comparison env/lib/python3.7/site-packages/urllib3/connection.py @ 5:9b1c78e6ba9c draft default tip

"planemo upload commit 6c0a8142489327ece472c84e558c47da711a9142"
author shellac
date Mon, 01 Jun 2020 08:59:25 -0400
parents 79f47841a781
children
comparison
equal deleted inserted replaced
4:79f47841a781 5:9b1c78e6ba9c
1 from __future__ import absolute_import
2 import re
3 import datetime
4 import logging
5 import os
6 import socket
7 from socket import error as SocketError, timeout as SocketTimeout
8 import warnings
9 from .packages import six
10 from .packages.six.moves.http_client import HTTPConnection as _HTTPConnection
11 from .packages.six.moves.http_client import HTTPException # noqa: F401
12
13 try: # Compiled with SSL?
14 import ssl
15
16 BaseSSLError = ssl.SSLError
17 except (ImportError, AttributeError): # Platform-specific: No SSL.
18 ssl = None
19
20 class BaseSSLError(BaseException):
21 pass
22
23
24 try:
25 # Python 3: not a no-op, we're adding this to the namespace so it can be imported.
26 ConnectionError = ConnectionError
27 except NameError:
28 # Python 2
29 class ConnectionError(Exception):
30 pass
31
32
33 from .exceptions import (
34 NewConnectionError,
35 ConnectTimeoutError,
36 SubjectAltNameWarning,
37 SystemTimeWarning,
38 )
39 from .packages.ssl_match_hostname import match_hostname, CertificateError
40
41 from .util.ssl_ import (
42 resolve_cert_reqs,
43 resolve_ssl_version,
44 assert_fingerprint,
45 create_urllib3_context,
46 ssl_wrap_socket,
47 )
48
49
50 from .util import connection
51
52 from ._collections import HTTPHeaderDict
53
54 log = logging.getLogger(__name__)
55
56 port_by_scheme = {"http": 80, "https": 443}
57
58 # When it comes time to update this value as a part of regular maintenance
59 # (ie test_recent_date is failing) update it to ~6 months before the current date.
60 RECENT_DATE = datetime.date(2019, 1, 1)
61
62 _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
63
64
65 class DummyConnection(object):
66 """Used to detect a failed ConnectionCls import."""
67
68 pass
69
70
71 class HTTPConnection(_HTTPConnection, object):
72 """
73 Based on httplib.HTTPConnection but provides an extra constructor
74 backwards-compatibility layer between older and newer Pythons.
75
76 Additional keyword parameters are used to configure attributes of the connection.
77 Accepted parameters include:
78
79 - ``strict``: See the documentation on :class:`urllib3.connectionpool.HTTPConnectionPool`
80 - ``source_address``: Set the source address for the current connection.
81 - ``socket_options``: Set specific options on the underlying socket. If not specified, then
82 defaults are loaded from ``HTTPConnection.default_socket_options`` which includes disabling
83 Nagle's algorithm (sets TCP_NODELAY to 1) unless the connection is behind a proxy.
84
85 For example, if you wish to enable TCP Keep Alive in addition to the defaults,
86 you might pass::
87
88 HTTPConnection.default_socket_options + [
89 (socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1),
90 ]
91
92 Or you may want to disable the defaults by passing an empty list (e.g., ``[]``).
93 """
94
95 default_port = port_by_scheme["http"]
96
97 #: Disable Nagle's algorithm by default.
98 #: ``[(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)]``
99 default_socket_options = [(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)]
100
101 #: Whether this connection verifies the host's certificate.
102 is_verified = False
103
104 def __init__(self, *args, **kw):
105 if not six.PY2:
106 kw.pop("strict", None)
107
108 # Pre-set source_address.
109 self.source_address = kw.get("source_address")
110
111 #: The socket options provided by the user. If no options are
112 #: provided, we use the default options.
113 self.socket_options = kw.pop("socket_options", self.default_socket_options)
114
115 _HTTPConnection.__init__(self, *args, **kw)
116
117 @property
118 def host(self):
119 """
120 Getter method to remove any trailing dots that indicate the hostname is an FQDN.
121
122 In general, SSL certificates don't include the trailing dot indicating a
123 fully-qualified domain name, and thus, they don't validate properly when
124 checked against a domain name that includes the dot. In addition, some
125 servers may not expect to receive the trailing dot when provided.
126
127 However, the hostname with trailing dot is critical to DNS resolution; doing a
128 lookup with the trailing dot will properly only resolve the appropriate FQDN,
129 whereas a lookup without a trailing dot will search the system's search domain
130 list. Thus, it's important to keep the original host around for use only in
131 those cases where it's appropriate (i.e., when doing DNS lookup to establish the
132 actual TCP connection across which we're going to send HTTP requests).
