'server2',
san='URI:spiffe://server2,IP:127.0.0.1,IP:::1,DNS:localhost')
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002', '--keystore=client.p12',
'--verify-uri=spiffe://server1', '--cacert=root.crt',
#!/usr/bin/env python3
"""
Ensures that Graphite metrics submission works.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate
import socket
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
# Mock out a graphite server
m = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
m.settimeout(10)
m.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
m.bind((LOCALHOST, 13099))
m.listen(1)
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--metrics-interval=1s',
r = random.random()
if r < 0.5:
p.validate_closing_client_closes_server(
"{0} client close -> server close".format(i))
else:
p.validate_closing_server_closes_client(
"{0} server close -> client close".format(i))
if __name__ == "__main__":
ghostunnel = None
n_clients = 10
allow_ou = []
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
for n in range(1, n_clients):
root.create_signed_cert("client{0}".format(n))
allow_ou.append("--allow-ou=client{0}".format(n))
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--cacert=root.crt'] + allow_ou)
# clients should be able to communicate all at the same time.
"""
Test to check --allow-dns flag behavior.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \
TlsClient, print_ok, run_ghostunnel, terminate
import os
import signal
import ssl
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert(
'server',
san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'client1',
san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'client2',
san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost')
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
"""
Test to check --allow-dns flag behavior.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \
TlsClient, print_ok, run_ghostunnel, terminate
import os
import signal
import ssl
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert(
'server', san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'client1', san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'client2', san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost')
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt', '--allow-dns=client1',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
Ensures that /_status endpoint works.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, TcpClient, TlsClient, print_ok, run_ghostunnel, terminate
import urllib.request
import urllib.error
import urllib.parse
import os
import signal
import json
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('new_server')
root.create_signed_cert('client')
# start ghostunnel
# hack: point target to STATUS_PORT so that /_status doesn't 503.
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--keystore=server.p12',
'--cacert=root.crt',
'--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
#!/usr/bin/env python3
"""
Ensures client1 can connect but that clients with ou=client2 or ca=other_root can't connect.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate
import ssl
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client1')
root.create_signed_cert('client2')
other_root = RootCert('other_root')
other_root.create_signed_cert('other_client1')
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--cacert=root.crt',
'--allow-ou=client1'])
r = random.random()
if r < 0.5:
p.validate_closing_client_closes_server(
"{0} client close -> server close".format(i))
else:
p.validate_closing_server_closes_client(
"{0} server close -> client close".format(i))
if __name__ == "__main__":
ghostunnel = None
n_clients = 10
allow_ou = []
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
for n in range(1, n_clients):
root.create_signed_cert("client{0}".format(n))
allow_ou.append("--allow-ou=client{0}".format(n))
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(
LOCALHOST), '--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12', '--status={0}:{1}'.format(
LOCALHOST, STATUS_PORT), '--cacert=root.crt'
] + allow_ou)
# clients should be able to communicate all at the same time.
procs = []
#!/usr/bin/env python3
"""
Tests that verify-dns flag works correctly on the client.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \
TlsServer, print_ok, run_ghostunnel, terminate
import ssl
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
root.create_signed_cert(
'server1',
san='DNS:server1,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'server2',
san='DNS:server2,IP:127.0.0.1,IP:::1,DNS:localhost')
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002',
#!/usr/bin/env python3
"""
Test a client which has disabled authentication. It will not send a TLS Client
Certificate, but should still perform verification.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsServer, print_ok, run_ghostunnel, terminate
import ssl
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server1')
root.create_signed_cert('server2',
san="IP:127.0.0.1,IP:::1,DNS:foobar")
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002', '--cacert=root.crt',
'--disable-authentication',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# connect to server1, confirm that the tunnel is up
pair = SocketPair(
There are various cases to take into account:
- tunnel picks up client cert change and connects with new cert.
- tunnel picks up ca change and connects to other_server.
- tunnel picks up client cert change and uses it on the status port.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate
import os
import signal
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root1 = RootCert('root1')
root1.create_signed_cert('server1')
root1.create_signed_cert('client1')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12',
'--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13001),
TlsServer('server1', 'root1', 13002))
pair1.validate_can_send_from_client("toto", "pair1 works")