#!/usr/bin/env python3

"""
Ensures we can connect to a server signed by root1 but not root2.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate
import ssl
import signal

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server1')
        root.create_signed_cert('client')
        root.create_signed_cert(
            'server2', san="IP:127.0.0.1,IP:::1,DNS:foobar")

        other_root = RootCert('other_root')
        other_root.create_signed_cert('other_server')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['client',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target=localhost:13002',
                                     '--keystore=client.p12',
                                     '--cacert=root.crt',
                                     '--timed-reload=1s',
                                     '--override-server-name=foobar',
#!/usr/bin/env python3
"""
Ensures that tunnel sees & reloads a certificate
change.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate
import os
import signal

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server')
        root.create_signed_cert('new_server')
        root.create_signed_cert('client')

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'server', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
            '--cacert=root.crt', '--allow-ou=client',
            '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
        ])

        # create connections with client
        pair1 = SocketPair(TlsClient('client', 'root', 13001),
                           TcpServer(13002))
        pair1.validate_can_send_from_client("toto", "pair1 works")
There are various cases to take into account:
- tunnel picks up client cert change and connects with new cert.
- tunnel picks up ca change and connects to other_server.
- tunnel picks up client cert change and uses it on the status port.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate
import os
import signal

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root1 = RootCert('root1')
        root1.create_signed_cert('server1')
        root1.create_signed_cert('client1')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['client',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=client1.p12',
                                     '--cacert=root1.crt',
                                     '--status={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT)])

        # ensure ghostunnel connects with server1
        pair1 = SocketPair(TcpClient(13001), TlsServer(
            'server1', 'root1', 13002))
                "{0}:{1} server -> client".format(i, counter))
    r = random.random()
    if r < 0.5:
        p.validate_closing_client_closes_server(
            "{0} client close -> server close".format(i))
    else:
        p.validate_closing_server_closes_client(
            "{0} server close -> client close".format(i))


if __name__ == "__main__":
    ghostunnel = None
    n_clients = 10
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('client')
        for n in range(1, n_clients):
            root.create_signed_cert("server{0}".format(n))

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'client', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(LOCALHOST), '--keystore=client.p12',
            '--status={0}:{1}'.format(LOCALHOST,
                                      STATUS_PORT), '--cacert=root.crt'
        ])

        # servers should be able to communicate all at the same time.
        procs = []
        for n in range(1, n_clients):
#!/usr/bin/env python3

from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('client')

        # start ghostunnel with bad proxy
        ghostunnel = run_ghostunnel(['client',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=client.p12',
                                     '--connect-proxy=ftp://invalid',
                                     '--cacert=root.crt',
                                     '--status={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT)])

        # wait for ghostunnel to exit and make sure error code is not zero
        ret = ghostunnel.wait(timeout=20)
        if ret == 0:
            raise Exception(
                'ghostunnel terminated with zero, though flags were invalid')
        else:
            print_ok("OK (terminated)")

        # start ghostunnel with bad client listen addr
        ghostunnel = run_ghostunnel(['client',
#!/usr/bin/env python3

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate
import time
import os

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server')
        root.create_signed_cert('client')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['server',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=server.p12',
                                     '--cacert=root.crt',
                                     '--allow-ou=client',
                                     '--status={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT)])

        # wait for startup
        TlsClient(None, 'root', STATUS_PORT).connect(20, 'server')

        # create connections with client
        pair1 = SocketPair(
            TlsClient('client', 'root', 13001), TcpServer(13002))
        pair1.validate_can_send_from_client("toto", "pair1 works")
There are various cases to take into account:
- tunnel picks up client cert change and connects with new cert.
- tunnel picks up ca change and connects to other_server.
- tunnel picks up client cert change and uses it on the status port.
"""

import ssl
import os
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root1 = RootCert('root1')
        root1.create_signed_cert('server1')
        root1.create_signed_cert('client1')
        root1.create_signed_cert('new_client1')

        root2 = RootCert('new_root')
        root2.create_signed_cert('server2')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['client',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=client1.p12',
                                     '--timed-reload=1s',
                                     '--cacert=root1.crt',
                                     '--status={0}:{1}'.format(LOCALHOST,
#!/usr/bin/env python3

from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate, assert_not_zero

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server')

