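async def test_require_encryption():
    """
    Functional test for "require_encryption" setting.

    Two ``Security`` objects are built from the same TLS material: ``sec``
    without ``distributed.comm.require-encryption`` and ``sec2`` with it set
    to ``True``.  Over ``inproc://`` and ``tls://`` a ``sec2`` worker must be
    able to connect to either kind of listener.  Over ``tcp://`` every use of
    ``sec2`` (connecting or listening) must be refused with the
    "encryption required" ``RuntimeError``.
    """

    async def handle_comm(comm):
        # The listener side only has to accept; drop the comm right away.
        comm.abort()

    c = {
        "distributed.comm.tls.ca-file": ca_file,
        "distributed.comm.tls.scheduler.key": key1,
        "distributed.comm.tls.scheduler.cert": cert1,
        "distributed.comm.tls.worker.cert": keycert1,
    }
    with dask.config.set(c):
        sec = Security()

    c["distributed.comm.require-encryption"] = True
    with dask.config.set(c):
        sec2 = Security()

    # NOTE(review): inproc:// is accepted even when encryption is required,
    # presumably because in-process comms never touch the network -- confirm.
    for listen_addr in ["inproc://", "tls://"]:
        async with listen(
            listen_addr, handle_comm, **sec.get_listen_args("scheduler")
        ) as listener:
            comm = await connect(
                listener.contact_address, **sec2.get_connection_args("worker")
            )
            comm.abort()

        async with listen(
            listen_addr, handle_comm, **sec2.get_listen_args("scheduler")
        ) as listener:
            comm = await connect(
                listener.contact_address, **sec2.get_connection_args("worker")
            )
            comm.abort()

    @contextmanager
    def check_encryption_error():
        # Expect the refusal itself, not just any RuntimeError.
        with pytest.raises(RuntimeError) as excinfo:
            yield
        assert "encryption required" in str(excinfo.value)

    for listen_addr in ["tcp://"]:
        async with listen(
            listen_addr, handle_comm, **sec.get_listen_args("scheduler")
        ) as listener:
            # Without require-encryption a plaintext connection is allowed.
            comm = await connect(
                listener.contact_address, **sec.get_connection_args("worker")
            )
            comm.abort()

            # The helper was previously defined but never used, so an
            # unrelated RuntimeError would have satisfied these checks and
            # hidden a regression in the plaintext refusal.
            with check_encryption_error():
                await connect(
                    listener.contact_address, **sec2.get_connection_args("worker")
                )

        with check_encryption_error():
            listen(listen_addr, handle_comm, **sec2.get_listen_args("scheduler"))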
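def test_require_encryption():
    """
    Functional test for "require_encryption" setting.

    ``sec`` is built without ``require-encryption`` and ``sec2`` with it set
    to ``True``, both from the same TLS material.  ``inproc://`` and
    ``tls://`` connections made with ``sec2`` must succeed; on ``tcp://``
    any use of ``sec2`` must be refused with the "encryption required"
    ``RuntimeError``.

    The body yields futures, so it is presumably run under a coroutine test
    decorator that is not visible here.
    """
    @gen.coroutine
    def handle_comm(comm):
        # The listener side only has to accept; drop the comm right away.
        comm.abort()

    c = {
        'tls': {
            'ca-file': ca_file,
            'scheduler': {
                'key': key1,
                'cert': cert1,
            },
            'worker': {
                'cert': keycert1,
            },
        },
    }
    with new_config(c):
        sec = Security()
    c['require-encryption'] = True
    with new_config(c):
        sec2 = Security()

    for listen_addr in ['inproc://', 'tls://']:
        with listen(listen_addr, handle_comm,
                    connection_args=sec.get_listen_args('scheduler')) as listener:
            comm = yield connect(listener.contact_address,
                                 connection_args=sec2.get_connection_args('worker'))
            comm.abort()

        with listen(listen_addr, handle_comm,
                    connection_args=sec2.get_listen_args('scheduler')) as listener:
            comm = yield connect(listener.contact_address,
                                 connection_args=sec2.get_connection_args('worker'))
            comm.abort()

    @contextmanager
    def check_encryption_error():
        # Expect the refusal itself, not just any RuntimeError.
        with pytest.raises(RuntimeError) as excinfo:
            yield
        assert "encryption required" in str(excinfo.value)

    for listen_addr in ['tcp://']:
        with listen(listen_addr, handle_comm,
                    connection_args=sec.get_listen_args('scheduler')) as listener:
            # Without require-encryption a plaintext connection is allowed.
            comm = yield connect(listener.contact_address,
                                 connection_args=sec.get_connection_args('worker'))
            comm.abort()

            # The helper was previously unused, so any RuntimeError passed;
            # checking the message ties the test to the encryption refusal.
            with check_encryption_error():
                yield connect(listener.contact_address,
                              connection_args=sec2.get_connection_args('worker'))

        with check_encryption_error():
            listen(listen_addr, handle_comm,
                   connection_args=sec2.get_listen_args('scheduler'))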
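def test_require_encryption():
    """
    Functional test for "require_encryption" setting.

    Compares a ``Security`` built without ``require-encryption`` (``sec``)
    against one built with it enabled (``sec2``).  Encrypted or in-process
    transports must keep working with ``sec2``; plaintext ``tcp://`` must be
    rejected with a ``RuntimeError`` whose message contains
    "encryption required".
    """
    @gen.coroutine
    def handle_comm(comm):
        # Accept and immediately drop; the test only cares about the connect.
        comm.abort()

    c = {
        'tls': {
            'ca-file': ca_file,
            'scheduler': {
                'key': key1,
                'cert': cert1,
            },
            'worker': {
                'cert': keycert1,
            },
        },
    }
    with new_config(c):
        sec = Security()
    c['require-encryption'] = True
    with new_config(c):
        sec2 = Security()

    for listen_addr in ['inproc://', 'tls://']:
        # Listener without the requirement, client with it.
        with listen(listen_addr, handle_comm,
                    connection_args=sec.get_listen_args('scheduler')) as listener:
            comm = yield connect(listener.contact_address,
                                 connection_args=sec2.get_connection_args('worker'))
            comm.abort()

        # Both sides with the requirement.
        with listen(listen_addr, handle_comm,
                    connection_args=sec2.get_listen_args('scheduler')) as listener:
            comm = yield connect(listener.contact_address,
                                 connection_args=sec2.get_connection_args('worker'))
            comm.abort()

    @contextmanager
    def check_encryption_error():
        with pytest.raises(RuntimeError) as excinfo:
            yield
        assert "encryption required" in str(excinfo.value)

    for listen_addr in ['tcp://']:
        with listen(listen_addr, handle_comm,
                    connection_args=sec.get_listen_args('scheduler')) as listener:
            comm = yield connect(listener.contact_address,
                                 connection_args=sec.get_connection_args('worker'))
            comm.abort()

            # Use the message-checking helper (it was defined but unused) so
            # an unrelated RuntimeError cannot make this security test pass.
            with check_encryption_error():
                yield connect(listener.contact_address,
                              connection_args=sec2.get_connection_args('worker'))

        with check_encryption_error():
            listen(listen_addr, handle_comm,
                   connection_args=sec2.get_listen_args('scheduler'))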
def test_listen_args():
    """
    Check the ``ssl_context`` and ``require_encryption`` entries that
    ``Security.get_listen_args`` returns for the scheduler, worker and
    client roles, first with the base TLS config and then with a forced
    cipher and ``require-encryption`` enabled.
    """
    def basic_checks(context):
        # Peers must present a certificate; hostname matching is asserted
        # off, so only the certificate verification itself is relied upon.
        assert context.verify_mode == ssl.CERT_REQUIRED
        assert context.check_hostname is False

    def many_ciphers(context):
        # SSLContext.get_ciphers() is only available from Python 3.6.
        if sys.version_info < (3, 6):
            return
        assert len(context.get_ciphers()) > 2  # Most likely

    config = {
        'tls': {
            'ca-file': ca_file,
            'scheduler': {
                'key': key1,
                'cert': cert1,
            },
            'worker': {
                'cert': keycert1,
            },
        },
    }
    with new_config(config):
        security = Security()

    listen_args = security.get_listen_args('scheduler')
    assert not listen_args['require_encryption']
    context = listen_args['ssl_context']
    basic_checks(context)
    many_ciphers(context)

    listen_args = security.get_listen_args('worker')
    context = listen_args['ssl_context']
    basic_checks(context)
    many_ciphers(context)

    # No cert defined => no TLS
    listen_args = security.get_listen_args('client')
    assert listen_args.get('ssl_context') is None

    # With more settings
    config['tls']['ciphers'] = FORCED_CIPHER
    config['require-encryption'] = True

    with new_config(config):
        security = Security()

    listen_args = security.get_listen_args('scheduler')
    assert listen_args['require_encryption']
    context = listen_args['ssl_context']
    basic_checks(context)
    if sys.version_info >= (3, 6):
        reported = context.get_ciphers()
        # Exactly one TLS 1.2 suite may remain once the cipher is forced.
        tls_12 = [entry for entry in reported
                  if entry['protocol'] == 'TLSv1.2']
        assert len(tls_12) == 1
        # TLS 1.3 suites are either absent or all three are reported.
        tls_13 = [entry for entry in reported
                  if entry['protocol'] == 'TLSv1.3']
        assert len(tls_13) in (0, 3)
def test_listen_args():
    """
    Check the ``ssl_context`` and ``require_encryption`` entries that
    ``Security.get_listen_args`` returns for the scheduler, worker and
    client roles, first with the base TLS config and then with a forced
    cipher and ``distributed.comm.require-encryption`` enabled.
    """

    def basic_checks(context):
        # Peers must present a certificate; hostname matching is asserted
        # off, so only the certificate verification itself is relied upon.
        assert context.verify_mode == ssl.CERT_REQUIRED
        assert context.check_hostname is False

    def many_ciphers(context):
        # SSLContext.get_ciphers() is only available from Python 3.6.
        if sys.version_info < (3, 6):
            return
        assert len(context.get_ciphers()) > 2  # Most likely

    config = {
        "distributed.comm.tls.ca-file": ca_file,
        "distributed.comm.tls.scheduler.key": key1,
        "distributed.comm.tls.scheduler.cert": cert1,
        "distributed.comm.tls.worker.cert": keycert1,
    }
    with dask.config.set(config):
        security = Security()

    listen_args = security.get_listen_args("scheduler")
    assert not listen_args["require_encryption"]
    context = listen_args["ssl_context"]
    basic_checks(context)
    many_ciphers(context)

    listen_args = security.get_listen_args("worker")
    context = listen_args["ssl_context"]
    basic_checks(context)
    many_ciphers(context)

    # No cert defined => no TLS
    listen_args = security.get_listen_args("client")
    assert listen_args.get("ssl_context") is None

    # With more settings
    config["distributed.comm.tls.ciphers"] = FORCED_CIPHER
    config["distributed.comm.require-encryption"] = True

    with dask.config.set(config):
        security = Security()

    listen_args = security.get_listen_args("scheduler")
    assert listen_args["require_encryption"]
    context = listen_args["ssl_context"]
    basic_checks(context)
    if sys.version_info >= (3, 6):
        reported = context.get_ciphers()
        # Exactly one TLS 1.2 suite may remain once the cipher is forced.
        tls_12 = [entry for entry in reported if entry["protocol"] == "TLSv1.2"]
        assert len(tls_12) == 1
        # TLS 1.3 suites are either absent or all three are reported.
        tls_13 = [entry for entry in reported if entry["protocol"] == "TLSv1.3"]
        assert len(tls_13) in (0, 3)
def test_listen_args():
    """
    Check the ``ssl_context`` and ``require_encryption`` entries that
    ``Security.get_listen_args`` returns for the scheduler, worker and
    client roles, including the TLS version bounds of the context.
    """

    def basic_checks(context):
        # Peers must present a certificate; hostname matching is asserted
        # off, so only the certificate verification itself is relied upon.
        assert context.verify_mode == ssl.CERT_REQUIRED
        assert context.check_hostname is False
        # The config below leaves min-version unset (None); the context is
        # still expected to refuse anything older than TLS 1.2.
        assert context.minimum_version is ssl.TLSVersion.TLSv1_2
        assert context.maximum_version is ssl.TLSVersion.TLSv1_3

    config = {
        "distributed.comm.tls.ca-file": ca_file,
        "distributed.comm.tls.scheduler.key": key1,
        "distributed.comm.tls.scheduler.cert": cert1,
        "distributed.comm.tls.worker.cert": keycert1,
        "distributed.comm.tls.min-version": None,
        "distributed.comm.tls.max-version": 1.3,
    }
    with dask.config.set(config):
        security = Security()

    listen_args = security.get_listen_args("scheduler")
    assert not listen_args["require_encryption"]
    context = listen_args["ssl_context"]
    basic_checks(context)
    assert_many_ciphers(context)

    listen_args = security.get_listen_args("worker")
    context = listen_args["ssl_context"]
    basic_checks(context)
    assert_many_ciphers(context)

    # No cert defined => no TLS
    listen_args = security.get_listen_args("client")
    assert listen_args.get("ssl_context") is None

    # With more settings
    config["distributed.comm.tls.ciphers"] = FORCED_CIPHER
    config["distributed.comm.require-encryption"] = True

    with dask.config.set(config):
        security = Security()

    listen_args = security.get_listen_args("scheduler")
    assert listen_args["require_encryption"]
    context = listen_args["ssl_context"]
    basic_checks(context)

    reported = context.get_ciphers()
    # Exactly one TLS 1.2 suite may remain once the cipher is forced.
    tls_12 = [entry for entry in reported if "TLSv1.2" in entry["description"]]
    assert len(tls_12) == 1
    # TLS 1.3 suites are either absent or all three are reported.
    tls_13 = [entry for entry in reported if "TLSv1.3" in entry["description"]]
    assert len(tls_13) in (0, 3)
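def test_listen_args():
    """
    Check the ``ssl_context`` and ``require_encryption`` entries that
    ``Security.get_listen_args`` returns for the scheduler, worker and
    client roles, first with the base TLS config and then with a forced
    cipher and ``require-encryption`` enabled.
    """
    def basic_checks(ctx):
        # Peers must present a certificate; hostname matching is asserted
        # off, so only the certificate verification itself is relied upon.
        assert ctx.verify_mode == ssl.CERT_REQUIRED
        # Identity comparison: the flag must be the real bool False, not
        # merely a value that compares equal to it.
        assert ctx.check_hostname is False

    def many_ciphers(ctx):
        # SSLContext.get_ciphers() is only available from Python 3.6.
        if sys.version_info >= (3, 6):
            assert len(ctx.get_ciphers()) > 2  # Most likely

    c = {
        'tls': {
            'ca-file': ca_file,
            'scheduler': {
                'key': key1,
                'cert': cert1,
            },
            'worker': {
                'cert': keycert1,
            },
        },
    }
    with new_config(c):
        sec = Security()

    d = sec.get_listen_args('scheduler')
    assert not d['require_encryption']
    ctx = d['ssl_context']
    basic_checks(ctx)
    many_ciphers(ctx)

    d = sec.get_listen_args('worker')
    ctx = d['ssl_context']
    basic_checks(ctx)
    many_ciphers(ctx)

    # No cert defined => no TLS
    d = sec.get_listen_args('client')
    assert d.get('ssl_context') is None

    # With more settings
    c['tls']['ciphers'] = FORCED_CIPHER
    c['require-encryption'] = True

    with new_config(c):
        sec = Security()

    d = sec.get_listen_args('scheduler')
    assert d['require_encryption']
    ctx = d['ssl_context']
    basic_checks(ctx)
    if sys.version_info >= (3, 6):
        # NOTE(review): assumes the forced cipher is the only suite the
        # context reports; builds with TLS 1.3 support may list further
        # suites that the cipher setting does not remove -- confirm.
        assert len(ctx.get_ciphers()) == 1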
def test_tls_listen_connect():
    """
    Functional test for TLS connection args.

    A scheduler-role ``tls://`` listener is contacted three times: with
    worker connection args (must receive "hello"), with client connection
    args (must raise ``TypeError``) and with worker args from a config that
    forces a cipher (the negotiated cipher is then checked).
    """

    @gen.coroutine
    def handle_comm(comm):
        # The server must see the peer as a TLS endpoint before replying.
        assert comm.peer_address.startswith("tls://")
        yield comm.write("hello")
        yield comm.close()

    config = {
        "tls": {
            "ca-file": ca_file,
            "scheduler": {"key": key1, "cert": cert1},
            "worker": {"cert": keycert1},
        }
    }
    with new_config(config):
        sec = Security()

    config["tls"]["ciphers"] = FORCED_CIPHER
    with new_config(config):
        forced_cipher_sec = Security()

    scheduler_args = sec.get_listen_args("scheduler")
    with listen("tls://", handle_comm, connection_args=scheduler_args) as listener:
        comm = yield connect(
            listener.contact_address,
            connection_args=sec.get_connection_args("worker"),
        )
        reply = yield comm.read()
        assert reply == "hello"
        comm.abort()

        # No SSL context for client
        with pytest.raises(TypeError):
            yield connect(
                listener.contact_address,
                connection_args=sec.get_connection_args("client"),
            )

        # Check forced cipher
        comm = yield connect(
            listener.contact_address,
            connection_args=forced_cipher_sec.get_connection_args("worker"),
        )
        cipher_name, _, _ = comm.extra_info["cipher"]
        # NOTE(review): TLS 1.3 suites are accepted as well, presumably
        # because the cipher setting does not constrain them -- confirm.
        allowed = [FORCED_CIPHER] + TLS_13_CIPHERS
        assert cipher_name in allowed
        comm.abort()
def test_tls_listen_connect():
    """
    Functional test for TLS connection args.

    A scheduler-role ``tls://`` listener is contacted three times: with
    worker connection args (must receive 'hello'), with client connection
    args (must raise ``TypeError``) and with worker args from a config that
    forces a cipher (the negotiated cipher is then checked).
    """
    @gen.coroutine
    def handle_comm(comm):
        # The server must see the peer as a TLS endpoint before replying.
        assert comm.peer_address.startswith('tls://')
        yield comm.write('hello')
        yield comm.close()

    config = {
        'tls': {
            'ca-file': ca_file,
            'scheduler': {
                'key': key1,
                'cert': cert1,
            },
            'worker': {
                'cert': keycert1,
            },
        },
    }
    with new_config(config):
        sec = Security()

    config['tls']['ciphers'] = FORCED_CIPHER
    with new_config(config):
        forced_cipher_sec = Security()

    scheduler_args = sec.get_listen_args('scheduler')
    with listen('tls://', handle_comm,
                connection_args=scheduler_args) as listener:
        comm = yield connect(listener.contact_address,
                             connection_args=sec.get_connection_args('worker'))
        reply = yield comm.read()
        assert reply == 'hello'
        comm.abort()

        # No SSL context for client
        with pytest.raises(TypeError):
            yield connect(listener.contact_address,
                          connection_args=sec.get_connection_args('client'))

        # Check forced cipher
        comm = yield connect(
            listener.contact_address,
            connection_args=forced_cipher_sec.get_connection_args('worker'))
        cipher_name, _, _ = comm.extra_info['cipher']
        # NOTE(review): TLS 1.3 suites are accepted as well, presumably
        # because the cipher setting does not constrain them -- confirm.
        allowed = [FORCED_CIPHER] + TLS_13_CIPHERS
        assert cipher_name in allowed
        comm.abort()
def test_tls_listen_connect():
    """
    Functional test for TLS connection args.

    Opens a ``tls://`` listener with scheduler listen args, then connects
    with worker args (expects the 'hello' greeting), with client args
    (expects ``TypeError``) and with worker args built from a forced-cipher
    config (checks which cipher the comm reports).
    """
    @gen.coroutine
    def handle_comm(comm):
        # Reject anything that did not arrive over the TLS transport.
        remote = comm.peer_address
        assert remote.startswith('tls://')
        yield comm.write('hello')
        yield comm.close()

    tls_config = {
        'tls': {
            'ca-file': ca_file,
            'scheduler': {
                'key': key1,
                'cert': cert1,
            },
            'worker': {
                'cert': keycert1,
            },
        },
    }
    with new_config(tls_config):
        sec = Security()

    tls_config['tls']['ciphers'] = FORCED_CIPHER
    with new_config(tls_config):
        forced_cipher_sec = Security()

    with listen('tls://', handle_comm,
                connection_args=sec.get_listen_args('scheduler')) as listener:
        target = listener.contact_address

        comm = yield connect(target,
                             connection_args=sec.get_connection_args('worker'))
        greeting = yield comm.read()
        assert greeting == 'hello'
        comm.abort()

        # No SSL context for client
        with pytest.raises(TypeError):
            yield connect(target,
                          connection_args=sec.get_connection_args('client'))

        # Check forced cipher
        comm = yield connect(
            target,
            connection_args=forced_cipher_sec.get_connection_args('worker'))
        negotiated, _, _ = comm.extra_info['cipher']
        # Either the forced cipher or one of the listed TLS 1.3 suites.
        assert negotiated in [FORCED_CIPHER] + TLS_13_CIPHERS
        comm.abort()
async def test_tls_listen_connect():
    """
    Functional test for TLS connection args.

    Opens a ``tls://`` listener with scheduler listen args, then connects
    with worker args (expects the "hello" greeting), with client args
    (expects ``TypeError``) and with worker args built from a forced-cipher
    config (checks which cipher the comm reports).
    """

    async def handle_comm(comm):
        # Reject anything that did not arrive over the TLS transport.
        remote = comm.peer_address
        assert remote.startswith("tls://")
        await comm.write("hello")
        await comm.close()

    tls_config = {
        "distributed.comm.tls.ca-file": ca_file,
        "distributed.comm.tls.scheduler.key": key1,
        "distributed.comm.tls.scheduler.cert": cert1,
        "distributed.comm.tls.worker.cert": keycert1,
    }
    with dask.config.set(tls_config):
        sec = Security()

    tls_config["distributed.comm.tls.ciphers"] = FORCED_CIPHER
    with dask.config.set(tls_config):
        forced_cipher_sec = Security()

    async with listen(
        "tls://", handle_comm, connection_args=sec.get_listen_args("scheduler")
    ) as listener:
        target = listener.contact_address

        comm = await connect(
            target, connection_args=sec.get_connection_args("worker")
        )
        greeting = await comm.read()
        assert greeting == "hello"
        comm.abort()

        # No SSL context for client
        with pytest.raises(TypeError):
            await connect(
                target, connection_args=sec.get_connection_args("client")
            )

        # Check forced cipher
        comm = await connect(
            target,
            connection_args=forced_cipher_sec.get_connection_args("worker"),
        )
        negotiated, _, _ = comm.extra_info["cipher"]
        # Either the forced cipher or one of the listed TLS 1.3 suites.
        assert negotiated in [FORCED_CIPHER] + TLS_13_CIPHERS
        comm.abort()
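def test_require_encryption():
    """
    Functional test for "require_encryption" setting.

    ``sec`` is built without ``require-encryption`` and ``sec2`` with it set
    to ``True``, both from the same TLS material.  ``inproc://`` and
    ``tls://`` connections made with ``sec2`` must succeed; on ``tcp://``
    any use of ``sec2`` must be refused with the "encryption required"
    ``RuntimeError``.
    """

    @gen.coroutine
    def handle_comm(comm):
        # The listener side only has to accept; drop the comm right away.
        comm.abort()

    c = {
        "tls": {
            "ca-file": ca_file,
            "scheduler": {"key": key1, "cert": cert1},
            "worker": {"cert": keycert1},
        }
    }
    with new_config(c):
        sec = Security()
    c["require-encryption"] = True
    with new_config(c):
        sec2 = Security()

    for listen_addr in ["inproc://", "tls://"]:
        with listen(
            listen_addr, handle_comm, connection_args=sec.get_listen_args("scheduler")
        ) as listener:
            comm = yield connect(
                listener.contact_address,
                connection_args=sec2.get_connection_args("worker"),
            )
            comm.abort()

        with listen(
            listen_addr, handle_comm, connection_args=sec2.get_listen_args("scheduler")
        ) as listener:
            comm = yield connect(
                listener.contact_address,
                connection_args=sec2.get_connection_args("worker"),
            )
            comm.abort()

    @contextmanager
    def check_encryption_error():
        # Expect the refusal itself, not just any RuntimeError.
        with pytest.raises(RuntimeError) as excinfo:
            yield
        assert "encryption required" in str(excinfo.value)

    for listen_addr in ["tcp://"]:
        with listen(
            listen_addr, handle_comm, connection_args=sec.get_listen_args("scheduler")
        ) as listener:
            # Without require-encryption a plaintext connection is allowed.
            comm = yield connect(
                listener.contact_address,
                connection_args=sec.get_connection_args("worker"),
            )
            comm.abort()

            # The helper was previously unused, so any RuntimeError passed;
            # checking the message ties the test to the encryption refusal.
            with check_encryption_error():
                yield connect(
                    listener.contact_address,
                    connection_args=sec2.get_connection_args("worker"),
                )

        with check_encryption_error():
            listen(
                listen_addr,
                handle_comm,
                connection_args=sec2.get_listen_args("scheduler"),
            )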