示例#1
0
 def do_POST(self):
   global received_metrics
   print_ok("handling POST to fake bridge")
   length = int(self.headers['Content-Length'])
   received_metrics = json.loads(self.rfile.read(length).decode('utf-8'))
if __name__ == "__main__":
    ghostunnel = None
    try:
        # Step 1: create certs
        # root, ou=server, ou=client, ou=other_client
        create_root_cert('root')
        create_signed_cert('server', 'root')
        create_signed_cert('client1', 'root')

        # Step 2: start ghostunnel
        ghostunnel = Popen([
            '../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13000'.format(LOCALHOST), '--keystore=server.p12',
            '--storepass='******'--cacert=root.crt', '--allow-ou=client1'
        ])

        # Step 3: connect with client1, confirm that the tunnel is up
        pair = SocketPair('client1', 13001, 13000)
        pair.validate_can_send_from_client("hello world",
                                           "1: client -> server")
        pair.validate_can_send_from_server("hello world",
                                           "1: server -> client")
        pair.validate_closing_client_closes_server(
            "1: client closed -> server closed")

        print_ok("OK")
    finally:
        cleanup_certs(['root', 'server', 'client1'])
        if ghostunnel:
            ghostunnel.kill()
示例#3
0
    httpd = http.server.HTTPServer(('localhost',13080), FakeMetricsBridgeHandler)
    server = threading.Thread(target=httpd.handle_request)
    server.start()

    # Step 2: start ghostunnel
    ghostunnel = Popen(['../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
      '--target={0}:13100'.format(LOCALHOST), '--keystore=server.p12',
      '--storepass='******'--cacert=root.crt', '--allow-ou=client1',
      '--status={0}:13100'.format(LOCALHOST), '--metrics-url=http://localhost:13080/post'])

    # Step 3: wait for metrics to post
    for i in range(0, 10):
      if received_metrics:
        break
      else:
        # wait a little longer...
        time.sleep(1)

    if not received_metrics:
      raise Exception("did not receive metrics from instance")

    if type(received_metrics) != list:
      raise Exception("ghostunnel metrics expected to be JSON list")

    print_ok("OK")
  finally:
    if ghostunnel:
      ghostunnel.kill()
    cleanup_certs(['root', 'server', 'new_server', 'client1'])
from subprocess import Popen
from test_common import RootCert, LOCALHOST, STATUS_PORT, SocketPair, print_ok, TcpClient, TlsServer
import socket, ssl

if __name__ == "__main__":
  ghostunnel = None
  try:
    # create certs
    root = RootCert('root')
    root.create_signed_cert('server')
    root.create_signed_cert('client')

    # start ghostunnel
    ghostunnel = Popen(['../ghostunnel', 'client', '--listen={0}:13004'.format(LOCALHOST),
      '--target={0}:13005'.format(LOCALHOST), '--keystore=client.p12',
      '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT), '--cacert=root.crt'])

    # client should fail to connect since nothing is listening on 13006
    try:
      pair = SocketPair(TcpClient(13004), TlsServer('server', 'root', 13006))
      raise Exception('client should have failed to connect')
    except socket.timeout:
      print_ok("timeout when nothing is listening on 13006")

    # client should connect
    pair = SocketPair(TcpClient(13004), TlsServer('server', 'root', 13005))
    print_ok("OK")
  finally:
    if ghostunnel:
      ghostunnel.kill()
示例#5
0
      '--storepass='******'--cacert=root.crt', '--allow-ou=client1'])

    # Step 3: connect with client1, confirm that the tunnel is up
    pair = SocketPair('client1', 13001, 13000)
    pair.validate_can_send_from_client("hello world", "1: client -> server")
    pair.validate_can_send_from_server("hello world", "1: server -> client")
    pair.validate_closing_client_closes_server("1: client closed -> server closed")

    # Step 4: connect with client2, confirm that the tunnel isn't up
    try:
      pair = SocketPair('client2', 13001, 13000)
      raise Exception('failed to reject client2')
    except socket.timeout:
      # TODO: this should be a ssl.SSLError, but ends up being a timeout. Figure
      # out why.
      print_ok("client2 correctly rejected")