        # start ghostunnel with bad flags
        ghostunnel1 = run_ghostunnel([
            'server', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
            '--disable-authentication', '--allow-cn=test.example.com',
            '--cacert=root.crt'
        ])
        assert_not_zero(ghostunnel1)

        ghostunnel2 = run_ghostunnel([
            'server', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
            '--cert=server.crt', '--key=server.key', '--cacert=root.crt'
        ])
        assert_not_zero(ghostunnel2)

        ghostunnel3 = run_ghostunnel([
            'server', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(LOCALHOST), '--cert=server.crt',
            '--cacert=root.crt'
Esempio n. 9
0
                        (self.connection if s == remote else remote).send(data)
        finally:
            print_ok("connect proxy is done")
            try:
                socket.get_socket().shutdown()
                socket.cleanup()
                self.connection.close()
            except BaseException:
                pass


if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server', san='DNS:{}'.format(FAKE_TARGET))
        root.create_signed_cert('client')

        httpd = http.server.HTTPServer((LOCALHOST, 13080),
                                       FakeConnectProxyHandler)
        server = threading.Thread(target=httpd.handle_request)
        server.start()

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'client', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(FAKE_TARGET), '--keystore=client.p12',
            '--cacert=root.crt',
            '--connect-proxy=http://{0}:13080'.format(LOCALHOST),
            '--connect-timeout=30s',
#!/usr/bin/env python3

"""
Ensures that root certificates are reloaded as well.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate
import time
import signal
import os

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server')
        root.create_signed_cert('client')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['server',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=server.p12',
                                     '--status={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT),
                                     '--cacert=root.crt',
                                     '--allow-ou=client'])

        # connect with client, confirm that the tunnel is up
        pair = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
"""
Test to check --allow-uri flag behavior.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \
                   TlsClient, print_ok, run_ghostunnel, terminate

import os
import signal
import ssl

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert(
                'server',
                san='URI:spiffe://server,IP:127.0.0.1,IP:::1,DNS:localhost')
        root.create_signed_cert(
                'client1',
                san='URI:spiffe://client1,IP:127.0.0.1,IP:::1,DNS:localhost')
        root.create_signed_cert(
                'client2',
                san='URI:spiffe://client2,IP:127.0.0.1,IP:::1,DNS:localhost')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['server',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=server.p12',
Esempio n. 12
0
There are various cases to take into account:
- tunnel picks up client cert change and connects with new cert.
- tunnel picks up ca change and connects to other_server.
- tunnel picks up client cert change and uses it on the status port.
"""

import ssl
import os
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root1 = RootCert('root1')
        root1.create_signed_cert('server1')
        root1.create_signed_cert('client1')
        root1.create_signed_cert('new_client1')

        root2 = RootCert('new_root')
        root2.create_signed_cert('server2')

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'client', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12',
            '--timed-reload=1s', '--cacert=root1.crt',
            '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
        ])
#!/usr/bin/env python3
"""
Tests that verify-uri flag works correctly on the client.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \
                   TlsServer, print_ok, run_ghostunnel, terminate

import ssl

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('client')
        root.create_signed_cert(
            'server1',
            san='URI:spiffe://server1,IP:127.0.0.1,IP:::1,DNS:localhost')
        root.create_signed_cert(
            'server2',
            san='URI:spiffe://server2,IP:127.0.0.1,IP:::1,DNS:localhost')

        other_root = RootCert('other_root')
        other_root.create_signed_cert('other_server')

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'client', '--listen={0}:13001'.format(LOCALHOST),
            '--target=localhost:13002', '--keystore=client.p12',
            '--verify-uri=spiffe://server1', '--cacert=root.crt',
Esempio n. 14
0
#!/usr/bin/env python3

"""
Ensures that Graphite metrics submission works.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, print_ok, run_ghostunnel, terminate
import socket

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('client')

        # Mock out a graphite server
        m = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        m.settimeout(10)
        m.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        m.bind((LOCALHOST, 13099))
        m.listen(1)

        # start ghostunnel
        ghostunnel = run_ghostunnel(['client',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=client.p12',
                                     '--status={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT),
                                     '--metrics-interval=1s',
    r = random.random()
    if r < 0.5:
        p.validate_closing_client_closes_server(
            "{0} client close -> server close".format(i))
    else:
        p.validate_closing_server_closes_client(
            "{0} server close -> client close".format(i))


if __name__ == "__main__":
    ghostunnel = None
    n_clients = 10
    allow_ou = []
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server')
        for n in range(1, n_clients):
            root.create_signed_cert("client{0}".format(n))
            allow_ou.append("--allow-ou=client{0}".format(n))

        # start ghostunnel
        ghostunnel = run_ghostunnel(['server',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=server.p12',
                                     '--status={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT),
                                     '--cacert=root.crt'] + allow_ou)

        # clients should be able to communicate all at the same time.
"""
Test to check --allow-dns flag behavior.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \
                   TlsClient, print_ok, run_ghostunnel, terminate

import os
import signal
import ssl

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert(
                'server',
                san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost')
        root.create_signed_cert(
                'client1',
                san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost')
        root.create_signed_cert(
                'client2',
                san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['server',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=server.p12',
"""
Test to check --allow-dns flag behavior.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \
                   TlsClient, print_ok, run_ghostunnel, terminate

import os
import signal
import ssl

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert(
            'server', san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost')
        root.create_signed_cert(
            'client1', san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost')
        root.create_signed_cert(
            'client2', san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost')

