def get_brew_build(nvr, product_version='', session=None):
"""5.2.2.1. GET /api/v1/build/{id_or_nvr}
Get Brew build details.
https://errata.devel.redhat.com/developer-guide/api-http-api.html#api-get-apiv1buildid_or_nvr
:param str nvr: A name-version-release string of a brew rpm/image build
:param str product_version: The product version tag as given to ET
when attaching a build
:param requests.Session session: A python-requests Session object,
used for for connection pooling. Providing `session` object can
yield a significant reduction in total query time when looking up
many builds.
http://docs.python-requests.org/en/master/user/advanced/#session-objects
:return: An initialized Build object with the build details
:raises exceptions.BrewBuildException: When build not found
"""
if session is not None:
res = session.get(constants.errata_get_build_url.format(id=nvr),
verify=ssl.get_default_verify_paths().openssl_cafile,
auth=HTTPKerberosAuth())
else:
res = requests.get(
constants.errata_get_build_url.format(id=nvr),
verify=ssl.get_default_verify_paths().openssl_cafile,
auth=HTTPKerberosAuth())
if res.status_code == 200:
return Build(nvr=nvr, body=res.json(), product_version=product_version)
else:
raise exceptions.BrewBuildException("{build}: {msg}".format(
build=nvr, msg=res.text))
def testManualHeaders(self):
websock3 = ws.WebSocket(sslopt={"ca_certs": ssl.get_default_verify_paths().cafile,
"ca_cert_path": ssl.get_default_verify_paths().capath})
self.assertRaises(ws._exceptions.WebSocketBadStatusException,
websock3.connect, "wss://api.bitfinex.com/ws/2", cookie="chocolate",
origin="testing_websockets.com",
host="echo.websocket.org/websocket-client-test",
subprotocols=["testproto"],
connection="Upgrade",
header={"CustomHeader1":"123",
"Cookie":"TestValue",
"Sec-WebSocket-Key":"k9kFAUWNAMmf5OEMfTlOEA==",
"Sec-WebSocket-Protocol":"newprotocol"})
def _connect(self):
"""Creates a websocket connection.
:return:
"""
self.log.debug("_connect(): Initializing Connection..")
self.socket = websocket.WebSocketApp(self.url,
on_open=self._on_open,
on_message=self._on_message,
on_error=self._on_error,
on_close=self._on_close)
if 'ca_certs' not in self.sslopt.keys():
ssl_defaults = ssl.get_default_verify_paths()
self.sslopt['ca_certs'] = ssl_defaults.cafile
self.log.debug("_connect(): Starting Connection..")
self.socket.run_forever(sslopt=self.sslopt)
while self.reconnect_required.is_set():
if not self.disconnect_called.is_set():
self.log.info("Attempting to connect again in %s seconds." %
self.reconnect_interval)
self.state = "unavailable"
time.sleep(self.reconnect_interval)
# We need to set this flag since closing the socket will
# set it to False
self.socket.keep_running = True
self.socket.run_forever(sslopt=self.sslopt)
def connect(self):
screepsConnection = API(u=self.user,p=self.password,ptr=self.ptr,host=self.host,secure=self.secure, token=self.atoken)
me = screepsConnection.me()
self.user_id = me['_id']
self.token = screepsConnection.token
if self.logging:
logging.getLogger('websocket').addHandler(logging.StreamHandler())
websocket.enableTrace(True)
else:
logging.getLogger('websocket').addHandler(logging.NullHandler())
websocket.enableTrace(False)
if self.host:
url = 'wss://' if self.secure else 'ws://'
url += self.host + '/socket/websocket'
elif not self.ptr:
url = 'wss://screeps.com/socket/websocket'
else:
url = 'wss://screeps.com/ptr/socket/websocket'
self.ws = websocket.WebSocketApp(url=url,
on_message=self.on_message,
on_error=self.on_error,
on_close=self.on_close,
on_open=self.on_open)
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
if 'http_proxy' in self.settings and self.settings['http_proxy'] is not None:
http_proxy_port = self.settings['http_proxy_port'] if 'http_proxy_port' in self.settings else 8080
self.ws.run_forever(http_proxy_host=self.settings['http_proxy'], http_proxy_port=http_proxy_port, ping_interval=1, sslopt=sslopt_ca_certs)
else:
self.ws.run_forever(ping_interval=1, sslopt=sslopt_ca_certs)
def __connect(self, wsURL):
'''Connect to the websocket in a thread.'''
self.logger.debug("Starting thread")
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
self.ws = websocket.WebSocketApp(wsURL,
on_message=self.__on_message,
on_close=self.__on_close,
on_open=self.__on_open,
on_error=self.__on_error,
header=self.__get_auth()
)
setup_custom_logger('websocket', log_level=settings.LOG_LEVEL)
self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs))
self.wst.daemon = True
self.wst.start()
self.logger.info("Started thread")
# Wait for connect before continuing
conn_timeout = 5
while (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error:
sleep(1)
conn_timeout -= 1
if not conn_timeout or self._error:
self.logger.error("Couldn't connect to WS! Exiting.")
self.exit()
sys.exit(1)
def __connect(self):
'''Connect to the websocket in a thread.'''
print("启动websocket线程.")
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
self.ws = websocket.WebSocketApp(self.wsUrl,
on_message=self.__on_message,
on_close=self.__on_close,
on_open=self.__on_open,
on_error=self.__on_error,
header=self.__get_auth())
setup_custom_logger('websocket', log_level=LOG_LEVEL)
self.wst = threading.Thread(
target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs))
self.wst.daemon = True
self.wst.start()
print("websocket线程已启动.")
conn_timeout = 5
while (not self.ws.sock or not self.ws.sock.connected
) and conn_timeout and not self._error:
sleep(1)
conn_timeout -= 1
if not conn_timeout or self._error:
print("无法连接websocket服务器,准备退出..")
self.exit()
self.isconnected = False
else:
self.isconnected = True
self.__start_ping_thread()
def initialize_ssl_cert_dir():
"""Initialize OpenSSL's CA certificates file.
Makes it so certificates can be verified.
