ssl deproxy client and server #9
Conversation
vladtcvs
force-pushed
the
vlad-https
branch
2 times, most recently
from
b42c3aa to
1cd179d
Compare
|
This PR is for tempesta-tech/tempesta#737 |
vladtcvs
changed the title
tls/test_https.py
Outdated
| __license__ = 'GPL2' | ||
|
|
||
| rootCA = """-----BEGIN CERTIFICATE----- | ||
| MIIDZjCCAk6gAwIBAgIJAPP794tWF2qsMA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNV |
There was a problem hiding this comment.
The certificates and keys are defined twice: in tls/ directory and in this file. Why the repetition is required?
There was a problem hiding this comment.
It's not required. They should be deleted ftom tls/
There was a problem hiding this comment.
May be we should store them in tls directory? We will also need the certificates for stress tests.
helpers/tf_cfg.py
Outdated
| 'log_file': 'tests_log.log'}, | ||
| 'log_file': 'tests_log.log', | ||
| 'tmpdir': '/tmp/host', | ||
| 'ip': '127.0.0.1'}, |
There was a problem hiding this comment.
Configuration is confusing and mixed up. It was assumed that framework and client - are the same node and can't exist without each other, especially if deproxy-based tests are used. But I see the reason why it's important to run stress tester on other node: TfwBomber. Since it kernel module which heavily relies on Tempesta code, system will crash on bugs and no tests results will be saved.
I'm not happy about splitting framework and client nodes: when developing tests, you have to always remember, what is the type of current client and which node to use. But I don't see a good solution here.
Since the splitting is required, then explicit sections framework, stress_tester, tempesta, backendsare required. Putting everything ingeneral` section is worst way possible.
There was a problem hiding this comment.
Also the splitting is half-done. Client node is still hardcoded to be localhost only. See the check() function here.
There was a problem hiding this comment.
Good solution is to find good way to run deproxy client and servers on remote nodes.
helpers/tf_cfg.py
Outdated
| @@ -47,7 +47,9 @@ def defaults(self): | |||
| self.config.read_dict({'General': {'verbose': '0', | |||
| 'duration': '10', | |||
| 'concurrent_connections': '10', | |||
| 'log_file': 'tests_log.log'}, | |||
| 'log_file': 'tests_log.log', | |||
| 'tmpdir': '/tmp/host', | |||
There was a problem hiding this comment.
tmpdir: configuration key with absolutely the same meaning in other nodes is workdir. Please keep same names for options with the same meaning.
tls/test_https.py
Outdated
| }, | ||
| ] | ||
|
|
||
| def test_1(self): |
There was a problem hiding this comment.
Don't see usage of Tempesta itself. Client connects directly to nginx.
There was a problem hiding this comment.
Yes, this tests checks only client and server. Tests for tempesta will be added later
helpers/remote.py
Outdated
| @@ -15,7 +15,7 @@ | |||
| __license__ = 'GPL2' | |||
|
|
|||
| # Don't remove files from remote node. Helpful for tests development. | |||
| DEBUG_FILES = False | |||
| DEBUG_FILES = True | |||
There was a problem hiding this comment.
See this change again and again in your PRs and evey time it's dirty commit.
framework/deproxy_server.py
Outdated
| '<<<<<\n%s>>>>>' | ||
| % self.request_buffer)) | ||
| self.send_response(self.response_bad_request) |
There was a problem hiding this comment.
Connection must be closed after parsing error. It's bad idea to keep connection open and parse further requests.
There was a problem hiding this comment.
May be handle_parsing_error() would be handy helpful function? it'll send and error (if asked) and close the connection. We have more tests, where the behaviour is going to be pretty useful.
framework/deproxy_server.py
Outdated
| raise NotImplementedError("Not implemented 'wait_for_connections'") | ||
|
|
||
| @abc.abstractmethod | ||
| def recieve_request(self, request, connection): |
There was a problem hiding this comment.
I'm confused but I rather often misspell receive as recieve. It's copy-paste, but the spelling should be fixed :-]
framework/deproxy_server.py
Outdated
| class SSLStaticDeproxyServer(BaseAsyncoreDeproxyServer): | ||
|
|
||
| def __init__(self, cert, cert_key, *args, **kwargs): | ||
| self.response = kwargs['response'] |
There was a problem hiding this comment.
