Show More
| @@ -1,120 +1,122 b'' | |||
|
|
1 | 1 | #!/usr/bin/env python |
|
|
2 | 2 | |
|
|
3 | 3 | """dummy SMTP server for use in tests""" |
|
|
4 | 4 | |
|
|
5 | 5 | |
|
|
6 | 6 | import asyncore |
|
|
7 | 7 | import optparse |
|
|
8 | 8 | import smtpd |
|
|
9 | 9 | import ssl |
|
|
10 | 10 | import sys |
|
|
11 | 11 | import traceback |
|
|
12 | 12 | |
|
|
13 | 13 | from mercurial import ( |
|
|
14 | 14 | pycompat, |
|
|
15 | 15 | server, |
|
|
16 | 16 | sslutil, |
|
|
17 | 17 | ui as uimod, |
|
|
18 | 18 | ) |
|
|
19 | 19 | |
|
|
20 | 20 | |
|
|
21 | 21 | def log(msg): |
|
|
22 | 22 | sys.stdout.write(msg) |
|
|
23 | 23 | sys.stdout.flush() |
|
|
24 | 24 | |
|
|
25 | 25 | |
|
|
26 | 26 | class dummysmtpserver(smtpd.SMTPServer): |
|
|
27 | 27 | def __init__(self, localaddr): |
|
|
28 | 28 | smtpd.SMTPServer.__init__(self, localaddr, remoteaddr=None) |
|
|
29 | 29 | |
|
|
30 | 30 | def process_message(self, peer, mailfrom, rcpttos, data, **kwargs): |
|
|
31 | 31 | log('%s from=%s to=%s\n' % (peer[0], mailfrom, ', '.join(rcpttos))) |
|
|
32 | 32 | |
|
|
33 | 33 | def handle_error(self): |
|
|
34 | 34 | # On Windows, a bad SSL connection sometimes generates a WSAECONNRESET. |
|
|
35 | 35 | # The default handler will shutdown this server, and then both the |
|
|
36 | 36 | # current connection and subsequent ones fail on the client side with |
|
|
37 | 37 | # "No connection could be made because the target machine actively |
|
|
38 | 38 | # refused it". If we eat the error, then the client properly aborts in |
|
|
39 | 39 | # the expected way, and the server is available for subsequent requests. |
|
|
40 | 40 | traceback.print_exc() |
|
|
41 | 41 | |
|
|
42 | 42 | |
|
|
43 | 43 | class dummysmtpsecureserver(dummysmtpserver): |
|
|
44 | 44 | def __init__(self, localaddr, certfile): |
|
|
45 | 45 | dummysmtpserver.__init__(self, localaddr) |
|
|
46 | 46 | self._certfile = certfile |
|
|
47 | 47 | |
|
|
48 | 48 | def handle_accept(self): |
|
|
49 | 49 | pair = self.accept() |
|
|
50 | 50 | if not pair: |
|
|
51 | 51 | return |
|
|
52 | 52 | conn, addr = pair |
|
|
53 | 53 | ui = uimod.ui.load() |
|
|
54 | 54 | try: |
|
|
55 | 55 | # wrap_socket() would block, but we don't care |
|
|
56 | 56 | conn = sslutil.wrapserversocket(conn, ui, certfile=self._certfile) |
|
|
57 | 57 | except ssl.SSLError: |
|
|
58 | 58 | log('%s ssl error\n' % addr[0]) |
|
|
59 | 59 | conn.close() |
|
|
60 | 60 | return |
|
|
61 | 61 | smtpd.SMTPChannel(self, conn, addr) |
|
|
62 | 62 | |
|
|
63 | 63 | |
|
|
64 | 64 | def run(): |
|
|
65 | 65 | try: |
|
|
66 | 66 | asyncore.loop() |
|
|
67 | 67 | except KeyboardInterrupt: |
|
|
68 | 68 | pass |
|
|
69 | 69 | |
|
|
70 | 70 | |
|
|
71 | 71 | def _encodestrsonly(v): |
|
|
72 | 72 | if isinstance(v, type(u'')): |
|
|
73 | 73 | return v.encode('ascii') |
|
|
74 | 74 | return v |
|
|
75 | 75 | |
|
|
76 | 76 | |
|
|
77 | 77 | def bytesvars(obj): |
|
|
78 | 78 | unidict = vars(obj) |
|
|
79 | 79 | bd = {k.encode('ascii'): _encodestrsonly(v) for k, v in unidict.items()} |
|
|