"""
global _ssl_init_done
if _ssl_init_done:
return
_ssl_init_done = True
if not sys.platform.startswith('linux'):
return
import os
import ssl
dvp = ssl.get_default_verify_paths()
# from https://golang.org/src/crypto/x509/root_linux.go
cert_files = [
"/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", # OpenSUSE
"/etc/pki/tls/cacert.pem", # OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7
]
for fn in cert_files:
if os.path.exists(fn):
os.environ[dvp.openssl_cafile_env] = fn
# os.environ[dvp.openssl_capath_env] = os.path.dirname(fn)
return
def __connect(self, wsURL):
'''Connect to the websocket in a thread.'''
self.logger.info("Starting thread")
# Return paths to default cafile and capath.
ssl_defaults = ssl.get_default_verify_paths()
# dictionary holding defaults cafile = '/Users/jeroenderyck/anaconda/ssl/cert.pem'
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
self.ws = websocket.WebSocketApp(wsURL,
on_message=self.__on_message,
on_close=self.__on_close,
on_open=self.__on_open,
on_error=self.__on_error,
header=self.__get_auth()
)
self.__setup_logger()
self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs))
self.wst.daemon = True
self.wst.start()
self.logger.info("Started thread")
# Wait for connect before continuing
conn_timeout = 5
while (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error:
sleep(1)
conn_timeout -= 1
if not conn_timeout or self._error:
self.logger.error("Couldn't connect to WS! Exiting.")
self.exit()
sys.exit(1)
def __connect(self, wsURL):
'''Connect to the websocket in a thread.'''
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
self.ws = websocket.WebSocketApp(wsURL,
on_message=self.__on_message,
on_close=self.__on_close,
on_open=self.__on_open,
on_error=self.__on_error,
header=[],
cookie='__jsluid=a3718fd232c1901c0400e3a9a63ea216; USER_UNI=e7ef627cd9bb4c1f41611cce71b3675c; PHPSESSID=34f3eea0ac392475f8f5faf651a504dc; COINTYPE=btc2ckusd; lang=us_EN; UNIQUEID=f4c56f83ff9427fa3f173bebbd5afa4e'
)
self.lastConnect = datetime.utcnow()
self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs))
self.wst.daemon = True
self.wst.start()
# Wait for connect before continuing
conn_timeout = 5
while (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error:
sleep(2)
conn_timeout -= 1
if not conn_timeout or self._error:
print("Couldn't connect to WS! Exiting.")
self.exit()
sys.exit(1)
def test_openssl(self):
import ssl
ssl.PROTOCOL_TLSv1_2
if isosx:
cafile = ssl.get_default_verify_paths().cafile
if not cafile or not cafile.endswith('/mozilla-ca-certs.pem') or not os.access(cafile, os.R_OK):
self.assert_('Mozilla CA certs not loaded')
def __connect(self, wsURL):
'''Connect to the websocket in a thread.'''
self.logger.debug("Starting thread")
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
self.ws = websocket.WebSocketApp(wsURL,
on_message=self.__on_message,
on_close=self.__on_close,
on_open=self.__on_open,
on_error=self.__on_error,
header=self.__get_auth()
)
setup_custom_logger('websocket', log_level=settings.LOG_LEVEL)
self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs))
self.wst.daemon = True
self.wst.start()
self.logger.info("Started thread")
# Wait for connect before continuing
conn_timeout = 5
while (not self.ws.sock or not self.ws.sock.connected) and conn_timeout and not self._error:
sleep(1)
conn_timeout -= 1
if not conn_timeout or self._error:
self.logger.error("Couldn't connect to WS! Exiting.")
self.exit()
def main():
openssl_dir, openssl_cafile = os.path.split(
ssl.get_default_verify_paths().openssl_cafile)
print(" -- pip install --upgrade certifi")
subprocess.check_call([
sys.executable, "-E", "-s", "-m", "pip", "install", "--upgrade",
"certifi"
])
import certifi
# change working directory to the default SSL directory
os.chdir(openssl_dir)
relpath_to_certifi_cafile = os.path.relpath(certifi.where())
print(" -- removing any existing file or link")
try:
os.remove(openssl_cafile)
except FileNotFoundError:
pass
print(" -- creating symlink to certifi certificate bundle")
os.symlink(relpath_to_certifi_cafile, openssl_cafile)
print(" -- setting permissions")
os.chmod(openssl_cafile, STAT_0o775)
print(" -- update complete")
def get_https_context_factory():
if not hasattr(ssl, 'Purpose'):
return lambda *_, **__: None
if not hasattr(ssl, '_create_default_https_context') or \
hasattr(ssl, 'get_default_verify_paths') and \
ssl.get_default_verify_paths()[0] is None:
m = re.match(r'(Open|Libre)SSL (\d+)\.(\d+)\.(\d+)',
ssl.OPENSSL_VERSION)
openssl_version = int(m.group(2)), int(m.group(3)), int(m.group(4))
if openssl_version < (1, 0, 2) and hasattr(certifi, 'old_where'):
# https://github.com/certifi/python-certifi/issues/26
where = certifi.old_where
else:
where = certifi.where
def get_https_context(purpose=ssl.Purpose.SERVER_AUTH,
cafile=None, capath=None, cadata=None):
return ssl.create_default_context(
purpose=purpose,
cafile=cafile or where(),
capath=capath,
cadata=cadata
)
return get_https_context
if hasattr(ssl, '_create_default_https_context'):
return ssl._create_default_https_context
if hasattr(ssl, 'create_default_context'):
return ssl.create_default_context
return lambda *_, **__: None
def test_http_SSL(self):
websock1 = ws.WebSocket(sslopt={"cert_chain": ssl.get_default_verify_paths().capath}, enable_multithread=False)
self.assertRaises(ValueError,
websock1.connect, "wss://api.bitfinex.com/ws/2")
websock2 = ws.WebSocket(sslopt={"certfile": "myNonexistentCertFile"})
self.assertRaises(FileNotFoundError,
websock2.connect, "wss://api.bitfinex.com/ws/2")
def _connect(self, wsURL):
'''Connect to the websocket in a thread.'''
self.logger.debug("Starting thread")
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
self.ws = websocket.WebSocketApp(
wsURL,
on_message=lambda ws, msg: self._on_message(ws, msg),
on_close=lambda ws: self._on_close(ws),
on_open=lambda ws: self._on_open(ws),
on_error=lambda ws, msg: self._on_error(ws, msg),
header=self.__get_auth())
#self.wst = threading.Thread(target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs))
self.wst = threading.Thread(target=lambda: self.ws.run_forever())
self.wst.daemon = True
self.wst.start()
# Wait for connect before continuing
conn_timeout = 5
while (not self.ws.sock or not self.ws.sock.connected
) and conn_timeout and not self._error:
sleep(1)
conn_timeout -= 1
if not conn_timeout or self._error:
self.logger.error("Couldn't connect to Account WS! Exiting.")
