def request():
try:
pool = HTTPSConnectionPool(self.host, self.port, assert_fingerprint=fingerprint)
response = pool.urlopen("GET", "/", preload_content=False, timeout=Timeout(connect=1, read=0.001))
response.read()
finally:
pool.close()
def request():
try:
pool = HTTPSConnectionPool(self.host, self.port,
assert_fingerprint=fingerprint)
response = pool.urlopen('GET', '/', preload_content=False,
timeout=Timeout(connect=1, read=0.001))
response.read()
finally:
pool.close()
class HTTP(object):
""" Wrapper for HTTP method calls.
"""
@staticmethod
def authorization(user, password):
return 'Basic ' + b64encode((user + ":" + password).encode("utf-8")).decode("ascii")
def __init__(self, uri, headers, verified):
self.uri = uri
self.verified = verified
parts = urlsplit(uri)
scheme = parts.scheme
host = parts.hostname
port = parts.port
if scheme == "http":
from urllib3 import HTTPConnectionPool
self._http = HTTPConnectionPool("%s:%d" % (host, port))
elif scheme == "https":
from urllib3 import HTTPSConnectionPool
if verified:
from certifi import where
self._http = HTTPSConnectionPool("%s:%d" % (host, port), cert_reqs="CERT_REQUIRED", ca_certs=where())
else:
self._http = HTTPSConnectionPool("%s:%d" % (host, port))
else:
raise ValueError("Unsupported scheme %r" % scheme)
self.path = parts.path
if "auth" in headers:
user, password = headers.pop("auth")
headers["Authorization"] = 'Basic ' + b64encode(
(ustr(user) + u":" + ustr(password)).encode("utf-8")).decode("ascii")
self.headers = headers
def __del__(self):
self.close()
def __eq__(self, other):
try:
return self.uri == other.uri
except AttributeError:
return False
def __ne__(self, other):
return not self.__eq__(other)
def request(self, method, url, fields=None, headers=None, **urlopen_kw):
from neo4j.v1 import ServiceUnavailable
from urllib3.exceptions import MaxRetryError
try:
if self.verified:
return self._http.request(method, url, fields, headers, **urlopen_kw)
else:
with catch_warnings():
simplefilter("ignore")
return self._http.request(method, url, fields, headers, **urlopen_kw)
except MaxRetryError:
raise ServiceUnavailable("Cannot send %s request to <%s>" % (method, url))
def get_json(self, ref):
""" Perform an HTTP GET to this resource and return JSON.
"""
rs = self.request("GET", self.path + ref, headers=self.headers)
try:
if rs.status == 200:
return json_loads(rs.data.decode('utf-8'))
else:
self.raise_error(rs.status, rs.data)
finally:
rs.close()
def post(self, ref, json, expected):
""" Perform an HTTP POST to this resource.
"""
headers = dict(self.headers)
if json is not None:
headers["Content-Type"] = "application/json"
json = json_dumps(json).encode('utf-8')
rs = self.request("POST", self.path + ref, headers=self.headers, body=json)
if rs.status not in expected:
self.raise_error(rs.status, rs.data)
return rs
def delete(self, ref, expected):
""" Perform an HTTP DELETE to this resource.
"""
rs = self.request("DELETE", self.path + ref, headers=self.headers)
if rs.status not in expected:
self.raise_error(rs.status, rs.data)
return rs
def close(self):
if self._http and self._http.pool:
self._http.close()
def raise_error(self, status_code, data):
if status_code == UNAUTHORIZED:
raise AuthError(self.uri)
if status_code == FORBIDDEN:
raise Forbidden(self.uri)
if data:
content = json_loads(data.decode('utf-8'))
else:
content = {}
message = content.pop("message", "HTTP request to <%s> returned unexpected status code %s" % (self.uri, status_code))
error = GraphError(message, **content)
error.http_status_code = status_code
raise error
class HTTP(object):
""" Wrapper for HTTP method calls.
"""
def __init__(self, uri):
self.uri = uri
parts = urlsplit(uri)
scheme = parts.scheme
host = parts.hostname
port = parts.port
if scheme == "http":
from urllib3 import HTTPConnectionPool
self._http = HTTPConnectionPool("%s:%d" % (host, port))
elif scheme == "https":
from urllib3 import HTTPSConnectionPool
self._http = HTTPSConnectionPool("%s:%d" % (host, port))
else:
raise ValueError("Unsupported scheme %r" % scheme)
self.path = parts.path
self._headers = get_http_headers(scheme, host, port)
def __del__(self):
self.close()
def __eq__(self, other):
try:
return self.uri == other.uri
except AttributeError:
return False
def __ne__(self, other):
return not self.__eq__(other)
def request(self, method, url, fields=None, headers=None, **urlopen_kw):
from neo4j.v1 import ServiceUnavailable
from urllib3.exceptions import MaxRetryError
try:
return self._http.request(method, url, fields, headers,
**urlopen_kw)
except MaxRetryError:
raise ServiceUnavailable("Cannot send %r request to %r" %
(method, url))
def get_json(self, ref):
""" Perform an HTTP GET to this resource and return JSON.