133 """
134 return self._dns_host.rstrip(".")
135
136 @host.setter
137 def host(self, value):
138 """
139 Setter for the `host` property.
140
141 We assume that only urllib3 uses the _dns_host attribute; httplib itself
142 only uses `host`, and it seems reasonable that other libraries follow suit.
143 """
144 self._dns_host = value
145
146 def _new_conn(self):
147 """ Establish a socket connection and set nodelay settings on it.
148
149 :return: New socket connection.
150 """
151 extra_kw = {}
152 if self.source_address:
153 extra_kw["source_address"] = self.source_address
154
155 if self.socket_options:
156 extra_kw["socket_options"] = self.socket_options
157
158 try:
159 conn = connection.create_connection(
160 (self._dns_host, self.port), self.timeout, **extra_kw
161 )
162
163 except SocketTimeout:
164 raise ConnectTimeoutError(
165 self,
166 "Connection to %s timed out. (connect timeout=%s)"
167 % (self.host, self.timeout),
168 )
169
170 except SocketError as e:
171 raise NewConnectionError(
172 self, "Failed to establish a new connection: %s" % e
173 )
174
175 return conn
176
177 def _prepare_conn(self, conn):
178 self.sock = conn
179 # Google App Engine's httplib does not define _tunnel_host
180 if getattr(self, "_tunnel_host", None):
181 # TODO: Fix tunnel so it doesn't depend on self.sock state.
182 self._tunnel()
183 # Mark this connection as not reusable
184 self.auto_open = 0
185
186 def connect(self):
187 conn = self._new_conn()
188 self._prepare_conn(conn)
189
190 def putrequest(self, method, url, *args, **kwargs):
191 """Send a request to the server"""
192 match = _CONTAINS_CONTROL_CHAR_RE.search(method)
193 if match:
194 raise ValueError(
195 "Method cannot contain non-token characters %r (found at least %r)"
196 % (method, match.group())
197 )
198
199 return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
200
201 def request_chunked(self, method, url, body=None, headers=None):
202 """
203 Alternative to the common request method, which sends the
204 body with chunked encoding and not as one block
205 """
206 headers = HTTPHeaderDict(headers if headers is not None else {})
207 skip_accept_encoding = "accept-encoding" in headers
208 skip_host = "host" in headers
209 self.putrequest(
210 method, url, skip_accept_encoding=skip_accept_encoding, skip_host=skip_host
211 )
212 for header, value in headers.items():
213 self.putheader(header, value)
214 if "transfer-encoding" not in headers:
215 self.putheader("Transfer-Encoding", "chunked")
216 self.endheaders()
217
218 if body is not None:
219 stringish_types = six.string_types + (bytes,)
220 if isinstance(body, stringish_types):
221 body = (body,)
222 for chunk in body:
223 if not chunk:
224 continue
225 if not isinstance(chunk, bytes):
226 chunk = chunk.encode("utf8")
227 len_str = hex(len(chunk))[2:]
228 self.send(len_str.encode("utf-8"))
229 self.send(b"\r\n")
230 self.send(chunk)
231 self.send(b"\r\n")
232
233 # After the if clause, to always have a closed body
234 self.send(b"0\r\n\r\n")
235
236
237 class HTTPSConnection(HTTPConnection):
238 default_port = port_by_scheme["https"]
239
240 cert_reqs = None
241 ca_certs = None
242 ca_cert_dir = None
243 ca_cert_data = None
244 ssl_version = None
245 assert_fingerprint = None
246
247 def __init__(
248 self,
249 host,
250 port=None,
251 key_file=None,
252 cert_file=None,
253 key_password=None,
254 strict=None,
255 timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
256 ssl_context=None,
257 server_hostname=None,
258 **kw
259 ):
260
261 HTTPConnection.__init__(self, host, port, strict=strict, timeout=timeout, **kw)
262
263 self.key_file = key_file
264 self.cert_file = cert_file
265 self.key_password = key_password
266 self.ssl_context = ssl_context
267 self.server_hostname = server_hostname
268
269 # Required property for Google AppEngine 1.9.0 which otherwise causes
270 # HTTPS requests to go out as HTTP. (See Issue #356)
271 self._protocol = "https"
272
273 def set_cert(
274 self,
275 key_file=None,
276 cert_file=None,
277 cert_reqs=None,
278 key_password=None,
279 ca_certs=None,
280 assert_hostname=None,
281 assert_fingerprint=None,
282 ca_cert_dir=None,
283 ca_cert_data=None,
284 ):
285 """
286 This method should only be called once, before the connection is used.
287 """
288 # If cert_reqs is not provided we'll assume CERT_REQUIRED unless we also
289 # have an SSLContext object in which case we'll use its verify_mode.
