Merge pull request #905 from gevent/issue_904_fixes

Issue 904 fixes

Merge pull request #905 from gevent/issue_904_fixes
Issue 904 fixes
38231a7a · Jason Madden · GitHub · 3ab69f26 · f408de14 · 38231a7a
Commit 38231a7a authored Dec 08, 2016 by Jason Madden Committed by GitHub Dec 08, 2016
Show whitespace changes
Inline Side-by-side

Showing with 86 additions and 14 deletions

changelog.rst changelog.rst +2 -0

src/gevent/server.py src/gevent/server.py +59 -14

src/greentest/test__pywsgi.py src/greentest/test__pywsgi.py +25 -0

No files found.
--- a/changelog.rst
+++ b/changelog.rst
@@ -12,6 +12,8 @@
  on non-Windows systems for ease of development on BSD systems where
  ``make`` is BSD make and ``gmake`` is GNU make (gevent requires GNU
  make). See :issue:`888`.
+- Let :class:`gevent.server.StreamServer` accept an ``SSLContext`` on
+  Python versions that support it. Added in :pr:`904` by Arcadiy Ivanov.

 1.2a1 (Oct 27, 2016)
 ====================

--- a/src/gevent/server.py
+++ b/src/gevent/server.py
@@ -17,11 +17,56 @@ else:


 class StreamServer(BaseServer):
-    """A generic TCP server. Accepts connections on a listening socket and spawns user-provided *handle*
-    for each connection with 2 arguments: the client socket and the client address.
+    """
+    A generic TCP server.
+
+    Accepts connections on a listening socket and spawns user-provided
+    *handle* function for each connection with 2 arguments: the client
+    socket and the client address.
+
+    Note that although the errors in a successfully spawned handler
+    will not affect the server or other connections, the errors raised
+    by :func:`accept` and *spawn* cause the server to stop accepting
+    for a short amount of time. The exact period depends on the values
+    of :attr:`min_delay` and :attr:`max_delay` attributes.
+
+    The delay starts with :attr:`min_delay` and doubles with each
+    successive error until it reaches :attr:`max_delay`. A successful
+    :func:`accept` resets the delay to :attr:`min_delay` again.
+
+    See :class:`~gevent.baseserver.BaseServer` for information on defining the *handle*
+    function and important restrictions on it.
+
+    **SSL Support**
+
+    The server can optionally work in SSL mode when given the correct
+    keyword arguments. (That is, the presence of any keyword arguments
+    will trigger SSL mode.) On Python 2.7.9 and later (any Python
+    version that supports the :class:`ssl.SSLContext`), this can be
+    done with a configured ``SSLContext``. On any Python version, it
+    can be done by passing the appropriate arguments for
+    :func:`ssl.wrap_socket`.
+
+    The incoming socket will be wrapped into an SSL socket before
+    being passed to the *handle* function.

-    If any of the following keyword arguments are present, then the server assumes SSL mode and uses these arguments
-    to create an SSL wrapper for the client socket before passing it to *handle*:
+    If the *ssl_context* keyword argument is present, it should
+    contain an :class:`ssl.SSLContext`. The remaining keyword
+    arguments are passed to the :meth:`ssl.SSLContext.wrap_socket`
+    method of that object. Depending on the Python version, supported arguments
+    may include:
+
+    - server_hostname
+    - suppress_ragged_eofs
+    - do_handshake_on_connect
+
+    .. caution:: When using an SSLContext, it should either be
+       imported from :mod:`gevent.ssl`, or the process needs to be monkey-patched.
+       If the process is not monkey-patched and you pass the standard library
+       SSLContext, the resulting client sockets will not cooperate with gevent.
+
+    Otherwise, keyword arguments are assumed to apply to :func:`ssl.wrap_socket`.
+    These keyword arguments bay include:

    - keyfile
    - certfile
@@ -32,14 +77,9 @@ class StreamServer(BaseServer):
    - do_handshake_on_connect
    - ciphers

-    Note that although the errors in a successfully spawned handler will not affect the server or other connections,
-    the errors raised by :func:`accept` and *spawn* cause the server to stop accepting for a short amount of time. The
-    exact period depends on the values of :attr:`min_delay` and :attr:`max_delay` attributes.
-
-    The delay starts with :attr:`min_delay` and doubles with each successive error until it reaches :attr:`max_delay`.
-    A successful :func:`accept` resets the delay to :attr:`min_delay` again.
+    .. versionchanged:: 1.2a2
+       Add support for the *ssl_context* keyword argument.

-    See :class:`BaseServer` for information on defining the *handle* function and important restrictions on it.
    """
    # the default backlog to use if none was provided in __init__
    backlog = 256
@@ -51,6 +91,11 @@ class StreamServer(BaseServer):
        try:
            if ssl_args:
                ssl_args.setdefault('server_side', True)
+                if 'ssl_context' in ssl_args:
+                    ssl_context = ssl_args.pop('ssl_context')
+                    self.wrap_socket = ssl_context.wrap_socket
+                    self.ssl_args = ssl_args
+                else:
                    from gevent.ssl import wrap_socket
                    self.wrap_socket = wrap_socket
                    self.ssl_args = ssl_args

--- a/src/greentest/test__pywsgi.py
+++ b/src/greentest/test__pywsgi.py
@@ -19,7 +19,9 @@
 # THE SOFTWARE.
 # pylint: disable=too-many-lines,unused-argument
 from __future__ import print_function
+
 from gevent import monkey
+
 monkey.patch_all(thread=False)

 try:
@@ -739,6 +741,26 @@ class HttpsTestCase(TestCase):
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [environ['wsgi.input'].read(10)]

+try:
+    from gevent.ssl import create_default_context as _
+except ImportError:
+    HAVE_SSLCONTEXT = False
+else:
+    HAVE_SSLCONTEXT = True
+
+    class HttpsSslContextTestCase(HttpsTestCase):
+        def init_server(self, application):
+            # On 2.7, our certs don't line up with hostname.
+            # If we just use create_default_context as-is, we get
+            # `ValueError: check_hostname requires server_hostname`.
+            # If we set check_hostname to False, we get
+            # `SSLError: [SSL: PEER_DID_NOT_RETURN_A_CERTIFICATE] peer did not return a certificate`
+            # (Neither of which happens in Python 3.) But the unverified context
+            # works both places. See also test___example_servers.py
+            from gevent.ssl import _create_unverified_context
+            context = _create_unverified_context()
+            context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile)
+            self.server = pywsgi.WSGIServer(('127.0.0.1', 0), application, ssl_context=context)

 class TestHttps(HttpsTestCase):

@@ -752,6 +774,9 @@ class TestHttps(HttpsTestCase):
            result = self.urlopen()
            self.assertEquals(result.body, '')

+if HAVE_SSLCONTEXT:
+    class TestHttpsWithContext(HttpsSslContextTestCase, TestHttps):
+        pass

 class TestInternational(TestCase):
    validator = None  # wsgiref.validate.IteratorWrapper([]) does not have __len__