def test_ssl_socket(self):
server = None
display_no = self.find_free_display_no()
display = ":%s" % display_no
tcp_port = get_free_tcp_port()
ssl_port = get_free_tcp_port()
try:
tmpdir = tempfile.mkdtemp(suffix='ssl-xpra')
certfile = os.path.join(tmpdir, "self.pem")
openssl_command = [
"openssl", "req", "-new", "-newkey", "rsa:4096", "-days", "2", "-nodes", "-x509",
"-subj", "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost",
"-keyout", certfile, "-out", certfile,
]
openssl = self.run_command(openssl_command)
assert pollwait(openssl, 10)==0, "openssl certificate generation failed"
cert_data = load_binary_file(certfile)
log("generated cert data: %s", repr_ellipsized(cert_data))
if not cert_data:
#cannot run openssl? (happens from rpmbuild)
log.warn("SSL test skipped, cannot run '%s'", b" ".join(openssl_command))
return
server_args = [
"--bind-tcp=0.0.0.0:%i" % tcp_port,
"--bind-ssl=0.0.0.0:%i" % ssl_port,
"--ssl=on",
"--ssl-cert=%s" % certfile]
log("starting test ssl server on %s", display)
server = self.start_server(display, *server_args)
#test it with openssl client:
for port in (tcp_port, ssl_port):
openssl_verify_command = "openssl s_client -connect 127.0.0.1:%i -CAfile %s < /dev/null" % (port, certfile)
openssl = self.run_command(openssl_verify_command, shell=True)
assert pollwait(openssl, 10)==0, "openssl certificate verification failed"
def test_connect(uri, exit_code, *client_args):
cmd = ["info", uri] + list(client_args)
client = self.run_xpra(cmd)
r = pollwait(client, 5)
if client.poll() is None:
client.terminate()
assert r==exit_code, "expected info client to return %s but got %s" % (exit_code, client.poll())
noverify = "--ssl-server-verify-mode=none"
#connect to ssl socket:
test_connect("ssl/127.0.0.1:%i/" % ssl_port, EXIT_OK, noverify)
#tcp socket should upgrade:
test_connect("ssl/127.0.0.1:%i/" % tcp_port, EXIT_OK, noverify)
#self signed cert should fail without noverify:
test_connect("ssl/127.0.0.1:%i/" % ssl_port, EXIT_CONNECTION_LOST)
test_connect("ssl/127.0.0.1:%i/" % tcp_port, EXIT_CONNECTION_LOST)
finally:
shutil.rmtree(tmpdir)
if server:
server.terminate()
def test_ssl_socket(self):
server = None
display_no = self.find_free_display_no()
display = ":%s" % display_no
tcp_port = get_free_tcp_port()
ssl_port = get_free_tcp_port()
try:
tmpdir = tempfile.mkdtemp(suffix='ssl-xpra')
certfile = os.path.join(tmpdir, "self.pem")
openssl_command = [
"openssl",
"req",
"-new",
"-newkey",
"rsa:4096",
"-days",
"2",
"-nodes",
"-x509",
"-subj",
"/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost",
"-keyout",
certfile,
"-out",
certfile,
]
openssl = self.run_command(openssl_command)
assert pollwait(openssl,
10) == 0, "openssl certificate generation failed"
cert_data = load_binary_file(certfile)
log("generated cert data: %s", repr_ellipsized(cert_data))
if not cert_data:
#cannot run openssl? (happens from rpmbuild)
log.warn("SSL test skipped, cannot run '%s'",
b" ".join(openssl_command))
return
server_args = [
"--bind-tcp=0.0.0.0:%i" % tcp_port,
"--bind-ssl=0.0.0.0:%i" % ssl_port, "--ssl=on",
"--ssl-cert=%s" % certfile
]
log("starting test ssl server on %s", display)
server = self.start_server(display, *server_args)
#test it with openssl client:
for port in (tcp_port, ssl_port):
openssl_verify_command = "openssl s_client -connect 127.0.0.1:%i -CAfile %s < /dev/null" % (
port, certfile)
openssl = self.run_command(openssl_verify_command, shell=True)
