| from __future__ import absolute_import |
| import datetime |
| import logging |
| import os |
| import socket |
| from socket import error as SocketError, timeout as SocketTimeout |
| import warnings |
| from .packages import six |
| from .packages.six.moves.http_client import HTTPConnection as _HTTPConnection |
| from .packages.six.moves.http_client import HTTPException # noqa: F401 |
| |
| try: # Compiled with SSL? |
| import ssl |
| BaseSSLError = ssl.SSLError |
| except (ImportError, AttributeError): # Platform-specific: No SSL. |
| ssl = None |
| |
| class BaseSSLError(BaseException): |
| pass |
| |
| |
| try: |
| # Python 3: not a no-op, we're adding this to the namespace so it can be imported. |
| ConnectionError = ConnectionError |
| except NameError: |
| # Python 2 |
| class ConnectionError(Exception): |
| pass |
| |
| |
| from .exceptions import ( |
| NewConnectionError, |
| ConnectTimeoutError, |
| SubjectAltNameWarning, |
| SystemTimeWarning, |
| ) |
| from .packages.ssl_match_hostname import match_hostname, CertificateError |
| |
| from .util.ssl_ import ( |
| resolve_cert_reqs, |
| resolve_ssl_version, |
| assert_fingerprint, |
| create_urllib3_context, |
| ssl_wrap_socket |
| ) |
| |
| |
| from .util import connection |
| |
| from ._collections import HTTPHeaderDict |
| |
| log = logging.getLogger(__name__) |
| |
| port_by_scheme = { |
| 'http': 80, |
| 'https': 443, |
| } |
| |
| # When updating RECENT_DATE, move it to within two years of the current date, |
| # and not less than 6 months ago. |
| # Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or |
| # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months) |
| RECENT_DATE = datetime.date(2017, 6, 30) |
| |
| |
| class DummyConnection(object): |
| """Used to detect a failed ConnectionCls import.""" |
| pass |
| |
| |
| class HTTPConnection(_HTTPConnection, object): |
| """ |
| Based on httplib.HTTPConnection but provides an extra constructor |
| backwards-compatibility layer between older and newer Pythons. |
| |
| Additional keyword parameters are used to configure attributes of the connection. |
| Accepted parameters include: |
| |
| - ``strict``: See the documentation on :class:`urllib3.connectionpool.HTTPConnectionPool` |
| - ``source_address``: Set the source address for the current connection. |
| - ``socket_options``: Set specific options on the underlying socket. If not specified, then |
| defaults are loaded from ``HTTPConnection.default_socket_options`` which includes disabling |
| Nagle's algorithm (sets TCP_NODELAY to 1) unless the connection is behind a proxy. |
| |
| For example, if you wish to enable TCP Keep Alive in addition to the defaults, |
| you might pass:: |
| |
| HTTPConnection.default_socket_options + [ |
| (socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1), |
| ] |
| |
| Or you may want to disable the defaults by passing an empty list (e.g., ``[]``). |
| """ |
| |
| default_port = port_by_scheme['http'] |
| |
| #: Disable Nagle's algorithm by default. |
| #: ``[(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)]`` |
| default_socket_options = [(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)] |
| |
| #: Whether this connection verifies the host's certificate. |
| is_verified = False |
| |
| def __init__(self, *args, **kw): |
| if six.PY3: |
| kw.pop('strict', None) |
| |
| # Pre-set source_address. |
| self.source_address = kw.get('source_address') |
| |
| #: The socket options provided by the user. If no options are |
| #: provided, we use the default options. |
| self.socket_options = kw.pop('socket_options', self.default_socket_options) |
| |
| _HTTPConnection.__init__(self, *args, **kw) |
| |
| @property |
| def host(self): |
| """ |
| Getter method to remove any trailing dots that indicate the hostname is an FQDN. |
| |
| In general, SSL certificates don't include the trailing dot indicating a |
| fully-qualified domain name, and thus, they don't validate properly when |
| checked against a domain name that includes the dot. In addition, some |
| servers may not expect to receive the trailing dot when provided. |
| |
| However, the hostname with trailing dot is critical to DNS resolution; doing a |
| lookup with the trailing dot will properly only resolve the appropriate FQDN, |
| whereas a lookup without a trailing dot will search the system's search domain |
| list. Thus, it's important to keep the original host around for use only in |
| those cases where it's appropriate (i.e., when doing DNS lookup to establish the |
