def request(): try: pool = HTTPSConnectionPool(self.host, self.port, assert_fingerprint=fingerprint) response = pool.urlopen("GET", "/", preload_content=False, timeout=Timeout(connect=1, read=0.001)) response.read() finally: pool.close()
def request(): try: pool = HTTPSConnectionPool(self.host, self.port, assert_fingerprint=fingerprint) response = pool.urlopen('GET', '/', preload_content=False, timeout=Timeout(connect=1, read=0.001)) response.read() finally: pool.close()
class HTTP(object): """ Wrapper for HTTP method calls. """ @staticmethod def authorization(user, password): return 'Basic ' + b64encode((user + ":" + password).encode("utf-8")).decode("ascii") def __init__(self, uri, headers, verified): self.uri = uri self.verified = verified parts = urlsplit(uri) scheme = parts.scheme host = parts.hostname port = parts.port if scheme == "http": from urllib3 import HTTPConnectionPool self._http = HTTPConnectionPool("%s:%d" % (host, port)) elif scheme == "https": from urllib3 import HTTPSConnectionPool if verified: from certifi import where self._http = HTTPSConnectionPool("%s:%d" % (host, port), cert_reqs="CERT_REQUIRED", ca_certs=where()) else: self._http = HTTPSConnectionPool("%s:%d" % (host, port)) else: raise ValueError("Unsupported scheme %r" % scheme) self.path = parts.path if "auth" in headers: user, password = headers.pop("auth") headers["Authorization"] = 'Basic ' + b64encode( (ustr(user) + u":" + ustr(password)).encode("utf-8")).decode("ascii") self.headers = headers def __del__(self): self.close() def __eq__(self, other): try: return self.uri == other.uri except AttributeError: return False def __ne__(self, other): return not self.__eq__(other) def request(self, method, url, fields=None, headers=None, **urlopen_kw): from neo4j.v1 import ServiceUnavailable from urllib3.exceptions import MaxRetryError try: if self.verified: return self._http.request(method, url, fields, headers, **urlopen_kw) else: with catch_warnings(): simplefilter("ignore") return self._http.request(method, url, fields, headers, **urlopen_kw) except MaxRetryError: raise ServiceUnavailable("Cannot send %s request to <%s>" % (method, url)) def get_json(self, ref): """ Perform an HTTP GET to this resource and return JSON. """ rs = self.request("GET", self.path + ref, headers=self.headers) try: if rs.status == 200: return json_loads(rs.data.decode('utf-8')) else: self.raise_error(rs.status, rs.data) finally: rs.close() def post(self, ref, json, expected): """ Perform an HTTP POST to this resource. """ headers = dict(self.headers) if json is not None: headers["Content-Type"] = "application/json" json = json_dumps(json).encode('utf-8') rs = self.request("POST", self.path + ref, headers=self.headers, body=json) if rs.status not in expected: self.raise_error(rs.status, rs.data) return rs def delete(self, ref, expected): """ Perform an HTTP DELETE to this resource. """ rs = self.request("DELETE", self.path + ref, headers=self.headers) if rs.status not in expected: self.raise_error(rs.status, rs.data) return rs def close(self): if self._http and self._http.pool: self._http.close() def raise_error(self, status_code, data): if status_code == UNAUTHORIZED: raise AuthError(self.uri) if status_code == FORBIDDEN: raise Forbidden(self.uri) if data: content = json_loads(data.decode('utf-8')) else: content = {} message = content.pop("message", "HTTP request to <%s> returned unexpected status code %s" % (self.uri, status_code)) error = GraphError(message, **content) error.http_status_code = status_code raise error
