Merge pull request #188 from square/cs/tests
Add tests for {allow,verify}-{dns,uri} flags
Showing
5 changed files
with
225 additions
and
1 deletion.
@@ -0,0 +1,58 @@ | ||
#!/usr/bin/env python3 | ||
|
||
""" | ||
Tests that verify-dns flag works correctly on the client. | ||
""" | ||
|
||
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \ | ||
TlsServer, print_ok, run_ghostunnel, terminate | ||
|
||
import ssl | ||
|
||
if __name__ == "__main__": | ||
ghostunnel = None | ||
try: | ||
# create certs | ||
root = RootCert('root') | ||
root.create_signed_cert('client') | ||
root.create_signed_cert( | ||
'server1', | ||
san='DNS:server1,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
root.create_signed_cert( | ||
'server2', | ||
san='DNS:server2,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
|
||
other_root = RootCert('other_root') | ||
other_root.create_signed_cert('other_server') | ||
|
||
# start ghostunnel | ||
ghostunnel = run_ghostunnel(['client', | ||
'--listen={0}:13001'.format(LOCALHOST), | ||
'--target=localhost:13002', | ||
'--keystore=client.p12', | ||
'--verify-dns=server1', | ||
'--cacert=root.crt', | ||
'--status={0}:{1}'.format(LOCALHOST, | ||
STATUS_PORT)]) | ||
|
||
# connect to server1, confirm that the tunnel is up | ||
pair = SocketPair(TcpClient(13001), TlsServer( | ||
'server1', 'root', 13002)) | ||
pair.validate_can_send_from_client( | ||
"hello world", "1: client -> server") | ||
pair.validate_can_send_from_server( | ||
"hello world", "1: server -> client") | ||
pair.validate_closing_client_closes_server( | ||
"1: client closed -> server closed") | ||
|
||
# connect to server2, confirm that the tunnel isn't up | ||
try: | ||
pair = SocketPair(TcpClient(13001), TlsServer( | ||
'server2', 'root', 13002)) | ||
raise Exception('failed to reject other_server') | ||
except ssl.SSLError: | ||
print_ok("other_server correctly rejected") | ||
|
||
print_ok("OK") | ||
finally: | ||
terminate(ghostunnel) |
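Review bot: The rejection step at the end of the hunk connects with `TlsServer('server2', 'root', 13002)`, yet its messages read `failed to reject other_server` and `other_server correctly rejected`, and the `other_root`/`other_server` certificates created a few lines earlier are never used, so the untrusted-CA negative case for --verify-dns is not exercised at all. The --verify-uri test in this commit has the same mismatch and the same unused certificates. I would rename the messages to server2 and add a second rejection step that presents other_server, on the assumption (not visible here) that TlsServer's second argument is the CA name it loads; the whole `if __name__` block lies inside the hunk.
```python
        # connect to server2 (right root, wrong SAN), confirm the tunnel isn't up
        try:
            pair = SocketPair(TcpClient(13001), TlsServer(
                'server2', 'root', 13002))
            raise Exception('failed to reject server2')
        except ssl.SSLError:
            print_ok("server2 correctly rejected")

        # connect to other_server (untrusted root), confirm it is rejected too
        try:
            pair = SocketPair(TcpClient(13001), TlsServer(
                'other_server', 'other_root', 13002))
            raise Exception('failed to reject other_server')
        except ssl.SSLError:
            print_ok("other_server correctly rejected")
        # … unchanged: print_ok("OK") / finally: terminate(ghostunnel) …
```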
@@ -0,0 +1,58 @@ | ||
#!/usr/bin/env python3 | ||
|
||
""" | ||
Tests that verify-uri flag works correctly on the client. | ||
""" | ||
|
||
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, \ | ||
TlsServer, print_ok, run_ghostunnel, terminate | ||
|
||
import ssl | ||
|
||
if __name__ == "__main__": | ||
ghostunnel = None | ||
try: | ||
# create certs | ||
root = RootCert('root') | ||
root.create_signed_cert('client') | ||
root.create_signed_cert( | ||
'server1', | ||
san='URI:spiffe://server1,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
root.create_signed_cert( | ||
'server2', | ||
san='URI:spiffe://server2,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
|
||
other_root = RootCert('other_root') | ||
other_root.create_signed_cert('other_server') | ||
|
||
# start ghostunnel | ||
ghostunnel = run_ghostunnel(['client', | ||
'--listen={0}:13001'.format(LOCALHOST), | ||
'--target=localhost:13002', | ||
'--keystore=client.p12', | ||
'--verify-uri=spiffe://server1', | ||
'--cacert=root.crt', | ||
'--status={0}:{1}'.format(LOCALHOST, | ||
STATUS_PORT)]) | ||
|
||
# connect to server1, confirm that the tunnel is up | ||
pair = SocketPair(TcpClient(13001), TlsServer( | ||
'server1', 'root', 13002)) | ||
pair.validate_can_send_from_client( | ||
"hello world", "1: client -> server") | ||
pair.validate_can_send_from_server( | ||
"hello world", "1: server -> client") | ||
pair.validate_closing_client_closes_server( | ||
"1: client closed -> server closed") | ||
|
||
# connect to server2, confirm that the tunnel isn't up | ||
try: | ||
pair = SocketPair(TcpClient(13001), TlsServer( | ||
'server2', 'root', 13002)) | ||
raise Exception('failed to reject other_server') | ||
except ssl.SSLError: | ||
print_ok("other_server correctly rejected") | ||
|
||
print_ok("OK") | ||
finally: | ||
terminate(ghostunnel) |
@@ -0,0 +1,54 @@ | ||
#!/usr/bin/env python3 | ||
|
||
""" | ||
Test to check --allow-dns flag behavior. | ||
""" | ||
|
||
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \ | ||
TlsClient, print_ok, run_ghostunnel, terminate | ||
|
||
import os | ||
import signal | ||
import ssl | ||
|
||
if __name__ == "__main__": | ||
ghostunnel = None | ||
try: | ||
# create certs | ||
root = RootCert('root') | ||
root.create_signed_cert( | ||
'server', | ||
san='DNS:server,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
root.create_signed_cert( | ||
'client1', | ||
san='DNS:client1,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
root.create_signed_cert( | ||
'client2', | ||
san='DNS:client2,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
|
||
# start ghostunnel | ||
ghostunnel = run_ghostunnel(['server', | ||
'--listen={0}:13001'.format(LOCALHOST), | ||
'--target={0}:13002'.format(LOCALHOST), | ||
'--keystore=server.p12', | ||
'--cacert=root.crt', | ||
'--allow-dns=client1', | ||
'--status={0}:{1}'.format(LOCALHOST, | ||
STATUS_PORT)]) | ||
|
||
# create connections with client | ||
pair1 = SocketPair( | ||
TlsClient('client1', 'root', 13001), TcpServer(13002)) | ||
pair1.validate_can_send_from_client("toto", "pair1 works") | ||
pair1.validate_can_send_from_server | ||
|
||
try: | ||
pair2 = SocketPair( | ||
TlsClient('client2', 'root', 13001), TcpServer(13002)) | ||
raise Exception('failed to reject client2') | ||
except ssl.SSLError: | ||
print_ok("client2 correctly rejected") | ||
|
||
print_ok("OK") | ||
finally: | ||
terminate(ghostunnel) |
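Review bot: The line `pair1.validate_can_send_from_server` is a bare attribute reference rather than a call, so the server-to-client direction is never checked and the statement is a silent no-op; the same line appears in the --allow-uri test in this commit. It should mirror the assertion just above it, e.g. `pair1.validate_can_send_from_server("toto", "pair1 works")`. The `os` and `signal` imports in both files are unused and can be dropped. Note also that pair1 is still open when the second `TcpServer(13002)` is created; if TcpServer binds without address reuse this could raise an OSError that `except ssl.SSLError` does not catch, so it is worth confirming or closing pair1 before the rejection step. The whole `if __name__` block lies inside the hunk.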
@@ -0,0 +1,54 @@ | ||
#!/usr/bin/env python3 | ||
|
||
""" | ||
Test to check --allow-uri flag behavior. | ||
""" | ||
|
||
from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpServer, \ | ||
TlsClient, print_ok, run_ghostunnel, terminate | ||
|
||
import os | ||
import signal | ||
import ssl | ||
|
||
if __name__ == "__main__": | ||
ghostunnel = None | ||
try: | ||
# create certs | ||
root = RootCert('root') | ||
root.create_signed_cert( | ||
'server', | ||
san='URI:spiffe://server,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
root.create_signed_cert( | ||
'client1', | ||
san='URI:spiffe://client1,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
root.create_signed_cert( | ||
'client2', | ||
san='URI:spiffe://client2,IP:127.0.0.1,IP:::1,DNS:localhost') | ||
|
||
# start ghostunnel | ||
ghostunnel = run_ghostunnel(['server', | ||
'--listen={0}:13001'.format(LOCALHOST), | ||
'--target={0}:13002'.format(LOCALHOST), | ||
'--keystore=server.p12', | ||
'--cacert=root.crt', | ||
'--allow-uri=spiffe://client1', | ||
'--status={0}:{1}'.format(LOCALHOST, | ||
STATUS_PORT)]) | ||
|
||
# create connections with client | ||
pair1 = SocketPair( | ||
TlsClient('client1', 'root', 13001), TcpServer(13002)) | ||
pair1.validate_can_send_from_client("toto", "pair1 works") | ||
pair1.validate_can_send_from_server | ||
|
||
try: | ||
pair2 = SocketPair( | ||
TlsClient('client2', 'root', 13001), TcpServer(13002)) | ||
raise Exception('failed to reject client2') | ||
except ssl.SSLError: | ||
print_ok("client2 correctly rejected") | ||
|
||
print_ok("OK") | ||
finally: | ||
terminate(ghostunnel) |