"""
rs = self.request("GET", self.path + ref, headers=self._headers)
try:
if rs.status == 200:
return json_loads(rs.data.decode('utf-8'))
else:
raise_error(self.uri, rs.status, rs.data)
finally:
rs.close()
def post(self, ref, json, expected):
""" Perform an HTTP POST to this resource.
"""
headers = dict(self._headers)
if json is not None:
headers["Content-Type"] = "application/json"
json = json_dumps(json).encode('utf-8')
rs = self.request("POST",
self.path + ref,
headers=self._headers,
body=json)
if rs.status not in expected:
raise_error(self.uri, rs.status, rs.data)
return rs
def delete(self, ref, expected):
""" Perform an HTTP DELETE to this resource.
"""
rs = self.request("DELETE", self.path + ref, headers=self._headers)
if rs.status not in expected:
raise_error(self.uri, rs.status, rs.data)
return rs
def close(self):
if self._http and self._http.pool:
self._http.close()
class TestHTTPS(HTTPSDummyServerTestCase):
tls_protocol_name = None
def setup_method(self, method):
self._pool = HTTPSConnectionPool(self.host,
self.port,
ca_certs=DEFAULT_CA)
def teardown_method(self, method):
self._pool.close()
def test_simple(self):
r = self._pool.request("GET", "/")
assert r.status == 200, r.data
@fails_on_travis_gce
def test_dotted_fqdn(self):
pool = HTTPSConnectionPool(self.host + ".",
self.port,
ca_certs=DEFAULT_CA)
r = pool.request("GET", "/")
assert r.status == 200, r.data
def test_client_intermediate(self):
client_cert, client_key = (
DEFAULT_CLIENT_CERTS["certfile"],
DEFAULT_CLIENT_CERTS["keyfile"],
)
https_pool = HTTPSConnectionPool(
self.host,
self.port,
key_file=client_key,
cert_file=client_cert,
ca_certs=DEFAULT_CA,
)
r = https_pool.request("GET", "/certificate")
subject = json.loads(r.data.decode("utf-8"))
assert subject["organizationalUnitName"].startswith(
"Testing server cert")
def test_client_no_intermediate(self):
client_cert, client_key = (
DEFAULT_CLIENT_NO_INTERMEDIATE_CERTS["certfile"],
DEFAULT_CLIENT_NO_INTERMEDIATE_CERTS["keyfile"],
)
https_pool = HTTPSConnectionPool(
self.host,
self.port,
cert_file=client_cert,
key_file=client_key,
ca_certs=DEFAULT_CA,
)
try:
https_pool.request("GET", "/certificate", retries=False)
except SSLError as e:
if not ("alert unknown ca" in str(e) or "invalid certificate chain"
in str(e) or "unknown Cert Authority" in str(e) or
# https://github.com/urllib3/urllib3/issues/1422
"connection closed via error" in str(e)
or "WSAECONNRESET" in str(e)):
raise
except ProtocolError as e:
if not ("An existing connection was forcibly closed by the remote host"
in str(e)
# Python 3.7.4+
or "WSAECONNRESET" in str(e) # Windows
or "EPIPE" in str(e) # macOS
):
raise
@requires_ssl_context_keyfile_password
def test_client_key_password(self):
client_cert, client_key = (
DEFAULT_CLIENT_CERTS["certfile"],
PASSWORD_CLIENT_KEYFILE,
)
https_pool = HTTPSConnectionPool(
self.host,
self.port,
ca_certs=DEFAULT_CA,
key_file=client_key,
cert_file=client_cert,
key_password="******",
)
r = https_pool.request("GET", "/certificate")
subject = json.loads(r.data.decode("utf-8"))
assert subject["organizationalUnitName"].startswith(
"Testing server cert")
@requires_ssl_context_keyfile_password
def test_client_encrypted_key_requires_password(self):
client_cert, client_key = (
DEFAULT_CLIENT_CERTS["certfile"],
PASSWORD_CLIENT_KEYFILE,
)
with pytest.raises(SSLError) as e:
HTTPSConnectionPool(
self.host,
self.port,
key_file=client_key,
cert_file=client_cert,
key_password=None,
)
assert "password is required" in str(e.value)
def test_verified(self):
with HTTPSConnectionPool(self.host,
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
with mock.patch("warnings.warn") as warn:
r = https_pool.request("GET", "/")
