def test_ciphers(self):
server = TSSLServerSocket(port=TEST_PORT,
keyfile=SERVER_KEY,
certfile=SERVER_CERT,
ciphers=TEST_CIPHERS)
client = TSSLSocket('localhost',
TEST_PORT,
ca_certs=SERVER_CERT,
ciphers=TEST_CIPHERS)
self._assert_connection_success(server, client)
if not TSSLSocket._has_ciphers:
# unittest.skip is not available for Python 2.6
print('skipping test_ciphers')
return
server = TSSLServerSocket(port=TEST_PORT,
keyfile=SERVER_KEY,
certfile=SERVER_CERT)
client = TSSLSocket('localhost',
TEST_PORT,
ca_certs=SERVER_CERT,
ciphers='NULL')
self._assert_connection_failure(server, client)
server = TSSLServerSocket(port=TEST_PORT,
keyfile=SERVER_KEY,
certfile=SERVER_CERT,
ciphers=TEST_CIPHERS)
client = TSSLSocket('localhost',
TEST_PORT,
ca_certs=SERVER_CERT,
ciphers='NULL')
self._assert_connection_failure(server, client)
def test_newer_tls(self):
if not TSSLSocket._has_ssl_context:
# unittest.skip is not available for Python 2.6
print('skipping test_newer_tls')
return
if not hasattr(ssl, 'PROTOCOL_TLSv1_2'):
print('PROTOCOL_TLSv1_2 is not available')
else:
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_2)
client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_2)
self._assert_connection_success(server, client)
if not hasattr(ssl, 'PROTOCOL_TLSv1_1'):
print('PROTOCOL_TLSv1_1 is not available')
else:
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_1)
client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_1)
self._assert_connection_success(server, client)
if not hasattr(ssl, 'PROTOCOL_TLSv1_1') or not hasattr(ssl, 'PROTOCOL_TLSv1_2'):
print('PROTOCOL_TLSv1_1 and/or PROTOCOL_TLSv1_2 is not available')
else:
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_2)
client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_1)
self._assert_connection_failure(server, client)
def test_server_cert(self):
server = TSSLServerSocket(port=TEST_PORT,
keyfile=SERVER_KEY,
certfile=SERVER_CERT)
client = TSSLSocket('localhost',
TEST_PORT,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs=SERVER_CERT)
self._assert_connection_success(server, client)
server = TSSLServerSocket(port=TEST_PORT,
keyfile=SERVER_KEY,
certfile=SERVER_CERT)
# server cert on in ca_certs
client = TSSLSocket('localhost',
TEST_PORT,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs=CLIENT_CERT)
self._assert_connection_failure(server, client)
server = TSSLServerSocket(port=TEST_PORT,
keyfile=SERVER_KEY,
certfile=SERVER_CERT)
client = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_NONE)
self._assert_connection_success(server, client)
def test_set_server_cert(self):
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=CLIENT_CERT)
with self._assert_raises(Exception):
server.certfile = 'foo'
with self._assert_raises(Exception):
server.certfile = None
server.certfile = SERVER_CERT
client = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_REQUIRED, ca_certs=SERVER_CERT)
self._assert_connection_success(server, client)
def test_set_server_cert(self):
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=CLIENT_CERT)
with self._assert_raises(Exception):
server.certfile = 'foo'
with self._assert_raises(Exception):
server.certfile = None
server.certfile = SERVER_CERT
client = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_REQUIRED, ca_certs=SERVER_CERT)
self._assert_connection_success(server, client)
def __init__ (self, host=None, port=9090, certfile='cert.pem', unix_socket=None, allowed_ips=None):
assert allowed_ips is None or isinstance (allowed_ips, (list,set,tuple))
TSSLServerSocket.__init__(self, host, port, certfile=certfile, unix_socket=unix_socket)
if allowed_ips:
res = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_PASSIVE | socket.AI_ADDRCONFIG)
af = res[-1][0]
if socket.has_ipv6 and af == socket.AF_INET6:
self.allowed_ips = map (lambda x: socket.inet_ntop (socket.AF_INET6, address_to_in6(x)), allowed_ips)
else:
self.allowed_ips = allowed_ips
def test_client_cert(self):
server = TSSLServerSocket(port=TEST_PORT,
cert_reqs=ssl.CERT_REQUIRED,
keyfile=SERVER_KEY,
certfile=SERVER_CERT,
ca_certs=CLIENT_CERT)
client = TSSLSocket('localhost',
TEST_PORT,
cert_reqs=ssl.CERT_NONE,
certfile=SERVER_CERT,
keyfile=SERVER_KEY)
self._assert_connection_failure(server, client)
server = TSSLServerSocket(port=TEST_PORT,
cert_reqs=ssl.CERT_REQUIRED,
keyfile=SERVER_KEY,
certfile=SERVER_CERT,
ca_certs=CLIENT_CA)
client = TSSLSocket('localhost',
TEST_PORT,
cert_reqs=ssl.CERT_NONE,
certfile=CLIENT_CERT_NO_IP,
keyfile=CLIENT_KEY_NO_IP)
self._assert_connection_failure(server, client)
server = TSSLServerSocket(port=TEST_PORT,
cert_reqs=ssl.CERT_REQUIRED,
keyfile=SERVER_KEY,
certfile=SERVER_CERT,
ca_certs=CLIENT_CA)
client = TSSLSocket('localhost',
TEST_PORT,
cert_reqs=ssl.CERT_NONE,
certfile=CLIENT_CERT,
keyfile=CLIENT_KEY)
self._assert_connection_success(server, client)
server = TSSLServerSocket(port=TEST_PORT,
cert_reqs=ssl.CERT_OPTIONAL,
keyfile=SERVER_KEY,
certfile=SERVER_CERT,
ca_certs=CLIENT_CA)
client = TSSLSocket('localhost',
TEST_PORT,
cert_reqs=ssl.CERT_NONE,
