cpython/Lib/test/ssl_servers.py

import os
import sys
import ssl
import pprint
import threading
import urllib.parse
# Rename HTTPServer to _HTTPServer so as to avoid confusion with HTTPSServer.
from http.server import (HTTPServer as _HTTPServer,
    SimpleHTTPRequestHandler, BaseHTTPRequestHandler)

from test import support
from test.support import socket_helper

here = os.path.dirname(__file__)

HOST = socket_helper.HOST
CERTFILE = os.path.join(here, 'certdata', 'keycert.pem')

# This one's based on HTTPServer, which is based on socketserver

class HTTPSServer(_HTTPServer):

    def __init__(self, server_address, handler_class, context):
        _HTTPServer.__init__(self, server_address, handler_class)
        self.context = context

    def __str__(self):
        return ('<%s %s:%s>' %
                (self.__class__.__name__,
                 self.server_name,
                 self.server_port))

    def get_request(self):
        # override this to wrap socket with SSL
        try:
            sock, addr = self.socket.accept()
            sslconn = self.context.wrap_socket(sock, server_side=True)
        except OSError as e:
            # socket errors are silenced by the caller, print them here
            if support.verbose:
                sys.stderr.write("Got an error:\n%s\n" % e)
            raise
        return sslconn, addr

class RootedHTTPRequestHandler(SimpleHTTPRequestHandler):
    # need to override translate_path to get a known root,
    # instead of using os.curdir, since the test could be
    # run from anywhere

    server_version = "TestHTTPS/1.0"
    root = here
    # Avoid hanging when a request gets interrupted by the client
    timeout = support.LOOPBACK_TIMEOUT

    def translate_path(self, path):
        """Translate a /-separated PATH to the local filename syntax.

        Components that mean special things to the local file system
        (e.g. drive or directory names) are ignored.  (XXX They should
        probably be diagnosed.)

        """
        # abandon query parameters
        path = urllib.parse.urlparse(path)[2]
        path = os.path.normpath(urllib.parse.unquote(path))
        words = path.split('/')
        words = filter(None, words)
        path = self.root
        for word in words:
            drive, word = os.path.splitdrive(word)
            head, word = os.path.split(word)
            path = os.path.join(path, word)
        return path

    def log_message(self, format, *args):
        # we override this to suppress logging unless "verbose"
        if support.verbose:
            sys.stdout.write(" server (%s:%d %s):\n   [%s] %s\n" %
                             (self.server.server_address,
                              self.server.server_port,
                              self.request.cipher(),
                              self.log_date_time_string(),
                              format%args))


class StatsRequestHandler(BaseHTTPRequestHandler):
    """Example HTTP request handler which returns SSL statistics on GET
    requests.
    """

    server_version = "StatsHTTPS/1.0"

    def do_GET(self, send_body=True):
        """Serve a GET request."""
        sock = self.rfile.raw._sock
        context = sock.context
        stats = {
            'session_cache': context.session_stats(),
            'cipher': sock.cipher(),
            'compression': sock.compression(),
            }
        body = pprint.pformat(stats)
        body = body.encode('utf-8')
        self.send_response(200)
        self.send_header("Content-type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_HEAD(self):
        """Serve a HEAD request."""
        self.do_GET(send_body=False)

    def log_request(self, format, *args):
        if support.verbose:
            BaseHTTPRequestHandler.log_request(self, format, *args)


class HTTPSServerThread(threading.Thread):

    def __init__(self, context, host=HOST, handler_class=None):
        self.flag = None
        self.server = HTTPSServer((host, 0),
                                  handler_class or RootedHTTPRequestHandler,
                                  context)
        self.port = self.server.server_port
        threading.Thread.__init__(self)
        self.daemon = True

    def __str__(self):
        return "<%s %s>" % (self.__class__.__name__, self.server)

    def start(self, flag=None):
        self.flag = flag
        threading.Thread.start(self)

    def run(self):
        if self.flag:
            self.flag.set()
        try:
            self.server.serve_forever(0.05)
        finally:
            self.server.server_close()

    def stop(self):
        self.server.shutdown()


