root = RootCert('root')
root.create_signed_cert('client')
# Mock out a graphite server
m = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
m.settimeout(10)
m.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
m.bind((LOCALHOST, 13099))
m.listen(1)
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--metrics-interval=1s',
'--cacert=root.crt',
'--metrics-graphite=localhost:13099'])
# wait for metrics to be sent
conn, addr = m.accept()
for line in conn.makefile().readlines():
if len(line.partition(' ')) != 3:
raise Exception('invalid metric: ' + line)
print_ok("OK")
finally:
terminate(ghostunnel)
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
# start ghostunnel with bad proxy
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client.p12',
'--connect-proxy=ftp://invalid',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
print_ok("OK (terminated)")
# start ghostunnel with bad client listen addr
ghostunnel = run_ghostunnel(['client',
'--listen=invalid',
# create certs
root = RootCert('root')
root.create_signed_cert('server1')
root.create_signed_cert('client')
root.create_signed_cert(
'server2', san="IP:127.0.0.1,IP:::1,DNS:foobar")
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002',
'--keystore=client.p12',
'--cacert=root.crt',
'--timed-reload=1s',
'--override-server-name=foobar',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# connect to server1, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer(
'server2', 'root', 13002))
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, UnixServer, TlsClient, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
server = UnixServer()
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target=unix:{0}'.format(server.get_socket_path()),
'--keystore=server.p12',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT),
'--cacert=root.crt', '--allow-ou=client'
])
# connect with client, confirm that the tunnel is up
pair = SocketPair(TlsClient('client', 'root', 13001), server)
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_closing_server_closes_client(
"1: server closed -> client closed")
print_ok("OK")
finally:
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel with bad flags
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--connect-proxy=ftp://invalid',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
print_ok("OK (terminated)")
finally:
terminate(ghostunnel)
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel with bad access flags
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
print_ok("OK (terminated)")
# start ghostunnel with bad listen addr
ghostunnel = run_ghostunnel([
'server', '--listen=invalid',
'--target={0}:13002'.format(LOCALHOST), '--allow-all',
if __name__ == "__main__":
ghostunnel = None
try:
# Only run PKCS11 tests if requested
if 'GHOSTUNNEL_TEST_PKCS11' not in os.environ:
sys.exit(0)
# start ghostunnel
# hack: point target to STATUS_PORT so that /_status doesn't 503.
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--keystore=../test-keys/server-cert.pem',
'--pkcs11-module={0}'.format(os.environ['GHOSTUNNEL_TEST_PKCS11_MODULE']),
'--pkcs11-token-label={0}'.format(os.environ['GHOSTUNNEL_TEST_PKCS11_LABEL']),
'--pkcs11-pin={0}'.format(os.environ['GHOSTUNNEL_TEST_PKCS11_PIN']),
'--cacert=../test-keys/cacert.pem',
'--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
def urlopen(path):
return urllib.request.urlopen(path, cafile='../test-keys/cacert.pem')
# block until ghostunnel is up
TcpClient(STATUS_PORT).connect(3)
status = json.loads(str(urlopen(
"https://{0}:{1}/_status".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
metrics = json.loads(str(urlopen(
"https://{0}:{1}/_metrics".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
if __name__ == '__main__':
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
# hack: point target to STATUS_PORT so that /_status doesn't 503.
ghostunnel = run_ghostunnel(['server',
'--quiet=all',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--cacert=root.crt',
'--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
def urlopen(path):
return urllib.request.urlopen(path, cafile='root.crt')
# block until ghostunnel is up
TcpClient(STATUS_PORT).connect(20)
# send some requests to status endpoints
metrics = json.loads(str(urlopen(
'https://{0}:{1}/_metrics'.format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel with bad flags
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--disable-authentication',
'--allow-cn=test.example.com',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
print_ok("OK (terminated)")
finally:
terminate(ghostunnel)
Spins up a client and tests systemd socket activation.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsServer, print_ok, run_ghostunnel, terminate
from distutils.spawn import find_executable
import sys
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen=launchd:client',
'--target={0}:{1}'.format(LOCALHOST,
STATUS_PORT), '--keystore=client.p12',
'--status=systemd:status', '--cacert=root.crt'
])
ghostunnel.wait(timeout=10)
if ghostunnel.returncode == 0:
raise Exception('Should fail on invalid socket')
print_ok("OK")
finally:
terminate(ghostunnel)
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel
tempdir = mkdtemp()
path = os.path.join(tempdir, 'ghostunnel-status-socket')
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target=unix:{0}'.format(path),
'--keystore=server.p12',
'--cacert=root.crt',
'--allow-ou=client',
'--status=unix:{0}'.format(path)])
# wait for startup
for i in range(0, 10):
if os.path.exists(path):
break
time.sleep(1)
# read status information
conn = UnixHTTPConnection(path)
conn.connect()
conn.request('GET', '/_status')
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate, assert_not_zero
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel with bad flags
ghostunnel1 = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--disable-authentication', '--cacert=root.crt'
])
assert_not_zero(ghostunnel1)
ghostunnel2 = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--cert=server.crt',
