def do_CONNECT(self):
try:
host, port = self.path.split(':')
if host != FAKE_TARGET:
raise Exception('proxy target must be fake target, but was: ' +
self.path)
print_ok("got proxy request, with proxy target: " + self.path)
socket = TcpClient(int(port))
socket.connect(attempts=5)
self.wfile.write(
bytearray("HTTP/1.1 200 Connection established\r\n", "utf-8"))
self.wfile.write(
bytearray("Proxy-agent: FakeConnectProxyHandler\r\n\r\n",
"utf-8"))
remote = socket.get_socket()
rlist = [self.connection, remote]
for _ in range(0, 1000):
reads, _, errs = select.select(rlist, [], rlist, 10)
if errs:
print_ok("got error in select(): " + str(errs))
break
for s in reads:
data = s.recv(8192)
if data:
print_ok("proxy is sending/receiving " +
str(len(data)) + " bytes")
(self.connection if s == remote else remote).send(data)
finally:
print_ok("connect proxy is done")
try:
socket.get_socket().shutdown()
socket.cleanup()
self.connection.close()
except BaseException:
pass
'--keystore=server.p12',
'--cacert=root.crt',
'--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for startup
TlsClient(None, 'root', STATUS_PORT).connect(20, 'server')
# create connections with client
pair1 = SocketPair(
TlsClient('client', 'root', 13001), TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
# shut down ghostunnel with connection open, make sure it doesn't hang
print_ok('attempting to terminate ghostunnel via SIGTERM signals')
for n in range(0, 90):
try:
try:
ghostunnel.terminate()
ghostunnel.wait(timeout=1)
except BaseException:
pass
os.kill(ghostunnel.pid, 0)
print_ok("ghostunnel is still alive")
except BaseException:
stopped = True
break
time.sleep(1)
if not stopped:
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
server = UnixServer()
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target=unix:{0}'.format(server.get_socket_path()),
'--keystore=server.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--cacert=root.crt',
'--allow-ou=client'])
# connect with client, confirm that the tunnel is up
pair = SocketPair(TlsClient('client', 'root', 13001), server)
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_closing_server_closes_client(
"1: server closed -> client closed")
print_ok("OK")
finally:
terminate(ghostunnel)
status = json.loads(str(urlopen(
"https://{0}:{1}/_status".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
metrics = json.loads(str(urlopen(
"https://{0}:{1}/_metrics".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
if not status['ok']:
raise Exception("ghostunnel reported non-ok status")
if not isinstance(metrics, list):
raise Exception("ghostunnel metrics expected to be JSON list")
# reload, check we get the new cert on /_status
os.rename('new_server.p12', 'server.p12')
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root', STATUS_PORT).connect(20, 'new_server')
print_ok('/_status seems up')
# read status information
status = json.loads(str(urlopen(
"https://{0}:{1}/_status".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
metrics = json.loads(str(urlopen(
"https://{0}:{1}/_metrics".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
if not status['ok']:
raise Exception("ghostunnel reported non-ok status")
if not isinstance(metrics, list):
raise Exception("ghostunnel metrics expected to be JSON list")
print_ok("OK")
finally:
def do_POST(self):
# pylint: disable=global-statement
global received_metrics
print_ok("handling POST to fake bridge")
length = int(self.headers['Content-Length'])
received_metrics = json.loads(self.rfile.read(length).decode('utf-8'))
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt', '--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# wait for startup
TlsClient(None, 'root', STATUS_PORT).connect(20, 'server')
# create connections with client
pair1 = SocketPair(TlsClient('client', 'root', 13001),
TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
# shut down ghostunnel with connection open, make sure it doesn't hang
print_ok('attempting to terminate ghostunnel via SIGTERM signals')
for n in range(0, 90):
try:
try:
ghostunnel.terminate()
