#!/usr/bin/env python3 """ Ensures we can connect to a server signed by root1 but not root2. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate import ssl import signal if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server1') root.create_signed_cert('client') root.create_signed_cert( 'server2', san="IP:127.0.0.1,IP:::1,DNS:foobar") other_root = RootCert('other_root') other_root.create_signed_cert('other_server') # start ghostunnel ghostunnel = run_ghostunnel(['client', '--listen={0}:13001'.format(LOCALHOST), '--target=localhost:13002', '--keystore=client.p12', '--cacert=root.crt', '--timed-reload=1s', '--override-server-name=foobar',
#!/usr/bin/env python3 """ Ensures that tunnel sees & reloads a certificate change. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate import os import signal if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server') root.create_signed_cert('new_server') root.create_signed_cert('client') # start ghostunnel ghostunnel = run_ghostunnel([ 'server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--cacert=root.crt', '--allow-ou=client', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT) ]) # create connections with client pair1 = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002)) pair1.validate_can_send_from_client("toto", "pair1 works")
There are various cases to take into account: - tunnel picks up client cert change and connects with new cert. - tunnel picks up ca change and connects to other_server. - tunnel picks up client cert change and uses it on the status port. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate import os import signal if __name__ == "__main__": ghostunnel = None try: # create certs root1 = RootCert('root1') root1.create_signed_cert('server1') root1.create_signed_cert('client1') # start ghostunnel ghostunnel = run_ghostunnel(['client', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12', '--cacert=root1.crt', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)]) # ensure ghostunnel connects with server1 pair1 = SocketPair(TcpClient(13001), TlsServer( 'server1', 'root1', 13002))
"{0}:{1} server -> client".format(i, counter)) r = random.random() if r < 0.5: p.validate_closing_client_closes_server( "{0} client close -> server close".format(i)) else: p.validate_closing_server_closes_client( "{0} server close -> client close".format(i)) if __name__ == "__main__": ghostunnel = None n_clients = 10 try: # create certs root = RootCert('root') root.create_signed_cert('client') for n in range(1, n_clients): root.create_signed_cert("server{0}".format(n)) # start ghostunnel ghostunnel = run_ghostunnel([ 'client', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=client.p12', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--cacert=root.crt' ]) # servers should be able to communicate all at the same time. procs = [] for n in range(1, n_clients):
#!/usr/bin/env python3 from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('client') # start ghostunnel with bad proxy ghostunnel = run_ghostunnel(['client', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=client.p12', '--connect-proxy=ftp://invalid', '--cacert=root.crt', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)]) # wait for ghostunnel to exit and make sure error code is not zero ret = ghostunnel.wait(timeout=20) if ret == 0: raise Exception( 'ghostunnel terminated with zero, though flags were invalid') else: print_ok("OK (terminated)") # start ghostunnel with bad client listen addr ghostunnel = run_ghostunnel(['client',
#!/usr/bin/env python3 from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate import time import os if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server') root.create_signed_cert('client') # start ghostunnel ghostunnel = run_ghostunnel(['server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--cacert=root.crt', '--allow-ou=client', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)]) # wait for startup TlsClient(None, 'root', STATUS_PORT).connect(20, 'server') # create connections with client pair1 = SocketPair( TlsClient('client', 'root', 13001), TcpServer(13002)) pair1.validate_can_send_from_client("toto", "pair1 works")
There are various cases to take into account: - tunnel picks up client cert change and connects with new cert. - tunnel picks up ca change and connects to other_server. - tunnel picks up client cert change and uses it on the status port. """ import ssl import os from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate if __name__ == "__main__": ghostunnel = None try: # create certs root1 = RootCert('root1') root1.create_signed_cert('server1') root1.create_signed_cert('client1') root1.create_signed_cert('new_client1') root2 = RootCert('new_root') root2.create_signed_cert('server2') # start ghostunnel ghostunnel = run_ghostunnel(['client', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12', '--timed-reload=1s', '--cacert=root1.crt', '--status={0}:{1}'.format(LOCALHOST,