    # Step 5: connect with other_client1, confirm that the tunnel isn't
    # up
    try:
      pair = SocketPair('other_client1', 13001, 13000)
      raise Exception('failed to reject other_client1')
    except ssl.SSLError:
      print_ok("other_client1 correctly rejected")

    print_ok("OK")
  finally:
    cleanup_certs(['root', 'server', 'client1', 'client2', 'other_root', 'other_client1'])
    if ghostunnel:
      ghostunnel.kill()
    # block until ghostunnel is up
    TcpClient(STATUS_PORT).connect(20)
    status = json.loads(str(urlopen("https://{0}:{1}/_status".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
    metrics = json.loads(str(urlopen("https://{0}:{1}/_metrics".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))

    if not status['ok']:
        raise Exception("ghostunnel reported non-ok status")

    if type(metrics) != list:
        raise Exception("ghostunnel metrics expected to be JSON list")

    # reload, check we get the new cert on /_status
    os.rename('new_server.p12', 'server.p12')
    ghostunnel.send_signal(signal.SIGUSR1)
    TlsClient(None, 'root', STATUS_PORT).connect(20, 'new_server')
    print_ok('/_status seems up')

    # read status information
    status = json.loads(str(urlopen("https://{0}:{1}/_status".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))
    metrics = json.loads(str(urlopen("https://{0}:{1}/_metrics".format(LOCALHOST, STATUS_PORT)).read(), 'utf-8'))

    if not status['ok']:
        raise Exception("ghostunnel reported non-ok status")

    if type(metrics) != list:
        raise Exception("ghostunnel metrics expected to be JSON list")

    print_ok("OK")
  finally:
    if ghostunnel:
      ghostunnel.kill()
示例#7
0
    try:
        # Step 1: create certs
        create_root_cert('root')
        create_signed_cert('server', 'root')
        create_signed_cert('client1', 'root')

        # Step 2: start ghostunnel
        ghostunnel = Popen([
            '../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13000'.format(LOCALHOST), '--keystore=server.p12',
            '--storepass='******'--cacert=root.crt', '--allow-ou=client1'
        ])

        # Step 3: client should fail to connect since nothing is listening on 13002
        try:
            pair = SocketPair('client1', 13001, 13002)
        except socket.timeout:
            print_ok("timeout when nothing is listening on 13000")

        # Step 4: client should connect
        try:
            pair = SocketPair('client1', 13001, 13000)
        except socket.timeout:
            print_ok("timeout when nothing is listening on 13000")

        print_ok("OK")
    finally:
        cleanup_certs(['root', 'server', 'client1'])
        if ghostunnel:
            ghostunnel.kill()
    # Step 2: start ghostunnel
    ghostunnel = Popen(['../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
      '--target={0}:13000'.format(LOCALHOST), '--keystore=server.p12',
      '--storepass='******'--cacert=root.crt', '--allow-ou=client1', '--allow-ou=client2'])

    # Step 3: create connections with client1 and client2
    pair1 = SocketPair('client1', 13001, 13000)
    pair1.validate_can_send_from_client("toto", "pair1 works")

    pair2 = SocketPair('client2', 13001, 13000)
    pair2.validate_can_send_from_client("toto", "pair2 works")

    # Step 4: re-new the server and client1 certs
    cleanup_certs(['root', 'server', 'client1'])
    print_ok("deleted root, server and client1")
    create_root_cert('root')
    print_ok("re-created root")
    create_signed_cert('server', 'root')
    print_ok("re-created server")
    create_signed_cert('client1', 'root')
    print_ok("re-created client1")

    # Trigger reload
    ghostunnel.send_signal(signal.SIGUSR1)
    time.sleep(10)

    # Step 5: ensure that client1 can connect
    try:
      pair3 = SocketPair('client1', 13001, 13000)
      pair3.validate_can_send_from_client("toto", "pair3 works")
    root2.create_signed_cert('server2')
    root2.create_signed_cert('client2')

    # start ghostunnel
    ghostunnel = Popen(['../ghostunnel', 'client', '--listen={0}:13004'.format(LOCALHOST),
      '--target={0}:13005'.format(LOCALHOST), '--keystore=client1.p12',
      '--cacert=root1.crt', '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)])

