def get_tls_connection_options_for_test(test_type, host_name): if test_type == ProxyTestType.FORWARDING or test_type == ProxyTestType.LEGACY_HTTP or test_type == ProxyTestType.TUNNELING_HTTP: return None else: tls_ctx_opt = TlsContextOptions() tls_ctx = ClientTlsContext(tls_ctx_opt) tls_conn_opt = tls_ctx.new_connection_options() tls_conn_opt.set_server_name(host_name) return tls_conn_opt
def get_proxy_tls_connection_options_for_test(test_type): if test_type == ProxyTestType.TUNNELING_DOUBLE_TLS: tls_ctx_opt = TlsContextOptions() tls_ctx_opt.verify_peer = False tls_ctx = ClientTlsContext(tls_ctx_opt) tls_conn_opt = tls_ctx.new_connection_options() tls_conn_opt.set_server_name("localhost") return tls_conn_opt else: return None
def _new_h2_client_connection(self, url): event_loop_group = EventLoopGroup() host_resolver = DefaultHostResolver(event_loop_group) bootstrap = ClientBootstrap(event_loop_group, host_resolver) port = 443 scheme = 'https' tls_ctx_options = TlsContextOptions() tls_ctx = ClientTlsContext(tls_ctx_options) tls_conn_opt = tls_ctx.new_connection_options() tls_conn_opt.set_server_name(url.hostname) tls_conn_opt.set_alpn_list(["h2"]) connection_future = HttpClientConnection.new(host_name=url.hostname, port=port, bootstrap=bootstrap, tls_connection_options=tls_conn_opt) return connection_future.result(self.timeout)
def _create_connection(self, auth_type=AuthType.CERT_AND_KEY, use_static_singletons=False): config = Config(auth_type) if auth_type == AuthType.CERT_AND_KEY: tls_opts = TlsContextOptions.create_client_with_mtls_from_path(config.cert_path, config.key_path) tls = ClientTlsContext(tls_opts) elif auth_type == AuthType.PKCS11: try: pkcs11_lib = Pkcs11Lib( file=config.pkcs11_lib_path, behavior=Pkcs11Lib.InitializeFinalizeBehavior.STRICT) tls_opts = TlsContextOptions.create_client_with_mtls_pkcs11( pkcs11_lib=pkcs11_lib, user_pin=config.pkcs11_pin, token_label=config.pkcs11_token_label, private_key_label=config.pkcs11_key_label, cert_file_path=config.cert_path) tls = ClientTlsContext(tls_opts) except Exception as e: if 'AWS_ERROR_UNIMPLEMENTED' in str(e): raise unittest.SkipTest(f'TLS with PKCS#11 not supported on this platform ({sys.platform})') else: # re-raise exception raise if use_static_singletons: client = Client(tls_ctx=tls) else: elg = EventLoopGroup() resolver = DefaultHostResolver(elg) bootstrap = ClientBootstrap(elg, resolver) client = Client(bootstrap, tls) connection = Connection( client=client, client_id=create_client_id(), host_name=config.endpoint, port=8883) return connection
def _new_client_connection(self, secure, proxy_options=None): if secure: tls_ctx_opt = TlsContextOptions() tls_ctx_opt.override_default_trust_store_from_path(None, 'test/resources/ca.crt') tls_ctx = ClientTlsContext(tls_ctx_opt) tls_conn_opt = tls_ctx.new_connection_options() tls_conn_opt.set_server_name(self.hostname) else: tls_conn_opt = None event_loop_group = EventLoopGroup() host_resolver = DefaultHostResolver(event_loop_group) bootstrap = ClientBootstrap(event_loop_group, host_resolver) connection_future = HttpClientConnection.new(host_name=self.hostname, port=self.port, bootstrap=bootstrap, tls_connection_options=tls_conn_opt, proxy_options=proxy_options) return connection_future.result(self.timeout)
def test_on_message_old_fn_signature(self): # ensure that message-received callbacks with the old function signature still work config = Config.get() elg = EventLoopGroup() resolver = DefaultHostResolver(elg) bootstrap = ClientBootstrap(elg, resolver) tls_opts = TlsContextOptions.create_client_with_mtls( config.cert, config.key) tls = ClientTlsContext(tls_opts) client = Client(bootstrap, tls) connection = Connection(client=client, client_id=create_client_id(), host_name=config.endpoint, port=8883) any_received = Future() sub_received = Future() # Note: Testing degenerate callback signature that failed to take # forward-compatibility **kwargs. def on_any_message(topic, payload): any_received.set_result({'topic': topic, 'payload': payload}) def on_sub_message(topic, payload): sub_received.set_result({'topic': topic, 'payload': payload}) # on_message for connection has to be set before connect, or possible race will happen connection.on_message(on_any_message) connection.connect().result(TIMEOUT) # subscribe without callback subscribed, packet_id = connection.subscribe(self.TEST_TOPIC, QoS.AT_LEAST_ONCE, on_sub_message) subscribed.result(TIMEOUT) # publish published, packet_id = connection.publish(self.TEST_TOPIC, self.TEST_MSG, QoS.AT_LEAST_ONCE) puback = published.result(TIMEOUT) # receive message rcv = any_received.result(TIMEOUT) self.assertEqual(self.TEST_TOPIC, rcv['topic']) self.assertEqual(self.TEST_MSG, rcv['payload']) rcv = sub_received.result(TIMEOUT) self.assertEqual(self.TEST_TOPIC, rcv['topic']) self.assertEqual(self.TEST_MSG, rcv['payload']) # disconnect connection.disconnect().result(TIMEOUT)