self.exit()
sys.exit(1)
def get_https_context_factory():
if not hasattr(ssl, 'Purpose'):
return lambda *_, **__: None
if not hasattr(ssl, '_create_default_https_context') or \
hasattr(ssl, 'get_default_verify_paths') and \
ssl.get_default_verify_paths()[0] is None:
m = re.match(r'OpenSSL (\d+)\.(\d+)\.(\d+)',
ssl.OPENSSL_VERSION)
openssl_version = int(m.group(1)), int(m.group(2)), int(m.group(3))
if openssl_version < (1, 0, 2) and hasattr(certifi, 'old_where'):
# https://github.com/certifi/python-certifi/issues/26
where = certifi.old_where
else:
where = certifi.where
def get_https_context(purpose=ssl.Purpose.SERVER_AUTH,
cafile=None, capath=None, cadata=None):
return ssl.create_default_context(
purpose=purpose,
cafile=cafile or where(),
capath=capath,
cadata=cadata
)
return get_https_context
if hasattr(ssl, '_create_default_https_context'):
return ssl._create_default_https_context
if hasattr(ssl, 'create_default_context'):
return ssl.create_default_context
return lambda *_, **__: None
def __init__(self, url=None, username=None, password=None, verify=None,
cache=False):
# Basic URL and authentication settings
self.url = url or self.url
self.username = username or self.username
self.password = password or self.password
self._session = Session()
self._session.verify = verify or get_default_verify_paths().capath
self.auth = HTTPBasicAuth(self.username, self.password)
self.parser = makeparser(huge_tree=True)
# API endpoints
self.build = Build(osc_obj=self)
self.comments = Comment(osc_obj=self)
self.groups = Group(osc_obj=self)
self.packages = Package(osc_obj=self)
self.projects = Project(osc_obj=self)
self.requests = BsRequest(osc_obj=self)
self.search = Search(osc_obj=self)
self.users = Person(osc_obj=self)
# Cache
if cache:
# pylint: disable=broad-except
try:
self.session = CacheControl(self._session)
except Exception as error:
self.session = self._session
warnings.warn("Cannot use the cache: {}".format(error),
RuntimeWarning)
else:
self.session = self._session
def _connect(self):
# websocket开启日志跟踪
# websocket.enableTrace(True)
self._ws = websocket.WebSocketApp(self.host,
on_message=self.__on_message,
on_close=self.__on_close,
on_open=self.__on_open,
on_error=self.__on_error,
keep_running=True,
header=self.on_header())
_kwargs = {
'ping_interval': self.ping_interval,
'ping_timeout': self.ping_timeout
}
if self.proxy_host and self.proxy_port:
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
_kwargs = {
'ping_interval': self.ping_interval,
'ping_timeout': self.ping_timeout,
'sslopt': sslopt_ca_certs
}
_kwargs['http_proxy_host'] = self.proxy_host
_kwargs['http_proxy_port'] = self.proxy_port
# daemon进程模式 程序执行完退出
# self._ws.daemon = True
self._ws.run_forever(**_kwargs)
if not self._ws.sock or not self._ws.sock.connected:
logging.error('Could not connect to WS! Exiting')
def __connect(self, url):
"""
WebSocket Thread connect
"""
self.logger.debug("Starting thread")
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
self.ws = websocket.WebSocketApp(url,
on_message=self.__on_message,
on_open=self.__on_open,
on_close=self.__on_close,
on_error=self.__on_error,
header=self.__get_auth())
self.wst = threading.Thread(
target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs))
self.wst.daemon = True
self.wst.start()
self.logger.info("Started thread")
conn_timeout = 5
while (not self.ws.sock or not self.ws.sock.connected
) and conn_timeout and not self._error:
time.sleep(1)
conn_timeout -= 1
if not conn_timeout or self._error:
self.logger.error("Couldn't connect to WS! Exiting.")
self.exit()
sys.exit(1)
def test_openssl(self):
import ssl
ssl.PROTOCOL_TLSv1_2
if ismacos:
cafile = ssl.get_default_verify_paths().cafile
if not cafile or not cafile.endswith('/mozilla-ca-certs.pem') or not os.access(cafile, os.R_OK):
raise AssertionError('Mozilla CA certs not loaded')
def __init__(self, host, port, has_ssl=False):
self.host = host
self.port = port
self.sock = None
self.socket_handler = None
self.ssl_context = None
self.socket_connected = False
self.cert_file = ssl.get_default_verify_paths().cafile
try:
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except Exception as e:
print("socket failed - Exception:" + str(e))
sys.exit(1)
if has_ssl:
self.ssl_context = ssl.create_default_context(
purpose=ssl.Purpose.CLIENT_AUTH)
self.ssl_context.options &= ~ssl.OP_NO_SSLv3
self.ssl_context.load_verify_locations(cafile=self.cert_path)
self.socket_handler = self.ssl_context.wrap_socket(self.sock)
else:
self.socket_handler = self.sock
self.sock.setblocking(False)
self.sock.settimeout(2)
def verify_certs_chain(certs_chain: List[crypto.X509],
amazon_cert: crypto.X509) -> bool:
"""Verifies if Amazon and additional certificates creates chain of trust to a root CA.
Args:
certs_chain: List of pycrypto X509 intermediate certificates from signature chain URL.
amazon_cert: Pycrypto X509 Amazon certificate.
Returns:
result: True if verification was successful, False if not.