def make_https_server(case, *, context=None, certfile=CERTFILE,
                      host=HOST, handler_class=None):
    if context is None:
        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # We assume the certfile contains both private key and certificate
    context.load_cert_chain(certfile)
    server = HTTPSServerThread(context, host, handler_class)
    flag = threading.Event()
    server.start(flag)
    flag.wait()
    def cleanup():
        if support.verbose:
            sys.stdout.write('stopping HTTPS server\n')
        server.stop()
        if support.verbose:
            sys.stdout.write('joining HTTPS thread\n')
        server.join()
    case.addCleanup(cleanup)
    return server


if __name__ == "__main__":
    import argparse
    parser = argparse.ArgumentParser(
        description='Run a test HTTPS server. '
                    'By default, the current directory is served.')
    parser.add_argument('-p', '--port', type=int, default=4433,
                        help='port to listen on (default: %(default)s)')
    parser.add_argument('-q', '--quiet', dest='verbose', default=True,
                        action='store_false', help='be less verbose')
    parser.add_argument('-s', '--stats', dest='use_stats_handler', default=False,
                        action='store_true', help='always return stats page')
    parser.add_argument('--curve-name', dest='curve_name', type=str,
                        action='store',
                        help='curve name for EC-based Diffie-Hellman')
    parser.add_argument('--ciphers', dest='ciphers', type=str,
                        help='allowed cipher list')
    parser.add_argument('--dh', dest='dh_file', type=str, action='store',
                        help='PEM file containing DH parameters')
    args = parser.parse_args()

    support.verbose = args.verbose
    if args.use_stats_handler:
        handler_class = StatsRequestHandler
    else:
        handler_class = RootedHTTPRequestHandler
        handler_class.root = os.getcwd()
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    context.load_cert_chain(CERTFILE)
    if args.curve_name:
        context.set_ecdh_curve(args.curve_name)
    if args.dh_file:
        context.load_dh_params(args.dh_file)
    if args.ciphers:
        context.set_ciphers(args.ciphers)

    server = HTTPSServer(("", args.port), handler_class, context)
    if args.verbose:
        print("Listening on https://localhost:{0.port}".format(args))
    server.serve_forever(0.1)
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00			`import os`
			`import sys`
			`import ssl`
Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00			`import pprint`
Trivial cleanups following bpo-31370 (#3649) * Trivial cleanups following bpo-31370 * Also cleanup the "importlib._bootstrap_external" module 2017-09-18 23:50:44 +02:00			`import threading`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00			`import urllib.parse`
			`# Rename HTTPServer to _HTTPServer so as to avoid confusion with HTTPSServer.`
Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00			`from http.server import (HTTPServer as _HTTPServer,`
			`SimpleHTTPRequestHandler, BaseHTTPRequestHandler)`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00
			`from test import support`
bpo-40275: Avoid importing socket in test.support (GH-19603) * Move socket related functions from test.support to socket_helper. * Import socket, nntplib and urllib.error lazily in transient_internet(). * Remove importing multiprocess. 2020-04-25 10:06:29 +03:00			`from test.support import socket_helper`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00
			`here = os.path.dirname(__file__)`

bpo-40275: Avoid importing socket in test.support (GH-19603) * Move socket related functions from test.support to socket_helper. * Import socket, nntplib and urllib.error lazily in transient_internet(). * Remove importing multiprocess. 2020-04-25 10:06:29 +03:00			`HOST = socket_helper.HOST`
gh-108303: Move all certificates to `Lib/test/certdata/` (#109489) 2023-09-16 19:47:18 +03:00			`CERTFILE = os.path.join(here, 'certdata', 'keycert.pem')`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00
Fix references to Python 3’s socketserver (lowercase) module 2016-09-22 09:37:56 +00:00			`# This one's based on HTTPServer, which is based on socketserver`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00
			`class HTTPSServer(_HTTPServer):`

			`def __init__(self, server_address, handler_class, context):`
			`_HTTPServer.__init__(self, server_address, handler_class)`
			`self.context = context`

			`def __str__(self):`
			`return ('<%s %s:%s>' %`
			`(self.__class__.__name__,`
			`self.server_name,`
			`self.server_port))`

			`def get_request(self):`
			`# override this to wrap socket with SSL`
Print out socket errors in HTTPS server thread 2010-10-13 11:51:05 +00:00			`try:`
			`sock, addr = self.socket.accept()`
			`sslconn = self.context.wrap_socket(sock, server_side=True)`
Issue #16717: get rid of socket.error, replace with OSError 2012-12-18 23:10:48 +02:00			`except OSError as e:`
Print out socket errors in HTTPS server thread 2010-10-13 11:51:05 +00:00			`# socket errors are silenced by the caller, print them here`
			`if support.verbose:`
			`sys.stderr.write("Got an error:\n%s\n" % e)`
			`raise`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00			`return sslconn, addr`

