Merge branch 'development' of https://github.com/mylh/hyper into mylh-development

Author: Lukasa

hyper/contrib.py

@@ -16,6 +16,7 @@
 
 from hyper.common.connection import HTTPConnection
 from hyper.compat import urlparse
+from hyper.tls import init_context
 
 
 class HTTP20Adapter(HTTPAdapter):
@@ -28,31 +29,42 @@ def __init__(self, *args, **kwargs):
         #: A mapping between HTTP netlocs and ``HTTP20Connection`` objects.
         self.connections = {}
 
-    def get_connection(self, host, port, scheme):
+    def get_connection(self, host, port, scheme, cert=None):
         """
-        Gets an appropriate HTTP/2 connection object based on host/port/scheme
-        tuples.
+        Gets an appropriate HTTP/2 connection object based on
+        host/port/scheme/cert tuples.
         """
         secure = (scheme == 'https')
 
         if port is None:  # pragma: no cover
             port = 80 if not secure else 443
 
+        ssl_context = None
+        if cert is not None:
+            ssl_context = init_context(cert=cert)
+
         try:
-            conn = self.connections[(host, port, scheme)]
+            conn = self.connections[(host, port, scheme, cert)]
         except KeyError:
-            conn = HTTPConnection(host, port, secure=secure)
-            self.connections[(host, port, scheme)] = conn
+            conn = HTTPConnection(
+                host,
+                port,
+                secure=secure,
+                ssl_context=ssl_context)
+            self.connections[(host, port, scheme, cert)] = conn
 
         return conn
 
-    def send(self, request, stream=False, **kwargs):
+    def send(self, request, stream=False, cert=None, **kwargs):
         """
         Sends a HTTP message to the server.
         """
         parsed = urlparse(request.url)
-
-        conn = self.get_connection(parsed.hostname, parsed.port, parsed.scheme)
+        conn = self.get_connection(
+            parsed.hostname,
+            parsed.port,
+            parsed.scheme,
+            cert=cert)
 
         # Build the selector.
         selector = parsed.path

hyper/tls.py

@@ -65,7 +65,7 @@ def wrap_socket(sock, server_hostname, ssl_context=None, force_proto=None):
     return (ssl_sock, proto)
 
 
-def init_context(cert_path=None):
+def init_context(cert_path=None, cert=None, cert_password=None):
     """
     Create a new ``SSLContext`` that is correctly set up for an HTTP/2 connection.
     This SSL context object can be customized and passed as a parameter to the
@@ -74,7 +74,24 @@ def init_context(cert_path=None):
     certificate. The path to the certificate can be absolute or relative
     to your working directory.
 
-    :param cert_path: (optional) The path to the certificate file.
+    :param cert_path: (optional) The path to the certificate file of
+        “certification authority” (CA) certificates
+    :param cert: (optional) if string, path to ssl client cert file (.pem).
+        If tuple, ('cert', 'key') pair.
+        The certfile string must be the path to a single file in PEM format
+        containing the certificate as well as any number of CA certificates
+        needed to establish the certificate’s authenticity. The keyfile string,
+        if present, must point to a file containing the private key in.
+        Otherwise the private key will be taken from certfile as well.
+    :param cert_password: (optional) The password argument may be a function to
+        call to get the password for decrypting the private key. It will only
+        be called if the private key is encrypted and a password is necessary.
+        It will be called with no arguments, and it should return a string,
+        bytes, or bytearray. If the return value is a string it will be
+        encoded as UTF-8 before using it to decrypt the key. Alternatively a
+        string, bytes, or bytearray value may be supplied directly as the
+        password argument. It will be ignored if the private key is not
+        encrypted and no password is needed.
     :returns: An ``SSLContext`` correctly set up for HTTP/2.
     """
     context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
@@ -92,4 +109,14 @@ def init_context(cert_path=None):
     # required by the spec
     context.options |= ssl.OP_NO_COMPRESSION
 