#!/usr/bin/env python3 from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate, assert_not_zero if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server') # start ghostunnel with bad flags ghostunnel1 = run_ghostunnel([ 'server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--disable-authentication', '--allow-cn=test.example.com', '--cacert=root.crt' ]) assert_not_zero(ghostunnel1) ghostunnel2 = run_ghostunnel([ 'server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--cert=server.crt', '--key=server.key', '--cacert=root.crt' ]) assert_not_zero(ghostunnel2) ghostunnel3 = run_ghostunnel([ 'server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--cert=server.crt', '--cacert=root.crt'
(self.connection if s == remote else remote).send(data) finally: print_ok("connect proxy is done") try: socket.get_socket().shutdown() socket.cleanup() self.connection.close() except BaseException: pass if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server', san='DNS:{}'.format(FAKE_TARGET)) root.create_signed_cert('client') httpd = http.server.HTTPServer((LOCALHOST, 13080), FakeConnectProxyHandler) server = threading.Thread(target=httpd.handle_request) server.start() # start ghostunnel ghostunnel = run_ghostunnel([ 'client', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(FAKE_TARGET), '--keystore=client.p12', '--cacert=root.crt', '--connect-proxy=http://{0}:13080'.format(LOCALHOST), '--connect-timeout=30s',
#!/usr/bin/env python3 """ Ensures that root certificates are reloaded as well. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate import time import signal import os if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server') root.create_signed_cert('client') # start ghostunnel ghostunnel = run_ghostunnel(['server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--cacert=root.crt', '--allow-ou=client']) # connect with client, confirm that the tunnel is up pair = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
""" Test to check --allow-uri flag behavior. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \ TlsClient, print_ok, run_ghostunnel, terminate import os import signal import ssl if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert( 'server', san='URI:spiffe://server,IP:127.0.0.1,IP:::1,DNS:localhost') root.create_signed_cert( 'client1', san='URI:spiffe://client1,IP:127.0.0.1,IP:::1,DNS:localhost') root.create_signed_cert( 'client2', san='URI:spiffe://client2,IP:127.0.0.1,IP:::1,DNS:localhost') # start ghostunnel ghostunnel = run_ghostunnel(['server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
There are various cases to take into account: - tunnel picks up client cert change and connects with new cert. - tunnel picks up ca change and connects to other_server. - tunnel picks up client cert change and uses it on the status port. """ import ssl import os from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate if __name__ == "__main__": ghostunnel = None try: # create certs root1 = RootCert('root1') root1.create_signed_cert('server1') root1.create_signed_cert('client1') root1.create_signed_cert('new_client1') root2 = RootCert('new_root') root2.create_signed_cert('server2') # start ghostunnel ghostunnel = run_ghostunnel([ 'client', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12', '--timed-reload=1s', '--cacert=root1.crt', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT) ])
#!/usr/bin/env python3 """ Tests that verify-uri flag works correctly on the client. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \ TlsServer, print_ok, run_ghostunnel, terminate import ssl if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('client') root.create_signed_cert( 'server1', san='URI:spiffe://server1,IP:127.0.0.1,IP:::1,DNS:localhost') root.create_signed_cert( 'server2', san='URI:spiffe://server2,IP:127.0.0.1,IP:::1,DNS:localhost') other_root = RootCert('other_root') other_root.create_signed_cert('other_server') # start ghostunnel ghostunnel = run_ghostunnel([ 'client', '--listen={0}:13001'.format(LOCALHOST), '--target=localhost:13002', '--keystore=client.p12', '--verify-uri=spiffe://server1', '--cacert=root.crt',
#!/usr/bin/env python3 """ Ensures that Graphite metrics submission works. """ from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate import socket if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('client') # Mock out a graphite server m = socket.socket(socket.AF_INET, socket.SOCK_STREAM) m.settimeout(10) m.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) m.bind((LOCALHOST, 13099)) m.listen(1) # start ghostunnel ghostunnel = run_ghostunnel(['client', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=client.p12', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--metrics-interval=1s',
r = random.random() if r < 0.5: p.validate_closing_client_closes_server( "{0} client close -> server close".format(i)) else: p.validate_closing_server_closes_client( "{0} server close -> client close".format(i)) if __name__ == "__main__": ghostunnel = None n_clients = 10 allow_ou = [] try: # create certs root = RootCert('root') root.create_signed_cert('server') for n in range(1, n_clients): root.create_signed_cert("client{0}".format(n)) allow_ou.append("--allow-ou=client{0}".format(n)) # start ghostunnel ghostunnel = run_ghostunnel(['server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--cacert=root.crt'] + allow_ou) # clients should be able to communicate all at the same time.