			`class RootedHTTPRequestHandler(SimpleHTTPRequestHandler):`
			`# need to override translate_path to get a known root,`
			`# instead of using os.curdir, since the test could be`
			`# run from anywhere`

			`server_version = "TestHTTPS/1.0"`
			`root = here`
			`# Avoid hanging when a request gets interrupted by the client`
bpo-38614: Use test.support.LOOPBACK_TIMEOUT constant (GH-17554) Replace hardcoded timeout constants in tests with LOOPBACK_TIMEOUT of test.support, so it's easier to ajdust this timeout for all tests at once. 2019-12-10 20:32:59 +01:00			`timeout = support.LOOPBACK_TIMEOUT`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00
			`def translate_path(self, path):`
			`"""Translate a /-separated PATH to the local filename syntax.`

			`Components that mean special things to the local file system`
			`(e.g. drive or directory names) are ignored. (XXX They should`
			`probably be diagnosed.)`

			`"""`
			`# abandon query parameters`
			`path = urllib.parse.urlparse(path)[2]`
			`path = os.path.normpath(urllib.parse.unquote(path))`
			`words = path.split('/')`
			`words = filter(None, words)`
			`path = self.root`
			`for word in words:`
			`drive, word = os.path.splitdrive(word)`
			`head, word = os.path.split(word)`
			`path = os.path.join(path, word)`
			`return path`

			`def log_message(self, format, *args):`
			`# we override this to suppress logging unless "verbose"`
			`if support.verbose:`
			`sys.stdout.write(" server (%s:%d %s):\n [%s] %s\n" %`
			`(self.server.server_address,`
			`self.server.server_port,`
			`self.request.cipher(),`
			`self.log_date_time_string(),`
			`format%args))`

Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00
			`class StatsRequestHandler(BaseHTTPRequestHandler):`
			`"""Example HTTP request handler which returns SSL statistics on GET`
			`requests.`
			`"""`

			`server_version = "StatsHTTPS/1.0"`

			`def do_GET(self, send_body=True):`
			`"""Serve a GET request."""`
			`sock = self.rfile.raw._sock`
			`context = sock.context`
In the test SSL server, also output the cipher name 2011-12-18 19:00:02 +01:00			`stats = {`
			`'session_cache': context.session_stats(),`
			`'cipher': sock.cipher(),`
Issue #13634: Add support for querying and disabling SSL compression. 2011-12-20 10:13:40 +01:00			`'compression': sock.compression(),`
In the test SSL server, also output the cipher name 2011-12-18 19:00:02 +01:00			`}`
			`body = pprint.pformat(stats)`
Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00			`body = body.encode('utf-8')`
			`self.send_response(200)`
			`self.send_header("Content-type", "text/plain; charset=utf-8")`
			`self.send_header("Content-Length", str(len(body)))`
			`self.end_headers()`
			`if send_body:`
			`self.wfile.write(body)`

			`def do_HEAD(self):`
			`"""Serve a HEAD request."""`
			`self.do_GET(send_body=False)`

			`def log_request(self, format, *args):`
			`if support.verbose:`
			`BaseHTTPRequestHandler.log_request(self, format, *args)`


Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00			`class HTTPSServerThread(threading.Thread):`

			`def __init__(self, context, host=HOST, handler_class=None):`
			`self.flag = None`
			`self.server = HTTPSServer((host, 0),`
			`handler_class or RootedHTTPRequestHandler,`
			`context)`
			`self.port = self.server.server_port`
			`threading.Thread.__init__(self)`
			`self.daemon = True`

			`def __str__(self):`
			`return "<%s %s>" % (self.__class__.__name__, self.server)`

			`def start(self, flag=None):`
			`self.flag = flag`
			`threading.Thread.start(self)`

			`def run(self):`
			`if self.flag:`
			`self.flag.set()`
Clean up socket closing in test_ssl and test.ssl_servers 2010-10-29 23:41:37 +00:00			`try:`
			`self.server.serve_forever(0.05)`
			`finally:`
			`self.server.server_close()`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00
			`def stop(self):`
			`self.server.shutdown()`