ghostunnel.wait(timeout=1)
except BaseException:
pass
os.kill(ghostunnel.pid, 0)
print_ok("ghostunnel is still alive")
except BaseException:
stopped = True
break
time.sleep(1)
if not stopped:
# connect to server1, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer('server1', 'root',
13002))
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001),
TlsServer('other_server', 'other_root', 13002))
raise Exception('failed to reject other_server')
except ssl.SSLError:
print_ok("other_server correctly rejected")
# connect to server2, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001),
TlsServer('server2', 'root', 13002))
raise Exception('failed to reject serve2')
except ssl.SSLError:
print_ok("other_server correctly rejected")
print_ok("OK")
finally:
terminate(ghostunnel)
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target=localhost:13002',
'--keystore=client.p12',
'--verify-dns=server1',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# connect to server1, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root', 13002))
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to server2, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001), TlsServer(
'server2', 'root', 13002))
raise Exception('failed to reject other_server')
except ssl.SSLError:
print_ok("other_server correctly rejected")
print_ok("OK")
finally:
terminate(ghostunnel)
'--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# create connections with client
pair1 = SocketPair(
TlsClient('client', 'root', 13001), TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_tunnel_ou("server", "pair1 -> ou=server")
# Replace keystore and trigger reload
os.rename('new_server.p12', 'server.p12')
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root', STATUS_PORT).connect(20, 'new_server')
print_ok("reload done")
# create connections with client
pair2 = SocketPair(
TlsClient('client', 'root', 13001), TcpServer(13002))
pair2.validate_can_send_from_client("toto", "pair2 works")
pair2.validate_tunnel_ou("new_server", "pair2 -> ou=new_server")
pair2.cleanup()
# ensure that pair1 is still alive
pair1.validate_can_send_from_client("toto", "pair1 still works")
pair1.cleanup()
print_ok("OK")
finally:
terminate(ghostunnel)
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12',
'--timed-reload=1s', '--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13001),
TlsServer('server1', 'root1', 13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
# check certificate on status port
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("got client1 on /_status")
# replace keystore and check ghostunnel connects with new_client1
print_ok("replacing certificates")
os.rename('new_client1.p12', 'client1.p12')
# reload should happen automatically
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'new_client1')
print_ok("reload done")
pair2 = SocketPair(TcpClient(13001),
TlsServer('server1', 'root1', 13002))
pair2.validate_can_send_from_client("toto", "pair2 works")
pair2.validate_client_cert("new_client1",
"pair2: ou=new_client1 -> ...")
pair2.cleanup()
def do_POST(self):
# pylint: disable=global-statement
global received_metrics
print_ok("handling POST to fake bridge")
length = int(self.headers['Content-Length'])
received_metrics = json.loads(self.rfile.read(length).decode('utf-8'))
# connect but don't perform handshake
client = TcpClient(13000)
client.connect(20)
client.get_socket().setblocking(False)
def urlopen(path):
return urllib.request.urlopen(path, cafile='root.crt')
# wait until handshake times out
timeout = False
for _ in range(0, 20):
metrics = json.loads(
str(
urlopen("https://{0}:{1}/_metrics".format(
LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
timeouts = [
m['value'] for m in metrics if "accept.timeout" in m['metric']
]
if timeouts[0] > 0:
print_ok("handshake timed out, as expected")
timeout = True
break
time.sleep(1)
if not timeout:
raise Exception("socket still appears to be open after timeout")
print_ok("OK")
finally:
terminate(ghostunnel)
#!/usr/bin/env python3
"""
Spins up a client and tests systemd socket activation.