certfile=CLIENT_CERT,
keyfile=CLIENT_KEY)
self._assert_connection_success(server, client)
def test_deprecation(self):
with warnings.catch_warnings(record=True) as w:
warnings.filterwarnings('always',
category=DeprecationWarning,
module=self.__module__)
TSSLSocket('localhost', 0, validate=True, ca_certs=SERVER_CERT)
self.assertEqual(len(w), 1)
with warnings.catch_warnings(record=True) as w:
warnings.filterwarnings('always',
category=DeprecationWarning,
module=self.__module__)
# Deprecated signature
# def __init__(self, host='localhost', port=9090, validate=True, ca_certs=None, keyfile=None, certfile=None, unix_socket=None, ciphers=None):
TSSLSocket('localhost', 0, True, SERVER_CERT, CLIENT_KEY,
CLIENT_CERT, None, TEST_CIPHERS)
self.assertEqual(len(w), 7)
with warnings.catch_warnings(record=True) as w:
warnings.filterwarnings('always',
category=DeprecationWarning,
module=self.__module__)
# Deprecated signature
# def __init__(self, host=None, port=9090, certfile='cert.pem', unix_socket=None, ciphers=None):
TSSLServerSocket(None, 0, SERVER_PEM, None, TEST_CIPHERS)
self.assertEqual(len(w), 3)
def test_deprecation(self):
with warnings.catch_warnings(record=True) as w:
warnings.filterwarnings('always',
category=DeprecationWarning,
module='thrift.*SSL.*')
TSSLSocket('localhost',
TEST_PORT,
validate=True,
ca_certs=SERVER_CERT)
self.assertEqual(len(w), 1)
with warnings.catch_warnings(record=True) as w:
warnings.filterwarnings('always',
category=DeprecationWarning,
module='thrift.*SSL.*')
# Deprecated signature
# def __init__(self, host='localhost', port=9090, validate=True, ca_certs=None, keyfile=None, certfile=None, unix_socket=None, ciphers=None):
client = TSSLSocket('localhost', TEST_PORT, True, SERVER_CERT,
CLIENT_KEY, CLIENT_CERT, None, TEST_CIPHERS)
self.assertEqual(len(w), 7)
with warnings.catch_warnings(record=True) as w:
warnings.filterwarnings('always',
category=DeprecationWarning,
module='thrift.*SSL.*')
# Deprecated signature
# def __init__(self, host=None, port=9090, certfile='cert.pem', unix_socket=None, ciphers=None):
server = TSSLServerSocket(None, TEST_PORT, SERVER_PEM, None,
TEST_CIPHERS)
self.assertEqual(len(w), 3)
self._assert_connection_success(server, client)
def test_unix_domain_socket(self):
if platform.system() == 'Windows':
print('skipping test_unix_domain_socket')
return
server = TSSLServerSocket(unix_socket=TEST_ADDR, keyfile=SERVER_KEY, certfile=SERVER_CERT)
client = TSSLSocket(None, None, TEST_ADDR, cert_reqs=ssl.CERT_NONE)
self._assert_connection_success(server, client)
def test_ssl2_and_ssl3_disabled(self):
if not hasattr(ssl, 'PROTOCOL_SSLv3'):
print('PROTOCOL_SSLv3 is not available')
else:
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT)
client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_SSLv3)
self._assert_connection_failure(server, client)
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_SSLv3)
client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT)
self._assert_connection_failure(server, client)
if not hasattr(ssl, 'PROTOCOL_SSLv2'):
print('PROTOCOL_SSLv2 is not available')
else:
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT)
client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_SSLv2)
self._assert_connection_failure(server, client)
server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_SSLv2)
client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT)
self._assert_connection_failure(server, client)
def test_ssl_context(self):
if not TSSLSocket._has_ssl_context:
# unittest.skip is not available for Python 2.6
print('skipping test_ssl_context')
return
server_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
server_context.load_cert_chain(SERVER_CERT, SERVER_KEY)
server_context.load_verify_locations(CLIENT_CERT)
client_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
client_context.load_cert_chain(CLIENT_CERT, CLIENT_KEY)
client_context.load_verify_locations(SERVER_CERT)
server = TSSLServerSocket(port=TEST_PORT, ssl_context=server_context)
client = TSSLSocket('localhost', TEST_PORT, ssl_context=client_context)
self._assert_connection_success(server, client)
def _initialize_thrift_service(self):
""" Initialize the thrift server. """
mux_processor = TMultiplexedProcessor.TMultiplexedProcessor()
for plugin in thrift_services():
self._logger.info("Load thrift services %s (num_threads: %d)",
plugin.name, plugin.num_threads)
handler = plugin.handler
processor = plugin.service.Processor(handler)
mux_processor.registerProcessor(plugin.name, processor)
cert_file = "/etc/vmware/ssl/host.crt"
if os.path.isfile(cert_file):
transport = TSSLServerSocket(port=self._config.host_port, certfile=cert_file)
else:
transport = TSocket.TServerSocket(port=self._config.host_port)
protocol_factory = TCompactProtocol.TCompactProtocolFactory()
server = TNonblockingServer.TNonblockingServer(
mux_processor, transport, protocol_factory, protocol_factory,
self._config.host_service_threads)
self._server = server
def _server_socket(self, **kwargs):
return TSSLServerSocket(port=0, **kwargs)