assert pollwait(
openssl,
10) == 0, "openssl certificate verification failed"
def test_connect(uri, exit_code, *client_args):
cmd = ["info", uri] + list(client_args)
client = self.run_xpra(cmd)
r = pollwait(client, 5)
if client.poll() is None:
client.terminate()
assert r == exit_code, "expected info client to return %s but got %s" % (
exit_code, client.poll())
noverify = "--ssl-server-verify-mode=none"
#connect to ssl socket:
test_connect("ssl/127.0.0.1:%i/" % ssl_port, EXIT_OK, noverify)
#tcp socket should upgrade:
test_connect("ssl/127.0.0.1:%i/" % tcp_port, EXIT_OK, noverify)
#self signed cert should fail without noverify:
test_connect("ssl/127.0.0.1:%i/" % ssl_port, EXIT_CONNECTION_LOST)
test_connect("ssl/127.0.0.1:%i/" % tcp_port, EXIT_CONNECTION_LOST)
finally:
shutil.rmtree(tmpdir)
if server:
server.terminate()
def test_ssl(self):
server = None
display_no = self.find_free_display_no()
display = ":%s" % display_no
tcp_port = get_free_tcp_port()
ws_port = get_free_tcp_port()
wss_port = get_free_tcp_port()
ssl_port = get_free_tcp_port()
try:
tmpdir = tempfile.mkdtemp(suffix='ssl-xpra')
keyfile = os.path.join(tmpdir, "key.pem")
outfile = os.path.join(tmpdir, "out.pem")
openssl_command = [
"openssl",
"req",
"-new",
"-newkey",
"rsa:4096",
"-days",
"2",
"-nodes",
"-x509",
"-subj",
"/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost",
"-keyout",
keyfile,
"-out",
outfile,
]
openssl = self.run_command(openssl_command)
assert pollwait(openssl,
20) == 0, "openssl certificate generation failed"
#combine the two files:
certfile = os.path.join(tmpdir, "cert.pem")
with open(certfile, 'wb') as cert:
for fname in (keyfile, outfile):
with open(fname, 'rb') as f:
cert.write(f.read())
cert_data = load_binary_file(certfile)
log("generated cert data: %s", repr_ellipsized(cert_data))
if not cert_data:
#cannot run openssl? (happens from rpmbuild)
log.warn("SSL test skipped, cannot run '%s'",
b" ".join(openssl_command))
return
server_args = [
"--bind-tcp=0.0.0.0:%i" % tcp_port,
"--bind-ws=0.0.0.0:%i" % ws_port,
"--bind-wss=0.0.0.0:%i" % wss_port,
"--bind-ssl=0.0.0.0:%i" % ssl_port,
"--ssl=on",
"--html=on",
"--ssl-cert=%s" % certfile,
]
log("starting test ssl server on %s", display)
server = self.start_server(display, *server_args)
#test it with openssl client:
for port in (tcp_port, ssl_port, ws_port, wss_port):
openssl_verify_command = ("openssl", "s_client", "-connect",
"127.0.0.1:%i" % port, "-CAfile",
certfile)
devnull = os.open(os.devnull, os.O_WRONLY)
openssl = self.run_command(openssl_verify_command,
stdin=devnull,
shell=True)
r = pollwait(openssl, 10)
assert r == 0, "openssl certificate verification failed, returned %s" % r
def test_connect(uri, exit_code, *client_args):
cmd = ["info", uri] + list(client_args)
client = self.run_xpra(cmd)
r = pollwait(client, CONNECT_WAIT)
if client.poll() is None:
client.terminate()
assert r == exit_code, "expected info client to return %s but got %s" % (
estr(exit_code), estr(client.poll()))
noverify = "--ssl-server-verify-mode=none"
#connect to ssl socket:
test_connect("ssl://127.0.0.1:%i/" % ssl_port, EXIT_OK, noverify)
#tcp socket should upgrade to ssl:
test_connect("ssl://127.0.0.1:%i/" % tcp_port, EXIT_OK, noverify)
#tcp socket should upgrade to ws and ssl:
test_connect("wss://127.0.0.1:%i/" % tcp_port, EXIT_OK, noverify)
#ws socket should upgrade to ssl:
test_connect("wss://127.0.0.1:%i/" % ws_port, EXIT_OK, noverify)