Issue #17107: Test client-side SNI support in urllib.request thanks to the new server-side SNI support in the ssl module. Initial patch by Daniel Black. 2013-02-05 21:20:51 +01:00			`def make_https_server(case, *, context=None, certfile=CERTFILE,`
			`host=HOST, handler_class=None):`
			`if context is None:`
Use ssl.create_default_context in Lib/test/ssl_servers.py 2014-04-17 12:21:36 +02:00			`context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)`
Issue #17107: Test client-side SNI support in urllib.request thanks to the new server-side SNI support in the ssl module. Initial patch by Daniel Black. 2013-02-05 21:20:51 +01:00			`# We assume the certfile contains both private key and certificate`
Issue #9003: http.client.HTTPSConnection, urllib.request.HTTPSHandler and urllib.request.urlopen now take optional arguments to allow for server certificate checking, as recommended in public uses of HTTPS. 2010-10-13 10:36:15 +00:00			`context.load_cert_chain(certfile)`
			`server = HTTPSServerThread(context, host, handler_class)`
			`flag = threading.Event()`
			`server.start(flag)`
			`flag.wait()`
			`def cleanup():`
			`if support.verbose:`
			`sys.stdout.write('stopping HTTPS server\n')`
			`server.stop()`
			`if support.verbose:`
			`sys.stdout.write('joining HTTPS thread\n')`
			`server.join()`
			`case.addCleanup(cleanup)`
			`return server`
Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00

			`if __name__ == "__main__":`
			`import argparse`
			`parser = argparse.ArgumentParser(`
			`description='Run a test HTTPS server. '`
			`'By default, the current directory is served.')`
			`parser.add_argument('-p', '--port', type=int, default=4433,`
			`help='port to listen on (default: %(default)s)')`
			`parser.add_argument('-q', '--quiet', dest='verbose', default=True,`
			`action='store_false', help='be less verbose')`
			`parser.add_argument('-s', '--stats', dest='use_stats_handler', default=False,`
			`action='store_true', help='always return stats page')`
Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman key exchange, through the SSLContext.set_ecdh_curve() method and the ssl.OP_SINGLE_ECDH_USE option. 2011-12-19 17:16:51 +01:00			`parser.add_argument('--curve-name', dest='curve_name', type=str,`
			`action='store',`
			`help='curve name for EC-based Diffie-Hellman')`
Add a --ciphers option to Lib/test/ssl_servers.py 2014-04-17 12:30:14 +02:00			`parser.add_argument('--ciphers', dest='ciphers', type=str,`
			`help='allowed cipher list')`
Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option. 2011-12-22 10:03:38 +01:00			`parser.add_argument('--dh', dest='dh_file', type=str, action='store',`
			`help='PEM file containing DH parameters')`
Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00			`args = parser.parse_args()`

			`support.verbose = args.verbose`
			`if args.use_stats_handler:`
			`handler_class = StatsRequestHandler`
			`else:`
			`handler_class = RootedHTTPRequestHandler`
			`handler_class.root = os.getcwd()`
Use ssl.create_default_context in Lib/test/ssl_servers.py 2014-04-17 12:21:36 +02:00			`context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)`
Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00			`context.load_cert_chain(CERTFILE)`
Issue #13627: Add support for SSL Elliptic Curve-based Diffie-Hellman key exchange, through the SSLContext.set_ecdh_curve() method and the ssl.OP_SINGLE_ECDH_USE option. 2011-12-19 17:16:51 +01:00			`if args.curve_name:`
			`context.set_ecdh_curve(args.curve_name)`
Issue #13626: Add support for SSL Diffie-Hellman key exchange, through the SSLContext.load_dh_params() method and the ssl.OP_SINGLE_DH_USE option. 2011-12-22 10:03:38 +01:00			`if args.dh_file:`
			`context.load_dh_params(args.dh_file)`
Add a --ciphers option to Lib/test/ssl_servers.py 2014-04-17 12:30:14 +02:00			`if args.ciphers:`
			`context.set_ciphers(args.ciphers)`
Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00
			`server = HTTPSServer(("", args.port), handler_class, context)`
Output served URL when running ssl_servers 2010-11-05 20:26:59 +00:00			`if args.verbose:`
			`print("Listening on https://localhost:{0.port}".format(args))`
Run a simple HTTPS server when Lib/test/ssl_servers.py is run as __main__ 2010-10-13 11:27:09 +00:00			`server.serve_forever(0.1)`