def do_POST(self):
global received_metrics
print_ok("handling POST to fake bridge")
length = int(self.headers['Content-Length'])
received_metrics = json.loads(self.rfile.read(length).decode('utf-8'))
if __name__ == "__main__":
ghostunnel = None
try:
# Step 1: create certs
# root, ou=server, ou=client, ou=other_client
create_root_cert('root')
create_signed_cert('server', 'root')
create_signed_cert('client1', 'root')
# Step 2: start ghostunnel
ghostunnel = Popen([
'../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13000'.format(LOCALHOST), '--keystore=server.p12',
'--storepass='******'--cacert=root.crt', '--allow-ou=client1'
])
# Step 3: connect with client1, confirm that the tunnel is up
pair = SocketPair('client1', 13001, 13000)
pair.validate_can_send_from_client("hello world",
"1: client -> server")
pair.validate_can_send_from_server("hello world",
"1: server -> client")
pair.validate_closing_client_closes_server(
"1: client closed -> server closed")
print_ok("OK")
finally:
cleanup_certs(['root', 'server', 'client1'])
if ghostunnel:
ghostunnel.kill()
httpd = http.server.HTTPServer(('localhost',13080), FakeMetricsBridgeHandler)
server = threading.Thread(target=httpd.handle_request)
server.start()
# Step 2: start ghostunnel
ghostunnel = Popen(['../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13100'.format(LOCALHOST), '--keystore=server.p12',
'--storepass='******'--cacert=root.crt', '--allow-ou=client1',
'--status={0}:13100'.format(LOCALHOST), '--metrics-url=http://localhost:13080/post'])
# Step 3: wait for metrics to post
for i in range(0, 10):
if received_metrics:
break
else:
# wait a little longer...
time.sleep(1)
if not received_metrics:
raise Exception("did not receive metrics from instance")
if type(received_metrics) != list:
raise Exception("ghostunnel metrics expected to be JSON list")
print_ok("OK")
finally:
if ghostunnel:
ghostunnel.kill()
cleanup_certs(['root', 'server', 'new_server', 'client1'])
from subprocess import Popen
from test_common import RootCert, LOCALHOST, STATUS_PORT, SocketPair, print_ok, TcpClient, TlsServer
import socket, ssl
if __name__ == "__main__":
ghostunnel = None
try:
# create certs
root = RootCert('root')
root.create_signed_cert('server')
root.create_signed_cert('client')
# start ghostunnel
ghostunnel = Popen(['../ghostunnel', 'client', '--listen={0}:13004'.format(LOCALHOST),
'--target={0}:13005'.format(LOCALHOST), '--keystore=client.p12',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--cacert=root.crt'])
# client should fail to connect since nothing is listening on 13006
try:
pair = SocketPair(TcpClient(13004), TlsServer('server', 'root', 13006))
raise Exception('client should have failed to connect')
except socket.timeout:
print_ok("timeout when nothing is listening on 13006")
# client should connect
pair = SocketPair(TcpClient(13004), TlsServer('server', 'root', 13005))
print_ok("OK")
finally:
if ghostunnel:
ghostunnel.kill()
'--storepass='******'--cacert=root.crt', '--allow-ou=client1'])
# Step 3: connect with client1, confirm that the tunnel is up
pair = SocketPair('client1', 13001, 13000)
pair.validate_can_send_from_client("hello world", "1: client -> server")
pair.validate_can_send_from_server("hello world", "1: server -> client")
pair.validate_closing_client_closes_server("1: client closed -> server closed")
# Step 4: connect with client2, confirm that the tunnel isn't up
try:
pair = SocketPair('client2', 13001, 13000)
raise Exception('failed to reject client2')
except socket.timeout:
# TODO: this should be a ssl.SSLError, but ends up being a timeout. Figure
# out why.
print_ok("client2 correctly rejected")
# Step 5: connect with other_client1, confirm that the tunnel isn't
# up
try:
pair = SocketPair('other_client1', 13001, 13000)
raise Exception('failed to reject other_client1')
except ssl.SSLError:
print_ok("other_client1 correctly rejected")
print_ok("OK")
finally:
cleanup_certs(['root', 'server', 'client1', 'client2', 'other_root', 'other_client1'])
if ghostunnel:
ghostunnel.kill()
# block until ghostunnel is up
TcpClient(STATUS_PORT).connect(20)
status = json.loads(str(urlopen("https://{0}:{1}/_status".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
metrics = json.loads(str(urlopen("https://{0}:{1}/_metrics".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
if not status['ok']:
raise Exception("ghostunnel reported non-ok status")
if type(metrics) != list:
raise Exception("ghostunnel metrics expected to be JSON list")
# reload, check we get the new cert on /_status
os.rename('new_server.p12', 'server.p12')
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root', STATUS_PORT).connect(20, 'new_server')
print_ok('/_status seems up')
# read status information
status = json.loads(str(urlopen("https://{0}:{1}/_status".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
metrics = json.loads(str(urlopen("https://{0}:{1}/_metrics".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
if not status['ok']:
raise Exception("ghostunnel reported non-ok status")
if type(metrics) != list:
raise Exception("ghostunnel metrics expected to be JSON list")
print_ok("OK")
finally:
if ghostunnel:
ghostunnel.kill()
try:
# Step 1: create certs
create_root_cert('root')
create_signed_cert('server', 'root')
create_signed_cert('client1', 'root')
# Step 2: start ghostunnel
ghostunnel = Popen([
'../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13000'.format(LOCALHOST), '--keystore=server.p12',
'--storepass='******'--cacert=root.crt', '--allow-ou=client1'
])
# Step 3: client should fail to connect since nothing is listening on 13002
try:
pair = SocketPair('client1', 13001, 13002)
except socket.timeout:
print_ok("timeout when nothing is listening on 13000")
# Step 4: client should connect
try:
pair = SocketPair('client1', 13001, 13000)
except socket.timeout:
print_ok("timeout when nothing is listening on 13000")
print_ok("OK")
finally:
cleanup_certs(['root', 'server', 'client1'])
if ghostunnel:
ghostunnel.kill()
# Step 2: start ghostunnel
ghostunnel = Popen(['../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13000'.format(LOCALHOST), '--keystore=server.p12',
'--storepass='******'--cacert=root.crt', '--allow-ou=client1', '--allow-ou=client2'])
# Step 3: create connections with client1 and client2
pair1 = SocketPair('client1', 13001, 13000)
pair1.validate_can_send_from_client("toto", "pair1 works")
pair2 = SocketPair('client2', 13001, 13000)
pair2.validate_can_send_from_client("toto", "pair2 works")
# Step 4: re-new the server and client1 certs
cleanup_certs(['root', 'server', 'client1'])
print_ok("deleted root, server and client1")
create_root_cert('root')
print_ok("re-created root")
create_signed_cert('server', 'root')
print_ok("re-created server")
create_signed_cert('client1', 'root')
print_ok("re-created client1")
# Trigger reload
ghostunnel.send_signal(signal.SIGUSR1)
time.sleep(10)
# Step 5: ensure that client1 can connect
try:
pair3 = SocketPair('client1', 13001, 13000)
pair3.validate_can_send_from_client("toto", "pair3 works")
root2.create_signed_cert('server2')
root2.create_signed_cert('client2')
# start ghostunnel
ghostunnel = Popen(['../ghostunnel', 'client', '--listen={0}:13004'.format(LOCALHOST),
'--target={0}:13005'.format(LOCALHOST), '--keystore=client1.p12',
'--cacert=root1.crt', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)])
# ensure ghostunnel connects with server1
pair1 = SocketPair(TcpClient(13004), TlsServer('server1', 'root1', 13005))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
# check certificate on status port
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
print_ok("got client1 on /_status")
# replace keystore and check ghostunnel connects with new_client1
os.rename('new_client1.p12', 'client1.p12')
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root1', STATUS_PORT).connect(20, 'new_client1')
print_ok("reload done")
pair2 = SocketPair(TcpClient(13004), TlsServer('server1', 'root1', 13005))
pair2.validate_can_send_from_client("toto", "pair2 works")
pair2.validate_client_cert("new_client1", "pair2: ou=new_client1 -> ...")
# ensure ghostunnel won't connect to server2
try:
pair3 = SocketPair(TcpClient(13004), TlsServer('server2', 'root1', 13005))
pair3.validate_can_send_from_client("toto", "pair3 works")
'--target={0}:13005'.format(LOCALHOST), '--keystore=client.p12',
'--cacert=root.crt', '--min-tls=1.2',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)])
try:
# setup a server which talks TLS < 1.2
pair = SocketPair(TcpClient(13004), TlsServer('client', 'root', 13005, ssl_version=ssl.PROTOCOL_SSLv3))
# should fail with value error, because we set min TLS version to v1.2
# but we tried to connect with TLS < 1.2. if we didn't get an exception,
# we managed to connect with a lesser version which is not the expected behavior
raise Exception('urlopen with TLSv1.1 should fail if --min-tls=1.2 was set')