290 if cert_reqs is None:
291 if self.ssl_context is not None:
292 cert_reqs = self.ssl_context.verify_mode
293 else:
294 cert_reqs = resolve_cert_reqs(None)
295
296 self.key_file = key_file
297 self.cert_file = cert_file
298 self.cert_reqs = cert_reqs
299 self.key_password = key_password
300 self.assert_hostname = assert_hostname
301 self.assert_fingerprint = assert_fingerprint
302 self.ca_certs = ca_certs and os.path.expanduser(ca_certs)
303 self.ca_cert_dir = ca_cert_dir and os.path.expanduser(ca_cert_dir)
304 self.ca_cert_data = ca_cert_data
305
306 def connect(self):
307 # Add certificate verification
308 conn = self._new_conn()
309 hostname = self.host
310
311 # Google App Engine's httplib does not define _tunnel_host
312 if getattr(self, "_tunnel_host", None):
313 self.sock = conn
314 # Calls self._set_hostport(), so self.host is
315 # self._tunnel_host below.
316 self._tunnel()
317 # Mark this connection as not reusable
318 self.auto_open = 0
319
320 # Override the host with the one we're requesting data from.
321 hostname = self._tunnel_host
322
323 server_hostname = hostname
324 if self.server_hostname is not None:
325 server_hostname = self.server_hostname
326
327 is_time_off = datetime.date.today() < RECENT_DATE
328 if is_time_off:
329 warnings.warn(
330 (
331 "System time is way off (before {0}). This will probably "
332 "lead to SSL verification errors"
333 ).format(RECENT_DATE),
334 SystemTimeWarning,
335 )
336
337 # Wrap socket using verification with the root certs in
338 # trusted_root_certs
339 default_ssl_context = False
340 if self.ssl_context is None:
341 default_ssl_context = True
342 self.ssl_context = create_urllib3_context(
343 ssl_version=resolve_ssl_version(self.ssl_version),
344 cert_reqs=resolve_cert_reqs(self.cert_reqs),
345 )
346
347 context = self.ssl_context
348 context.verify_mode = resolve_cert_reqs(self.cert_reqs)
349
350 # Try to load OS default certs if none are given.
351 # Works well on Windows (requires Python3.4+)
352 if (
353 not self.ca_certs
354 and not self.ca_cert_dir
355 and not self.ca_cert_data
356 and default_ssl_context
357 and hasattr(context, "load_default_certs")
358 ):
359 context.load_default_certs()
360
361 self.sock = ssl_wrap_socket(
362 sock=conn,
363 keyfile=self.key_file,
364 certfile=self.cert_file,
365 key_password=self.key_password,
366 ca_certs=self.ca_certs,
367 ca_cert_dir=self.ca_cert_dir,
368 ca_cert_data=self.ca_cert_data,
369 server_hostname=server_hostname,
370 ssl_context=context,
371 )
372
373 if self.assert_fingerprint:
374 assert_fingerprint(
375 self.sock.getpeercert(binary_form=True), self.assert_fingerprint
376 )
377 elif (
378 context.verify_mode != ssl.CERT_NONE
379 and not getattr(context, "check_hostname", False)
380 and self.assert_hostname is not False
381 ):
382 # While urllib3 attempts to always turn off hostname matching from
383 # the TLS library, this cannot always be done. So we check whether
384 # the TLS Library still thinks it's matching hostnames.
385 cert = self.sock.getpeercert()
386 if not cert.get("subjectAltName", ()):
387 warnings.warn(
388 (
389 "Certificate for {0} has no `subjectAltName`, falling back to check for a "
390 "`commonName` for now. This feature is being removed by major browsers and "
391 "deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 "
392 "for details.)".format(hostname)
393 ),
394 SubjectAltNameWarning,
395 )
396 _match_hostname(cert, self.assert_hostname or server_hostname)
397
398 self.is_verified = (
399 context.verify_mode == ssl.CERT_REQUIRED
400 or self.assert_fingerprint is not None
401 )
402
403
404 def _match_hostname(cert, asserted_hostname):
405 try:
406 match_hostname(cert, asserted_hostname)
407 except CertificateError as e:
408 log.warning(
409 "Certificate did not match expected hostname: %s. Certificate: %s",
410 asserted_hostname,
411 cert,
412 )
413 # Add cert to exception and reraise so client code can inspect
414 # the cert when catching the exception, if they want to
415 e._peer_cert = cert
416 raise
417
418
419 if not ssl:
420 HTTPSConnection = DummyConnection # noqa: F811
421
422
423 VerifiedHTTPSConnection = HTTPSConnection