Merge pull request ghostunnel#689 from ghostunnel/cs/fix-codeql-python

More code quality fixes for integration tests

Author: csstaub

tests/common.py

@@ -155,6 +155,7 @@ def status_info():
         return json.loads(e.read().decode())
     except Exception as e:
         print('unable to fetch status:', e)
+        return None
 
 def wait_for_status(predicate, timeout=30):
     """Poll status_info() until predicate(info) is truthy, with timeout."""
@@ -276,8 +277,8 @@ def assert_connection_rejected(client, server, name, timeout_ok=True):
 def create_default_certs(algorithm='ecdsa'):
     """Create standard root, server, and client certificates.
 
-    Returns the RootCert object. Callers must keep a reference to it
-    alive for the duration of the test to prevent __del__ cleanup."""
+    Returns the RootCert object. Callers should call root.cleanup()
+    in their finally block to clean up temporary cert files."""
     root = RootCert('root', algorithm=algorithm)
     root.create_signed_cert('server')
     root.create_signed_cert('client')

tests/test-client-auto-reload-certificate.py

@@ -13,65 +13,64 @@
 import os
 from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsClient, TlsServer, print_ok, run_ghostunnel, terminate, LISTEN_PORT, TARGET_PORT
 
-if __name__ == "__main__":
-    ghostunnel = None
-    try:
-        # create certs
-        root1 = RootCert('root1')
-        root1.create_signed_cert('server1')
-        root1.create_signed_cert('client1')
-        root1.create_signed_cert('new_client1')
+ghostunnel = None
+try:
+    # create certs
+    root1 = RootCert('root1')
+    root1.create_signed_cert('server1')
+    root1.create_signed_cert('client1')
+    root1.create_signed_cert('new_client1')
 
-        root2 = RootCert('new_root')
-        root2.create_signed_cert('server2')
+    root2 = RootCert('new_root')
+    root2.create_signed_cert('server2')
 
-        # start ghostunnel
-        ghostunnel = run_ghostunnel(['client',
-                                     '--listen={0}:{1}'.format(LOCALHOST, LISTEN_PORT),
-                                     '--target={0}:{1}'.format(LOCALHOST, TARGET_PORT),
-                                     '--keystore=client1.p12',
-                                     '--timed-reload=1s',
-                                     '--cacert=root1.crt',
-                                     '--status={0}:{1}'.format(LOCALHOST,
-                                                               STATUS_PORT)])
+    # start ghostunnel
+    ghostunnel = run_ghostunnel(['client',
+                                 '--listen={0}:{1}'.format(LOCALHOST, LISTEN_PORT),
+                                 '--target={0}:{1}'.format(LOCALHOST, TARGET_PORT),
+                                 '--keystore=client1.p12',
+                                 '--timed-reload=1s',
+                                 '--cacert=root1.crt',
+                                 '--status={0}:{1}'.format(LOCALHOST,
+                                                           STATUS_PORT)])
 
-        # ensure ghostunnel connects with server1
-        pair1 = SocketPair(TcpClient(LISTEN_PORT), TlsServer(
-            'server1', 'root1', TARGET_PORT))
-        pair1.validate_can_send_from_client("toto", "pair1 works")
-        pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
+    # ensure ghostunnel connects with server1
+    pair1 = SocketPair(TcpClient(LISTEN_PORT), TlsServer(
+        'server1', 'root1', TARGET_PORT))
+    pair1.validate_can_send_from_client("toto", "pair1 works")
+    pair1.validate_client_cert("client1", "pair1: ou=client1 -> ...")
 