assert r.status == 200
# Modern versions of Python, or systems using PyOpenSSL, don't
# emit warnings.
if (sys.version_info >= (2, 7, 9) or util.IS_PYOPENSSL
or util.IS_SECURETRANSPORT):
assert not warn.called, warn.call_args_list
else:
assert warn.called
if util.HAS_SNI:
call = warn.call_args_list[0]
else:
call = warn.call_args_list[1]
error = call[0][1]
assert error == InsecurePlatformWarning
def test_verified_with_context(self):
ctx = util.ssl_.create_urllib3_context(cert_reqs=ssl.CERT_REQUIRED)
ctx.load_verify_locations(cafile=DEFAULT_CA)
with HTTPSConnectionPool(self.host, self.port,
ssl_context=ctx) as https_pool:
with mock.patch("warnings.warn") as warn:
r = https_pool.request("GET", "/")
assert r.status == 200
# Modern versions of Python, or systems using PyOpenSSL, don't
# emit warnings.
if (sys.version_info >= (2, 7, 9) or util.IS_PYOPENSSL
or util.IS_SECURETRANSPORT):
assert not warn.called, warn.call_args_list
else:
assert warn.called
if util.HAS_SNI:
call = warn.call_args_list[0]
else:
call = warn.call_args_list[1]
error = call[0][1]
assert error == InsecurePlatformWarning
def test_context_combines_with_ca_certs(self):
ctx = util.ssl_.create_urllib3_context(cert_reqs=ssl.CERT_REQUIRED)
with HTTPSConnectionPool(self.host,
self.port,
ca_certs=DEFAULT_CA,
ssl_context=ctx) as https_pool:
with mock.patch("warnings.warn") as warn:
r = https_pool.request("GET", "/")
assert r.status == 200
# Modern versions of Python, or systems using PyOpenSSL, don't
# emit warnings.
if (sys.version_info >= (2, 7, 9) or util.IS_PYOPENSSL
or util.IS_SECURETRANSPORT):
assert not warn.called, warn.call_args_list
else:
assert warn.called
if util.HAS_SNI:
call = warn.call_args_list[0]
else:
call = warn.call_args_list[1]
error = call[0][1]
assert error == InsecurePlatformWarning
@onlyPy279OrNewer
@notSecureTransport # SecureTransport does not support cert directories
@notOpenSSL098 # OpenSSL 0.9.8 does not support cert directories
def test_ca_dir_verified(self):
with HTTPSConnectionPool(self.host,
self.port,
cert_reqs="CERT_REQUIRED",
ca_cert_dir=DEFAULT_CA_DIR) as https_pool:
with mock.patch("warnings.warn") as warn:
r = https_pool.request("GET", "/")
assert r.status == 200
assert not warn.called, warn.call_args_list
def test_invalid_common_name(self):
with HTTPSConnectionPool("127.0.0.1",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
try:
https_pool.request("GET", "/")
self.fail("Didn't raise SSL invalid common name")
except MaxRetryError as e:
assert isinstance(e.reason, SSLError)
assert "doesn't match" in str(
e.reason) or "certificate verify failed" in str(e.reason)
def test_verified_with_bad_ca_certs(self):
with HTTPSConnectionPool(self.host,
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA_BAD) as https_pool:
try:
https_pool.request("GET", "/")
self.fail("Didn't raise SSL error with bad CA certs")
except MaxRetryError as e:
assert isinstance(e.reason, SSLError)
assert "certificate verify failed" in str(e.reason), (
"Expected 'certificate verify failed', instead got: %r" %
e.reason)
def test_verified_without_ca_certs(self):
# default is cert_reqs=None which is ssl.CERT_NONE
with HTTPSConnectionPool(self.host,
self.port,
cert_reqs="CERT_REQUIRED") as https_pool:
try:
https_pool.request("GET", "/")
self.fail("Didn't raise SSL error with no CA certs when"
"CERT_REQUIRED is set")
except MaxRetryError as e:
assert isinstance(e.reason, SSLError)
# there is a different error message depending on whether or
# not pyopenssl is injected
assert ("No root certificates specified" in str(e.reason)
# PyPy sometimes uses all-caps here
or
"certificate verify failed" in str(e.reason).lower() or
"invalid certificate chain" in str(e.reason)), (
"Expected 'No root certificates specified', "
"'certificate verify failed', or "
"'invalid certificate chain', "
"instead got: %r" % e.reason)
def test_unverified_ssl(self):
""" Test that bare HTTPSConnection can connect, make requests """
with HTTPSConnectionPool(self.host, self.port,
cert_reqs=ssl.CERT_NONE) as pool:
with mock.patch("warnings.warn") as warn:
r = pool.request("GET", "/")