'--key=server.key', '--disable-authentication', '--cacert=root.crt'
])
assert_not_zero(ghostunnel2)
ghostunnel3 = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--key=server.crt',
'--cacert=root.crt'
])
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root1 = RootCert('root1')
root1.create_signed_cert('server1')
root1.create_signed_cert('client1')
root1.create_signed_cert('new_client1')
root2 = RootCert('new_root')
root2.create_signed_cert('server2')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12',
'--timed-reload=1s', '--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13001),
TlsServer('server1', 'root1', 13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
# check certificate on status port
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("got client1 on /_status")
# replace keystore and check ghostunnel connects with new_client1
print_ok("replacing certificates")
import time
import os
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--cacert=root.crt',
'--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for startup
TlsClient(None, 'root', STATUS_PORT).connect(20, 'server')
# create connections with client
pair1 = SocketPair(
TlsClient('client', 'root', 13001), TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
# shut down ghostunnel with connection open, make sure it doesn't hang
print_ok('attempting to terminate ghostunnel via SIGTERM signals')
for n in range(0, 90):
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
httpd = http.server.HTTPServer(
(LOCALHOST, 13080), FakeConnectProxyHandler)
server = threading.Thread(target=httpd.handle_request)
server.start()
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client.p12',
'--cacert=root.crt',
'--connect-proxy=http://{0}:13080'.format(LOCALHOST),
'--connect-timeout=30s',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# connect to server, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer('server', 'root', 13002))
pair.validate_can_send_from_client(
'hello world', '1: client -> server')
pair.validate_can_send_from_server(
'hello world', '1: server -> client')
pair.validate_closing_client_closes_server('closing client')
pair.cleanup()
print_ok("OK")
# create certs
root = RootCert('root')
root.create_signed_cert('server')
httpd = http.server.HTTPServer(
('localhost', 13080), FakeMetricsBridgeHandler)
server = threading.Thread(target=httpd.handle_request)
server.start()
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--cacert=root.crt',
'--allow-ou=client',
'--enable-pprof',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--metrics-interval=1s',
'--metrics-url=http://localhost:13080/post'])
# wait for metrics to post
for i in range(0, 10):
if received_metrics:
break
else:
# wait a little longer...
time.sleep(1)
if not received_metrics:
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server1')
root.create_signed_cert('client')
root.create_signed_cert('server2',
san="IP:127.0.0.1,IP:::1,DNS:foobar")
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002', '--keystore=client.p12',
'--cacert=root.crt', '--timed-reload=1s',
'--override-server-name=foobar',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# connect to server1, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer('server2', 'root',
13002))
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, UnixClient, TlsServer, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
client = UnixClient()
ghostunnel = run_ghostunnel(['client',
'--listen=unix:{0}'.format(client.get_socket_path()),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--cacert=root.crt'])
# connect to server, confirm that the tunnel is up
pair = SocketPair(client, TlsServer('server', 'root', 13002))
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
print_ok("OK")
finally:
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel with bad access flags
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
print_ok("OK (terminated)")
# start ghostunnel with bad listen addr
ghostunnel = run_ghostunnel([
'server', '--listen=invalid',
'--target={0}:13002'.format(LOCALHOST), '--allow-all',
root.create_signed_cert('client')
root.create_signed_cert(
'server1',
san='DNS:server1,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'server2',
san='DNS:server2,IP:127.0.0.1,IP:::1,DNS:localhost')
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002',
'--keystore=client.p12',
'--verify-dns=server1',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# connect to server1, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root', 13002))
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to server2, confirm that the tunnel isn't up
ghostunnel = None
try:
# create certs
root1 = RootCert('root1')
root1.create_signed_cert('server1')
root1.create_signed_cert('client1')
root1.create_signed_cert('new_client1')
root2 = RootCert('new_root')
root2.create_signed_cert('server2')
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client1.p12',
'--timed-reload=1s',
'--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root1', 13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
# check certificate on status port
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("got client1 on /_status")
# replace keystore and check ghostunnel connects with new_client1
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server1')
root.create_signed_cert('client')
root.create_signed_cert('server2',
san="IP:127.0.0.1,IP:::1,DNS:foobar")
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002', '--keystore=client.p12',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# connect to server1, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer('server1', 'root',
13002))
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
try:
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client1')
root.create_signed_cert('client2')
other_root = RootCert('other_root')
other_root.create_signed_cert('other_client1')
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT),
'--cacert=root.crt', '--disable-authentication'
])