| actual TCP connection across which we're going to send HTTP requests). |
| """ |
| return self._dns_host.rstrip('.') |
| |
| @host.setter |
| def host(self, value): |
| """ |
| Setter for the `host` property. |
| |
| We assume that only urllib3 uses the _dns_host attribute; httplib itself |
| only uses `host`, and it seems reasonable that other libraries follow suit. |
| """ |
| self._dns_host = value |
| |
| def _new_conn(self): |
| """ Establish a socket connection and set nodelay settings on it. |
| |
| :return: New socket connection. |
| """ |
| extra_kw = {} |
| if self.source_address: |
| extra_kw['source_address'] = self.source_address |
| |
| if self.socket_options: |
| extra_kw['socket_options'] = self.socket_options |
| |
| try: |
| conn = connection.create_connection( |
| (self._dns_host, self.port), self.timeout, **extra_kw) |
| |
| except SocketTimeout: |
| raise ConnectTimeoutError( |
| self, "Connection to %s timed out. (connect timeout=%s)" % |
| (self.host, self.timeout)) |
| |
| except SocketError as e: |
| raise NewConnectionError( |
| self, "Failed to establish a new connection: %s" % e) |
| |
| return conn |
| |
| def _prepare_conn(self, conn): |
| self.sock = conn |
| # Google App Engine's httplib does not define _tunnel_host |
| if getattr(self, '_tunnel_host', None): |
| # TODO: Fix tunnel so it doesn't depend on self.sock state. |
| self._tunnel() |
| # Mark this connection as not reusable |
| self.auto_open = 0 |
| |
| def connect(self): |
| conn = self._new_conn() |
| self._prepare_conn(conn) |
| |
| def request_chunked(self, method, url, body=None, headers=None): |
| """ |
| Alternative to the common request method, which sends the |
| body with chunked encoding and not as one block |
| """ |
| headers = HTTPHeaderDict(headers if headers is not None else {}) |
| skip_accept_encoding = 'accept-encoding' in headers |
| skip_host = 'host' in headers |
| self.putrequest( |
| method, |
| url, |
| skip_accept_encoding=skip_accept_encoding, |
| skip_host=skip_host |
| ) |
| for header, value in headers.items(): |
| self.putheader(header, value) |
| if 'transfer-encoding' not in headers: |
| self.putheader('Transfer-Encoding', 'chunked') |
| self.endheaders() |
| |
| if body is not None: |
| stringish_types = six.string_types + (bytes,) |
| if isinstance(body, stringish_types): |
| body = (body,) |
| for chunk in body: |
| if not chunk: |
| continue |
| if not isinstance(chunk, bytes): |
| chunk = chunk.encode('utf8') |
| len_str = hex(len(chunk))[2:] |
| self.send(len_str.encode('utf-8')) |
| self.send(b'\r\n') |
| self.send(chunk) |
| self.send(b'\r\n') |
| |
| # After the if clause, to always have a closed body |
| self.send(b'0\r\n\r\n') |
| |
| |
| class HTTPSConnection(HTTPConnection): |
| default_port = port_by_scheme['https'] |
| |
| ssl_version = None |
| |
| def __init__(self, host, port=None, key_file=None, cert_file=None, |
| key_password=None, strict=None, |
| timeout=socket._GLOBAL_DEFAULT_TIMEOUT, |
| ssl_context=None, server_hostname=None, **kw): |
| |
| HTTPConnection.__init__(self, host, port, strict=strict, |
| timeout=timeout, **kw) |
| |
| self.key_file = key_file |
| self.cert_file = cert_file |
| self.key_password = key_password |
| self.ssl_context = ssl_context |
| self.server_hostname = server_hostname |
| |
| # Required property for Google AppEngine 1.9.0 which otherwise causes |
| # HTTPS requests to go out as HTTP. (See Issue #356) |
| self._protocol = 'https' |
| |
| def connect(self): |
| conn = self._new_conn() |
| self._prepare_conn(conn) |
| |
| # Wrap socket using verification with the root certs in |
| # trusted_root_certs |
| default_ssl_context = False |
| if self.ssl_context is None: |
| default_ssl_context = True |
| self.ssl_context = create_urllib3_context( |
| ssl_version=resolve_ssl_version(self.ssl_version), |
| cert_reqs=resolve_cert_reqs(self.cert_reqs), |
| ) |
| |
| # Try to load OS default certs if none are given. |
| # Works well on Windows (requires Python3.4+) |
| context = self.ssl_context |
| if (not self.ca_certs and not self.ca_cert_dir and default_ssl_context |
| and hasattr(context, 'load_default_certs')): |
| context.load_default_certs() |
| |
| self.sock = ssl_wrap_socket( |
| sock=conn, |
| keyfile=self.key_file, |
| certfile=self.cert_file, |
| key_password=self.key_password, |
| ssl_context=self.ssl_context, |
| server_hostname=self.server_hostname |
| ) |
| |
| |
| class VerifiedHTTPSConnection(HTTPSConnection): |
| """ |
| Based on httplib.HTTPSConnection but wraps the socket with |
| SSL certification. |
| """ |
| cert_reqs = None |