"""
store = crypto.X509Store()
# add certificates from Amazon provided certs chain
for cert in certs_chain:
store.add_cert(cert)
# add CA certificates
default_verify_paths = ssl.get_default_verify_paths()
default_verify_file = default_verify_paths.cafile
default_verify_file = Path(
default_verify_file).resolve() if default_verify_file else None
default_verify_path = default_verify_paths.capath
default_verify_path = Path(
default_verify_path).resolve() if default_verify_path else None
ca_files = [ca_file for ca_file in default_verify_path.iterdir()
] if default_verify_path else []
if default_verify_file:
ca_files.append(default_verify_file)
for ca_file in ca_files:
ca_file: Path
if ca_file.is_file():
with ca_file.open('r', encoding='ascii') as crt_f:
ca_certs_txt = crt_f.read()
ca_certs = extract_certs(ca_certs_txt)
for cert in ca_certs:
store.add_cert(cert)
# add CA certificates (Windows)
ssl_context = ssl.create_default_context()
der_certs = ssl_context.get_ca_certs(binary_form=True)
pem_certs = '\n'.join(
[ssl.DER_cert_to_PEM_cert(der_cert) for der_cert in der_certs])
ca_certs = extract_certs(pem_certs)
for ca_cert in ca_certs:
store.add_cert(ca_cert)
store_context = crypto.X509StoreContext(store, amazon_cert)
try:
store_context.verify_certificate()
result = True
except crypto.X509StoreContextError:
result = False
return result
def connect(self):
screepsConnection = API(u=self.user,p=self.password,ptr=self.ptr,host=self.host,secure=self.secure, token=self.atoken)
me = screepsConnection.me()
self.user_id = me['_id']
self.token = screepsConnection.token
if self.logging:
logging.getLogger('websocket').addHandler(logging.StreamHandler())
websocket.enableTrace(True)
else:
logging.getLogger('websocket').addHandler(logging.NullHandler())
websocket.enableTrace(False)
if self.host:
url = 'wss://' if self.secure else 'ws://'
url += self.host + '/socket/websocket'
elif not self.ptr:
url = 'wss://screeps.com/socket/websocket'
else:
url = 'wss://screeps.com/ptr/socket/websocket'
self.ws = websocket.WebSocketApp(url=url,
on_message=self.on_message,
on_error=self.on_error,
on_close=self.on_close,
on_open=self.on_open)
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
if 'http_proxy' in self.settings and self.settings['http_proxy'] is not None:
http_proxy_port = self.settings['http_proxy_port'] if 'http_proxy_port' in self.settings else 8080
self.ws.run_forever(http_proxy_host=self.settings['http_proxy'], http_proxy_port=http_proxy_port, ping_interval=1, sslopt=sslopt_ca_certs)
else:
self.ws.run_forever(ping_interval=1, sslopt=sslopt_ca_certs)
def __connect(self, wsURL):
"""Connect to the websocket in a thread."""
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {"ca_certs": ssl_defaults.cafile}
self.ws = websocket.WebSocketApp(
wsURL,
on_message=self.__on_message,
on_close=self.__on_close,
on_error=self.__on_error,
header=self.__get_auth(),
)
self.wst = threading.Thread(
target=lambda: self.ws.run_forever(sslopt=sslopt_ca_certs)
)
self.wst.daemon = True
self.wst.start()
# Wait for connect before continuing
conn_timeout = 5
while (
(not self.ws.sock or not self.ws.sock.connected)
and conn_timeout
and not self._error
):
sleep(1)
conn_timeout -= 1
if not conn_timeout or self._error:
self.logger.warning(
f"Ending the connexion because not conn_timeout={not conn_timeout} or self._error={self._error}"
)
self.exit()
sys.exit(1)
def _connect(self):
"""Create a websocket connection.
Automatically reconnects connection if it was severed unintentionally.
"""
self.conn = websocket.WebSocketApp(
self.url,
on_open=self._on_open,
on_message=self._on_message,
on_error=self._on_error,
on_close=self._on_close
)
ssl_defaults = ssl.get_default_verify_paths()
sslopt_ca_certs = {'ca_certs': ssl_defaults.cafile}
self.conn.run_forever(sslopt=sslopt_ca_certs)
while self.reconnect_required:
if not self.disconnect_called:
self.log.info("Attempting to connect again in %s seconds.", self.reconnect_interval)
time.sleep(self.reconnect_interval)
# We need to set this flag since closing the socket will
# set it to False
self.conn.keep_running = True
self.conn.run_forever(sslopt=sslopt_ca_certs)
def get_comments(advisory_id):
"""5.2.10.2. GET /api/v1/comments?filter[key]=value
Retrieve all advisory comments
Example request body:
{"filter": {"errata_id": 11112, "type": "AutomatedComment"}}
Returns an array of comments ordered in descending order
(newest first). The array may be empty depending on the filters
used. The meaning of each attribute is documented under GET
/api/v1/comments/{id} (see Erratum.get_comment())
Included for reference:
5.2.10.2.1. Filtering
The list of comments can be filtered by applying
filter[key]=value as a query parameter. All attributes of a
comment - except advisory_state - can be used as a filter.
This is a paginated API. Reference documentation:
https://errata.devel.redhat.com/developer-guide/api-http-api.html#api-pagination
"""
body = {"filter": {"errata_id": advisory_id, "type": "Comment"}}
res = requests.get(constants.errata_get_comments_url,
verify=ssl.get_default_verify_paths().openssl_cafile,
auth=HTTPKerberosAuth(),
json=body)
if res.status_code == 200:
return res.json().get('data', [])
elif res.status_code == 401:
raise exceptions.ErrataToolUnauthorizedException(res.text)
else:
return False
def get_appdir():
# setup appdir
if hasattr(sys, 'frozen') and sys.frozen:
if hasattr(sys, '_MEIPASS'):
# PyInstaller
appdir = sys._MEIPASS
# WORKAROUND: Bug that always raise the SSLCertVerificationError from urlopen()
# when CPython is not installed.
# Use certificate from certifi only if cafile could not find by ssl.
# See https://github.com/pyinstaller/pyinstaller/pull/3952
import ssl
if ssl.get_default_verify_paths().cafile is None:
import certifi
os.environ['SSL_CERT_FILE'] = certifi.core.where()
else:
# py2exe
appdir, _ = os.path.split(sys.executable)
else:
dirname, _ = os.path.split(os.path.realpath(__file__))
if dirname and dirname != os.curdir:
appdir = dirname
else:
appdir = os.getcwd()
# make sure it's the full path
appdir_full_path = os.path.abspath(appdir)
return appdir_full_path
def check(cmd, mf):
m = mf.findNode("ssl")
if m is None or m.filename is None:
return None
import ssl
datafiles = []
paths = ssl.get_default_verify_paths()
if paths.cafile is not None:
datafiles.append(paths.cafile)
cafile_path = os.path.basename(paths.cafile)
else:
cafile_path = "no-such-file"
if paths.capath is not None:
datafiles.append(paths.capath)
capath_path = os.path.basename(paths.capath)
else:
capath_path = "no-such-file"
prescript = PRESCRIPT % {
"openssl_cafile_env": paths.openssl_cafile_env,
"openssl_capath_env": paths.openssl_capath_env,
"cafile_path": cafile_path,
"capath_path": capath_path,
}
return {
"resources": [("openssl.ca", datafiles)],
"prescripts": [io.StringIO(prescript)],
}
def get_brew_builds(errata_id, session=None):
"""5.2.2.1. GET /api/v1/erratum/{id}/builds
Get Errata list of builds.
https://errata.devel.redhat.com/developer-guide/api-http-api.html#api-get-apiv1erratumidbuilds
:param str errata_id: the errata id
:param requests.Session session: A python-requests Session object,
used for for connection pooling. Providing `session` object can
yield a significant reduction in total query time when looking up
many builds.