def _new_client_connection(self, secure, proxy_options=None): if secure: tls_ctx_opt = TlsContextOptions() tls_ctx_opt.verify_peer = False tls_ctx = ClientTlsContext(tls_ctx_opt) tls_conn_opt = tls_ctx.new_connection_options() tls_conn_opt.set_server_name(self.hostname) else: tls_conn_opt = None event_loop_group = EventLoopGroup() host_resolver = DefaultHostResolver(event_loop_group) bootstrap = ClientBootstrap(event_loop_group, host_resolver) connection_future = HttpClientConnection.new( host_name=self.hostname, port=self.port, bootstrap=bootstrap, tls_connection_options=tls_conn_opt, proxy_options=proxy_options) return connection_future.result(self.timeout)
def _test_connection(self): config = Config.get() elg = EventLoopGroup() resolver = DefaultHostResolver(elg) bootstrap = ClientBootstrap(elg, resolver) tls_opts = TlsContextOptions.create_client_with_mtls( config.cert, config.key) tls = ClientTlsContext(tls_opts) client = Client(bootstrap, tls) connection = Connection(client=client, client_id=create_client_id(), host_name=config.endpoint, port=8883) connection.connect().result(TIMEOUT) return connection
def test_on_message(self): config = Config.get() elg = EventLoopGroup() resolver = DefaultHostResolver(elg) bootstrap = ClientBootstrap(elg, resolver) tls_opts = TlsContextOptions.create_client_with_mtls( config.cert, config.key) tls = ClientTlsContext(tls_opts) client = Client(bootstrap, tls) connection = Connection(client=client, client_id=create_client_id(), host_name=config.endpoint, port=8883) received = Future() def on_message(**kwargs): received.set_result(kwargs) # on_message for connection has to be set before connect, or possible race will happen connection.on_message(on_message) connection.connect().result(TIMEOUT) # subscribe without callback subscribed, packet_id = connection.subscribe(self.TEST_TOPIC, QoS.AT_LEAST_ONCE) subscribed.result(TIMEOUT) # publish published, packet_id = connection.publish(self.TEST_TOPIC, self.TEST_MSG, QoS.AT_LEAST_ONCE) puback = published.result(TIMEOUT) # receive message rcv = received.result(TIMEOUT) self.assertEqual(self.TEST_TOPIC, rcv['topic']) self.assertEqual(self.TEST_MSG, rcv['payload']) self.assertFalse(rcv['dup']) self.assertEqual(QoS.AT_LEAST_ONCE, rcv['qos']) self.assertFalse(rcv['retain']) # disconnect connection.disconnect().result(TIMEOUT)
def s3_client_new(secure, region, part_size=0): event_loop_group = EventLoopGroup() host_resolver = DefaultHostResolver(event_loop_group) bootstrap = ClientBootstrap(event_loop_group, host_resolver) credential_provider = AwsCredentialsProvider.new_default_chain(bootstrap) tls_option = None if secure: opt = TlsContextOptions() ctx = ClientTlsContext(opt) tls_option = TlsConnectionOptions(ctx) s3_client = S3Client(bootstrap=bootstrap, region=region, credential_provider=credential_provider, tls_connection_options=tls_option, part_size=part_size) return s3_client
def __init__(self, bootstrap: ClientBootstrap, socket_options: SocketOptions, tls_context: ClientTlsContext, region: str): assert isinstance(bootstrap, ClientBootstrap) assert isinstance(socket_options, SocketOptions) assert isinstance(tls_context, ClientTlsContext) assert isinstance(region, str) self._bootstrap = bootstrap self._socket_options = socket_options self._region = region self._gg_server_name = 'greengrass-ats.iot.{}.amazonaws.com'.format( region) self._tls_connection_options = tls_context.new_connection_options() self._tls_connection_options.set_server_name(self._gg_server_name) self.port = 8443 if is_alpn_available(): self._tls_connection_options.set_alpn_list(['x-amzn-http-ca']) self.port = 443
