o Qa2@sddlmZddlZejdkrddlmZnddlmZddlZddlm Z ddl m Z ddl m Z zdd l m Z WneyIdd lm Z Ynwdd lmZdd lmZmZdd lmZd gZGdddeZGdd d eZdS))absolute_importN)r)httplib)debug) Semaphore)time)urlparse)Config)ParameterErrorS3SSLCertificateError)getBucketFromHostnameConnManc@sjeZdZdZdZeddZeddZeddZed d Z d d Z d dZ edddZ ddZ dS)http_connectionNFcCsJt}d}ztj|d}Wn tyYnw|r#|js#d|_td|S)N)cafileFz+Disabling SSL certificate hostname checking)r sslcreate_default_contextAttributeErrorcheck_ssl_hostnamecheck_hostnamer)rcfgcontextr,/usr/lib/python3/dist-packages/S3/ConnMan.py_ssl_verified_context(s  z%http_connection._ssl_verified_contextcCs8tdd}z tj|tjd}W|StyY|Sw)Nz"Disabling SSL certificate checking)r cert_reqs)rr_create_unverified_context CERT_NONEr)rrrrr_ssl_unverified_context6s z'http_connection._ssl_unverified_contextcCsBd}z|rtjntj}tj||||d}W|Sty Y|Sw)N)rkeyfilecertfiler)r CERT_REQUIREDrrr)r rcheck_server_certrrrrrr_ssl_client_auth_contextAs z(http_connection._ssl_client_auth_contextcCstjrtjSt}|j}|dkrd}|jpd}|jpd}td|td|td||dur9t|||j |}n|j rBt |}nt |}|t_dt_|S)NzUsing ca_certs_file %szUsing ssl_client_cert_file %szUsing ssl_client_key_file %sT) r context_setrr ca_certs_filessl_client_cert_filessl_client_key_filerr#check_ssl_certificaterr)rrr rrrrr _ssl_contextNs&       zhttp_connection._ssl_contextcCstd|dd}|}tdtjj}|D]D\}}|dkr\|}|dr3|dr3|ds=|dr@|dr@d S||d tj d kr\||d tj d r\d Sqd S)a Wildcard matching for *.s3.amazonaws.com and similar per region. Per http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html: "We recommend that all bucket names comply with DNS naming conventions." Per http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html: "When using virtual hosted-style buckets with SSL, the SSL wild card certificate only matches buckets that do not contain periods. To work around this, use HTTP or write your own certificate verification logic." Therefore, we need a custom validation routine that allows mybucket.example.com.s3.amazonaws.com to be considered a valid hostname for the *.s3.amazonaws.com wildcard cert, and for the region-specific *.s3-[region].amazonaws.com wildcard cert. We also forgive non-S3 wildcard certificates should the hostname match, to allow compatibility with other S3 API-compatible storage providers. z6checking SSL subjectAltName as forgiving wildcard certsubjectAltNamerhttps://DNSz*.s3z.amazonaws.comz.amazonaws.com.cnT*)bucketlocationr$F) rgetlowerr r host_buckethostname startswithendswithbucket_location)selfcertr4sancleaned_host_bucket_configkeyvaluerrrforgive_wildcard_certis6   z%http_connection.forgive_wildcard_certc Cs~|jj}z t||jWdStyYdSty#YdSty>}z| ||js3|WYd}~dSd}~wwN) csock getpeercertrmatch_hostnamer4r ValueErrorS3CertificateErrorr>)r8r9errrrCs   zhttp_connection.match_hostnamec Csz4t}t|\}}|rd|vrtdd}|rd|_n|r#|j}nd}tj||||d}tdW|Styaztj|||d}tdWY|Sty`t||}td YY|Sww) N.zHBucket name contains "." character, disabling initial SSL hostname checkFT)rrz=httplib.HTTPSConnection() has both context and check_hostname)rz*httplib.HTTPSConnection() has only contextz@httplib.HTTPSConnection() has neither context nor check_hostname)rr*r rrrHTTPSConnection TypeError)r4portr bucket_namesuccessrconnrrr_https_connections4       z!http_connection._https_connectioncCs8||_||_d|_td|}|j|_|j|_|jr-|jdkr-|jd|_td|jnd|_ |j sZ|rHt |j|j|_ td|j|jnNt |j|j|_ td|j|jn<|rt |j |j|_ td|j |j|jrs|jptd}|j |j|td |j|nt |j |j|_ td |j |jt|_dS) Nrr,/zendpoint path set to %sz#non-proxied HTTPSConnection(%s, %s)z"non-proxied HTTPConnection(%s, %s)zproxied HTTPSConnection(%s, %s)iztunnel to %s, %szproxied HTTPConnection(%s, %s))ridcounterr r4rJpathrstripr proxy_hostrrNr@rHTTPConnection proxy_port set_tunnelrlast_used_time)r8rPr4rrparsed_hostnamerJrrr__init__s4  zhttp_connection.__init__r?)__name__ __module__ __qualname__rr% staticmethodrrr#r*r>rCrNrZrrrrr$s     (  $rc@sLeZdZejZejZeZiZdZ e d ddZ e ddZ e ddZ dS) ri NcCsHt}|dur |j}d}|jdkr%|rtjdkrtdd|j|jf}n d|r*dp+d|f}tj |tj vr>gtj |<tj |rutj | }t }||j |jkre||j kretd|j|jfntdt|d}tj |sCtj|std |t||||}|j|jr|jr|jr||jd 7_|S) Nr$iz6use_https=True can't be used with proxy on Python <2.7z proxy://%s:%sz http%s://%ssz)ConnMan.get(): re-using connection: %s#%dz)ConnMan.get(): closing expired connectionz*ConnMan.get(): creating new connection: %sr)r use_httpsrTsys hexversionr rVr conn_pool_semacquire conn_poolpoprrXconnection_max_agerrPrQclosereleaserr@connectrr)rrC)r4rrrMconn_idcur_timerrrr1sD           z ConnMan.getcCs|jdrt|tddS|jtjkr"t|tddSt}|js3t|tddSt |_ tj tj |j|tj td|j|jfdS)Nzproxy://zFConnMan.put(): closing proxy connection (keep-alive not yet supported)z+ConnMan.put(): closing over-used connectionz?ConnMan.put(): closing connection (connection pooling disabled)z2ConnMan.put(): connection put back to pool (%s#%d))rPr5rrhrrQconn_max_counterr connection_poolingrrXrcrdreappendri)rMrrrrput"s(         z ConnMan.putcCs|r |jdSdSr?)r@rh)rMrrrrh>sz ConnMan.closer?)r[r\r]r _CS_REQ_SENTCONTINUErrcrermr^r1rprhrrrrrs % ) __future__rra version_infoCustom_httplib3xrCustom_httplib27rloggingr threadingrrr ImportError urllib.parser Exceptionsr r Utilsr __all__objectrrrrrrs*         R