http://docs.python-requests.org/en/master/user/advanced/#session-objects
:return: A List of initialized Build object with the build details
:raises exceptions.BrewBuildException: When erratum return errors
"""
if session is None:
session = requests.session()
res = session.get(constants.errata_get_builds_url.format(id=errata_id),
verify=ssl.get_default_verify_paths().openssl_cafile,
auth=HTTPKerberosAuth())
brew_list = []
if res.status_code == 200:
jlist = res.json()
for key in jlist.keys():
for obj in jlist[key]['builds']:
brew_list.append(
brew.Build(nvr=list(obj.keys())[0], product_version=key))
return brew_list
else:
raise exceptions.BrewBuildException(
"fetch builds from {id}: {msg}".format(id=errata_id, msg=res.text))
def main(cert_path=script_loc, set_env={}, prepend_env={}, do_pip=False,
do_aws=False, do_requests=False):
''' This is the main script. '''
if not do_requests and not do_pip and not prepend_env and not set_env and not do_aws:
print("Please specify at least one of the following: --requests, --pip, --prepend-env, --set_env, --aws (windows only).")
# Automated inputs:
if do_requests or do_pip or do_aws:
loc_certs = [glob.glob(os.path.join(cert_path, x)) for x in ['*.pem', '*.crt']]
loc_certs = [_path_update(cert) for sublist in loc_certs for cert in sublist]
# Update requests certificates - for Conda install:
if do_requests:
if ('requests' in sys.modules) and ('certifi' in sys.modules) and len(loc_certs)>0:
print("Requests SSL configuration started...")
req_status = update_certs(requests.certs.where(), loc_certs) # Location of Python's requests cert file
print(" ".join(["Requests Config:", req_status]))
print("Requests SSL configuration complete.")
elif 'requests' not in sys.modules:
print("Python requests library not installed, skipping requests update. Is conda installed?")
elif 'certifi' not in sys.modules:
print("Python certifi library not installed, skipping certifi update. Is conda installed?")
elif len(loc_certs) < 1:
print("No certificate *.pem or *.crt' files found at {}, skipping certificate update.".format(os.path.abspath(loc_certs)))
# Update environment variables:
if (prepend_env) or (set_env):
print("Environment variables configuration started...")
set_prepend_envs(set_env, prepend_env)
print("Environment variables configuration complete.")
# Update pip config:
if do_pip:
print("Pip SSL configuration started...")
if do_requests and ('requests' in sys.modules) and ('certifi' in sys.modules):
pip_cert_loc = requests.certs.where()
else:
pip_cert_loc = ssl.get_default_verify_paths().cafile
pip_status = update_certs(pip_cert_loc, loc_certs)
print(" ".join(["Pip Config:", pip_status]))
pip_status = ssl_pip(pth_cert=pip_cert_loc, pth_prepend="cert=")
print(" ".join(["Pip Config:", pip_status]))
print("Pip SSL configuration complete.")
# Update AWS config (if present). Requires admin priviledges.
if do_aws:
if platform.system() == 'Windows':
aws_cert_win = "C:\\Program Files\\Amazon\\AWSCLI\\botocore\\vendored\\requests\\cacert.pem"
aws_cert_win = _path_update(aws_cert_win)
print(aws_cert_win)
if os.path.isfile(aws_cert_win):
print("AWS CLI SSL configuration started...")
aws_cert_status = update_certs(aws_cert_win, loc_certs)
print(" ".join(["AWS CLI SSL config:", aws_cert_status]))
print("AWS CLI SSL configuration complete.")
else:
print("The --aws flag only applies to windows. Skipping...")
def __init__(self, web_interface_url, user_pwd, svn_branch='trunk', svn_revision='HEAD',
thread_count=1, result_poll_interval=2, user_agent=None, version=None):
"""
Creates a new WebInterface object.
The given svn revision is resolved (e.g. 'HEAD' -> 17495).
@param web_interface_url: the base URL of the VerifierCloud's web interface
@param user_pwd: user name and password in the format '<user_name>:<password>' or none if no authentification is required
@param svn_branch: the svn branch name or 'trunk', defaults to 'trunk'
@param svn_revision: the svn revision number or 'HEAD', defaults to 'HEAD'
@param thread_count: the number of threads for fetching results in parallel
@param result_poll_interval: the number of seconds to wait between polling results
"""
if not (1 <= thread_count <= MAX_SUBMISSION_THREADS):
sys.exit("Invalid number {} of client threads, needs to be between 1 and {}.".format(thread_count, MAX_SUBMISSION_THREADS))
if not 1 <= result_poll_interval:
sys.exit("Poll interval {} is too small, needs to be at least 1s.".format(result_poll_interval))
if not web_interface_url[-1] == '/':
web_interface_url += '/'
default_headers = {'Connection': 'Keep-Alive'}
if user_agent:
default_headers['User-Agent'] = \
'{}/{} (Python/{} {}/{})'.format(user_agent, version, platform.python_version(), platform.system(), platform.release())
urllib.parse.urlparse(web_interface_url) # sanity check
self._web_interface_url = web_interface_url
logging.info('Using VerifierCloud at %s', web_interface_url)
self._connection = requests.Session()
self._connection.headers.update(default_headers)
try:
cert_paths = ssl.get_default_verify_paths()
cert_path = cert_paths.cafile or cert_paths.capath # both might be None
except AttributeError: # not available on old Python
cert_path = None
self._connection.verify = cert_path or True # make sure that verification is enabled
if user_pwd:
self._connection.auth = (user_pwd.split(":")[0], user_pwd.split(":")[1])
self._base64_user_pwd = base64.b64encode(user_pwd.encode("utf-8")).decode("utf-8")
else:
self._base64_user_pwd = None
self._unfinished_runs = {}
self._unfinished_runs_lock = threading.Lock()
self._downloading_result_futures = {}
self._download_attempts = {}
self.thread_count = thread_count
self._executor = ThreadPoolExecutor(thread_count)
self._thread_local = threading.local()
self._hash_code_cache = {}
self._group_id = str(random.randint(0, 1000000))
self._read_hash_code_cache()
self._resolved_tool_revision(svn_branch, svn_revision)
self._tool_name = self._request_tool_name()
try:
self._result_downloader = SseResultDownloader(self, result_poll_interval)
except:
self._result_downloader = PollingResultDownloader(self, result_poll_interval)
def test_openssl():
import ssl
ssl.PROTOCOL_TLSv1_2
if isosx:
cafile = ssl.get_default_verify_paths().cafile
if not cafile or not cafile.endswith('/mozilla-ca-certs.pem') or not os.access(cafile, os.R_OK):
raise ValueError('Mozilla CA certs not loaded')
fprint('SSL OK!')