"""
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsServer, print_ok, run_ghostunnel, terminate
from distutils.spawn import find_executable
import sys
if __name__ == "__main__":
ghostunnel = None
if not find_executable('systemd-socket-activate'):
print_ok(
'skipping systemd socket activation test, no systemd-socket-activate binary found'
)
sys.exit(0)
try:
# create certs
root = RootCert('root')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel([
'client', '--listen=systemd:client', '--target={0}:{1}'.format(
LOCALHOST, STATUS_PORT), '--keystore=client.p12',
'--status=systemd:status', '--cacert=root.crt'
],
prefix=[
'systemd-socket-activate',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# connect but don't perform handshake
client = TcpClient(13000)
client.connect(20)
client.get_socket().setblocking(False)
def urlopen(path):
return urllib.request.urlopen(path, cafile='root.crt')
# wait until handshake times out
timeout = False
for _ in range(0, 20):
metrics = json.loads(str(urlopen(
"https://{0}:{1}/_metrics".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
timeouts = [m['value']
for m in metrics if "accept.timeout" in m['metric']]
if timeouts[0] > 0:
print_ok("handshake timed out, as expected")
timeout = True
break
time.sleep(1)
if not timeout:
raise Exception("socket still appears to be open after timeout")
print_ok("OK")
finally:
terminate(ghostunnel)
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT),
'--cacert=root.crt',
'--allow-ou=client'])
# client should fail to connect since nothing is listening on 13003
try:
pair = SocketPair(
TlsClient('client', 'root', 13001), TcpServer(13003))
raise Exception('client should have failed to connect')
except socket.timeout:
print_ok("timeout when nothing is listening on 13003")
# client should connect
pair = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
pair.cleanup()
print_ok("OK")
finally:
terminate(ghostunnel)
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client1.p12',
'--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root1', 13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
# check certificate on status port
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("got client1 on /_status")
# replace keystore with invalid/empty file and reload
open('new_client1.p12', 'a').close()
os.rename('new_client1.p12', 'client1.p12')
ghostunnel.send_signal(signal.SIGUSR1)
# should still be using old cert
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("reload done")
pair2 = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root1', 13002))
pair2.validate_can_send_from_client("toto", "pair2 works")
pair2.validate_client_cert("client1", "pair2: ou=client1 -> ...")
pair2.cleanup()
# block until ghostunnel is up
TcpClient(STATUS_PORT).connect(20)
# send some requests to status endpoints
metrics = json.loads(str(urlopen(
'https://{0}:{1}/_metrics'.format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
# send some data through proxy
pair1 = SocketPair(
TlsClient('client', 'root', 13001), TcpServer(13002))
pair1.validate_can_send_from_client('toto', 'works')
pair1.validate_can_send_from_server('toto', 'works')
pair1.cleanup()
terminate(ghostunnel)
# make sure no logs printed
out, err = ghostunnel.communicate()
print('stdout (len={0}):'.format(len(out)))
print(out)
print('stderr (len={0}):'.format(len(err)))
print(err)
if len(err) > 0:
raise Exception('ghostunnel logged to stderr with --quiet=all')
print_ok('OK')
finally:
terminate(ghostunnel)
pair = SocketPair(TcpClient(13001), TlsServer('server2', 'root',
13002))
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001),
TlsServer('other_server', 'other_root', 13002))
raise Exception('failed to reject other_server')
except ssl.SSLError:
print_ok("other_server correctly rejected")
# connect to server2, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001),
TlsServer('server1', 'root', 13002))
raise Exception('failed to reject server1')
except ssl.SSLError:
print_ok("server1 correctly rejected")
# make sure also works after reload
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root', STATUS_PORT).connect(20, 'client')
print_ok("reload done")
pair2 = SocketPair(TcpClient(13001), TlsServer('server2', 'root',
# start ghostunnel with bad access flags
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
print_ok("OK (terminated)")
# start ghostunnel with bad listen addr
ghostunnel = run_ghostunnel([
'server', '--listen=invalid',
'--target={0}:13002'.format(LOCALHOST), '--allow-all',
'--keystore=server.p12', '--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
metrics = json.loads(
str(
urlopen("https://{0}:{1}/_metrics".format(
LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
if not status['ok']:
raise Exception("ghostunnel reported non-ok status")
if not isinstance(metrics, list):
raise Exception("ghostunnel metrics expected to be JSON list")
# reload, check we get the new cert on /_status
os.rename('new_client.p12', 'client.p12')
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root', STATUS_PORT).connect(20, 'new_client')
print_ok('/_status seems up')
# read status information
status = json.loads(
str(
urlopen("https://{0}:{1}/_status".format(
LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
metrics = json.loads(
str(
urlopen("https://{0}:{1}/_metrics".format(
LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
if not status['ok']:
raise Exception("ghostunnel reported non-ok status")
if not isinstance(metrics, list):
pair = SocketPair(TcpClient(13001), TlsServer(
'server2', 'root', 13002))
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001), TlsServer(
'other_server', 'other_root', 13002))
raise Exception('failed to reject other_server')
except ssl.SSLError:
print_ok("other_server correctly rejected")
# connect to server2, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root', 13002))
raise Exception('failed to reject server1')
except ssl.SSLError:
print_ok("server1 correctly rejected")
# make sure also works after reload
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root', STATUS_PORT).connect(20, 'client')
print_ok("reload done")
pair2 = SocketPair(TcpClient(13001), TlsServer(
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client1.p12',
'--timed-reload=1s',
'--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root1', 13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
# check certificate on status port
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("got client1 on /_status")
# replace keystore and check ghostunnel connects with new_client1
print_ok("replacing certificates")
os.rename('new_client1.p12', 'client1.p12')
# reload should happen automatically
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'new_client1')
print_ok("reload done")
pair2 = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root1', 13002))
pair2.validate_can_send_from_client("toto", "pair2 works")
pair2.validate_client_cert(
"new_client1", "pair2: ou=new_client1 -> ...")