# connect with no client cert, confirm that the tunnel is up
pair = SocketPair(TlsClient(None, 'root', 13001), TcpServer(13002))
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect with client1 cert, confirm that the tunnel is up
pair2 = SocketPair(TlsClient('client1', 'root', 13001),
TcpServer(13002))
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, UnixClient, TlsServer, print_ok, run_ghostunnel, terminate
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
client = UnixClient()
ghostunnel = run_ghostunnel([
'client', '--listen=unix:{0}'.format(client.get_socket_path()),
'--target={0}:13002'.format(LOCALHOST), '--keystore=client.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT), '--cacert=root.crt'
])
# connect to server, confirm that the tunnel is up
pair = SocketPair(client, TlsServer('server', 'root', 13002))
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
print_ok("OK")
finally:
terminate(ghostunnel)
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server1')
root.create_signed_cert(
'server2', san="IP:127.0.0.1,IP:::1,DNS:foobar")
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002',
'--cacert=root.crt',
'--disable-authentication',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# connect to server1, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root', 13002, cert_reqs=ssl.CERT_NONE))
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
import signal
import json
import sys
if __name__ == "__main__":
ghostunnel = None
try:
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--cert=server.crt',
'--key=server.key', '--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT), '--allow-ou=client'
])
# connect with client, confirm that the tunnel is up
pair = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
print_ok("OK")
finally:
import urllib.error
import urllib.parse
import time
import json
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt', '--allow-ou=client', '--enable-pprof',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
def urlopen(path):
return urllib.request.urlopen(path, cafile='root.crt')
# Wait until ghostunnel is up
TcpClient(STATUS_PORT).connect(20)
# Load JSON metrics
received_metrics1 = json.loads(
str(
urlopen("https://{0}:{1}/_metrics?format=json".format(
LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate, assert_not_zero
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel with bad flags
ghostunnel1 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--disable-authentication', '--allow-cn=test.example.com',
'--cacert=root.crt'
])
assert_not_zero(ghostunnel1)
ghostunnel2 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cert=server.crt', '--key=server.key', '--cacert=root.crt'
])
assert_not_zero(ghostunnel2)
ghostunnel3 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--cert=server.crt',
'--cacert=root.crt'
import json
if __name__ == '__main__':
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
# hack: point target to STATUS_PORT so that /_status doesn't 503.
ghostunnel = run_ghostunnel([
'server', '--quiet=conns', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt', '--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
def urlopen(path):
return urllib.request.urlopen(path, cafile='root.crt')
# block until ghostunnel is up
TcpClient(STATUS_PORT).connect(20)
# send some requests to status endpoints
metrics = json.loads(
str(
urlopen('https://{0}:{1}/_metrics'.format(
LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
if __name__ == "__main__":
ghostunnel = None
n_clients = 10
allow_ou = []
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
for n in range(1, n_clients):
root.create_signed_cert("client{0}".format(n))
allow_ou.append("--allow-ou=client{0}".format(n))
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(
LOCALHOST), '--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12', '--status={0}:{1}'.format(
LOCALHOST, STATUS_PORT), '--cacert=root.crt'
] + allow_ou)
# clients should be able to communicate all at the same time.
procs = []
for n in range(1, n_clients):
pair = SocketPair(TlsClient("client{0}".format(n), 'root', 13001),
TcpServer(13002))
proc = Process(target=send_data, args=(
n,
pair,
))
proc.start()
procs.append(proc)
for proc in procs:
#!/usr/bin/env python3
from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate, assert_not_zero
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
# start ghostunnel with bad flags
ghostunnel1 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--disable-authentication', '--allow-cn=test.example.com',
'--cacert=root.crt'
])
assert_not_zero(ghostunnel1)
ghostunnel2 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cert=server.crt', '--key=server.key', '--cacert=root.crt'
])
assert_not_zero(ghostunnel2)
ghostunnel3 = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--cert=server.crt',
'--cacert=root.crt'
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server1')
root.create_signed_cert('server2',
san="IP:127.0.0.1,IP:::1,DNS:foobar")
other_root = RootCert('other_root')
other_root.create_signed_cert('other_server')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002', '--cacert=root.crt',
'--disable-authentication',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# connect to server1, confirm that the tunnel is up
pair = SocketPair(
TcpClient(13001),
TlsServer('server1', 'root', 13002, cert_reqs=ssl.CERT_NONE))
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
)
sys.exit(0)
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen=systemd:client', '--target={0}:{1}'.format(
LOCALHOST, STATUS_PORT), '--keystore=client.p12',
'--status=systemd:status', '--cacert=root.crt'
],
prefix=[
'systemd-socket-activate',
'--listen={0}:13001'.format(LOCALHOST),
'--listen={0}:{1}'.format(
LOCALHOST, STATUS_PORT),
'--fdname=client:status',
'-E=GHOSTUNNEL_INTEGRATION_TEST',
'-E=GHOSTUNNEL_INTEGRATION_ARGS',
])
# Connect on status port to trigger socket activation
# so it will spin up the ghostunnel instance
TcpClient(STATUS_PORT).connect(20)
print_ok("OK")
finally:
terminate(ghostunnel)