-        # check certificate on status port
-        TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
-        print_ok("got client1 on /_status")
+    # check certificate on status port
+    TlsClient(None, 'root1', STATUS_PORT).connect(20, 'client1')
+    print_ok("got client1 on /_status")
 
-        # replace keystore and check ghostunnel connects with new_client1
-        print_ok("replacing certificates")
-        os.rename('new_client1.p12', 'client1.p12')
-        # reload should happen automatically
-        TlsClient(None, 'root1', STATUS_PORT).connect(20, 'new_client1')
-        print_ok("reload done")
+    # replace keystore and check ghostunnel connects with new_client1
+    print_ok("replacing certificates")
+    os.rename('new_client1.p12', 'client1.p12')
+    # reload should happen automatically
+    TlsClient(None, 'root1', STATUS_PORT).connect(20, 'new_client1')
+    print_ok("reload done")
 
-        pair2 = SocketPair(TcpClient(LISTEN_PORT), TlsServer(
-            'server1', 'root1', TARGET_PORT))
-        pair2.validate_can_send_from_client("toto", "pair2 works")
-        pair2.validate_client_cert(
-            "new_client1", "pair2: ou=new_client1 -> ...")
-        pair2.cleanup()
+    pair2 = SocketPair(TcpClient(LISTEN_PORT), TlsServer(
+        'server1', 'root1', TARGET_PORT))
+    pair2.validate_can_send_from_client("toto", "pair2 works")
+    pair2.validate_client_cert(
+        "new_client1", "pair2: ou=new_client1 -> ...")
+    pair2.cleanup()
 
-        # ensure ghostunnel won't connect to server2
-        try:
-            pair3 = SocketPair(TcpClient(LISTEN_PORT), TlsServer(
-                'server2', 'root1', TARGET_PORT))
-            pair3.validate_can_send_from_client("toto", "pair3 works")
-            raise Exception("pair3 worked")
-        except ssl.SSLError:
-            print_ok("ghostunnel did not connect to incorrect CA")
+    # ensure ghostunnel won't connect to server2
+    try:
+        pair3 = SocketPair(TcpClient(LISTEN_PORT), TlsServer(
+            'server2', 'root1', TARGET_PORT))
+        pair3.validate_can_send_from_client("toto", "pair3 works")
+        raise Exception("pair3 worked")
+    except ssl.SSLError:
+        print_ok("ghostunnel did not connect to incorrect CA")
 
-        # ensure that pair1 is still alive
-        pair1.validate_can_send_from_client("toto", "pair1 still works")
-        pair1.cleanup()
-        print_ok("OK")
+    # ensure that pair1 is still alive
+    pair1.validate_can_send_from_client("toto", "pair1 still works")
+    pair1.cleanup()
+    print_ok("OK")
 
-    finally:
-        terminate(ghostunnel)
+finally:
+    terminate(ghostunnel)

tests/test-client-concurrent-connections.py

@@ -34,34 +34,33 @@ def send_data(i):
             "{0} server close -> client close".format(i))
 
 
-if __name__ == "__main__":
-    ghostunnel = None
-    n_clients = 10
-    try:
-        # create certs
-        root = RootCert('root')
-        root.create_signed_cert('client')
-        for n in range(1, n_clients):
-            root.create_signed_cert("server{0}".format(n))
+ghostunnel = None
+n_clients = 10
+try:
+    # create certs
+    root = RootCert('root')
+    root.create_signed_cert('client')
+    for n in range(1, n_clients):
+        root.create_signed_cert("server{0}".format(n))
 
-        # start ghostunnel
-        ghostunnel = run_ghostunnel(['client',
-                                     '--listen={0}:{1}'.format(LOCALHOST, LISTEN_PORT),
-                                     '--target={0}:{1}'.format(LOCALHOST, TARGET_PORT),
-                                     '--keystore=client.p12',
-                                     '--status={0}:{1}'.format(LOCALHOST,
-                                                               STATUS_PORT),
-                                     '--cacert=root.crt'])
+    # start ghostunnel
+    ghostunnel = run_ghostunnel(['client',
+                                 '--listen={0}:{1}'.format(LOCALHOST, LISTEN_PORT),
+                                 '--target={0}:{1}'.format(LOCALHOST, TARGET_PORT),
+                                 '--keystore=client.p12',
+                                 '--status={0}:{1}'.format(LOCALHOST,
+                                                           STATUS_PORT),
+                                 '--cacert=root.crt'])
 