assert r.status == 200
assert warn.called
# Modern versions of Python, or systems using PyOpenSSL, only emit
# the unverified warning. Older systems may also emit other
# warnings, which we want to ignore here.
calls = warn.call_args_list
assert InsecureRequestWarning in [x[0][1] for x in calls]
def test_ssl_unverified_with_ca_certs(self):
with HTTPSConnectionPool(self.host,
self.port,
cert_reqs="CERT_NONE",
ca_certs=DEFAULT_CA_BAD) as pool:
with mock.patch("warnings.warn") as warn:
r = pool.request("GET", "/")
assert r.status == 200
assert warn.called
# Modern versions of Python, or systems using PyOpenSSL, only emit
# the unverified warning. Older systems may also emit other
# warnings, which we want to ignore here.
calls = warn.call_args_list
if (sys.version_info >= (2, 7, 9) or util.IS_PYOPENSSL
or util.IS_SECURETRANSPORT):
category = calls[0][0][1]
elif util.HAS_SNI:
category = calls[1][0][1]
else:
category = calls[2][0][1]
assert category == InsecureRequestWarning
def test_assert_hostname_false(self):
with HTTPSConnectionPool("localhost",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
https_pool.assert_hostname = False
https_pool.request("GET", "/")
def test_assert_specific_hostname(self):
with HTTPSConnectionPool("localhost",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
https_pool.assert_hostname = "localhost"
https_pool.request("GET", "/")
def test_server_hostname(self):
with HTTPSConnectionPool(
"127.0.0.1",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA,
server_hostname="localhost",
) as https_pool:
conn = https_pool._new_conn()
https_pool._start_conn(conn, connect_timeout=None)
# Assert the wrapping socket is using the passed-through SNI name.
# pyopenssl doesn't let you pull the server_hostname back off the
# socket, so only add this assertion if the attribute is there (i.e.
# the python ssl module).
# XXX This is highly-specific to SyncBackend
# See https://github.com/python-trio/urllib3/pull/54#discussion_r241683895
# for potential solutions
sock = conn._sock._sock
if hasattr(sock, "server_hostname"):
assert sock.server_hostname == "localhost"
def test_assert_fingerprint_md5(self):
with HTTPSConnectionPool("localhost",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
https_pool.assert_fingerprint = (
"F2:06:5A:42:10:3F:45:1C:17:FE:E6:07:1E:8A:86:E5")
https_pool.request("GET", "/")
def test_assert_fingerprint_sha1(self):
with HTTPSConnectionPool("localhost",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
https_pool.assert_fingerprint = (
"92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A")
https_pool.request("GET", "/")
def test_assert_fingerprint_sha256(self):
with HTTPSConnectionPool("localhost",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
https_pool.assert_fingerprint = (
"C5:4D:0B:83:84:89:2E:AE:B4:58:BB:12:"
"F7:A6:C4:76:05:03:88:D8:57:65:51:F3:"
"1E:60:B0:8B:70:18:64:E6")
https_pool.request("GET", "/")
def test_assert_invalid_fingerprint(self):
with HTTPSConnectionPool("127.0.0.1",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
https_pool.assert_fingerprint = (
"AA:AA:AA:AA:AA:AAAA:AA:AAAA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA")
def _test_request(pool):
with pytest.raises(MaxRetryError) as cm:
pool.request("GET", "/", retries=0)
assert isinstance(cm.value.reason, SSLError)
_test_request(https_pool)
https_pool._get_conn()
# Uneven length
https_pool.assert_fingerprint = "AA:A"
_test_request(https_pool)
https_pool._get_conn()
# Invalid length
https_pool.assert_fingerprint = "AA"
_test_request(https_pool)
def test_verify_none_and_bad_fingerprint(self):
with HTTPSConnectionPool("127.0.0.1",
self.port,
cert_reqs="CERT_NONE",
ca_certs=DEFAULT_CA_BAD) as https_pool:
https_pool.assert_fingerprint = (
"AA:AA:AA:AA:AA:AAAA:AA:AAAA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA")
with pytest.raises(MaxRetryError) as cm:
https_pool.request("GET", "/", retries=0)
assert isinstance(cm.value.reason, SSLError)
def test_verify_none_and_good_fingerprint(self):
with HTTPSConnectionPool("127.0.0.1",
self.port,
cert_reqs="CERT_NONE",
ca_certs=DEFAULT_CA_BAD) as https_pool:
https_pool.assert_fingerprint = (
"92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A")
https_pool.request("GET", "/")
@notSecureTransport
def test_good_fingerprint_and_hostname_mismatch(self):