pair2.cleanup()
'--cacert=root.crt', '--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# create connections with client
pair1 = SocketPair(TlsClient('client', 'root', 13001),
TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_tunnel_ou("server", "pair1 -> ou=server")
# Replace keystore and trigger reload
os.rename('new_server.p12', 'server.p12')
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root', STATUS_PORT).connect(20, 'new_server')
print_ok("reload done")
# create connections with client
pair2 = SocketPair(TlsClient('client', 'root', 13001),
TcpServer(13002))
pair2.validate_can_send_from_client("toto", "pair2 works")
pair2.validate_tunnel_ou("new_server", "pair2 -> ou=new_server")
pair2.cleanup()
# ensure that pair1 is still alive
pair1.validate_can_send_from_client("toto", "pair1 still works")
pair1.cleanup()
print_ok("OK")
finally:
terminate(ghostunnel)
# connect to server1, confirm that the tunnel is up
pair = SocketPair(TcpClient(13001), TlsServer(
'server1', 'root', 13002, cert_reqs=ssl.CERT_NONE))
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001), TlsServer(
'other_server', 'other_root', 13002, cert_reqs=ssl.CERT_NONE))
raise Exception('failed to reject other_server')
except ssl.SSLError:
print_ok("other_server with unknown CA correctly rejected")
# connect to server2, confirm that the tunnel isn't up
try:
pair = SocketPair(TcpClient(13001), TlsServer(
'server2', 'root', 13002, cert_reqs=ssl.CERT_NONE))
raise Exception('failed to reject serve2')
except ssl.SSLError:
print_ok("server2 with incorrect CN correctly rejected")
print_ok("OK")
finally:
terminate(ghostunnel)
root.create_signed_cert(
'client2',
san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost')
# start ghostunnel
ghostunnel = run_ghostunnel(['server',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12',
'--cacert=root.crt',
'--allow-dns=client1',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# create connections with client
pair1 = SocketPair(
TlsClient('client1', 'root', 13001), TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_can_send_from_server
try:
pair2 = SocketPair(
TlsClient('client2', 'root', 13001), TcpServer(13002))
raise Exception('failed to reject client2')
except ssl.SSLError:
print_ok("client2 correctly rejected")
print_ok("OK")
finally:
terminate(ghostunnel)
'server', san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'client1', san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost')
root.create_signed_cert(
'client2', san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost')
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt', '--allow-dns=client1',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# create connections with client
pair1 = SocketPair(TlsClient('client1', 'root', 13001),
TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_can_send_from_server
try:
pair2 = SocketPair(TlsClient('client2', 'root', 13001),
TcpServer(13002))
raise Exception('failed to reject client2')
except ssl.SSLError:
print_ok("client2 correctly rejected")
print_ok("OK")
finally:
terminate(ghostunnel)
ghostunnel = run_ghostunnel(['client',
'--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client.p12',
'--connect-proxy=ftp://invalid',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
else:
print_ok("OK (terminated)")
# start ghostunnel with bad client listen addr
ghostunnel = run_ghostunnel(['client',
'--listen=invalid',
'--target={0}:13002'.format(LOCALHOST),
'--keystore=client.p12',
'--cacert=root.crt',
'--status={0}:{1}'.format(LOCALHOST,
STATUS_PORT)])
# wait for ghostunnel to exit and make sure error code is not zero
ret = ghostunnel.wait(timeout=20)
if ret == 0:
raise Exception(
'ghostunnel terminated with zero, though flags were invalid')
# send some requests to status endpoints
metrics = json.loads(
str(