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'server', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
            '--cacert=root.crt', '--allow-dns=client1',
            '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
        ])
Ensures that /_status endpoint works.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, TcpClient, TlsClient, print_ok, run_ghostunnel, terminate
import urllib.request
import urllib.error
import urllib.parse
import os
import signal
import json

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server')
        root.create_signed_cert('new_server')
        root.create_signed_cert('client')

        # start ghostunnel
        # hack: point target to STATUS_PORT so that /_status doesn't 503.
        ghostunnel = run_ghostunnel(['server',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT),
                                     '--keystore=server.p12',
                                     '--cacert=root.crt',
                                     '--allow-ou=client',
                                     '--status={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT)])
#!/usr/bin/env python3

"""
Ensures client1 can connect but that clients with ou=client2 or ca=other_root can't connect.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, TlsClient, print_ok, run_ghostunnel, terminate
import ssl

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server')
        root.create_signed_cert('client1')
        root.create_signed_cert('client2')

        other_root = RootCert('other_root')
        other_root.create_signed_cert('other_client1')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['server',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target={0}:13002'.format(LOCALHOST),
                                     '--keystore=server.p12',
                                     '--status={0}:{1}'.format(LOCALHOST,
                                                               STATUS_PORT),
                                     '--cacert=root.crt',
                                     '--allow-ou=client1'])
Esempio n. 20
0
    r = random.random()
    if r < 0.5:
        p.validate_closing_client_closes_server(
            "{0} client close -> server close".format(i))
    else:
        p.validate_closing_server_closes_client(
            "{0} server close -> client close".format(i))


if __name__ == "__main__":
    ghostunnel = None
    n_clients = 10
    allow_ou = []
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server')
        for n in range(1, n_clients):
            root.create_signed_cert("client{0}".format(n))
            allow_ou.append("--allow-ou=client{0}".format(n))

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'server', '--listen={0}:13001'.format(
                LOCALHOST), '--target={0}:13002'.format(LOCALHOST),
            '--keystore=server.p12', '--status={0}:{1}'.format(
                LOCALHOST, STATUS_PORT), '--cacert=root.crt'
        ] + allow_ou)

        # clients should be able to communicate all at the same time.
        procs = []
#!/usr/bin/env python3

"""
Tests that verify-dns flag works correctly on the client.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \
                   TlsServer, print_ok, run_ghostunnel, terminate

import ssl

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('client')
        root.create_signed_cert(
                'server1',
                san='DNS:server1,IP:127.0.0.1,IP:::1,DNS:localhost')
        root.create_signed_cert(
                'server2',
                san='DNS:server2,IP:127.0.0.1,IP:::1,DNS:localhost')

        other_root = RootCert('other_root')
        other_root.create_signed_cert('other_server')

        # start ghostunnel
        ghostunnel = run_ghostunnel(['client',
                                     '--listen={0}:13001'.format(LOCALHOST),
                                     '--target=localhost:13002',
Esempio n. 22
0
#!/usr/bin/env python3
"""
Test a client which has disabled authentication. It will not send a TLS Client
Certificate, but should still perform verification.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsServer, print_ok, run_ghostunnel, terminate
import ssl

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root = RootCert('root')
        root.create_signed_cert('server1')
        root.create_signed_cert('server2',
                                san="IP:127.0.0.1,IP:::1,DNS:foobar")

        other_root = RootCert('other_root')
        other_root.create_signed_cert('other_server')

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'client', '--listen={0}:13001'.format(LOCALHOST),
            '--target=localhost:13002', '--cacert=root.crt',
            '--disable-authentication',
            '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
        ])

        # connect to server1, confirm that the tunnel is up
        pair = SocketPair(
There are various cases to take into account:
- tunnel picks up client cert change and connects with new cert.
- tunnel picks up ca change and connects to other_server.
- tunnel picks up client cert change and uses it on the status port.
"""

from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate
import os
import signal

if __name__ == "__main__":
    ghostunnel = None
    try:
        # create certs
        root1 = RootCert('root1')
        root1.create_signed_cert('server1')
        root1.create_signed_cert('client1')

        # start ghostunnel
        ghostunnel = run_ghostunnel([
            'client', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13002'.format(LOCALHOST), '--keystore=client1.p12',
            '--cacert=root1.crt',
            '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)
        ])

        # ensure ghostunnel connects with server1
        pair1 = SocketPair(TcpClient(13001),
                           TlsServer('server1', 'root1', 13002))
        pair1.validate_can_send_from_client("toto", "pair1 works")