# This test doesn't run with SecureTransport because we don't turn off
# hostname validation without turning off all validation, which this
# test doesn't do (deliberately). We should revisit this if we make
# new decisions.
with HTTPSConnectionPool("127.0.0.1",
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA) as https_pool:
https_pool.assert_fingerprint = (
"92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A")
https_pool.request("GET", "/")
@requires_network
def test_https_timeout(self):
timeout = Timeout(total=None, connect=0.001)
with HTTPSConnectionPool(
TARPIT_HOST,
self.port,
timeout=timeout,
retries=False,
cert_reqs="CERT_REQUIRED",
) as https_pool:
with pytest.raises(ConnectTimeoutError):
https_pool.request("GET", "/")
timeout = Timeout(read=0.01)
with HTTPSConnectionPool(
self.host,
self.port,
timeout=timeout,
retries=False,
cert_reqs="CERT_REQUIRED",
) as https_pool:
https_pool.assert_fingerprint = (
"92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A")
timeout = Timeout(total=None)
with HTTPSConnectionPool(self.host,
self.port,
timeout=timeout,
cert_reqs="CERT_NONE") as https_pool:
https_pool.request("GET", "/")
@requires_network
def test_enhanced_timeout(self):
with HTTPSConnectionPool(
TARPIT_HOST,
self.port,
timeout=Timeout(connect=0.001),
retries=False,
cert_reqs="CERT_REQUIRED",
) as https_pool:
conn = https_pool._new_conn()
with pytest.raises(ConnectTimeoutError):
https_pool.request("GET", "/")
with pytest.raises(ConnectTimeoutError):
https_pool._make_request(conn, "GET", "/")
with HTTPSConnectionPool(
TARPIT_HOST,
self.port,
timeout=Timeout(connect=5),
retries=False,
cert_reqs="CERT_REQUIRED",
) as https_pool:
with pytest.raises(ConnectTimeoutError):
https_pool.request("GET", "/", timeout=Timeout(connect=0.001))
with HTTPSConnectionPool(
TARPIT_HOST,
self.port,
timeout=Timeout(total=None),
retries=False,
cert_reqs="CERT_REQUIRED",
) as https_pool:
conn = https_pool._new_conn()
with pytest.raises(ConnectTimeoutError):
https_pool.request("GET",
"/",
timeout=Timeout(total=None, connect=0.001))
def test_enhanced_ssl_connection(self):
fingerprint = "92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A"
with HTTPSConnectionPool(
self.host,
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA,
assert_fingerprint=fingerprint,
) as https_pool:
r = https_pool.urlopen("GET", "/")
assert r.status == 200
@onlyPy279OrNewer
def test_ssl_correct_system_time(self):
w = self._request_without_resource_warnings("GET", "/")
assert [] == w
@onlyPy279OrNewer
def test_ssl_wrong_system_time(self):
with mock.patch("urllib3._sync.connection.datetime") as mock_date:
mock_date.date.today.return_value = datetime.date(1970, 1, 1)
w = self._request_without_resource_warnings("GET", "/")
assert len(w) == 1
warning = w[0]
assert SystemTimeWarning == warning.category
assert str(RECENT_DATE) in warning.message.args[0]
def _request_without_resource_warnings(self, method, url):
pool = HTTPSConnectionPool(self.host,
self.port,
cert_reqs="CERT_REQUIRED",
ca_certs=DEFAULT_CA)
with warnings.catch_warnings(record=True) as w:
warnings.simplefilter("always")
pool.request(method, url)
return [x for x in w if not isinstance(x.message, ResourceWarning)]
def test_set_ssl_version_to_tls_version(self):
if self.tls_protocol_name is None:
pytest.skip("Skipping base test class")
self._pool.ssl_version = self.certs["ssl_version"]
r = self._pool.request("GET", "/")
assert r.status == 200, r.data
def test_set_cert_default_cert_required(self):
pool = HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA)
assert pool.ssl_context.verify_mode == ssl.CERT_REQUIRED
def test_tls_protocol_name_of_socket(self):
if self.tls_protocol_name is None:
pytest.skip("Skipping base test class")
conn = self._pool._get_conn()
conn.connect(self._pool.ssl_context)
if not hasattr(conn._sock, "_version"):
pytest.skip("_version() not available in backend")
assert conn._sock._version() == self.tls_protocol_name
