def get_proxy_tls_connection_options_for_test(test_type):
if test_type == ProxyTestType.TUNNELING_DOUBLE_TLS:
tls_ctx_opt = TlsContextOptions()
tls_ctx_opt.verify_peer = False
tls_ctx = ClientTlsContext(tls_ctx_opt)
tls_conn_opt = tls_ctx.new_connection_options()
tls_conn_opt.set_server_name("localhost")
return tls_conn_opt
else:
return None
def get_tls_connection_options_for_test(test_type, host_name):
if test_type == ProxyTestType.FORWARDING or test_type == ProxyTestType.LEGACY_HTTP or test_type == ProxyTestType.TUNNELING_HTTP:
return None
else:
tls_ctx_opt = TlsContextOptions()
tls_ctx = ClientTlsContext(tls_ctx_opt)
tls_conn_opt = tls_ctx.new_connection_options()
tls_conn_opt.set_server_name(host_name)
return tls_conn_opt
def _create_connection(self, auth_type=AuthType.CERT_AND_KEY, use_static_singletons=False):
config = Config(auth_type)
if auth_type == AuthType.CERT_AND_KEY:
tls_opts = TlsContextOptions.create_client_with_mtls_from_path(config.cert_path, config.key_path)
tls = ClientTlsContext(tls_opts)
elif auth_type == AuthType.PKCS11:
try:
pkcs11_lib = Pkcs11Lib(
file=config.pkcs11_lib_path,
behavior=Pkcs11Lib.InitializeFinalizeBehavior.STRICT)
tls_opts = TlsContextOptions.create_client_with_mtls_pkcs11(
pkcs11_lib=pkcs11_lib,
user_pin=config.pkcs11_pin,
token_label=config.pkcs11_token_label,
private_key_label=config.pkcs11_key_label,
cert_file_path=config.cert_path)
tls = ClientTlsContext(tls_opts)
except Exception as e:
if 'AWS_ERROR_UNIMPLEMENTED' in str(e):
raise unittest.SkipTest(f'TLS with PKCS#11 not supported on this platform ({sys.platform})')
else:
# re-raise exception
raise
if use_static_singletons:
client = Client(tls_ctx=tls)
else:
elg = EventLoopGroup()
resolver = DefaultHostResolver(elg)
bootstrap = ClientBootstrap(elg, resolver)
client = Client(bootstrap, tls)
connection = Connection(
client=client,
client_id=create_client_id(),
host_name=config.endpoint,
port=8883)
return connection
def _new_client_connection(self, secure, proxy_options=None):
if secure:
tls_ctx_opt = TlsContextOptions()
tls_ctx_opt.override_default_trust_store_from_path(None, 'test/resources/ca.crt')
tls_ctx = ClientTlsContext(tls_ctx_opt)
tls_conn_opt = tls_ctx.new_connection_options()
tls_conn_opt.set_server_name(self.hostname)
else:
tls_conn_opt = None
event_loop_group = EventLoopGroup()
host_resolver = DefaultHostResolver(event_loop_group)
bootstrap = ClientBootstrap(event_loop_group, host_resolver)
connection_future = HttpClientConnection.new(host_name=self.hostname,
port=self.port,
bootstrap=bootstrap,
tls_connection_options=tls_conn_opt,
proxy_options=proxy_options)
return connection_future.result(self.timeout)
def test_on_message_old_fn_signature(self):
# ensure that message-received callbacks with the old function signature still work
config = Config.get()
elg = EventLoopGroup()
resolver = DefaultHostResolver(elg)
bootstrap = ClientBootstrap(elg, resolver)
tls_opts = TlsContextOptions.create_client_with_mtls(
config.cert, config.key)
tls = ClientTlsContext(tls_opts)
client = Client(bootstrap, tls)
connection = Connection(client=client,
client_id=create_client_id(),
host_name=config.endpoint,
port=8883)
any_received = Future()
sub_received = Future()