urlopen('https://{0}:{1}/_metrics'.format(
LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
# send some data through proxy
pair1 = SocketPair(TlsClient('client', 'root', 13001),
TcpServer(13002))
pair1.validate_can_send_from_client('toto', 'works')
pair1.validate_can_send_from_server('toto', 'works')
pair1.cleanup()
terminate(ghostunnel)
# make sure no logs printed
out, err = ghostunnel.communicate()
print('stdout (len={0}):'.format(len(out)))
print(out)
print('stderr (len={0}):'.format(len(err)))
print(err)
if 'opening pipe' in err.decode('utf-8'):
raise Exception(
'ghostunnel logged connection log to stderr with --quiet=all')
print_ok('OK')
finally:
terminate(ghostunnel)
root.create_signed_cert('server')
for n in range(1, n_clients):
root.create_signed_cert("client{0}".format(n))
allow_ou.append("--allow-ou=client{0}".format(n))
# start ghostunnel
ghostunnel = run_ghostunnel([
'server', '--listen={0}:13001'.format(
LOCALHOST), '--target={0}:13002'.format(LOCALHOST),
'--keystore=server.p12', '--status={0}:{1}'.format(
LOCALHOST, STATUS_PORT), '--cacert=root.crt'
] + allow_ou)
# clients should be able to communicate all at the same time.
procs = []
for n in range(1, n_clients):
pair = SocketPair(TlsClient("client{0}".format(n), 'root', 13001),
TcpServer(13002))
proc = Process(target=send_data, args=(
n,
pair,
))
proc.start()
procs.append(proc)
for proc in procs:
proc.join()
print_ok("OK")
finally:
terminate(ghostunnel)
# connect with client1, confirm that the tunnel is up
pair = SocketPair(
TlsClient('client1', 'root', 13001), TcpServer(13002))
pair.validate_can_send_from_client(
"hello world", "1: client -> server")
pair.validate_can_send_from_server(
"hello world", "1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect with client2, confirm that the tunnel isn't up
try:
pair = SocketPair(
TlsClient('client2', 'root', 13001), TcpServer(13002))
raise Exception('failed to reject client2')
except ssl.SSLError:
print_ok("client2 correctly rejected")
# connect with other_client1, confirm that the tunnel isn't up
try:
pair = SocketPair(
TlsClient('other_client1', 'root', 13001), TcpServer(13002))
raise Exception('failed to reject other_client1')
except ssl.SSLError:
print_ok("other_client1 correctly rejected")
print_ok("OK")
finally:
terminate(ghostunnel)
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
# connect to other_server, confirm that the tunnel isn't up
try:
pair = SocketPair(
TcpClient(13001),
TlsServer('other_server',
'other_root',
13002,
cert_reqs=ssl.CERT_NONE))
raise Exception('failed to reject other_server')
except ssl.SSLError:
print_ok("other_server with unknown CA correctly rejected")
# connect to server2, confirm that the tunnel isn't up
try:
pair = SocketPair(
TcpClient(13001),
TlsServer('server2', 'root', 13002, cert_reqs=ssl.CERT_NONE))
raise Exception('failed to reject serve2')
except ssl.SSLError:
print_ok("server2 with incorrect CN correctly rejected")
print_ok("OK")
finally:
terminate(ghostunnel)
ghostunnel = run_ghostunnel([
'client', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12',
'--cacert=root1.crt',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13001),
TlsServer('server1', 'root1', 13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
# check certificate on status port
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("got client1 on /_status")
# replace keystore with invalid/empty file and reload
open('new_client1.p12', 'a').close()
os.rename('new_client1.p12', 'client1.p12')
ghostunnel.send_signal(signal.SIGUSR1)
# should still be using old cert
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("reload done")
pair2 = SocketPair(TcpClient(13001),
TlsServer('server1', 'root1', 13002))
pair2.validate_can_send_from_client("toto", "pair2 works")
pair2.validate_client_cert("client1", "pair2: ou=client1 -> ...")
pair2.cleanup()