-        # servers should be able to communicate all at the same time.
-        procs = []
-        for n in range(1, n_clients):
-            proc = Process(target=send_data, args=(n,))
-            proc.start()
-            procs.append(proc)
-        for proc in procs:
-            proc.join()
+    # servers should be able to communicate all at the same time.
+    procs = []
+    for n in range(1, n_clients):
+        proc = Process(target=send_data, args=(n,))
+        proc.start()
+        procs.append(proc)
+    for proc in procs:
+        proc.join()
 
-        print_ok("OK")
-    finally:
-        terminate(ghostunnel)
+    print_ok("OK")
+finally:
+    terminate(ghostunnel)

tests/test-client-disable-authentication.py

@@ -8,47 +8,46 @@
 from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, TcpClient, TlsServer, print_ok, run_ghostunnel, terminate, LISTEN_PORT, TARGET_PORT, assert_connection_rejected
 import ssl
 
-if __name__ == "__main__":
-    ghostunnel = None
-    try:
-        # create certs
-        root = RootCert('root')
-        root.create_signed_cert('server1')
-        root.create_signed_cert(
-            'server2', san="IP:127.0.0.1,IP:::1,DNS:foobar")
-
-        other_root = RootCert('other_root')
-        other_root.create_signed_cert('other_server')
-
-        # start ghostunnel
-        ghostunnel = run_ghostunnel(['client',
-                                     '--listen={0}:{1}'.format(LOCALHOST, LISTEN_PORT),
-                                     '--target=localhost:{0}'.format(TARGET_PORT),
-                                     '--cacert=root.crt',
-                                     '--disable-authentication',
-                                     '--status={0}:{1}'.format(LOCALHOST,
-                                                               STATUS_PORT)])
-
-        # connect to server1, confirm that the tunnel is up
-        pair = SocketPair(TcpClient(LISTEN_PORT), TlsServer(
-            'server1', 'root', TARGET_PORT, cert_reqs=ssl.CERT_NONE))
-        pair.validate_can_send_from_client(
-            "hello world", "1: client -> server")
-        pair.validate_can_send_from_server(
-            "hello world", "1: server -> client")
-        pair.validate_closing_client_closes_server(
-            "1: client closed -> server closed")
-
-        # connect to other_server, confirm that the tunnel isn't up
-        assert_connection_rejected(
-            TcpClient(LISTEN_PORT), TlsServer('other_server', 'other_root', TARGET_PORT, cert_reqs=ssl.CERT_NONE),
-            "other_server with unknown CA", timeout_ok=False)
-
-        # connect to server2, confirm that the tunnel isn't up
-        assert_connection_rejected(
-            TcpClient(LISTEN_PORT), TlsServer('server2', 'root', TARGET_PORT, cert_reqs=ssl.CERT_NONE),
-            "server2 with incorrect CN", timeout_ok=False)
-
-        print_ok("OK")
-    finally:
-        terminate(ghostunnel)
+ghostunnel = None
+try:
+    # create certs
+    root = RootCert('root')
+    root.create_signed_cert('server1')
+    root.create_signed_cert(
+        'server2', san="IP:127.0.0.1,IP:::1,DNS:foobar")
+
+    other_root = RootCert('other_root')
+    other_root.create_signed_cert('other_server')
+
+    # start ghostunnel
+    ghostunnel = run_ghostunnel(['client',
+                                 '--listen={0}:{1}'.format(LOCALHOST, LISTEN_PORT),
+                                 '--target=localhost:{0}'.format(TARGET_PORT),
+                                 '--cacert=root.crt',
+                                 '--disable-authentication',
+                                 '--status={0}:{1}'.format(LOCALHOST,
+                                                           STATUS_PORT)])
+
+    # connect to server1, confirm that the tunnel is up
+    pair = SocketPair(TcpClient(LISTEN_PORT), TlsServer(
+        'server1', 'root', TARGET_PORT, cert_reqs=ssl.CERT_NONE))
+    pair.validate_can_send_from_client(
+        "hello world", "1: client -> server")
+    pair.validate_can_send_from_server(
+        "hello world", "1: server -> client")
+    pair.validate_closing_client_closes_server(
+        "1: client closed -> server closed")
+
+    # connect to other_server, confirm that the tunnel isn't up
+    assert_connection_rejected(
+        TcpClient(LISTEN_PORT), TlsServer('other_server', 'other_root', TARGET_PORT, cert_reqs=ssl.CERT_NONE),
+        "other_server with unknown CA", timeout_ok=False)
+
+    # connect to server2, confirm that the tunnel isn't up
+    assert_connection_rejected(
+        TcpClient(LISTEN_PORT), TlsServer('server2', 'root', TARGET_PORT, cert_reqs=ssl.CERT_NONE),
+        "server2 with incorrect CN", timeout_ok=False)
+
+    print_ok("OK")
+finally:
+    terminate(ghostunnel)