def main():
openssl_dir, openssl_cafile = os.path.split(
ssl.get_default_verify_paths().openssl_cafile)
# no content in this folder
os.listdir(openssl_dir)
# non existent file
print(os.path.exists(openssl_cafile))
print(platform.system().lower())
def test_openssl():
import ssl
ssl.PROTOCOL_TLSv1_2
if isosx:
cafile = ssl.get_default_verify_paths().cafile
if not cafile or not cafile.endswith(
'/mozilla-ca-certs.pem') or not os.access(cafile, os.R_OK):
raise ValueError('Mozilla CA certs not loaded')
fprint('SSL OK!')
def init_app(self, app):
ssl_defaults = ssl.get_default_verify_paths()
# Default config
app.config.setdefault("LDAP_SERVER", "localhost")
app.config.setdefault("LDAP_PORT", 389)
app.config.setdefault("LDAP_BINDDN", None)
app.config.setdefault("LDAP_SECRET", None)
app.config.setdefault("LDAP_CONNECT_TIMEOUT", 10)
app.config.setdefault("LDAP_READ_ONLY", False)
app.config.setdefault("LDAP_VALID_NAMES", None)
app.config.setdefault("LDAP_PRIVATE_KEY_PASSWORD", None)
app.config.setdefault("LDAP_RAISE_EXCEPTIONS", False)
app.config.setdefault("LDAP_CONNECTION_STRATEGY", SYNC)
app.config.setdefault("LDAP_USE_SSL", False)
app.config.setdefault("LDAP_USE_TLS", True)
app.config.setdefault("LDAP_TLS_VERSION", ssl.PROTOCOL_TLSv1_2)
app.config.setdefault("LDAP_REQUIRE_CERT", ssl.CERT_REQUIRED)
app.config.setdefault("LDAP_CLIENT_PRIVATE_KEY", None)
app.config.setdefault("LDAP_CLIENT_CERT", None)
app.config.setdefault("LDAP_CA_CERTS_FILE", ssl_defaults.cafile)
app.config.setdefault("LDAP_CA_CERTS_PATH", ssl_defaults.capath)
app.config.setdefault("LDAP_CA_CERTS_DATA", None)
app.config.setdefault("FORCE_ATTRIBUTE_VALUE_AS_LIST", False)
self.tls = Tls(
local_private_key_file=app.config["LDAP_CLIENT_PRIVATE_KEY"],
local_certificate_file=app.config["LDAP_CLIENT_CERT"],
validate=app.config["LDAP_REQUIRE_CERT"]
if app.config.get("LDAP_CLIENT_CERT") else ssl.CERT_NONE,
version=app.config["LDAP_TLS_VERSION"],
ca_certs_file=app.config["LDAP_CA_CERTS_FILE"],
valid_names=app.config["LDAP_VALID_NAMES"],
ca_certs_path=app.config["LDAP_CA_CERTS_PATH"],
ca_certs_data=app.config["LDAP_CA_CERTS_DATA"],
local_private_key_password=app.config["LDAP_PRIVATE_KEY_PASSWORD"],
)
self.ldap_server = Server(
host=app.config.get("LDAP_HOST") or app.config.get("LDAP_SERVER"),
port=app.config["LDAP_PORT"],
use_ssl=app.config["LDAP_USE_SSL"],
connect_timeout=app.config["LDAP_CONNECT_TIMEOUT"],
tls=self.tls,
get_info=ALL,
)
# Store ldap_conn object to extensions
app.extensions["ldap_conn"] = self
# Teardown appcontext
app.teardown_appcontext(self.teardown)
def verify_certs_chain(certs_chain: List[crypto.X509], amazon_cert: crypto.X509) -> bool:
"""Verifies if Amazon and additional certificates creates chain of trust to a root CA.
Args:
certs_chain: List of pycrypto X509 intermediate certificates from signature chain URL.
amazon_cert: Pycrypto X509 Amazon certificate.
Returns:
result: True if verification was successful, False if not.
"""
store = crypto.X509Store()
# add certificates from Amazon provided certs chain
for cert in certs_chain:
store.add_cert(cert)
# add CA certificates
default_verify_paths = ssl.get_default_verify_paths()
default_verify_file = default_verify_paths.cafile
default_verify_file = Path(default_verify_file).resolve() if default_verify_file else None
default_verify_path = default_verify_paths.capath
default_verify_path = Path(default_verify_path).resolve() if default_verify_path else None
ca_files = [ca_file for ca_file in default_verify_path.iterdir()] if default_verify_path else []
if default_verify_file:
ca_files.append(default_verify_file)
for ca_file in ca_files:
ca_file: Path
if ca_file.is_file():
with ca_file.open('r', encoding='ascii') as crt_f:
ca_certs_txt = crt_f.read()
ca_certs = extract_certs(ca_certs_txt)
for cert in ca_certs:
store.add_cert(cert)
# add CA certificates (Windows)
ssl_context = ssl.create_default_context()
der_certs = ssl_context.get_ca_certs(binary_form=True)
pem_certs = '\n'.join([ssl.DER_cert_to_PEM_cert(der_cert) for der_cert in der_certs])
ca_certs = extract_certs(pem_certs)
for ca_cert in ca_certs:
store.add_cert(ca_cert)
store_context = crypto.X509StoreContext(store, amazon_cert)
try:
store_context.verify_certificate()
result = True
except crypto.X509StoreContextError:
result = False
return result
def _configure_ssl(self, properties):
if (not properties or
not self._SSL_PROPS.intersection(set(iter(properties)))):
return None
mode = proton.SSLDomain.MODE_CLIENT
if properties.get('x-ssl-server', properties.get('x-server')):
mode = proton.SSLDomain.MODE_SERVER
identity = properties.get('x-ssl-identity')
ca_file = properties.get('x-ssl-ca-file')
if (not ca_file and properties.get('x-ssl') and
hasattr(ssl, 'get_default_verify_paths')):
ca_file = ssl.get_default_verify_paths().cafile
hostname = properties.get('x-ssl-peer-name',
properties.get('hostname'))
# default to most secure level of certificate validation
if not ca_file:
vdefault = 'no-verify'
elif not hostname:
vdefault = 'verify-cert'
else:
vdefault = 'verify-peer'
vmode = properties.get('x-ssl-verify-mode', vdefault)
try:
vmode = self._VERIFY_MODES[vmode]
except KeyError:
raise proton.SSLException("bad value for x-ssl-verify-mode: '%s'" %
vmode)
if vmode == proton.SSLDomain.VERIFY_PEER_NAME:
if not hostname or not ca_file:
raise proton.SSLException("verify-peer needs x-ssl-peer-name"