    # ensure ghostunnel connects with server1
    pair1 = SocketPair(TcpClient(13004), TlsServer('server1', 'root1', 13005))
    pair1.validate_can_send_from_client("toto", "pair1 works")
    pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")

    # check certificate on status port
    TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
    print_ok("got client1 on /_status")

    # replace keystore and check ghostunnel connects with new_client1
    os.rename('new_client1.p12', 'client1.p12')
    ghostunnel.send_signal(signal.SIGUSR1)
    TlsClient(None, 'root1', STATUS_PORT).connect(20, 'new_client1')
    print_ok("reload done")

    pair2 = SocketPair(TcpClient(13004), TlsServer('server1', 'root1', 13005))
    pair2.validate_can_send_from_client("toto", "pair2 works")
    pair2.validate_client_cert("new_client1", "pair2: ou=new_client1 -> ...")

    # ensure ghostunnel won't connect to server2
    try:
      pair3 = SocketPair(TcpClient(13004), TlsServer('server2', 'root1', 13005))
      pair3.validate_can_send_from_client("toto", "pair3 works")
      '--target={0}:13005'.format(LOCALHOST), '--keystore=client.p12',
      '--cacert=root.crt', '--min-tls=1.2',
      '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)])

    try:
      # setup a server which talks TLS < 1.2
      pair = SocketPair(TcpClient(13004), TlsServer('client', 'root', 13005, ssl_version=ssl.PROTOCOL_SSLv3))

      # should fail with value error, because we set min TLS version to v1.2
      # but we tried to connect with TLS < 1.2. if we didn't get an exception,
      # we managed to connect with a lesser version which is not the expected behavior
      raise Exception('urlopen with TLSv1.1 should fail if --min-tls=1.2 was set')

    except ssl.SSLError as e:
      print(e)
      if str(e).find("[SSL: WRONG_VERSION_NUMBER]") == -1:
        raise Exception('unexpected error: ' + str(e) + ' (should be "[SSL: WRONG_VERSION_NUMBER]')
      print_ok('correctly failed to connect with SSLv3 if --min-tls=1.2 was set')

    try:
      # check STATUS_PORT
      TlsClient('client', 'root', STATUS_PORT, ssl_version=ssl.PROTOCOL_SSLv3).connect()
    except ssl.SSLError as e:
      print(e)
      if str(e).find("[SSL: WRONG_VERSION_NUMBER]") == -1:
        raise Exception('unexpected error: ' + str(e) + ' (should be "[SSL: WRONG_VERSION_NUMBER]')
      print_ok('correctly failed to connect with SSLv3 if --min-tls=1.2 was set')
  finally:
    if ghostunnel:
      ghostunnel.kill()
示例#11
0
  try:
    # Step 1: create certs
    create_root_cert('root')
    create_signed_cert('server', 'root')
    create_signed_cert('new_server', 'root')
    create_signed_cert('client1', 'root')

    # Step 2: start ghostunnel, set min TLS version to v1.2
    ghostunnel = Popen(['../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
      '--target={0}:13100'.format(LOCALHOST), '--keystore=server.p12',
      '--storepass='******'--cacert=root.crt', '--allow-ou=client1',
      '--status={0}:13100'.format(LOCALHOST), '--min-tls=1.2'])
    wait_for_status(13100)

    # Step 3: try to connect with TLS < 1.2
    urllib.request.urlopen('https://{0}:13100/_status'.format(LOCALHOST), context=ssl.SSLContext(ssl.PROTOCOL_SSLv23 & ssl.OP_NO_TLSv1_2))