tests/test-client-handles-client-closes-connection-unix.py

@@ -6,43 +6,42 @@
 
 from common import LOCALHOST, RootCert, STATUS_PORT, SocketPair, UnixClient, TlsServer, print_ok, run_ghostunnel, terminate, TARGET_PORT
 
-if __name__ == "__main__":
-    ghostunnel = None
-    try:
-        # create certs
-        root = RootCert('root')
-        root.create_signed_cert('server')
-        root.create_signed_cert('client')
+ghostunnel = None
+try:
+    # create certs
+    root = RootCert('root')
+    root.create_signed_cert('server')
+    root.create_signed_cert('client')
 
-        # start ghostunnel
-        client = UnixClient()
-        ghostunnel = run_ghostunnel(['client',
-                                     '--listen=unix:{0}'.format(client.get_socket_path()),
-                                     '--target={0}:{1}'.format(LOCALHOST, TARGET_PORT),
-                                     '--cert=client.crt',
-                                     '--key=client.key',
-                                     '--status={0}:{1}'.format(LOCALHOST,
-                                                               STATUS_PORT),
-                                     '--close-timeout=10s',
-                                     '--cacert=root.crt'])
+    # start ghostunnel
+    client = UnixClient()
+    ghostunnel = run_ghostunnel(['client',
+                                 '--listen=unix:{0}'.format(client.get_socket_path()),
+                                 '--target={0}:{1}'.format(LOCALHOST, TARGET_PORT),
+                                 '--cert=client.crt',
+                                 '--key=client.key',
+                                 '--status={0}:{1}'.format(LOCALHOST,
+                                                           STATUS_PORT),
+                                 '--close-timeout=10s',
+                                 '--cacert=root.crt'])
 
-        # connect to server, confirm that the tunnel is up
-        pair = SocketPair(client, TlsServer('server', 'root', TARGET_PORT))
-        pair.validate_can_send_from_client(
-            "hello world", "1: client -> server")
-        pair.validate_can_send_from_server(
-            "hello world", "1: server -> client")
-        pair.validate_closing_client_closes_server(
-            "1: client closed -> server closed")
+    # connect to server, confirm that the tunnel is up
+    pair = SocketPair(client, TlsServer('server', 'root', TARGET_PORT))
+    pair.validate_can_send_from_client(
+        "hello world", "1: client -> server")
+    pair.validate_can_send_from_server(
+        "hello world", "1: server -> client")
+    pair.validate_closing_client_closes_server(
+        "1: client closed -> server closed")
 
-        pair = SocketPair(client, TlsServer('server', 'root', TARGET_PORT))
-        pair.validate_can_send_from_client(
-            "hello world", "2: client -> server")
-        pair.validate_can_send_from_server(
-            "hello world", "2: server -> client")
-        pair.validate_half_closing_client_closes_server(
-            "2: client closed -> server closed")
+    pair = SocketPair(client, TlsServer('server', 'root', TARGET_PORT))
+    pair.validate_can_send_from_client(
+        "hello world", "2: client -> server")
+    pair.validate_can_send_from_server(
+        "hello world", "2: server -> client")
+    pair.validate_half_closing_client_closes_server(
+        "2: client closed -> server closed")
 
-        print_ok("OK")
-    finally:
-        terminate(ghostunnel)
+    print_ok("OK")
+finally:
+    terminate(ghostunnel)