""" Test to check --allow-dns flag behavior. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \ TlsClient, print_ok, run_ghostunnel, terminate import os import signal import ssl if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert( 'server', san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost') root.create_signed_cert( 'client1', san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost') root.create_signed_cert( 'client2', san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost') # start ghostunnel ghostunnel = run_ghostunnel(['server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
""" Test to check --allow-dns flag behavior. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \ TlsClient, print_ok, run_ghostunnel, terminate import os import signal import ssl if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert( 'server', san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost') root.create_signed_cert( 'client1', san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost') root.create_signed_cert( 'client2', san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost') # start ghostunnel ghostunnel = run_ghostunnel([ 'server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--cacert=root.crt', '--allow-dns=client1', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT) ])
Ensures that /_status endpoint works. """ from common import LOCALHOST, RootCert, STATUS_PORT, TcpClient, TlsClient, print_ok, run_ghostunnel, terminate import urllib.request import urllib.error import urllib.parse import os import signal import json if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server') root.create_signed_cert('new_server') root.create_signed_cert('client') # start ghostunnel # hack: point target to STATUS_PORT so that /_status doesn't 503. ghostunnel = run_ghostunnel(['server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--keystore=server.p12', '--cacert=root.crt', '--allow-ou=client', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)])
#!/usr/bin/env python3 """ Ensures client1 can connect but that clients with ou=client2 or ca=other_root can't connect. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate import ssl if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server') root.create_signed_cert('client1') root.create_signed_cert('client2') other_root = RootCert('other_root') other_root.create_signed_cert('other_client1') # start ghostunnel ghostunnel = run_ghostunnel(['server', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--cacert=root.crt', '--allow-ou=client1'])
r = random.random() if r < 0.5: p.validate_closing_client_closes_server( "{0} client close -> server close".format(i)) else: p.validate_closing_server_closes_client( "{0} server close -> client close".format(i)) if __name__ == "__main__": ghostunnel = None n_clients = 10 allow_ou = [] try: # create certs root = RootCert('root') root.create_signed_cert('server') for n in range(1, n_clients): root.create_signed_cert("client{0}".format(n)) allow_ou.append("--allow-ou=client{0}".format(n)) # start ghostunnel ghostunnel = run_ghostunnel([ 'server', '--listen={0}:13001'.format( LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12', '--status={0}:{1}'.format( LOCALHOST, STATUS_PORT), '--cacert=root.crt' ] + allow_ou) # clients should be able to communicate all at the same time. procs = []
#!/usr/bin/env python3 """ Tests that verify-dns flag works correctly on the client. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \ TlsServer, print_ok, run_ghostunnel, terminate import ssl if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('client') root.create_signed_cert( 'server1', san='DNS:server1,IP:127.0.0.1,IP:::1,DNS:localhost') root.create_signed_cert( 'server2', san='DNS:server2,IP:127.0.0.1,IP:::1,DNS:localhost') other_root = RootCert('other_root') other_root.create_signed_cert('other_server') # start ghostunnel ghostunnel = run_ghostunnel(['client', '--listen={0}:13001'.format(LOCALHOST), '--target=localhost:13002',
#!/usr/bin/env python3 """ Test a client which has disabled authentication. It will not send a TLS Client Certificate, but should still perform verification. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsServer, print_ok, run_ghostunnel, terminate import ssl if __name__ == "__main__": ghostunnel = None try: # create certs root = RootCert('root') root.create_signed_cert('server1') root.create_signed_cert('server2', san="IP:127.0.0.1,IP:::1,DNS:foobar") other_root = RootCert('other_root') other_root.create_signed_cert('other_server') # start ghostunnel ghostunnel = run_ghostunnel([ 'client', '--listen={0}:13001'.format(LOCALHOST), '--target=localhost:13002', '--cacert=root.crt', '--disable-authentication', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT) ]) # connect to server1, confirm that the tunnel is up pair = SocketPair(
There are various cases to take into account: - tunnel picks up client cert change and connects with new cert. - tunnel picks up ca change and connects to other_server. - tunnel picks up client cert change and uses it on the status port. """ from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate import os import signal if __name__ == "__main__": ghostunnel = None try: # create certs root1 = RootCert('root1') root1.create_signed_cert('server1') root1.create_signed_cert('client1') # start ghostunnel ghostunnel = run_ghostunnel([ 'client', '--listen={0}:13001'.format(LOCALHOST), '--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12', '--cacert=root1.crt', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT) ]) # ensure ghostunnel connects with server1 pair1 = SocketPair(TcpClient(13001), TlsServer('server1', 'root1', 13002)) pair1.validate_can_send_from_client("toto", "pair1 works")