Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / thrift / 25536ad83a85cfda6d5388278e4e378f2d4df73e / . / lib / py / test / test_sslsocket.py
blob: fe03961a2dce5f05cf2454d80fad8b8da20f5e1a [file] [log] [blame]
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]1#
2# Licensed to the Apache Software Foundation (ASF) under one
3# or more contributor license agreements. See the NOTICE file
4# distributed with this work for additional information
5# regarding copyright ownership. The ASF licenses this file
6# to you under the Apache License, Version 2.0 (the
7# "License"); you may not use this file except in compliance
8# with the License. You may obtain a copy of the License at
9#
10# http://www.apache.org/licenses/LICENSE-2.0
11#
12# Unless required by applicable law or agreed to in writing,
13# software distributed under the License is distributed on an
14# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15# KIND, either express or implied. See the License for the
16# specific language governing permissions and limitations
17# under the License.
18#
19
20import os
21import platform
22import select
23import ssl
24import sys
25import threading
26import time
27import unittest
28import warnings
29
30import _import_local_thrift
31from thrift.transport.TSSLSocket import TSSLSocket, TSSLServerSocket
32
33SCRIPT_DIR = os.path.realpath(os.path.dirname(__file__))
34ROOT_DIR = os.path.dirname(os.path.dirname(os.path.dirname(SCRIPT_DIR)))
35SERVER_PEM = os.path.join(ROOT_DIR, 'test', 'keys', 'server.pem')
36SERVER_CERT = os.path.join(ROOT_DIR, 'test', 'keys', 'server.crt')
37SERVER_KEY = os.path.join(ROOT_DIR, 'test', 'keys', 'server.key')
38CLIENT_CERT = os.path.join(ROOT_DIR, 'test', 'keys', 'client.crt')
39CLIENT_KEY = os.path.join(ROOT_DIR, 'test', 'keys', 'client.key')
40
41TEST_PORT = 23458
42TEST_ADDR = '/tmp/.thrift.domain.sock.%d' % TEST_PORT
Nobuaki Sukegawaf07b4a12016-02-01 23:44:02 +0900[diff] [blame]43CONNECT_DELAY = 0.5
Nobuaki Sukegawa25536ad2016-02-04 15:08:55 +0900[diff] [blame^]44CONNECT_TIMEOUT = 20.0
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]45TEST_CIPHERS = 'DES-CBC3-SHA'
46
47
48class ServerAcceptor(threading.Thread):
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]49 def __init__(self, server):
50 super(ServerAcceptor, self).__init__()
51 self._server = server
52 self.client = None
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]53
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]54 def run(self):
55 self._server.listen()
56 self.client = self._server.accept()
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]57
58
59# Python 2.6 compat
60class AssertRaises(object):
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]61 def __init__(self, expected):
62 self._expected = expected
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]63
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]64 def __enter__(self):
65 pass
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]66
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]67 def __exit__(self, exc_type, exc_value, traceback):
68 if not exc_type or not issubclass(exc_type, self._expected):
69 raise Exception('fail')
70 return True
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]71
72
73class TSSLSocketTest(unittest.TestCase):
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]74 def _assert_connection_failure(self, server, client):
Nobuaki Sukegawa25536ad2016-02-04 15:08:55 +0900[diff] [blame^]75 acc = ServerAcceptor(server)
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]76 try:
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]77 acc.start()
Nobuaki Sukegawa25536ad2016-02-04 15:08:55 +0900[diff] [blame^]78 time.sleep(CONNECT_DELAY / 2)
79 client.setTimeout(CONNECT_TIMEOUT / 2)
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]80 with self._assert_raises(Exception):
81 client.open()
Nobuaki Sukegawa25536ad2016-02-04 15:08:55 +0900[diff] [blame^]82 select.select([], [client.handle], [], CONNECT_TIMEOUT / 2)
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]83 # self.assertIsNone(acc.client)
84 self.assertTrue(acc.client is None)
85 finally:
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]86 client.close()
Nobuaki Sukegawa25536ad2016-02-04 15:08:55 +0900[diff] [blame^]87 if acc.client:
88 acc.client.close()
89 server.close()
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]90
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]91 def _assert_raises(self, exc):
92 if sys.hexversion >= 0x020700F0:
93 return self.assertRaises(exc)
94 else:
95 return AssertRaises(exc)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]96
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]97 def _assert_connection_success(self, server, client):
Nobuaki Sukegawa25536ad2016-02-04 15:08:55 +0900[diff] [blame^]98 acc = ServerAcceptor(server)
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]99 try:
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]100 acc.start()
Nobuaki Sukegawa25536ad2016-02-04 15:08:55 +0900[diff] [blame^]101 time.sleep(CONNECT_DELAY)
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]102 client.setTimeout(CONNECT_TIMEOUT)
103 client.open()
104 select.select([], [client.handle], [], CONNECT_TIMEOUT)