80 | 80 | if bd[b'daemon_postexec'] is not None: |
|
|
81 | 81 | bd[b'daemon_postexec'] = [ |
|
|
82 | 82 | _encodestrsonly(v) for v in bd[b'daemon_postexec'] |
|
|
83 | 83 | ] |
|
|
84 | 84 | return bd |
|
|
85 | 85 | |
|
|
86 | 86 | |
|
|
87 | 87 | def main(): |
|
|
88 | 88 | op = optparse.OptionParser() |
|
|
89 | 89 | op.add_option('-d', '--daemon', action='store_true') |
|
|
90 | 90 | op.add_option('--daemon-postexec', action='append') |
|
|
91 | 91 | op.add_option('-p', '--port', type=int, default=8025) |
|
|
92 | 92 | op.add_option('-a', '--address', default='localhost') |
|
|
93 | 93 | op.add_option('--pid-file', metavar='FILE') |
|
|
94 | 94 | op.add_option('--tls', choices=['none', 'smtps'], default='none') |
|
|
95 | 95 | op.add_option('--certificate', metavar='FILE') |
|
|
96 | op.add_option('--logfile', metavar='FILE') | |
|
|
96 | 97 | |
|
|
97 | 98 | opts, args = op.parse_args() |
|
|
98 | 99 | if opts.tls == 'smtps' and not opts.certificate: |
|
|
99 | 100 | op.error('--certificate must be specified') |
|
|
100 | 101 | |
|
|
101 | 102 | addr = (opts.address, opts.port) |
|
|
102 | 103 | |
|
|
103 | 104 | def init(): |
|
|
104 | 105 | if opts.tls == 'none': |
|
|
105 | 106 | dummysmtpserver(addr) |
|
|
106 | 107 | else: |
|
|
107 | 108 | dummysmtpsecureserver(addr, opts.certificate) |
|
|
108 | 109 | log('listening at %s:%d\n' % addr) |
|
|
109 | 110 | |
|
|
110 | 111 | server.runservice( |
|
|
111 | 112 | bytesvars(opts), |
|
|
112 | 113 | initfn=init, |
|
|
113 | 114 | runfn=run, |
|
|
114 | 115 | runargs=[pycompat.sysexecutable, pycompat.fsencode(__file__)] |
|
|
115 | 116 | + pycompat.sysargv[1:], |
|
|
117 | logfile=opts.logfile, | |
|
|
116 | 118 | ) |
|
|
117 | 119 | |
|
|
118 | 120 | |
|
|
119 | 121 | if __name__ == '__main__': |
|
|
120 | 122 | main() |
| @@ -1,99 +1,111 b'' | |||
|
|
1 | 1 | #require serve ssl |
|
|
2 | 2 | |
|
|
3 | 3 | Set up SMTP server: |
|
|
4 | 4 | |
|
|
5 | 5 | $ CERTSDIR="$TESTDIR/sslcerts" |
|
|
6 | 6 | $ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem |
|
|
7 | 7 | |
|
|
8 | $ "$PYTHON" "$TESTDIR/dummysmtpd.py" -p $HGPORT --pid-file a.pid -d \ | |
|
|
8 | $ "$PYTHON" "$TESTDIR/dummysmtpd.py" -p $HGPORT --pid-file a.pid --logfile log -d \ | |
|
|
9 | 9 | > --tls smtps --certificate `pwd`/server.pem |
|
|
10 | 10 | listening at localhost:$HGPORT (?) |
|
|
11 | 11 | $ cat a.pid >> $DAEMON_PIDS |
|
|
12 | 12 | |
|
|
13 | 13 | Set up repository: |
|
|
14 | 14 | |
|
|
15 | 15 | $ hg init t |
|
|
16 | 16 | $ cd t |
|
|
17 | 17 | $ cat <<EOF >> .hg/hgrc |
|
|
18 | 18 | > [extensions] |
|
|
19 | 19 | > patchbomb = |
|
|
20 | 20 | > [email] |
|
|
21 | 21 | > method = smtp |
|
|
22 | 22 | > [smtp] |
|
|
23 | 23 | > host = localhost |
|
|
24 | 24 | > port = $HGPORT |
|
|
25 | 25 | > tls = smtps |
|
|
26 | 26 | > EOF |
|
|
27 | 27 | |
|
|
28 | 28 | $ echo a > a |
|
|
29 | 29 | $ hg commit -Ama -d '1 0' |
|
|
30 | 30 | adding a |
|
|
31 | 31 | |
|
|
32 | 32 | Utility functions: |
|
|
33 | 33 | |
|
|
34 | 34 | $ DISABLECACERTS= |
|
|