except ssl.SSLError as e:
print(e)
if str(e).find("[SSL: WRONG_VERSION_NUMBER]") == -1:
raise Exception('unexpected error: ' + str(e) + ' (should be "[SSL: WRONG_VERSION_NUMBER]')
print_ok('correctly failed to connect with SSLv3 if --min-tls=1.2 was set')
try:
# check STATUS_PORT
TlsClient('client', 'root', STATUS_PORT, ssl_version=ssl.PROTOCOL_SSLv3).connect()
except ssl.SSLError as e:
print(e)
if str(e).find("[SSL: WRONG_VERSION_NUMBER]") == -1:
raise Exception('unexpected error: ' + str(e) + ' (should be "[SSL: WRONG_VERSION_NUMBER]')
print_ok('correctly failed to connect with SSLv3 if --min-tls=1.2 was set')
finally:
if ghostunnel:
ghostunnel.kill()
try:
# Step 1: create certs
create_root_cert('root')
create_signed_cert('server', 'root')
create_signed_cert('new_server', 'root')
create_signed_cert('client1', 'root')
# Step 2: start ghostunnel, set min TLS version to v1.2
ghostunnel = Popen(['../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13100'.format(LOCALHOST), '--keystore=server.p12',
'--storepass='******'--cacert=root.crt', '--allow-ou=client1',
'--status={0}:13100'.format(LOCALHOST), '--min-tls=1.2'])
wait_for_status(13100)
# Step 3: try to connect with TLS < 1.2
urllib.request.urlopen('https://{0}:13100/_status'.format(LOCALHOST), context=ssl.SSLContext(ssl.PROTOCOL_SSLv23 & ssl.OP_NO_TLSv1_2))
# should fail with value error, because we set min TLS version to v1.2
# but we tried to connect with TLS < 1.2. if we didn't get an exception,
# we managed to connect with a lesser version which is not the expected behavior
raise Exception('urlopen with TLSv1.1 should fail if --min-tls=1.2 was set')
except ValueError as e:
if str(e) != 'invalid protocol version':
raise Exception('unexpected error: ' + str(e) + ' (should be "invalid protocol version")')
print_ok('correctly failed to connect with TLSv1.1 if --min-tls=1.2 was set')
finally:
if ghostunnel:
ghostunnel.kill()
cleanup_certs(['root', 'server', 'new_server', 'client1'])
ghostunnel = Popen([
'../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13100'.format(LOCALHOST), '--keystore=server.p12',
'--storepass='******'--cacert=root.crt', '--allow-ou=client1',
'--status={0}:13100'.format(LOCALHOST), '--min-tls=1.2'
])
wait_for_status(13100)
# Step 3: try to connect with TLS < 1.2
urllib.request.urlopen('https://{0}:13100/_status'.format(LOCALHOST),
context=ssl.SSLContext(ssl.PROTOCOL_SSLv23
& ssl.OP_NO_TLSv1_2))
# should fail with value error, because we set min TLS version to v1.2
# but we tried to connect with TLS < 1.2. if we didn't get an exception,
# we managed to connect with a lesser version which is not the expected behavior
raise Exception(
'urlopen with TLSv1.1 should fail if --min-tls=1.2 was set')
except ValueError as e:
if str(e) != 'invalid protocol version':
raise Exception('unexpected error: ' + str(e) +
' (should be "invalid protocol version")')
print_ok(
'correctly failed to connect with TLSv1.1 if --min-tls=1.2 was set'
)
finally:
if ghostunnel:
ghostunnel.kill()
cleanup_certs(['root', 'server', 'new_server', 'client1'])
'../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13000'.format(LOCALHOST), '--keystore=server.p12',
'--storepass='******'--cacert=root.crt', '--allow-ou=client1',
'--allow-ou=client2'
])
# Step 3: create connections with client1 and client2
pair1 = SocketPair('client1', 13001, 13000)
pair1.validate_can_send_from_client("toto", "pair1 works")
pair2 = SocketPair('client2', 13001, 13000)
pair2.validate_can_send_from_client("toto", "pair2 works")
# Step 4: re-new the server and client1 certs
cleanup_certs(['root', 'server', 'client1'])
print_ok("deleted root, server and client1")
create_root_cert('root')
print_ok("re-created root")
create_signed_cert('server', 'root')
print_ok("re-created server")
create_signed_cert('client1', 'root')
print_ok("re-created client1")
# Trigger reload
ghostunnel.send_signal(signal.SIGUSR1)
time.sleep(10)
# Step 5: ensure that client1 can connect
try:
pair3 = SocketPair('client1', 13001, 13000)
pair3.validate_can_send_from_client("toto", "pair3 works")
# start ghostunnel
ghostunnel = Popen(['../ghostunnel', 'server', '--listen={0}:13001'.format(LOCALHOST),
'--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
'--cacert=root.crt', '--allow-ou=client',
'--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)])
# create connections with client
pair1 = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
pair1.validate_can_send_from_client("toto", "pair1 works")
pair1.validate_tunnel_ou("server", "pair1 -> ou=server")
# Replace keystore and trigger reload
os.rename('new_server.p12', 'server.p12')
ghostunnel.send_signal(signal.SIGUSR1)
TlsClient(None, 'root', STATUS_PORT).connect(20, 'new_server')
print_ok("reload done")
# create connections with client
pair2 = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
pair2.validate_can_send_from_client("toto", "pair2 works")
pair2.validate_tunnel_ou("new_server", "pair2 -> ou=new_server")
# ensure that pair1 is still alive
pair1.validate_can_send_from_client("toto", "pair1 still works")
print_ok("OK")
finally:
if ghostunnel:
ghostunnel.kill()