105 # self.assertIsNotNone(acc.client)
106 self.assertTrue(acc.client is not None)
107 finally:
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]108 client.close()
Nobuaki Sukegawa25536ad2016-02-04 15:08:55 +0900[diff] [blame^]109 if acc.client:
110 acc.client.close()
111 server.close()
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]112
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]113 # deprecated feature
114 def test_deprecation(self):
115 with warnings.catch_warnings(record=True) as w:
116 warnings.filterwarnings('always', category=DeprecationWarning, module='thrift.*SSL.*')
117 TSSLSocket('localhost', TEST_PORT, validate=True, ca_certs=SERVER_CERT)
118 self.assertEqual(len(w), 1)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]119
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]120 with warnings.catch_warnings(record=True) as w:
121 warnings.filterwarnings('always', category=DeprecationWarning, module='thrift.*SSL.*')
122 # Deprecated signature
123 # def __init__(self, host='localhost', port=9090, validate=True, ca_certs=None, keyfile=None, certfile=None, unix_socket=None, ciphers=None):
124 client = TSSLSocket('localhost', TEST_PORT, True, SERVER_CERT, CLIENT_KEY, CLIENT_CERT, None, TEST_CIPHERS)
125 self.assertEqual(len(w), 7)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]126
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]127 with warnings.catch_warnings(record=True) as w:
128 warnings.filterwarnings('always', category=DeprecationWarning, module='thrift.*SSL.*')
129 # Deprecated signature
130 # def __init__(self, host=None, port=9090, certfile='cert.pem', unix_socket=None, ciphers=None):
131 server = TSSLServerSocket(None, TEST_PORT, SERVER_PEM, None, TEST_CIPHERS)
132 self.assertEqual(len(w), 3)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]133
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]134 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]135
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]136 # deprecated feature
137 def test_set_cert_reqs_by_validate(self):
138 c1 = TSSLSocket('localhost', TEST_PORT, validate=True, ca_certs=SERVER_CERT)
139 self.assertEqual(c1.cert_reqs, ssl.CERT_REQUIRED)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]140
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]141 c1 = TSSLSocket('localhost', TEST_PORT, validate=False)
142 self.assertEqual(c1.cert_reqs, ssl.CERT_NONE)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]143
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]144 # deprecated feature
145 def test_set_validate_by_cert_reqs(self):
146 c1 = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_NONE)
147 self.assertFalse(c1.validate)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]148
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]149 c2 = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_REQUIRED, ca_certs=SERVER_CERT)
150 self.assertTrue(c2.validate)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]151
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]152 c3 = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_OPTIONAL, ca_certs=SERVER_CERT)
153 self.assertTrue(c3.validate)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]154
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]155 def test_unix_domain_socket(self):
156 if platform.system() == 'Windows':
157 print('skipping test_unix_domain_socket')
158 return
159 server = TSSLServerSocket(unix_socket=TEST_ADDR, keyfile=SERVER_KEY, certfile=SERVER_CERT)
160 client = TSSLSocket(None, None, TEST_ADDR, cert_reqs=ssl.CERT_NONE)
161 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]162
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]163 def test_server_cert(self):
164 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT)
165 client = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_REQUIRED, ca_certs=SERVER_CERT)
166 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]167
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]168 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT)
169 # server cert on in ca_certs
170 client = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_REQUIRED, ca_certs=CLIENT_CERT)
171 self._assert_connection_failure(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]172
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]173 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT)
174 client = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_NONE)
175 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]176
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]177 def test_set_server_cert(self):
178 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=CLIENT_CERT)
179 with self._assert_raises(Exception):
180 server.certfile = 'foo'
181 with self._assert_raises(Exception):
182 server.certfile = None
183 server.certfile = SERVER_CERT
184 client = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_REQUIRED, ca_certs=SERVER_CERT)
185 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]186
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]187 def test_client_cert(self):
188 server = TSSLServerSocket(
189 port=TEST_PORT, cert_reqs=ssl.CERT_REQUIRED, keyfile=SERVER_KEY,