35 | 35 | $ try () { |
|
|
36 | 36 | > hg email $DISABLECACERTS -f quux -t foo -c bar -r tip "$@" |
|
|
37 | 37 | > } |
|
|
38 | 38 | |
|
|
39 | 39 | Our test cert is not signed by a trusted CA. It should fail to verify if |
|
|
40 | 40 | we are able to load CA certs: |
|
|
41 | 41 | |
|
|
42 | 42 | #if no-defaultcacertsloaded |
|
|
43 | 43 | $ try |
|
|
44 | 44 | this patch series consists of 1 patches. |
|
|
45 | 45 | |
|
|
46 | 46 | |
|
|
47 | 47 | (an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) |
|
|
48 | 48 | (?i)abort: .*?certificate.verify.failed.* (re) |
|
|
49 | 49 | [255] |
|
|
50 | 50 | #endif |
|
|
51 | 51 | |
|
|
52 | 52 | #if defaultcacertsloaded |
|
|
53 | 53 | $ try |
|
|
54 | 54 | this patch series consists of 1 patches. |
|
|
55 | 55 | |
|
|
56 | 56 | |
|
|
57 | 57 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
|
|
58 | 58 | (?i)abort: .*?certificate.verify.failed.* (re) |
|
|
59 | 59 | [255] |
|
|
60 | 60 | |
|
|
61 | 61 | #endif |
|
|
62 | 62 | |
|
|
63 | 63 | $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true" |
|
|
64 | 64 | |
|
|
65 | 65 | Without certificates: |
|
|
66 | 66 | |
|
|
67 | 67 | $ try --debug |
|
|
68 | 68 | this patch series consists of 1 patches. |
|
|
69 | 69 | |
|
|
70 | 70 | |
|
|
71 | 71 | (using smtps) |
|
|
72 | 72 | sending mail: smtp host localhost, port * (glob) |
|
|
73 | 73 | (verifying remote certificate) |
|
|
74 | 74 | abort: unable to verify security of localhost (no loaded CA certificates); refusing to connect |
|
|
75 | 75 | (see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error or set hostsecurity.localhost:fingerprints=sha256:20:de:b3:ad:b4:cd:a5:42:f0:74:41:1c:a2:70:1e:da:6e:c0:5c:16:9e:e7:22:0f:f1:b7:e5:6e:e4:92:af:7e to trust this server) |
|
|
76 | 76 | [150] |
|
|
77 | 77 | |
|
|
78 | $ cat ../log | |
|
|
79 | * ssl error (glob) | |
|
|
80 | $ : > ../log | |
|
|
81 | ||
|
|
78 | 82 | With global certificates: |
|
|
79 | 83 | |
|
|
80 | 84 | $ try --debug --config web.cacerts="$CERTSDIR/pub.pem" |
|
|
81 | 85 | this patch series consists of 1 patches. |
|
|
82 | 86 | |
|
|
83 | 87 | |
|
|
84 | 88 | (using smtps) |
|
|
85 | 89 | sending mail: smtp host localhost, port * (glob) |
|
|
86 | 90 | (verifying remote certificate) |
|
|
87 | 91 | sending [PATCH] a ... |
|
|
88 | 92 | |
|
|
93 | $ cat ../log | |
|
|
94 | * from=quux to=foo, bar (glob) | |
|
|
95 | $ : > ../log | |
|
|
96 | ||
|
|
89 | 97 | With invalid certificates: |
|
|
90 | 98 | |
|
|
91 | 99 | $ try --config web.cacerts="$CERTSDIR/pub-other.pem" |
|
|
92 | 100 | this patch series consists of 1 patches. |
|
|
93 | 101 | |
|
|
94 | 102 | |
|
|
95 | 103 | (the full certificate chain may not be available locally; see "hg help debugssl") (windows !) |
|
|
96 | 104 | (?i)abort: .*?certificate.verify.failed.* (re) |
|
|
97 | 105 | [255] |
|
|
98 | 106 | |
|
|
107 | $ cat ../log | |
|
|
108 | * ssl error (glob) | |
|
|
109 | $ : > ../log | |
|
|
110 | ||
|
|
99 | 111 | $ cd .. |
General Comments 0
You need to be logged in to leave comments.
Login now