def test_ssl_socket(self): server = None display_no = self.find_free_display_no() display = ":%s" % display_no tcp_port = get_free_tcp_port() ssl_port = get_free_tcp_port() try: tmpdir = tempfile.mkdtemp(suffix='ssl-xpra') certfile = os.path.join(tmpdir, "self.pem") openssl_command = [ "openssl", "req", "-new", "-newkey", "rsa:4096", "-days", "2", "-nodes", "-x509", "-subj", "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost", "-keyout", certfile, "-out", certfile, ] openssl = self.run_command(openssl_command) assert pollwait(openssl, 10)==0, "openssl certificate generation failed" cert_data = load_binary_file(certfile) log("generated cert data: %s", repr_ellipsized(cert_data)) if not cert_data: #cannot run openssl? (happens from rpmbuild) log.warn("SSL test skipped, cannot run '%s'", b" ".join(openssl_command)) return server_args = [ "--bind-tcp=0.0.0.0:%i" % tcp_port, "--bind-ssl=0.0.0.0:%i" % ssl_port, "--ssl=on", "--ssl-cert=%s" % certfile] log("starting test ssl server on %s", display) server = self.start_server(display, *server_args) #test it with openssl client: for port in (tcp_port, ssl_port): openssl_verify_command = "openssl s_client -connect 127.0.0.1:%i -CAfile %s < /dev/null" % (port, certfile) openssl = self.run_command(openssl_verify_command, shell=True) assert pollwait(openssl, 10)==0, "openssl certificate verification failed" def test_connect(uri, exit_code, *client_args): cmd = ["info", uri] + list(client_args) client = self.run_xpra(cmd) r = pollwait(client, 5) if client.poll() is None: client.terminate() assert r==exit_code, "expected info client to return %s but got %s" % (exit_code, client.poll()) noverify = "--ssl-server-verify-mode=none" #connect to ssl socket: test_connect("ssl/127.0.0.1:%i/" % ssl_port, EXIT_OK, noverify) #tcp socket should upgrade: test_connect("ssl/127.0.0.1:%i/" % tcp_port, EXIT_OK, noverify) #self signed cert should fail without noverify: test_connect("ssl/127.0.0.1:%i/" % ssl_port, EXIT_CONNECTION_LOST) test_connect("ssl/127.0.0.1:%i/" % tcp_port, EXIT_CONNECTION_LOST) finally: shutil.rmtree(tmpdir) if server: server.terminate()
def test_ssl_socket(self): server = None display_no = self.find_free_display_no() display = ":%s" % display_no tcp_port = get_free_tcp_port() ssl_port = get_free_tcp_port() try: tmpdir = tempfile.mkdtemp(suffix='ssl-xpra') certfile = os.path.join(tmpdir, "self.pem") openssl_command = [ "openssl", "req", "-new", "-newkey", "rsa:4096", "-days", "2", "-nodes", "-x509", "-subj", "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost", "-keyout", certfile, "-out", certfile, ] openssl = self.run_command(openssl_command) assert pollwait(openssl, 10) == 0, "openssl certificate generation failed" cert_data = load_binary_file(certfile) log("generated cert data: %s", repr_ellipsized(cert_data)) if not cert_data: #cannot run openssl? (happens from rpmbuild) log.warn("SSL test skipped, cannot run '%s'", b" ".join(openssl_command)) return server_args = [ "--bind-tcp=0.0.0.0:%i" % tcp_port, "--bind-ssl=0.0.0.0:%i" % ssl_port, "--ssl=on", "--ssl-cert=%s" % certfile ] log("starting test ssl server on %s", display) server = self.start_server(display, *server_args) #test it with openssl client: for port in (tcp_port, ssl_port): openssl_verify_command = "openssl s_client -connect 127.0.0.1:%i -CAfile %s < /dev/null" % ( port, certfile) openssl = self.run_command(openssl_verify_command, shell=True) assert