Why response is defined for SSL servver, but not defined for non-SSL socket. The only differens between them must be init_socket finction
There was a problem hiding this comment.
? both ssl and non-ssl have 'response'
framework/deproxy_server.py
Outdated
|
|
||
| return srv | ||
|
|
||
| def create_srv_deproxy_ssl(server): |
There was a problem hiding this comment.
I think, there should be only one helper function to create appropriate server, since all required variables are taken from server dictionary.
There was a problem hiding this comment.
this is different functions because they creates different classes. I've used 1 class - 1 creation function method
There was a problem hiding this comment.
I just asked because the functions look very close. I was expecting to see fabric pattern here: single function which creates the right class according to it's description. But it's a part of __create_client() function, which is the fabric actually, i missed that, sorry.
framework/deproxy_server.py
Outdated
|
|
||
| def create_srv_deproxy(server): | ||
| ka = "close" | ||
| if server.has_key('connection_header'): |
There was a problem hiding this comment.
What is connection_header? Server class must not add it's own headers when sending responses. The exact message to be send must be defined in test. No modifications inside server or client are allowed.
There was a problem hiding this comment.
Oh, I've confused. Of course, there should be not 'close' or 'keep_alive', but amount of responses before closing connection
vladtcvs
changed the title
vladtcvs
force-pushed
the
vlad-https
branch
3 times, most recently
from
cd30b23 to
3fee6ce
Compare
framework/deproxy_client.py
Outdated
|
|
||
| def init_socket(self): | ||
| self.s = socket.socket() | ||
| #self.ssl_socket = ssl.SSLSocket(sock=self.s, |
There was a problem hiding this comment.
Seems like the code was commented out for the troubleshooting, but the right version wasn't returned back. Need to fix it.
There was a problem hiding this comment.
fixed, commented code is removed
framework/deproxy_client.py
Outdated
| BaseAsyncoreClient.recieve_response(self, response) | ||
|
|
||
| def init_socket(self): | ||
| self.s = socket.socket() |
There was a problem hiding this comment.
asyncore.dispatcher uses self.socket for the interaction, why self.s is needed?
There was a problem hiding this comment.
self.s - raw socket. Later, in make_connect, it is wrapped with ssl socket, and this ssl socket is setted as self.socket
framework/deproxy_server.py
Outdated
| '<<<<<\n%s>>>>>' | ||
| % self.request_buffer)) | ||
| self.send_response(self.response_bad_request) |
There was a problem hiding this comment.
May be handle_parsing_error() would be handy helpful function? it'll send and error (if asked) and close the connection. We have more tests, where the behaviour is going to be pretty useful.
framework/deproxy_server.py
Outdated
|
|
||
| return srv | ||
|
|
||
| def create_srv_deproxy_ssl(server): |
There was a problem hiding this comment.
I just asked because the functions look very close. I was expecting to see fabric pattern here: single function which creates the right class according to it's description. But it's a part of __create_client() function, which is the fabric actually, i missed that, sorry.
helpers/remote.py
Outdated
| @@ -220,6 +220,9 @@ def create_node(host): | |||
| return RemoteNode(host, hostname, workdir, username, port) | |||
| return LocalNode(host, hostname, workdir) | |||
|
|
|||
| def create_host_node(): | |||
There was a problem hiding this comment.
See client. It also has no real hostname field, it's hardcoded to be localhost in tf_cfg.py.
tls/test_https.py
Outdated
| __license__ = 'GPL2' | ||
|
|
||
| rootCA = """-----BEGIN CERTIFICATE----- | ||
| MIIDZjCCAk6gAwIBAgIJAPP794tWF2qsMA0GCSqGSIb3DQEBCwUAMEgxCzAJBgNV |
There was a problem hiding this comment.
May be we should store them in tls directory? We will also need the certificates for stress tests.
It's wrong idea. |
Daemonizing proxy Stopping
Add test for new deproxy Fixes of client_proxy.py
Fixing message parsing
work on https client