#self signed cert should fail without noverify:
test_connect("ssl://127.0.0.1:%i/" % ssl_port,
EXIT_SSL_CERTIFICATE_VERIFY_FAILURE)
test_connect("ssl://127.0.0.1:%i/" % tcp_port,
EXIT_SSL_CERTIFICATE_VERIFY_FAILURE)
test_connect("wss://127.0.0.1:%i/" % ws_port,
EXIT_SSL_CERTIFICATE_VERIFY_FAILURE)
test_connect("wss://127.0.0.1:%i/" % wss_port,
EXIT_SSL_CERTIFICATE_VERIFY_FAILURE)
finally:
shutil.rmtree(tmpdir)
if server:
server.terminate()
def _test(self, subcommand, options):
log("starting test server with options=%s", options)
args = ["--%s=%s" % (k, v) for k, v in options.items()]
tcp_port = None
xvfb = None
if WIN32 or OSX:
display = ""
connect_args = []
elif self.display:
display = self.display
connect_args = [display]
args.append("--use-display=yes")
else:
display = self.find_free_display()
connect_args = [display]
if subcommand == "shadow":
xvfb = self.start_Xvfb(display)
if TEST_RFB or WIN32:
tcp_port = get_free_tcp_port()
args += ["--bind-tcp=0.0.0.0:%i" % tcp_port]
if WIN32:
connect_args = ["tcp://127.0.0.1:%i" % tcp_port]
server = None
client = None
rfb_client = None
gui_client = None
try:
log("args=%s", " ".join("'%s'" % x for x in args))
server = self.check_server(subcommand, display, *args)
#we should always be able to get the version:
client = self.run_xpra(["version"] + connect_args)
assert pollwait(
client, 5
) == 0, "version client failed to connect to server with args=%s" % args
#run info query:
cmd = ["info"] + connect_args
client = self.run_xpra(cmd)
r = pollwait(client, 20)
assert r==0, "info client failed and returned %s: '%s' for server with args=%s" % \
(r, EXIT_STR.get(r, r), args)
client_kwargs = {}
if not (WIN32 or OSX):
env = self.get_run_env()
env["DISPLAY"] = self.client_display
client_kwargs = {"env": env}
if subcommand in ("shadow",
"start-desktop") and TEST_RFB and options.get(
"windows", True):
vncviewer = which("vncviewer")
log("testing RFB clients with vncviewer '%s'", vncviewer)
if vncviewer:
rfb_cmd = [vncviewer, "localhost::%i" % tcp_port]
rfb_client = self.run_command(rfb_cmd, **client_kwargs)
r = pollwait(rfb_client, 10)
if r is not None:
self.show_proc_error(
rfb_client,
"rfb client terminated early and returned %i for server with args=%s"
% (r, args))
#connect a gui client:
if WIN32 or (self.client_display and self.client_xvfb):
xpra_args = [
"attach",
"--clipboard=no", #could create loops
"--notifications=no", #may get sent to the desktop session running the tests!
] + connect_args
gui_client = self.run_xpra(xpra_args, **client_kwargs)
r = pollwait(gui_client, 10)
if r is not None:
self.show_proc_error(
gui_client,
"gui client terminated early and returned %i : '%s' for server with args=%s"
% (r, EXIT_STR.get(r, r), args))
if self.display:
self.stop_server(server, "exit", *connect_args)
else:
self.stop_server(server, "stop", *connect_args)
if display:
if display in self.dotxpra.displays():
log.warn(
"server socket for display %s should have been removed",
display)
if gui_client:
r = pollwait(gui_client, 20)
if r is None:
log.warn("client still connected!")
self.show_proc_pipes(server)
raise Exception("gui client should have been disconnected")
except Exception:
log.error("test error for '%s' subcommand with options=%s",
subcommand, options)
raise
finally:
for x in (xvfb, rfb_client, gui_client, server, client):
try:
if x and x.poll() is None:
x.terminate()
except OSError:
log("%s.terminate()", exc_info=True)