+    if cert is not None:
+        try:
+            basestring
+        except NameError:
+            basestring = str
+        if not isinstance(cert, basestring):
+            context.load_cert_chain(cert[0], cert[1], cert_password)
+        else:
+            context.load_cert_chain(cert, password=cert_password)
+
     return context

test/certs/nopassword.pem

@@ -0,0 +1,49 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6Xa4TY1JPp6Ta
+PdiBsCBIxCDOOUZWsAb+F6p0VDCocOv3Qx8NOHalFHjTAJIHdv0oyCwv99z+z3rc
+NZY+5DAaNQxw3mtaSoQVK+yVLQqfqkze/Qm5RoDFqubrFCGBSI4XQ3RW88JLIuZw
+b2do8MhIUwMo7xkVpsA/C+KBeKP1cchvoDwmO6MDLQGLozfARQpD1Y/kxAsfFRe+
+tsGFhyHuiwFed7IaWt4aUbBsFCw6O5zEg6tK+tJh2O9LEN8PyG1mojYQk3e1v5/6
+sSxoEuE2xTqFruZ+cuT+iSq0upF8o2bLfPZalY5NICKF3sKY0xCdnVabxUbxB+Z1
+5Nf5ZFCpAgMBAAECggEBAJWRm6R5wNSm0fpJSlqC9NYRedaoRthJu8LvUWC9NLPq
+tKYkG2ar2ySPsox9V7Vf/LtfM39n6NgjwhG7fBKLZkOSMaLgDr5PMYQgVWY/2Nfd
+gIYyBDzK5Yw+pccix+UPSuJGw7cJOPS+VL0F27NwEv1gihevFK24v2+Z5TZNkSDo
+yvI8Y0QNEZS36RGP1mlRGB1IAD61gOYPrnkkpYL+N1ZiGHUdqxLbMjxqmoFRJjhj
+qYfll0I6x5o4QydO7qXnSdpQugBWdRP2H/IHHB/QQAwro09t6B3C34jq4mTs6Oeu
+eTXk6ug6oPkqpCjoIk78W32Cd1SdCyeTkD7VTTLPN2UCgYEA3igGKKC7EffZqTYG
+6QXqj2hdl+YXmOy9gKxSnbGCO9uqefJTpqlmY7g9JfV/ijhJlMk4ZI9Hr/eCqCCp
+r6oIcGtwB1GqkHnVUgPaf6qc52r9ag+jXPJdWmL5Dc7GK3iosD4a7xXtY6obf5cX
+qzGczFbRlbBzmwI++/PFwaIBPv8CgYEA1sHZggxt1aOBfzJaYafdiC/NT/7DMAJ+
+qVCgoFU3IaexxAcaHpsPT3sMu/kEsA574V4PAojvR3qlzSMpBsCWNtgrOdA9WNyS
+G0RI/+gA0XCmDZaCGrzBlLGKidY48G+OozLRf3fBR8IbVeHfkocw65KQVKwfG4Ah
+Zc/bj0LwGFcCgYEA1xM4oyy473RcrY04s3Ce3afUtLJ2Nf88l849TZ4Ez56jNNx+
+T+PA1NoRmSZMC6ziz8Dfb7unU5z0SYEVxpN/CBd7phpSXv0UoQpKBz9OGF1kacIq
+Dlo2NsOLCuscwAlYhwgZW06HPO37IVNN/tdRTiLfVWQ3B+Lsx1ACLKyDOFECgYB1
+EsJPWhU6RONggwOwfwGOr3h+poSjlIiWJsUaArqGV1PaaIC9tIw5KPx9MLh0fcDc
+0BjgqeO/lMX0Obmw26ZICbouzy3SVpQz1xrwnvprMrzjZWxRxRrGw66hi64IrNgW
+caqxkYhFZTTfsb3etGJf2ctizV478LLEPPcVd0lKCwKBgG0q1+0FHJ8jsgi1pj+Y
+jP6n8LQ9fLlUVhjFHfNEA3gSanVHdsWmW+7pMUIbDSnDlifS5/afnZfPpW3lQXB4
+yoTmYYSt4mq8Jo5VItRWm5xsWqcbdqKVuuwzTi6m2F2Lvc4tp/E8GXGhSw3UM2qy
+CRHH9H+8ktCv/GnW5MiAF5Jz
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDezCCAmOgAwIBAgIJAJmioIcuQec4MA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdOZXdZb3JrMRAwDgYDVQQHDAdOZXdZb3JrMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTYwMzIzMTE1MzUxWhcN
+MTYwNDIyMTE1MzUxWjBUMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTmV3WW9yazEQ
+MA4GA1UEBwwHTmV3WW9yazEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkg
+THRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAul2uE2NST6ek2j3Y
+gbAgSMQgzjlGVrAG/heqdFQwqHDr90MfDTh2pRR40wCSB3b9KMgsL/fc/s963DWW
+PuQwGjUMcN5rWkqEFSvslS0Kn6pM3v0JuUaAxarm6xQhgUiOF0N0VvPCSyLmcG9n
+aPDISFMDKO8ZFabAPwvigXij9XHIb6A8JjujAy0Bi6M3wEUKQ9WP5MQLHxUXvrbB
+hYch7osBXneyGlreGlGwbBQsOjucxIOrSvrSYdjvSxDfD8htZqI2EJN3tb+f+rEs
+aBLhNsU6ha7mfnLk/okqtLqRfKNmy3z2WpWOTSAihd7CmNMQnZ1Wm8VG8QfmdeTX
++WRQqQIDAQABo1AwTjAdBgNVHQ4EFgQUtdlqFdvfUI7mkDH62Q6BE9DKyqYwHwYD
+VR0jBBgwFoAUtdlqFdvfUI7mkDH62Q6BE9DKyqYwDAYDVR0TBAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAh/el7sxFudIVHcAti7DxkqJEiOs7bPwAwnaRiKfLZEYo
+NVGQ+GtMarCO/j/EO6STlkoFqI8XA2Jn9WYsoV8OD6lcU9DoJKlupIIRH+PVYhSb
+q6WTqbB0o12Se9EGJ/NmsXFn2KqSRah6TTcJSVNAvcF8qMilnPjbJjCxdoMVT34b
+EmdyZxIFmKMrth+zKTqDzs+FK+49JTnjomm7A3h9iErGzsiM3BZzZLGEcG52IYuC
+P/fcJs24014NqPqXl+JVnFk8sLBRZKYA9yYZ4C/XH/ZF/Y2pVhgwxZN8OtcaydR4
+pyGNdgG1ml9CpqZQfj4WMS+x2LmCWpCRH+pXcqg/kQ==
+-----END CERTIFICATE-----

