switch to modern urllib3 via a shim

2026-06-28 18:01:36 +00:00 · 2023-08-21 14:21:59 +00:00
parent 2a38699595
commit 48c30dc266
5 changed files with 2206 additions and 12 deletions
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -108,6 +108,9 @@ from filelock import FileLock

 from pathvalidate import sanitize_filename, sanitize_filepath

+import httplib2shim
+httplib2shim.patch()
+
 import googleapiclient
 import googleapiclient.discovery
 import googleapiclient.errors
@@ -120,6 +123,7 @@ import google.oauth2.service_account
 import google_auth_oauthlib.flow
 import google_auth_httplib2
 import httplib2
+import urllib3.exceptions

 httplib2.RETRIES = 5

@@ -2401,6 +2405,7 @@ def entityDoesNotExistWarning(entityType, entityName, i=0, count=0):

 def entityUnknownWarning(entityType, entityName, i=0, count=0):
  domain = getEmailAddressDomain(entityName)
+
  if (domain.endswith(GC.Values[GC.DOMAIN])) or (domain.endswith('google.com')):
    entityDoesNotExistWarning(entityType, entityName, i, count)
  else:
@@ -8870,8 +8875,11 @@ def _getServerTLSUsed(location):
  retries = 5
  for n in range(1, retries+1):
    try:
-      httpObj.request(url, headers={'user-agent': GAM_USER_AGENT})
-      cipher_name, tls_ver, _ = httpObj.connections[conn].sock.cipher()
+      resp = httpObj.pool.request('GET',
+                                  url,
+                                  headers={'user-agent': GAM_USER_AGENT},
+                                  preload_content=False)
+      cipher_name, tls_ver, _ = resp.connection.sock.cipher()
      return tls_ver, cipher_name
    except (httplib2.HttpLib2Error, RuntimeError) as e:
      if n != retries:
@@ -8921,11 +8929,17 @@ def getOSPlatform():

 # gam checkconnection
 def doCheckConnection():
-  hosts = ['api.github.com', 'raw.githubusercontent.com',
-           'accounts.google.com', 'oauth2.googleapis.com', 'www.googleapis.com']
+  hosts = ['api.github.com',
+           'raw.githubusercontent.com',
+           'accounts.google.com',
+           'oauth2.googleapis.com',
+           'www.googleapis.com']
  fix_hosts = {'calendar-json.googleapis.com': 'www.googleapis.com',
               'storage-api.googleapis.com': 'storage.googleapis.com'}
-  api_hosts = ['apps-apis.google.com', 'sites.google.com', 'versionhistory.googleapis.com', 'www.google.com']
+  api_hosts = ['apps-apis.google.com',
+               'sites.google.com',
+               'versionhistory.googleapis.com',
+               'www.google.com']
  for host in API.PROJECT_APIS:
    host = fix_hosts.get(host, host)
    if host not in api_hosts and host not in hosts:
@@ -8941,13 +8955,27 @@ def doCheckConnection():
  success_count = 0
  for host in hosts:
    try_count += 1
-    ip = socket.getaddrinfo(host, None)[0][-1][0] # works with ipv6
+    dns_err = None
+    ip = 'unknown'
+    try:
+        ip = socket.getaddrinfo(host, None)[0][-1][0] # works with ipv6
+    except socket.gaierror as err:
+        dns_err = f'{not_okay}\n   DNS failure: {err}\n'
+    except Exception as e:
+        dns_err = f'{not_okay}\n   Unknown DNS failure: {err}\n'
    check_line = f'Checking {host} ({ip}) ({try_count}/{host_count})...'
    writeStdout(f'{check_line:<100}')
    flushStdout()
+    if dns_err:
+        writeStdout(dns_err)
+        continue
    gen_firewall = 'You probably have security software or a firewall on your machine or network that is preventing GAM from making Internet connections. Check your network configuration or try running GAM on a hotspot or home network to see if the problem exists only on your organization\'s network.'
    try:
-      httpObj.request(f'https://{host}/', 'HEAD', headers=headers)
+      if host.startswith('http'):
+        url = host
+      else:
+        url = f'https://{host}:443/'
+      httpObj.request(url, 'HEAD', headers=headers)
      success_count += 1
      writeStdout(f'{okay}\n')
    except ConnectionRefusedError:
@@ -8956,15 +8984,16 @@ def doCheckConnection():
      writeStdout(f'{not_okay}\n    Connection reset by peer. {gen_firewall}\n')
    except httplib2.error.ServerNotFoundError:
      writeStdout(f'{not_okay}\n    Failed to find server. Your DNS is probably misconfigured.\n')
-    except ssl.SSLError as e:
-      if e.reason == 'SSLV3_ALERT_HANDSHAKE_FAILURE':
+    except ssl.SSLError as err:
+      err_type = type(err.args[0])
+      if err_type == ssl.SSLError:
        writeStdout(f'{not_okay}\n    GAM expects to connect with TLS 1.3 or newer and that failed. If your firewall / proxy server is not compatible with TLS 1.3 then you can tell GAM to allow TLS 1.2 by setting tls_min_version = TLSv1.2 in gam.cfg.\n')
-      elif e.reason == 'CERTIFICATE_VERIFY_FAILED':
+      elif err_type == ssl.SSLCertVerificationError:
        writeStdout(f'{not_okay}\n    Certificate verification failed. If you are behind a firewall / proxy server that does TLS / SSL inspection you may need to point GAM at your certificate authority file by setting cacerts_pem = /path/to/your/certauth.pem in gam.cfg.\n')
-      elif e.strerror.startswith('TLS/SSL connection has been closed\n'):
+      elif err.strerror and err.strerror.startswith('TLS/SSL connection has been closed\n'):
        writeStdout(f'{not_okay}\n    TLS connection was closed. {gen_firewall}\n')
      else:
-        writeStdout(f'{not_okay}\n    {str(e)}\n')
+        writeStdout(f'{not_okay}\n    {str(err)}\n')
    except TimeoutError:
      writeStdout(f'{not_okay}\n    Timed out trying to connect to host\n')
    except Exception as e:
--- a/src/gam/gamlib/glverlibs.py
+++ b/src/gam/gamlib/glverlibs.py
@@ -29,5 +29,6 @@ GAM_VER_LIBS = ['cryptography',
                'httplib2',
                'passlib',
                'python-dateutil',
+                'urllib3',
                'yubikey-manager',
                ]