pollwait( openssl, 10) == 0, "openssl certificate verification failed" def test_connect(uri, exit_code, *client_args): cmd = ["info", uri] + list(client_args) client = self.run_xpra(cmd) r = pollwait(client, 5) if client.poll() is None: client.terminate() assert r == exit_code, "expected info client to return %s but got %s" % ( exit_code, client.poll()) noverify = "--ssl-server-verify-mode=none" #connect to ssl socket: test_connect("ssl/127.0.0.1:%i/" % ssl_port, EXIT_OK, noverify) #tcp socket should upgrade: test_connect("ssl/127.0.0.1:%i/" % tcp_port, EXIT_OK, noverify) #self signed cert should fail without noverify: test_connect("ssl/127.0.0.1:%i/" % ssl_port, EXIT_CONNECTION_LOST) test_connect("ssl/127.0.0.1:%i/" % tcp_port, EXIT_CONNECTION_LOST) finally: shutil.rmtree(tmpdir) if server: server.terminate()
def test_ssl(self): server = None display_no = self.find_free_display_no() display = ":%s" % display_no tcp_port = get_free_tcp_port() ws_port = get_free_tcp_port() wss_port = get_free_tcp_port() ssl_port = get_free_tcp_port() try: tmpdir = tempfile.mkdtemp(suffix='ssl-xpra') keyfile = os.path.join(tmpdir, "key.pem") outfile = os.path.join(tmpdir, "out.pem") openssl_command = [ "openssl", "req", "-new", "-newkey", "rsa:4096", "-days", "2", "-nodes", "-x509", "-subj", "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost", "-keyout", keyfile, "-out", outfile, ] openssl = self.run_command(openssl_command) assert pollwait(openssl, 20) == 0, "openssl certificate generation failed" #combine the two files: certfile = os.path.join(tmpdir, "cert.pem") with open(certfile, 'wb') as cert: for fname in (keyfile, outfile): with open(fname, 'rb') as f: cert.write(f.read()) cert_data = load_binary_file(certfile) log("generated cert data: %s", repr_ellipsized(cert_data)) if not cert_data: #cannot run openssl? (happens from rpmbuild) log.warn("SSL test skipped, cannot run '%s'", b" ".join(openssl_command)) return server_args = [ "--bind-tcp=0.0.0.0:%i" % tcp_port, "--bind-ws=0.0.0.0:%i" % ws_port, "--bind-wss=0.0.0.0:%i" % wss_port, "--bind-ssl=0.0.0.0:%i" % ssl_port, "--ssl=on", "--html=on", "--ssl-cert=%s" % certfile, ] log("starting test ssl server on %s", display) server = self.start_server(display, *server_args) #test it with openssl client: for port in (tcp_port, ssl_port, ws_port, wss_port): openssl_verify_command = ("openssl", "s_client", "-connect", "127.0.0.1:%i" % port, "-CAfile", certfile) devnull = os.open(os.devnull, os.O_WRONLY) openssl = self.run_command(openssl_verify_command, stdin=devnull, shell=True) r = pollwait(openssl, 10) assert r == 0, "openssl certificate verification failed, returned %s" % r def test_connect(uri, exit_code, *client_args): cmd = ["info", uri] + list(client_args) client = self.run_xpra(cmd) r = pollwait(client, CONNECT_WAIT) if client.poll() is None: client.terminate() assert r == exit_code, "expected info client to return %s but got %s" % ( estr(exit_code), estr(client.poll())) noverify = "--ssl-server-verify-mode=none" #connect to ssl socket: test_connect("ssl://127.0.0.1:%i/" % ssl_port, EXIT_OK, noverify) #tcp socket should upgrade to ssl: test_connect("ssl://127.0.0.1:%i/" % tcp_port, EXIT_OK, noverify) #tcp socket should upgrade to ws and ssl: test_connect("wss://127.0.0.1:%i/" % tcp_port, EXIT_OK, noverify) #ws socket should upgrade to ssl: test_connect("wss://127.0.0.1:%i/" % ws_port, EXIT_OK, noverify) #self signed cert should fail without noverify: test_connect("ssl://127.0.0.1:%i/" % ssl_port, EXIT_SSL_CERTIFICATE_VERIFY_FAILURE) test_connect("ssl://127.0.0.1:%i/" % tcp_port, EXIT_SSL_CERTIFICATE_VERIFY_FAILURE) test_connect("wss://127.0.0.1:%i/" % ws_port, EXIT_SSL_CERTIFICATE_VERIFY_FAILURE) test_connect("wss://127.0.0.1:%i/" % wss_port, EXIT_SSL_CERTIFICATE_VERIFY_FAILURE) finally: shutil.rmtree(tmpdir) if server: server.terminate()