# Note: Testing degenerate callback signature that failed to take
# forward-compatibility **kwargs.
def on_any_message(topic, payload):
any_received.set_result({'topic': topic, 'payload': payload})
def on_sub_message(topic, payload):
sub_received.set_result({'topic': topic, 'payload': payload})
# on_message for connection has to be set before connect, or possible race will happen
connection.on_message(on_any_message)
connection.connect().result(TIMEOUT)
# subscribe without callback
subscribed, packet_id = connection.subscribe(self.TEST_TOPIC,
QoS.AT_LEAST_ONCE,
on_sub_message)
subscribed.result(TIMEOUT)
# publish
published, packet_id = connection.publish(self.TEST_TOPIC,
self.TEST_MSG,
QoS.AT_LEAST_ONCE)
puback = published.result(TIMEOUT)
# receive message
rcv = any_received.result(TIMEOUT)
self.assertEqual(self.TEST_TOPIC, rcv['topic'])
self.assertEqual(self.TEST_MSG, rcv['payload'])
rcv = sub_received.result(TIMEOUT)
self.assertEqual(self.TEST_TOPIC, rcv['topic'])
self.assertEqual(self.TEST_MSG, rcv['payload'])
# disconnect
connection.disconnect().result(TIMEOUT)
def _new_client_connection(self, secure, proxy_options=None):
if secure:
tls_ctx_opt = TlsContextOptions()
tls_ctx_opt.verify_peer = False
tls_ctx = ClientTlsContext(tls_ctx_opt)
tls_conn_opt = tls_ctx.new_connection_options()
tls_conn_opt.set_server_name(self.hostname)
else:
tls_conn_opt = None
event_loop_group = EventLoopGroup()
host_resolver = DefaultHostResolver(event_loop_group)
bootstrap = ClientBootstrap(event_loop_group, host_resolver)
connection_future = HttpClientConnection.new(
host_name=self.hostname,
port=self.port,
bootstrap=bootstrap,
tls_connection_options=tls_conn_opt,
proxy_options=proxy_options)
return connection_future.result(self.timeout)
def _test_connection(self):
config = Config.get()
elg = EventLoopGroup()
resolver = DefaultHostResolver(elg)
bootstrap = ClientBootstrap(elg, resolver)
tls_opts = TlsContextOptions.create_client_with_mtls(
config.cert, config.key)
tls = ClientTlsContext(tls_opts)
client = Client(bootstrap, tls)
connection = Connection(client=client,
client_id=create_client_id(),
host_name=config.endpoint,
port=8883)
connection.connect().result(TIMEOUT)
return connection
def test_on_message(self):
config = Config.get()
elg = EventLoopGroup()
resolver = DefaultHostResolver(elg)
bootstrap = ClientBootstrap(elg, resolver)
tls_opts = TlsContextOptions.create_client_with_mtls(
config.cert, config.key)
tls = ClientTlsContext(tls_opts)
client = Client(bootstrap, tls)
connection = Connection(client=client,
client_id=create_client_id(),
host_name=config.endpoint,
port=8883)
received = Future()
def on_message(**kwargs):
received.set_result(kwargs)
# on_message for connection has to be set before connect, or possible race will happen
connection.on_message(on_message)
connection.connect().result(TIMEOUT)
# subscribe without callback
subscribed, packet_id = connection.subscribe(self.TEST_TOPIC,
QoS.AT_LEAST_ONCE)
subscribed.result(TIMEOUT)
# publish
published, packet_id = connection.publish(self.TEST_TOPIC,
self.TEST_MSG,
QoS.AT_LEAST_ONCE)
puback = published.result(TIMEOUT)
# receive message
rcv = received.result(TIMEOUT)
self.assertEqual(self.TEST_TOPIC, rcv['topic'])
self.assertEqual(self.TEST_MSG, rcv['payload'])
self.assertFalse(rcv['dup'])
self.assertEqual(QoS.AT_LEAST_ONCE, rcv['qos'])
self.assertFalse(rcv['retain'])
# disconnect
connection.disconnect().result(TIMEOUT)
def _new_h2_client_connection(self, url):
event_loop_group = EventLoopGroup()
host_resolver = DefaultHostResolver(event_loop_group)
bootstrap = ClientBootstrap(event_loop_group, host_resolver)
port = 443
scheme = 'https'
tls_ctx_options = TlsContextOptions()
tls_ctx = ClientTlsContext(tls_ctx_options)
tls_conn_opt = tls_ctx.new_connection_options()
tls_conn_opt.set_server_name(url.hostname)
tls_conn_opt.set_alpn_list(["h2"])
connection_future = HttpClientConnection.new(host_name=url.hostname,
port=port,
bootstrap=bootstrap,
tls_connection_options=tls_conn_opt)
return connection_future.result(self.timeout)
def s3_client_new(secure, region, part_size=0):
event_loop_group = EventLoopGroup()
host_resolver = DefaultHostResolver(event_loop_group)
bootstrap = ClientBootstrap(event_loop_group, host_resolver)
credential_provider = AwsCredentialsProvider.new_default_chain(bootstrap)
tls_option = None
if secure:
opt = TlsContextOptions()
ctx = ClientTlsContext(opt)
tls_option = TlsConnectionOptions(ctx)
s3_client = S3Client(bootstrap=bootstrap,
region=region,
credential_provider=credential_provider,
tls_connection_options=tls_option,