test/test_SSLContext.py

@@ -2,11 +2,22 @@
 """
 Tests the hyper SSLContext.
 """
+import os
+
 import hyper
 from hyper.common.connection import HTTPConnection
 from hyper.compat import ssl
+
 import pytest
 
+
+TEST_DIR = os.path.abspath(os.path.dirname(__file__))
+TEST_CERTS_DIR = os.path.join(TEST_DIR, 'certs')
+CLIENT_CERT_FILE = os.path.join(TEST_CERTS_DIR, 'client.crt')
+CLIENT_KEY_FILE = os.path.join(TEST_CERTS_DIR, 'client.key')
+CLIENT_PEM_FILE = os.path.join(TEST_CERTS_DIR, 'nopassword.pem')
+
+
 class TestSSLContext(object):
     """
     Tests default and custom SSLContext
@@ -47,3 +58,10 @@ def test_HTTPConnection_with_custom_context(self):
         assert conn.ssl_context.check_hostname == True
         assert conn.ssl_context.verify_mode == ssl.CERT_REQUIRED
         assert conn.ssl_context.options & ssl.OP_NO_COMPRESSION != 0
+
+
+    def test_client_certificates(self):
+        context = hyper.tls.init_context(
+            cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE),
+            cert_password=b'abc123')
+        context = hyper.tls.init_context(cert=CLIENT_PEM_FILE)

test/test_hyper.py

@@ -28,6 +28,11 @@
 import hyper
 
 
+TEST_DIR = os.path.abspath(os.path.dirname(__file__))
+TEST_CERTS_DIR = os.path.join(TEST_DIR, 'certs')
+CLIENT_PEM_FILE = os.path.join(TEST_CERTS_DIR, 'nopassword.pem')
+
+
 def decode_frame(frame_data):
     f, length = Frame.parse_frame_header(frame_data[:9])
     f.parse_body(memoryview(frame_data[9:9 + length]))
@@ -784,6 +789,21 @@ def test_adapter_reuses_connections(self):
 
         assert conn1 is conn2
 
+    def test_adapter_accept_client_certificate(self):
+        a = HTTP20Adapter()
+        conn1 = a.get_connection(
+            'http2bin.org',
+            80,
+            'http',
+            cert=CLIENT_PEM_FILE)
+        conn2 = a.get_connection(
+            'http2bin.org',
+            80,
+            'http',
+            cert=CLIENT_PEM_FILE)
+        assert conn1 is conn2
+
+
 
 class TestUtilities(object):
     def test_combining_repeated_headers(self):