def _test(self, subcommand, options): log("starting test server with options=%s", options) args = ["--%s=%s" % (k, v) for k, v in options.items()] tcp_port = None xvfb = None if WIN32 or OSX: display = "" connect_args = [] elif self.display: display = self.display connect_args = [display] args.append("--use-display=yes") else: display = self.find_free_display() connect_args = [display] if subcommand == "shadow": xvfb = self.start_Xvfb(display) if TEST_RFB or WIN32: tcp_port = get_free_tcp_port() args += ["--bind-tcp=0.0.0.0:%i" % tcp_port] if WIN32: connect_args = ["tcp://127.0.0.1:%i" % tcp_port] server = None client = None rfb_client = None gui_client = None try: log("args=%s", " ".join("'%s'" % x for x in args)) server = self.check_server(subcommand, display, *args) #we should always be able to get the version: client = self.run_xpra(["version"] + connect_args) assert pollwait( client, 5 ) == 0, "version client failed to connect to server with args=%s" % args #run info query: cmd = ["info"] + connect_args client = self.run_xpra(cmd) r = pollwait(client, 20) assert r==0, "info client failed and returned %s: '%s' for server with args=%s" % \ (r, EXIT_STR.get(r, r), args) client_kwargs = {} if not (WIN32 or OSX): env = self.get_run_env() env["DISPLAY"] = self.client_display client_kwargs = {"env": env} if subcommand in ("shadow", "start-desktop") and TEST_RFB and options.get( "windows", True): vncviewer = which("vncviewer") log("testing RFB clients with vncviewer '%s'", vncviewer) if vncviewer: rfb_cmd = [vncviewer, "localhost::%i" % tcp_port] rfb_client = self.run_command(rfb_cmd, **client_kwargs) r = pollwait(rfb_client, 10) if r is not None: self.show_proc_error( rfb_client, "rfb client terminated early and returned %i for server with args=%s" % (r, args)) #connect a gui client: if WIN32 or (self.client_display and self.client_xvfb): xpra_args = [ "attach", "--clipboard=no", #could create loops "--notifications=no", #may get sent to the desktop session running the tests! ] + connect_args gui_client = self.run_xpra(xpra_args, **client_kwargs) r = pollwait(gui_client, 10) if r is not None: self.show_proc_error( gui_client, "gui client terminated early and returned %i : '%s' for server with args=%s" % (r, EXIT_STR.get(r, r), args)) if self.display: self.stop_server(server, "exit", *connect_args) else: self.stop_server(server, "stop", *connect_args) if display: if display in self.dotxpra.displays(): log.warn( "server socket for display %s should have been removed", display) if gui_client: r = pollwait(gui_client, 20) if r is None: log.warn("client still connected!") self.show_proc_pipes(server) raise Exception("gui client should have been disconnected") except Exception: log.error("test error for '%s' subcommand with options=%s", subcommand, options) raise finally: for x in (xvfb, rfb_client, gui_client, server, client): try: if x and x.poll() is None: x.terminate() except OSError: log("%s.terminate()", exc_info=True)