    # should fail with value error, because we set min TLS version to v1.2
    # but we tried to connect with TLS < 1.2. if we didn't get an exception,
    # we managed to connect with a lesser version which is not the expected behavior
    raise Exception('urlopen with TLSv1.1 should fail if --min-tls=1.2 was set')

  except ValueError as e:
    if str(e) != 'invalid protocol version':
      raise Exception('unexpected error: ' + str(e) + ' (should be "invalid protocol version")')
    print_ok('correctly failed to connect with TLSv1.1 if --min-tls=1.2 was set')
  finally:
    if ghostunnel:
      ghostunnel.kill()
    cleanup_certs(['root', 'server', 'new_server', 'client1'])
示例#12
0
        ghostunnel = Popen([
            '../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13100'.format(LOCALHOST), '--keystore=server.p12',
            '--storepass='******'--cacert=root.crt', '--allow-ou=client1',
            '--status={0}:13100'.format(LOCALHOST), '--min-tls=1.2'
        ])
        wait_for_status(13100)

        # Step 3: try to connect with TLS < 1.2
        urllib.request.urlopen('https://{0}:13100/_status'.format(LOCALHOST),
                               context=ssl.SSLContext(ssl.PROTOCOL_SSLv23
                                                      & ssl.OP_NO_TLSv1_2))

        # should fail with value error, because we set min TLS version to v1.2
        # but we tried to connect with TLS < 1.2. if we didn't get an exception,
        # we managed to connect with a lesser version which is not the expected behavior
        raise Exception(
            'urlopen with TLSv1.1 should fail if --min-tls=1.2 was set')

    except ValueError as e:
        if str(e) != 'invalid protocol version':
            raise Exception('unexpected error: ' + str(e) +
                            ' (should be "invalid protocol version")')
        print_ok(
            'correctly failed to connect with TLSv1.1 if --min-tls=1.2 was set'
        )
    finally:
        if ghostunnel:
            ghostunnel.kill()
        cleanup_certs(['root', 'server', 'new_server', 'client1'])
示例#13
0
            '../ghostunnel', '--listen={0}:13001'.format(LOCALHOST),
            '--target={0}:13000'.format(LOCALHOST), '--keystore=server.p12',
            '--storepass='******'--cacert=root.crt', '--allow-ou=client1',
            '--allow-ou=client2'
        ])

        # Step 3: create connections with client1 and client2
        pair1 = SocketPair('client1', 13001, 13000)
        pair1.validate_can_send_from_client("toto", "pair1 works")

        pair2 = SocketPair('client2', 13001, 13000)
        pair2.validate_can_send_from_client("toto", "pair2 works")

        # Step 4: re-new the server and client1 certs
        cleanup_certs(['root', 'server', 'client1'])
        print_ok("deleted root, server and client1")
        create_root_cert('root')
        print_ok("re-created root")
        create_signed_cert('server', 'root')
        print_ok("re-created server")
        create_signed_cert('client1', 'root')
        print_ok("re-created client1")

        # Trigger reload
        ghostunnel.send_signal(signal.SIGUSR1)
        time.sleep(10)

        # Step 5: ensure that client1 can connect
        try:
            pair3 = SocketPair('client1', 13001, 13000)
            pair3.validate_can_send_from_client("toto", "pair3 works")
    # start ghostunnel
    ghostunnel = Popen(['../ghostunnel', 'server', '--listen={0}:13001'.format(LOCALHOST),
      '--target={0}:13002'.format(LOCALHOST), '--keystore=server.p12',
      '--cacert=root.crt', '--allow-ou=client',
      '--status={0}:{1}'.format(LOCALHOST, STATUS_PORT)])

    # create connections with client
    pair1 = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
    pair1.validate_can_send_from_client("toto", "pair1 works")
    pair1.validate_tunnel_ou("server", "pair1 -> ou=server")

    # Replace keystore and trigger reload
    os.rename('new_server.p12', 'server.p12')
    ghostunnel.send_signal(signal.SIGUSR1)

    TlsClient(None, 'root', STATUS_PORT).connect(20, 'new_server')
    print_ok("reload done")

    # create connections with client
    pair2 = SocketPair(TlsClient('client', 'root', 13001), TcpServer(13002))
    pair2.validate_can_send_from_client("toto", "pair2 works")
    pair2.validate_tunnel_ou("new_server", "pair2 -> ou=new_server")

    # ensure that pair1 is still alive
    pair1.validate_can_send_from_client("toto", "pair1 still works")

    print_ok("OK")
  finally:
    if ghostunnel:
      ghostunnel.kill()