" and x-ssl-ca-file")
elif vmode == proton.SSLDomain.VERIFY_PEER:
if not ca_file:
raise proton.SSLException("verify-cert needs x-ssl-ca-file")
# This will throw proton.SSLUnavailable if SSL support is not installed
domain = proton.SSLDomain(mode)
if identity:
# our identity:
domain.set_credentials(identity[0], identity[1], identity[2])
if ca_file:
# how we verify peers:
domain.set_trusted_ca_db(ca_file)
domain.set_peer_authentication(vmode, ca_file)
if mode == proton.SSLDomain.MODE_SERVER:
if properties.get('x-ssl-allow-cleartext'):
domain.allow_unsecured_client()
pn_ssl = proton.SSL(self._pn_transport, domain)
if hostname:
pn_ssl.peer_hostname = hostname
LOG.debug("SSL configured for connection %s", self._name)
return pn_ssl
def init_app(self, app):
ssl_defaults = ssl.get_default_verify_paths()
# Default config
app.config.setdefault('LDAP_SERVER', 'localhost')
app.config.setdefault('LDAP_PORT', 389)
app.config.setdefault('LDAP_BINDDN', None)
app.config.setdefault('LDAP_SECRET', None)
app.config.setdefault('LDAP_TIMEOUT', 10)
app.config.setdefault('LDAP_READ_ONLY', False)
app.config.setdefault('LDAP_VALID_NAMES', None)
app.config.setdefault('LDAP_PRIVATE_KEY_PASSWORD', None)
app.config.setdefault('LDAP_CONNECTION_STRATEGY', SYNC)
app.config.setdefault('LDAP_USE_SSL', False)
app.config.setdefault('LDAP_USE_TLS', True)
app.config.setdefault('LDAP_TLS_VERSION', ssl.PROTOCOL_TLSv1)
app.config.setdefault('LDAP_REQUIRE_CERT', ssl.CERT_REQUIRED)
app.config.setdefault('LDAP_CLIENT_PRIVATE_KEY', None)
app.config.setdefault('LDAP_CLIENT_CERT', None)
app.config.setdefault('LDAP_CA_CERTS_FILE', ssl_defaults.cafile)
app.config.setdefault('LDAP_CA_CERTS_PATH', ssl_defaults.capath)
app.config.setdefault('LDAP_CA_CERTS_DATA', None)
self.tls = Tls(
local_private_key_file=app.config['LDAP_CLIENT_PRIVATE_KEY'],
local_certificate_file=app.config['LDAP_CLIENT_CERT'],
validate=app.config['LDAP_REQUIRE_CERT'],
version=app.config['LDAP_TLS_VERSION'],
ca_certs_file=app.config['LDAP_CA_CERTS_FILE'],
valid_names=app.config['LDAP_VALID_NAMES'],
ca_certs_path=app.config['LDAP_CA_CERTS_PATH'],
ca_certs_data=app.config['LDAP_CA_CERTS_DATA'],
local_private_key_password=app.config['LDAP_PRIVATE_KEY_PASSWORD']
)
self.ldap_server = Server(
host=app.config['LDAP_SERVER'],
port=app.config['LDAP_PORT'],
use_ssl=app.config['LDAP_USE_SSL'],
tls=self.tls,
get_info=GET_ALL_INFO
)
# Store ldap_conn object to extensions
app.extensions['ldap_conn'] = self
# Teardown appcontext
app.teardown_appcontext(self.teardown)
def _wrap_sni_socket(sock, sslopt, hostname):
context = ssl.SSLContext(sslopt.get('ssl_version', ssl.PROTOCOL_SSLv23))
if sslopt.get('cert_reqs', ssl.CERT_NONE) != ssl.CERT_NONE:
capath = ssl.get_default_verify_paths().capath
context.load_verify_locations(cafile=sslopt.get('ca_certs', None),
capath=sslopt.get('ca_cert_path', capath))
return context.wrap_socket(
sock,
do_handshake_on_connect=sslopt.get('do_handshake_on_connect', True),
suppress_ragged_eofs=sslopt.get('suppress_ragged_eofs', True),
server_hostname=hostname,
)
def patch_certs(cert_path=None):
"""
Patch http certificates or ignore_ssl() if no certificates ca be found
:param cert_path: Path to the certificate file
"""
if not defaults.CACERTS_DEFAULT_PATH:
if cert_path:
https.patch_with_certs(cert_path)
else:
try:
from ssl import get_default_verify_paths
cert_path = get_default_verify_paths().cafile or \
get_default_verify_paths().openssl_cafile
except:
pass
if cert_path:
https.patch_with_certs(cert_path)
else:
logger.warn("COULD NOT FIND ANY CERTIFICATES, PLEASE SET THEM IN YOUR "
".kamakirc global section, option ca_certs")
https.patch_ignore_ssl()
def _initialize_tls_certificate_locations(self):
"""Set up initial TLS file and directory lookup locations."""
self._default_tls_verify_paths = get_default_verify_paths()
try:
self.set_ssl_cert_locations(
self._default_tls_verify_paths.cafile,
self._default_tls_verify_paths.capath,
)
except GitError as git_err:
valid_msg = "TLS backend doesn't support certificate locations"
if str(git_err) != valid_msg:
raise
self._default_tls_verify_paths = None
self._ssl_cert_file = None
self._ssl_cert_dir = None
def __init__(self, state, *args, **kwargs):
cafile = ssl.get_default_verify_paths().openssl_cafile
# For some system / distribution, python can not detect system cafile path.
# In such case we fallback to the default path.
if not os.path.exists(cafile):
cafile = '/etc/ssl/certs/ca-certificates.crt'
if state.ssl_self_signed:
cafile = GetTLSCertPath(state.host)
ssl_options = {
'cert_reqs': ssl.CERT_REQUIRED,
'ca_certs': cafile
}
# ws4py does not allow you to specify SSLContext, but rather passing in the
# argument of ssl.wrap_socket
super(SSLEnabledWebSocketBaseClient, self).__init__(
ssl_options=ssl_options, *args, **kwargs)
def test_peer_certificate_verify(self):
import _ssl, ssl, gc
paths = ssl.get_default_verify_paths()
if not paths.capath and not paths.cafile:
skip("ssl.get_default_verify_paths() failed to return any path")
ctx = _ssl._SSLContext(_ssl.PROTOCOL_TLS)
ctx.verify_mode = _ssl.CERT_REQUIRED
ctx.load_verify_locations(capath=paths.capath, cafile=paths.cafile)
ss = ctx._wrap_socket(self.s._sock, False)
try:
ss.do_handshake()
except _ssl.SSLError as e:
if e.reason == 'CERTIFICATE_VERIFY_FAILED':
skip("Certificate verification failed. "
"Most likely we just don't have any CA certificates.")