def _establish_mqtt_connection(self, proxy_options): event_loop_group = EventLoopGroup() host_resolver = DefaultHostResolver(event_loop_group) bootstrap = ClientBootstrap(event_loop_group, host_resolver) tls_opts = TlsContextOptions.create_client_with_mtls_from_path( ProxyTestConfiguration.HTTP_PROXY_TLS_CERT_PATH, ProxyTestConfiguration.HTTP_PROXY_TLS_KEY_PATH) tls_opts.override_default_trust_store_from_path( ca_filepath=ProxyTestConfiguration.HTTP_PROXY_TLS_ROOT_CA_PATH) tls = ClientTlsContext(tls_opts) client = Client(bootstrap, tls) connection = Connection( client=client, client_id=create_client_id(), host_name=ProxyTestConfiguration.HTTP_PROXY_MQTT_ENDPOINT, port=8883, proxy_options=proxy_options) connection.connect().result(TIMEOUT) return connection
def test_server_name(self): opt = TlsContextOptions() ctx = ClientTlsContext(opt) conn_opt = TlsConnectionOptions(ctx) conn_opt.set_server_name('localhost')
def test_alpn_list(self): opt = TlsContextOptions() ctx = ClientTlsContext(opt) conn_opt = TlsConnectionOptions(ctx) conn_opt.set_alpn_list(['h2', 'http/1.1'])
def test_init(self): opt = TlsContextOptions() ctx = ClientTlsContext(opt) conn_opt = TlsConnectionOptions(ctx)
def test_override_default_trust_store_file(self): opt = TlsContextOptions() opt.override_default_trust_store_from_path(None, 'test/resources/ca.crt') ctx = ClientTlsContext(opt)
def test_override_default_trust_store_dir(self): opt = TlsContextOptions() opt.override_default_trust_store_from_path('test/resources', None) ctx = ClientTlsContext(opt)
def test_with_mtls_pkcs12(self): opt = TlsContextOptions.create_client_with_mtls_pkcs12( 'test/resources/crt.unittests.p12', '1234') ctx = ClientTlsContext(opt)
def test_with_mtls_from_path(self): opt = TlsContextOptions.create_client_with_mtls_from_path( 'test/resources/crt.unittests.crt', 'test/resources/crt.unittests.key') ctx = ClientTlsContext(opt)
def test_init_defaults(self): opt = TlsContextOptions() ctx = ClientTlsContext(opt)
def create_s3_crt_client(region, botocore_credential_provider=None, num_threads=None, target_throughput=5 * GB / 8, part_size=8 * MB, use_ssl=True, verify=None): """ :type region: str :param region: The region used for signing :type botocore_credential_provider: Optional[botocore.credentials.CredentialResolver] :param botocore_credential_provider: Provide credentials for CRT to sign the request if not set, the request will not be signed :type num_threads: Optional[int] :param num_threads: Number of worker threads generated. Default is the number of processors in the machine. :type target_throughput: Optional[int] :param target_throughput: Throughput target in Bytes. Default is 0.625 GB/s (which translates to 5 Gb/s). :type part_size: Optional[int] :param part_size: Size, in Bytes, of parts that files will be downloaded or uploaded in. :type use_ssl: boolean :param use_ssl: Whether or not to use SSL. By default, SSL is used. Note that not all services support non-ssl connections. :type verify: Optional[boolean/string] :param verify: Whether or not to verify SSL certificates. By default SSL certificates are verified. You can provide the following values: * False - do not validate SSL certificates. SSL will still be used (unless use_ssl is False), but SSL certificates will not be verified. * path/to/cert/bundle.pem - A filename of the CA cert bundle to use. Specify this argument if you want to use a custom CA cert bundle instead of the default one on your system. """ event_loop_group = EventLoopGroup(num_threads) host_resolver = DefaultHostResolver(event_loop_group) bootstrap = ClientBootstrap(event_loop_group, host_resolver) provider = None tls_connection_options = None tls_mode = S3RequestTlsMode.ENABLED if use_ssl \ else S3RequestTlsMode.DISABLED if verify is not None: tls_ctx_options = TlsContextOptions() if verify: tls_ctx_options.override_default_trust_store_from_path( ca_filepath=verify) else: tls_ctx_options.verify_peer = False client_tls_option = ClientTlsContext(tls_ctx_options) tls_connection_options = client_tls_option.new_connection_options() if botocore_credential_provider: credentails_provider_adapter = CRTCredentialProviderAdapter( botocore_credential_provider) provider = AwsCredentialsProvider.new_delegate( credentails_provider_adapter) target_gbps = target_throughput * 8 / GB return S3Client( bootstrap=bootstrap, region=region, credential_provider=provider, part_size=part_size, tls_mode=tls_mode, tls_connection_options=tls_connection_options, throughput_target_gbps=target_gbps)