190 certfile=SERVER_CERT, ca_certs=CLIENT_CERT)
191 client = TSSLSocket('localhost', TEST_PORT, cert_reqs=ssl.CERT_NONE, certfile=CLIENT_CERT, keyfile=CLIENT_KEY)
192 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]193
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]194 def test_ciphers(self):
195 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ciphers=TEST_CIPHERS)
196 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ciphers=TEST_CIPHERS)
197 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]198
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]199 if not TSSLSocket._has_ciphers:
200 # unittest.skip is not available for Python 2.6
201 print('skipping test_ciphers')
202 return
203 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT)
204 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ciphers='NULL')
205 self._assert_connection_failure(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]206
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]207 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ciphers=TEST_CIPHERS)
208 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ciphers='NULL')
209 self._assert_connection_failure(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]210
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]211 def test_ssl2_and_ssl3_disabled(self):
212 if not hasattr(ssl, 'PROTOCOL_SSLv3'):
213 print('PROTOCOL_SSLv3 is not available')
214 else:
215 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT)
216 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_SSLv3)
217 self._assert_connection_failure(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]218
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]219 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_SSLv3)
220 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT)
221 self._assert_connection_failure(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]222
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]223 if not hasattr(ssl, 'PROTOCOL_SSLv2'):
224 print('PROTOCOL_SSLv2 is not available')
225 else:
226 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT)
227 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_SSLv2)
228 self._assert_connection_failure(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]229
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]230 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_SSLv2)
231 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT)
232 self._assert_connection_failure(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]233
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]234 def test_newer_tls(self):
235 if not TSSLSocket._has_ssl_context:
236 # unittest.skip is not available for Python 2.6
237 print('skipping test_newer_tls')
238 return
239 if not hasattr(ssl, 'PROTOCOL_TLSv1_2'):
240 print('PROTOCOL_TLSv1_2 is not available')
241 else:
242 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_2)
243 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_2)
244 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]245
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]246 if not hasattr(ssl, 'PROTOCOL_TLSv1_1'):
247 print('PROTOCOL_TLSv1_1 is not available')
248 else:
249 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_1)
250 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_1)
251 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]252
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]253 if not hasattr(ssl, 'PROTOCOL_TLSv1_1') or not hasattr(ssl, 'PROTOCOL_TLSv1_2'):
254 print('PROTOCOL_TLSv1_1 and/or PROTOCOL_TLSv1_2 is not available')
255 else:
256 server = TSSLServerSocket(port=TEST_PORT, keyfile=SERVER_KEY, certfile=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_2)
257 client = TSSLSocket('localhost', TEST_PORT, ca_certs=SERVER_CERT, ssl_version=ssl.PROTOCOL_TLSv1_1)
258 self._assert_connection_failure(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]259
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]260 def test_ssl_context(self):
261 if not TSSLSocket._has_ssl_context:
262 # unittest.skip is not available for Python 2.6
263 print('skipping test_ssl_context')
264 return
265 server_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
266 server_context.load_cert_chain(SERVER_CERT, SERVER_KEY)
267 server_context.load_verify_locations(CLIENT_CERT)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]268
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]269 client_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
270 client_context.load_cert_chain(CLIENT_CERT, CLIENT_KEY)
271 client_context.load_verify_locations(SERVER_CERT)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]272
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]273 server = TSSLServerSocket(port=TEST_PORT, ssl_context=server_context)
274 client = TSSLSocket('localhost', TEST_PORT, ssl_context=client_context)
275 self._assert_connection_success(server, client)
Nobuaki Sukegawaad835862015-12-23 23:32:09 +0900[diff] [blame]276
277if __name__ == '__main__':
Nobuaki Sukegawa10308cb2016-02-03 01:57:03 +0900[diff] [blame]278 # import logging
279 # logging.basicConfig(level=logging.DEBUG)
280 unittest.main()