assert ss.peer_certificate()
self.s.close()
del ss; gc.collect()
import gevent.queue
import gevent.socket
import os
import six
_CA_CERTS = None
try:
from ssl import get_default_verify_paths
except ImportError:
_CA_CERTS = None
else:
_certs = get_default_verify_paths()
_CA_CERTS = _certs.cafile or _certs.capath
if not _CA_CERTS or os.path.isdir(_CA_CERTS):
import certifi
_CA_CERTS = certifi.where()
try:
from ssl import _DEFAULT_CIPHERS
except ImportError:
# ssl._DEFAULT_CIPHERS in python2.7 branch.
_DEFAULT_CIPHERS = (
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:ECDH+RC4:'
'DH+RC4:RSA+RC4:!aNULL:!eNULL:!MD5')
try:
from gevent import lock
except ImportError:
def default_paths(self):
""" https://docs.python.org/2/library/ssl.html#ssl.get_default_verify_paths """
return ssl.get_default_verify_paths()
import ssl
import sys
print(ssl.get_default_verify_paths())
context = ssl.create_default_context()
import socket
conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="www.python.org")
conn.connect(("www.python.org", 443))
print('OK https://www.python.org [Verified]')
conn.close()
conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="untrusted-root.badssl.com")
try:
conn.connect(("untrusted-root.badssl.com", 443))
except ssl.SSLError:
print('OK https://untrusted-root.badssl.com [Unverified]')
else:
print('FAIL https://untrusted-root.badssl.com [Verified]')
sys.exit(1)
finally:
conn.close()
import sys
from distutils import sysconfig
from distutils.command.install import install, SCHEME_KEYS # noqa
from pip.compat import WINDOWS, expanduser
from pip.utils import appdirs
# if the Python we're running on is new enough to have the needed API then
# we'll ask OpenSSL to give us the path to the default CA Bundle. If this API
# doesn't exist or we cannot resolve the path to an existing file, then we will
# simply set this to None. Setting this to None will have requests fall back
# and use it's default CA Bundle logic.
if getattr(ssl, "get_default_verify_paths", None):
CA_BUNDLE_PATH = ssl.get_default_verify_paths().cafile
else:
CA_BUNDLE_PATH = None
# Application Directories
USER_CACHE_DIR = appdirs.user_cache_dir("pip")
DELETE_MARKER_MESSAGE = '''\
This file is placed here by pip to indicate the source was put
here by pip.
Once this package is successfully installed this source code will be
deleted (unless you remove this file).
'''
def default_paths(self):
return ssl.get_default_verify_paths()
from distutils.command.install import install, SCHEME_KEYS # noqa
from pip.compat import WINDOWS, expanduser
from pip.utils import appdirs
# if the Python we're running on is new enough to have the needed API then
# we'll ask OpenSSL to give us the path to the default CA Bundle. If this API
# doesn't exist or we cannot resolve the path to an existing file, then we will
# simply set this to None. Setting this to None will have requests fall back
# and use it's default CA Bundle logic.
# Ever since requests 2.9.0, requests has supported a CAPath in addition to a
# CAFile, because some systems (such as Debian) have a broken CAFile currently
# we'll go ahead and support both, prefering CAPath over CAfile.
if getattr(ssl, "get_default_verify_paths", None):
_ssl_paths = ssl.get_default_verify_paths()
# Ok, this is a little hairy because system trust stores are randomly
# broken in different and exciting ways and this should help fix that.
# Ideally we'd just not trust the system store, however that leads end
# users to be confused on systems like Debian that patch python-pip, even
# inside of a virtual environment, to support the system store. This would
# lead to pip trusting the system store when creating the virtual
# environment, but then switching to not doing that when upgraded to a
# version from PyPI. However, we can't *only* rely on the system store
# because not all systems actually have one, so at the end of the day we
# still need to fall back to trusting the bundled copy.
#
# Resolution Method:
#
# 1. We prefer a CAPath, however we will *only* prefer a CAPath if the
def tls_configure(sock, context, args, kwargs):
# FIXME: We should convert positional arguments to named ones, to
# make sure everything Just Works.
#
# Pop off any positional arguments that just want defaults
args = list(args)
while args and args[-1] is None:
args.pop(-1)
kwargs = copy.copy(kwargs)
if (not hasattr(ssl, 'OP_NO_SSLv3')) and not context:
# This build/version of Python is insecure!
# Force the protocol version to TLSv1.
kwargs['ssl_version'] = kwargs.get('ssl_version', ssl.PROTOCOL_TLSv1)
# Per-site configuration, SNI and TOFU!
hostname = None
accept_certs = []
if 'server_hostname' in kwargs:
hostname = '%s:%s' % (kwargs['server_hostname'], sock.getpeername()[1])
tls_settings = KNOWN_TLS_HOSTS.get(md5_hex(hostname))
# These defaults allow us to do certificate TOFU
if tls_settings is not None:
accept_certs = [c for c in tls_settings.accept_certs]
kwargs['cert_reqs'] = ssl.CERT_NONE
if context:
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
# Attempt to configure for Certificate Authorities
use_web_ca = kwargs.get('use_web_ca',
tls_settings is None or tls_settings.use_web_ca)
if use_web_ca:
try:
if context:
context.load_default_certs()
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True
accept_certs = None
elif 'ca_certs' in kwargs:
kwargs['cert_reqs'] = ssl.CERT_REQUIRED
accept_certs = None
elif hasattr(ssl, 'get_default_verify_paths'):
kwargs['cert_reqs'] = ssl.CERT_REQUIRED
kwargs['ca_certs'] = ssl.get_default_verify_paths().cafile
accept_certs = None
else:
# Fall back to TOFU.
pass
except (NameError, AttributeError):
# Old Python: Fall back to TOFU
pass
if context:
del kwargs['cert_reqs']
else:
# The context-less ssl.wrap_socket() doesn't understand this
# argument, so get rid of it.
del kwargs['server_hostname']
if 'use_web_ca' in kwargs:
del kwargs['use_web_ca']
return tuple(args), kwargs, hostname, accept_certs