class HTTP(object): """ Wrapper for HTTP method calls. """ def __init__(self, uri): self.uri = uri parts = urlsplit(uri) scheme = parts.scheme host = parts.hostname port = parts.port if scheme == "http": from urllib3 import HTTPConnectionPool self._http = HTTPConnectionPool("%s:%d" % (host, port)) elif scheme == "https": from urllib3 import HTTPSConnectionPool self._http = HTTPSConnectionPool("%s:%d" % (host, port)) else: raise ValueError("Unsupported scheme %r" % scheme) self.path = parts.path self._headers = get_http_headers(scheme, host, port) def __del__(self): self.close() def __eq__(self, other): try: return self.uri == other.uri except AttributeError: return False def __ne__(self, other): return not self.__eq__(other) def request(self, method, url, fields=None, headers=None, **urlopen_kw): from neo4j.v1 import ServiceUnavailable from urllib3.exceptions import MaxRetryError try: return self._http.request(method, url, fields, headers, **urlopen_kw) except MaxRetryError: raise ServiceUnavailable("Cannot send %r request to %r" % (method, url)) def get_json(self, ref): """ Perform an HTTP GET to this resource and return JSON. """ rs = self.request("GET", self.path + ref, headers=self._headers) try: if rs.status == 200: return json_loads(rs.data.decode('utf-8')) else: raise_error(self.uri, rs.status, rs.data) finally: rs.close() def post(self, ref, json, expected): """ Perform an HTTP POST to this resource. """ headers = dict(self._headers) if json is not None: headers["Content-Type"] = "application/json" json = json_dumps(json).encode('utf-8') rs = self.request("POST", self.path + ref, headers=self._headers, body=json) if rs.status not in expected: raise_error(self.uri, rs.status, rs.data) return rs def delete(self, ref, expected): """ Perform an HTTP DELETE to this resource. """ rs = self.request("DELETE", self.path + ref, headers=self._headers) if rs.status not in expected: raise_error(self.uri, rs.status, rs.data) return rs def close(self): if self._http and self._http.pool: self._http.close()
class TestHTTPS(HTTPSDummyServerTestCase): tls_protocol_name = None def setup_method(self, method): self._pool = HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) def teardown_method(self, method): self._pool.close() def test_simple(self): r = self._pool.request("GET", "/") assert r.status == 200, r.data @fails_on_travis_gce def test_dotted_fqdn(self): pool = HTTPSConnectionPool(self.host + ".", self.port, ca_certs=DEFAULT_CA) r = pool.request("GET", "/") assert r.status == 200, r.data def test_client_intermediate(self): client_cert, client_key = ( DEFAULT_CLIENT_CERTS["certfile"], DEFAULT_CLIENT_CERTS["keyfile"], ) https_pool = HTTPSConnectionPool( self.host, self.port, key_file=client_key, cert_file=client_cert, ca_certs=DEFAULT_CA, ) r = https_pool.request("GET", "/certificate") subject = json.loads(r.data.decode("utf-8")) assert subject["organizationalUnitName"].startswith( "Testing server cert") def test_client_no_intermediate(self): client_cert, client_key = ( DEFAULT_CLIENT_NO_INTERMEDIATE_CERTS["certfile"], DEFAULT_CLIENT_NO_INTERMEDIATE_CERTS["keyfile"], ) https_pool = HTTPSConnectionPool( self.host, self.port, cert_file=client_cert, key_file=client_key, ca_certs=DEFAULT_CA, ) try: https_pool.request("GET", "/certificate", retries=False) except SSLError as e: if not ("alert unknown ca" in str(e) or "invalid certificate chain" in str(e) or "unknown Cert Authority" in str(e) or # https://github.com/urllib3/urllib3/issues/1422 "connection closed via error" in str(e) or "WSAECONNRESET" in str(e)): raise except ProtocolError as e: if not ("An existing connection was forcibly closed by the remote host" in str(e) # Python 3.7.4+ or "WSAECONNRESET" in str(e) # Windows or "EPIPE" in str(e) # macOS ): raise @requires_ssl_context_keyfile_password def test_client_key_password(self): client_cert, client_key = ( DEFAULT_CLIENT_CERTS["certfile"], PASSWORD_CLIENT_KEYFILE, ) https_pool = HTTPSConnectionPool( self.host, self.port, ca_certs=DEFAULT_CA, key_file=client_key, cert_file=client_cert, key_password="******", ) r = https_pool.request("GET", "/certificate") subject = json.loads(r.data.decode("utf-8")) assert subject["organizationalUnitName"].startswith( "Testing server cert") @requires_ssl_context_keyfile_password def test_client_encrypted_key_requires_password(self): client_cert, client_key = ( DEFAULT_CLIENT_CERTS["certfile"], PASSWORD_CLIENT_KEYFILE, ) with pytest.raises(SSLError) as e: HTTPSConnectionPool( self.host, self.port, key_file=client_key, cert_file=client_cert, key_password=None, ) assert "password is required" in str(e.value) def test_verified(self): with HTTPSConnectionPool(self.host, self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: with mock.patch("warnings.warn") as warn: r = https_pool.request("GET", "/") assert r.status == 200 # Modern versions of Python, or systems using PyOpenSSL, don't # emit warnings. if (sys.version_info >= (2, 7, 9) or util.IS_PYOPENSSL or util.IS_SECURETRANSPORT): assert not warn.called, warn.call_args_list else: assert warn.called if util.HAS_SNI: call = warn.call_args_list[0] else: call = warn.call_args_list[1] error = call[0][1] assert error == InsecurePlatformWarning def test_verified_with_context(self): ctx = util.ssl_.create_urllib3_context(cert_reqs=ssl.CERT_REQUIRED) ctx.load_verify_locations(cafile=DEFAULT_CA) with HTTPSConnectionPool(self.host, self.port, ssl_context=ctx) as https_pool: with mock.patch("warnings.warn") as warn: r = https_pool.request("GET", "/") assert r.status == 200 # Modern versions of Python, or systems using PyOpenSSL, don't # emit warnings. if (sys.version_info >= (2, 7, 9) or util.IS_PYOPENSSL or util.IS_SECURETRANSPORT): assert not warn.called, warn.call_args_list else: assert warn.called if util.HAS_SNI: call = warn.call_args_list[0] else: call = warn.call_args_list[1] error = call[0][1] assert error == InsecurePlatformWarning def test_context_combines_with_ca_certs(self): ctx = util.ssl_.create_urllib3_context(cert_reqs=ssl.CERT_REQUIRED) with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA, ssl_context=ctx) as https_pool: with mock.patch("warnings.warn") as warn: r = https_pool.request("GET", "/") assert r.status == 200 # Modern versions of Python, or systems using PyOpenSSL, don't # emit warnings. if (sys.version_info >= (2, 7, 9) or util.IS_PYOPENSSL or util.IS_SECURETRANSPORT): assert not warn.called, warn.call_args_list else: assert warn.called if util.HAS_SNI: call = warn.call_args_list[0] else: call = warn.call_args_list[1] error = call[0][1] assert error == InsecurePlatformWarning @onlyPy279OrNewer @notSecureTransport # SecureTransport does not support cert directories @notOpenSSL098 # OpenSSL 0.9.8 does not support cert directories def test_ca_dir_verified(self): with HTTPSConnectionPool(self.host, self.port, cert_reqs="CERT_REQUIRED", ca_cert_dir=DEFAULT_CA_DIR) as https_pool: with mock.patch("warnings.warn") as warn: r = https_pool.request("GET", "/") assert r.status == 200 assert not warn.called, warn.call_args_list def test_invalid_common_name(self): with HTTPSConnectionPool("127.0.0.1", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: try: https_pool.request("GET", "/") self.fail("Didn't raise SSL invalid common name") except MaxRetryError as e: assert isinstance(e.reason, SSLError) assert "doesn't match" in str( e.reason) or "certificate verify failed" in str(e.reason) def test_verified_with_bad_ca_certs(self): with HTTPSConnectionPool(self.host, self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA_BAD) as https_pool: try: https_pool.request("GET", "/") self.fail("Didn't raise SSL error with bad CA certs") except MaxRetryError as e: assert isinstance(e.reason, SSLError) assert "certificate verify failed" in str(e.reason), ( "Expected 'certificate verify failed', instead got: %r" % e.reason) def test_verified_without_ca_certs(self): # default is cert_reqs=None which is ssl.CERT_NONE with HTTPSConnectionPool(self.host, self.port, cert_reqs="CERT_REQUIRED") as https_pool: try: https_pool.request("GET", "/") self.fail("Didn't raise SSL error with no CA certs when" "CERT_REQUIRED is set") except MaxRetryError as e: assert isinstance(e.reason, SSLError) # there is a different error message depending on whether or # not pyopenssl is injected assert ("No root certificates specified" in str(e.reason) # PyPy sometimes uses all-caps here or "certificate verify failed" in str(e.reason).lower() or "invalid certificate chain" in str(e.reason)), ( "Expected 'No root certificates specified', " "'certificate verify failed', or " "'invalid certificate chain', " "instead got: %r" % e.reason) def test_unverified_ssl(self): """ Test that bare HTTPSConnection can connect, make requests """ with HTTPSConnectionPool(self.host, self.port, cert_reqs=ssl.CERT_NONE) as pool: with mock.patch("warnings.warn") as warn: r = pool.request("GET", "/") assert r.status == 200 assert warn.called # Modern versions of Python, or systems using PyOpenSSL, only emit # the unverified warning. Older systems may also emit other # warnings, which we want to ignore here. calls = warn.call_args_list assert InsecureRequestWarning in [x[0][1] for x in calls] def test_ssl_unverified_with_ca_certs(self): with HTTPSConnectionPool(self.host, self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD) as pool: with mock.patch("warnings.warn") as warn: r = pool.request("GET", "/") assert r.status == 200 assert warn.called # Modern versions of Python, or systems using PyOpenSSL, only emit # the unverified warning. Older systems may also emit other # warnings, which we want to ignore here. calls = warn.call_args_list if (sys.version_info >= (2, 7, 9) or util.IS_PYOPENSSL or util.IS_SECURETRANSPORT): category = calls[0][0][1] elif util.HAS_SNI: category = calls[1][0][1] else: category = calls[2][0][1] assert category == InsecureRequestWarning def test_assert_hostname_false(self): with HTTPSConnectionPool("localhost", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: https_pool.assert_hostname = False https_pool.request("GET", "/") def test_assert_specific_hostname(self): with HTTPSConnectionPool("localhost", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: https_pool.assert_hostname = "localhost" https_pool.request("GET", "/") def test_server_hostname(self): with HTTPSConnectionPool( "127.0.0.1", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA, server_hostname="localhost", ) as https_pool: conn = https_pool._new_conn() https_pool._start_conn(conn, connect_timeout=None) # Assert the wrapping socket is using the passed-through SNI name. # pyopenssl doesn't let you pull the server_hostname back off the # socket, so only add this assertion if the attribute is there (i.e. # the python ssl module). # XXX This is highly-specific to SyncBackend # See https://github.com/python-trio/urllib3/pull/54#discussion_r241683895 # for potential solutions sock = conn._sock._sock if hasattr(sock, "server_hostname"): assert sock.server_hostname == "localhost" def test_assert_fingerprint_md5(self): with HTTPSConnectionPool("localhost", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: https_pool.assert_fingerprint = ( "F2:06:5A:42:10:3F:45:1C:17:FE:E6:07:1E:8A:86:E5") https_pool.request("GET", "/") def test_assert_fingerprint_sha1(self): with HTTPSConnectionPool("localhost", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: https_pool.assert_fingerprint = ( "92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A") https_pool.request("GET", "/") def test_assert_fingerprint_sha256(self): with HTTPSConnectionPool("localhost", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: https_pool.assert_fingerprint = ( "C5:4D:0B:83:84:89:2E:AE:B4:58:BB:12:" "F7:A6:C4:76:05:03:88:D8:57:65:51:F3:" "1E:60:B0:8B:70:18:64:E6") https_pool.request("GET", "/") def test_assert_invalid_fingerprint(self): with HTTPSConnectionPool("127.0.0.1", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: https_pool.assert_fingerprint = ( "AA:AA:AA:AA:AA:AAAA:AA:AAAA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA") def _test_request(pool): with pytest.raises(MaxRetryError) as cm: pool.request("GET", "/", retries=0) assert isinstance(cm.value.reason, SSLError) _test_request(https_pool) https_pool._get_conn() # Uneven length https_pool.assert_fingerprint = "AA:A" _test_request(https_pool) https_pool._get_conn() # Invalid length https_pool.assert_fingerprint = "AA" _test_request(https_pool) def test_verify_none_and_bad_fingerprint(self): with HTTPSConnectionPool("127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD) as https_pool: https_pool.assert_fingerprint = ( "AA:AA:AA:AA:AA:AAAA:AA:AAAA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA") with pytest.raises(MaxRetryError) as cm: https_pool.request("GET", "/", retries=0) assert isinstance(cm.value.reason, SSLError) def test_verify_none_and_good_fingerprint(self): with HTTPSConnectionPool("127.0.0.1", self.port, cert_reqs="CERT_NONE", ca_certs=DEFAULT_CA_BAD) as https_pool: https_pool.assert_fingerprint = ( "92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A") https_pool.request("GET", "/") @notSecureTransport def test_good_fingerprint_and_hostname_mismatch(self): # This test doesn't run with SecureTransport because we don't turn off # hostname validation without turning off all validation, which this # test doesn't do (deliberately). We should revisit this if we make # new decisions. with HTTPSConnectionPool("127.0.0.1", self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) as https_pool: https_pool.assert_fingerprint = ( "92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A") https_pool.request("GET", "/") @requires_network def test_https_timeout(self): timeout = Timeout(total=None, connect=0.001) with HTTPSConnectionPool( TARPIT_HOST, self.port, timeout=timeout, retries=False, cert_reqs="CERT_REQUIRED", ) as https_pool: with pytest.raises(ConnectTimeoutError): https_pool.request("GET", "/") timeout = Timeout(read=0.01) with HTTPSConnectionPool( self.host, self.port, timeout=timeout, retries=False, cert_reqs="CERT_REQUIRED", ) as https_pool: https_pool.assert_fingerprint = ( "92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A") timeout = Timeout(total=None) with HTTPSConnectionPool(self.host, self.port, timeout=timeout, cert_reqs="CERT_NONE") as https_pool: https_pool.request("GET", "/") @requires_network def test_enhanced_timeout(self): with HTTPSConnectionPool( TARPIT_HOST, self.port, timeout=Timeout(connect=0.001), retries=False, cert_reqs="CERT_REQUIRED", ) as https_pool: conn = https_pool._new_conn() with pytest.raises(ConnectTimeoutError): https_pool.request("GET", "/") with pytest.raises(ConnectTimeoutError): https_pool._make_request(conn, "GET", "/") with HTTPSConnectionPool( TARPIT_HOST, self.port, timeout=Timeout(connect=5), retries=False, cert_reqs="CERT_REQUIRED", ) as https_pool: with pytest.raises(ConnectTimeoutError): https_pool.request("GET", "/", timeout=Timeout(connect=0.001)) with HTTPSConnectionPool( TARPIT_HOST, self.port, timeout=Timeout(total=None), retries=False, cert_reqs="CERT_REQUIRED", ) as https_pool: conn = https_pool._new_conn() with pytest.raises(ConnectTimeoutError): https_pool.request("GET", "/", timeout=Timeout(total=None, connect=0.001)) def test_enhanced_ssl_connection(self): fingerprint = "92:81:FE:85:F7:0C:26:60:EC:D6:B3:BF:93:CF:F9:71:CC:07:7D:0A" with HTTPSConnectionPool( self.host, self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA, assert_fingerprint=fingerprint, ) as https_pool: r = https_pool.urlopen("GET", "/") assert r.status == 200 @onlyPy279OrNewer def test_ssl_correct_system_time(self): w = self._request_without_resource_warnings("GET", "/") assert [] == w @onlyPy279OrNewer def test_ssl_wrong_system_time(self): with mock.patch("urllib3._sync.connection.datetime") as mock_date: mock_date.date.today.return_value = datetime.date(1970, 1, 1) w = self._request_without_resource_warnings("GET", "/") assert len(w) == 1 warning = w[0] assert SystemTimeWarning == warning.category assert str(RECENT_DATE) in warning.message.args[0] def _request_without_resource_warnings(self, method, url): pool = HTTPSConnectionPool(self.host, self.port, cert_reqs="CERT_REQUIRED", ca_certs=DEFAULT_CA) with warnings.catch_warnings(record=True) as w: warnings.simplefilter("always") pool.request(method, url) return [x for x in w if not isinstance(x.message, ResourceWarning)] def test_set_ssl_version_to_tls_version(self): if self.tls_protocol_name is None: pytest.skip("Skipping base test class") self._pool.ssl_version = self.certs["ssl_version"] r = self._pool.request("GET", "/") assert r.status == 200, r.data def test_set_cert_default_cert_required(self): pool = HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) assert pool.ssl_context.verify_mode == ssl.CERT_REQUIRED def test_tls_protocol_name_of_socket(self): if self.tls_protocol_name is None: pytest.skip("Skipping base test class") conn = self._pool._get_conn() conn.connect(self._pool.ssl_context) if not hasattr(conn._sock, "_version"): pytest.skip("_version() not available in backend") assert conn._sock._version() == self.tls_protocol_name