part_size=part_size)
return s3_client
def _establish_mqtt_connection(self, proxy_options):
event_loop_group = EventLoopGroup()
host_resolver = DefaultHostResolver(event_loop_group)
bootstrap = ClientBootstrap(event_loop_group, host_resolver)
tls_opts = TlsContextOptions.create_client_with_mtls_from_path(
ProxyTestConfiguration.HTTP_PROXY_TLS_CERT_PATH,
ProxyTestConfiguration.HTTP_PROXY_TLS_KEY_PATH)
tls_opts.override_default_trust_store_from_path(
ca_filepath=ProxyTestConfiguration.HTTP_PROXY_TLS_ROOT_CA_PATH)
tls = ClientTlsContext(tls_opts)
client = Client(bootstrap, tls)
connection = Connection(
client=client,
client_id=create_client_id(),
host_name=ProxyTestConfiguration.HTTP_PROXY_MQTT_ENDPOINT,
port=8883,
proxy_options=proxy_options)
connection.connect().result(TIMEOUT)
return connection
def test_server_name(self):
opt = TlsContextOptions()
ctx = ClientTlsContext(opt)
conn_opt = TlsConnectionOptions(ctx)
conn_opt.set_server_name('localhost')
def test_alpn_list(self):
opt = TlsContextOptions()
ctx = ClientTlsContext(opt)
conn_opt = TlsConnectionOptions(ctx)
conn_opt.set_alpn_list(['h2', 'http/1.1'])
def test_init(self):
opt = TlsContextOptions()
ctx = ClientTlsContext(opt)
conn_opt = TlsConnectionOptions(ctx)
def test_override_default_trust_store_file(self):
opt = TlsContextOptions()
opt.override_default_trust_store_from_path(None, 'test/resources/ca.crt')
ctx = ClientTlsContext(opt)
def test_override_default_trust_store_dir(self):
opt = TlsContextOptions()
opt.override_default_trust_store_from_path('test/resources', None)
ctx = ClientTlsContext(opt)
def test_with_mtls_pkcs12(self):
opt = TlsContextOptions.create_client_with_mtls_pkcs12(
'test/resources/crt.unittests.p12', '1234')
ctx = ClientTlsContext(opt)
def test_with_mtls_from_path(self):
opt = TlsContextOptions.create_client_with_mtls_from_path(
'test/resources/crt.unittests.crt', 'test/resources/crt.unittests.key')
ctx = ClientTlsContext(opt)
def test_init_defaults(self):
opt = TlsContextOptions()
ctx = ClientTlsContext(opt)
def create_s3_crt_client(region,
botocore_credential_provider=None,
num_threads=None,
target_throughput=5 * GB / 8,
part_size=8 * MB,
use_ssl=True,
verify=None):
"""
:type region: str
:param region: The region used for signing
:type botocore_credential_provider:
Optional[botocore.credentials.CredentialResolver]
:param botocore_credential_provider: Provide credentials for CRT
to sign the request if not set, the request will not be signed
:type num_threads: Optional[int]
:param num_threads: Number of worker threads generated. Default
is the number of processors in the machine.
:type target_throughput: Optional[int]
:param target_throughput: Throughput target in Bytes.
Default is 0.625 GB/s (which translates to 5 Gb/s).
:type part_size: Optional[int]
:param part_size: Size, in Bytes, of parts that files will be downloaded
or uploaded in.
:type use_ssl: boolean
:param use_ssl: Whether or not to use SSL. By default, SSL is used.
Note that not all services support non-ssl connections.
:type verify: Optional[boolean/string]
:param verify: Whether or not to verify SSL certificates.
By default SSL certificates are verified. You can provide the
following values:
* False - do not validate SSL certificates. SSL will still be
used (unless use_ssl is False), but SSL certificates
will not be verified.
* path/to/cert/bundle.pem - A filename of the CA cert bundle to
use. Specify this argument if you want to use a custom CA cert
bundle instead of the default one on your system.
"""
event_loop_group = EventLoopGroup(num_threads)
host_resolver = DefaultHostResolver(event_loop_group)
bootstrap = ClientBootstrap(event_loop_group, host_resolver)
provider = None
tls_connection_options = None
tls_mode = S3RequestTlsMode.ENABLED if use_ssl \
else S3RequestTlsMode.DISABLED
if verify is not None:
tls_ctx_options = TlsContextOptions()
if verify:
tls_ctx_options.override_default_trust_store_from_path(
ca_filepath=verify)
else:
tls_ctx_options.verify_peer = False
client_tls_option = ClientTlsContext(tls_ctx_options)
tls_connection_options = client_tls_option.new_connection_options()
if botocore_credential_provider:
credentails_provider_adapter = CRTCredentialProviderAdapter(
botocore_credential_provider)
provider = AwsCredentialsProvider.new_delegate(
credentails_provider_adapter)
target_gbps = target_throughput * 8 / GB
return S3Client(
bootstrap=bootstrap,
region=region,
credential_provider=provider,
part_size=part_size,
tls_mode=tls_mode,
tls_connection_options=tls_connection_options,
throughput_target_gbps=target_gbps)