| ca_certs = None |
| ca_cert_dir = None |
| ssl_version = None |
| assert_fingerprint = None |
| |
| def set_cert(self, key_file=None, cert_file=None, |
| cert_reqs=None, key_password=None, ca_certs=None, |
| assert_hostname=None, assert_fingerprint=None, |
| ca_cert_dir=None): |
| """ |
| This method should only be called once, before the connection is used. |
| """ |
| # If cert_reqs is not provided we'll assume CERT_REQUIRED unless we also |
| # have an SSLContext object in which case we'll use its verify_mode. |
| if cert_reqs is None: |
| if self.ssl_context is not None: |
| cert_reqs = self.ssl_context.verify_mode |
| else: |
| cert_reqs = resolve_cert_reqs(None) |
| |
| self.key_file = key_file |
| self.cert_file = cert_file |
| self.cert_reqs = cert_reqs |
| self.key_password = key_password |
| self.assert_hostname = assert_hostname |
| self.assert_fingerprint = assert_fingerprint |
| self.ca_certs = ca_certs and os.path.expanduser(ca_certs) |
| self.ca_cert_dir = ca_cert_dir and os.path.expanduser(ca_cert_dir) |
| |
| def connect(self): |
| # Add certificate verification |
| conn = self._new_conn() |
| hostname = self.host |
| |
| # Google App Engine's httplib does not define _tunnel_host |
| if getattr(self, '_tunnel_host', None): |
| self.sock = conn |
| # Calls self._set_hostport(), so self.host is |
| # self._tunnel_host below. |
| self._tunnel() |
| # Mark this connection as not reusable |
| self.auto_open = 0 |
| |
| # Override the host with the one we're requesting data from. |
| hostname = self._tunnel_host |
| |
| server_hostname = hostname |
| if self.server_hostname is not None: |
| server_hostname = self.server_hostname |
| |
| is_time_off = datetime.date.today() < RECENT_DATE |
| if is_time_off: |
| warnings.warn(( |
| 'System time is way off (before {0}). This will probably ' |
| 'lead to SSL verification errors').format(RECENT_DATE), |
| SystemTimeWarning |
| ) |
| |
| # Wrap socket using verification with the root certs in |
| # trusted_root_certs |
| default_ssl_context = False |
| if self.ssl_context is None: |
| default_ssl_context = True |
| self.ssl_context = create_urllib3_context( |
| ssl_version=resolve_ssl_version(self.ssl_version), |
| cert_reqs=resolve_cert_reqs(self.cert_reqs), |
| ) |
| |
| context = self.ssl_context |
| context.verify_mode = resolve_cert_reqs(self.cert_reqs) |
| |
| # Try to load OS default certs if none are given. |
| # Works well on Windows (requires Python3.4+) |
| if (not self.ca_certs and not self.ca_cert_dir and default_ssl_context |
| and hasattr(context, 'load_default_certs')): |
| context.load_default_certs() |
| |
| self.sock = ssl_wrap_socket( |
| sock=conn, |
| keyfile=self.key_file, |
| certfile=self.cert_file, |
| key_password=self.key_password, |
| ca_certs=self.ca_certs, |
| ca_cert_dir=self.ca_cert_dir, |
| server_hostname=server_hostname, |
| ssl_context=context) |
| |
| if self.assert_fingerprint: |
| assert_fingerprint(self.sock.getpeercert(binary_form=True), |
| self.assert_fingerprint) |
| elif context.verify_mode != ssl.CERT_NONE \ |
| and not getattr(context, 'check_hostname', False) \ |
| and self.assert_hostname is not False: |
| # While urllib3 attempts to always turn off hostname matching from |
| # the TLS library, this cannot always be done. So we check whether |
| # the TLS Library still thinks it's matching hostnames. |
| cert = self.sock.getpeercert() |
| if not cert.get('subjectAltName', ()): |
| warnings.warn(( |
| 'Certificate for {0} has no `subjectAltName`, falling back to check for a ' |
| '`commonName` for now. This feature is being removed by major browsers and ' |
| 'deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 ' |
| 'for details.)'.format(hostname)), |
| SubjectAltNameWarning |
| ) |
| _match_hostname(cert, self.assert_hostname or server_hostname) |
| |
| self.is_verified = ( |
| context.verify_mode == ssl.CERT_REQUIRED or |
| self.assert_fingerprint is not None |
| ) |
| |
| |
| def _match_hostname(cert, asserted_hostname): |
| try: |
| match_hostname(cert, asserted_hostname) |
| except CertificateError as e: |
| log.error( |
| 'Certificate did not match expected hostname: %s. ' |
| 'Certificate: %s', asserted_hostname, cert |
| ) |
| # Add cert to exception and reraise so client code can inspect |
| # the cert when catching the exception, if they want to |
| e._peer_cert = cert |
| raise |
| |
| |
| if ssl: |
| # Make a copy for testing. |
| UnverifiedHTTPSConnection = HTTPSConnection |
| HTTPSConnection = VerifiedHTTPSConnection |
| else: |
| HTTPSConnection = DummyConnection |