ó Òbc@@s1ddlmZddlZejdkr>ddlmZnddlmZddlZddlm Z ddl m Z ddl m Z ydd l m Z Wn!ek rÁdd lm Z nXdd lmZdd lmZmZdd lmZd gZdefd„ƒYZd efd„ƒYZdS(i(tabsolute_importNii(thttplib(tdebug(t Semaphore(ttime(turlparse(tConfig(tParameterErrortS3SSLCertificateError(tgetBucketFromHostnametConnManthttp_connectioncB@s}eZdZeZed„ƒZed„ƒZed„ƒZ ed„ƒZ d„Z d„Z edd„ƒZ d„ZRS( cC@sctƒ}d}ytjd|ƒ}Wntk r8nX|r_|j r_t|_tdƒn|S(Ntcafileu+Disabling SSL certificate hostname checking( RtNonetssltcreate_default_contexttAttributeErrortcheck_ssl_hostnametFalsetcheck_hostnameR(R tcfgtcontext((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyt_ssl_verified_context(s    cC@sGtdƒd}ytjd|dtjƒ}Wntk rBnX|S(Nu"Disabling SSL certificate checkingR t cert_reqs(RR Rt_create_unverified_contextt CERT_NONER(R R((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyt_ssl_unverified_context6s  c C@s^d}y@|rtjntj}tjd|d|d|d|ƒ}Wntk rYnX|S(NR tkeyfiletcertfileR(R Rt CERT_REQUIREDRRR(RRtcheck_server_certR RR((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyt_ssl_client_auth_contextAs  cC@sætjrtjStƒ}|j}|dkr7d}n|jpCd}|jpRd}td|ƒtd|ƒtd|ƒ|dk r¦tj |||j |ƒ}n*|j rÁtj |ƒ}ntj |ƒ}|t_t t_|S(NtuUsing ca_certs_file %suUsing ssl_client_cert_file %suUsing ssl_client_key_file %s(R t context_setRRt ca_certs_fileR tssl_client_cert_filetssl_client_key_fileRRtcheck_ssl_certificateRRtTrue(RR RRR((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyt _ssl_contextNs&            cC@stdƒ|jdd ƒ}|jƒ}tdtjƒj}xÓ|D]Ë\}}|dkrE|jƒ}|jdƒr–|jdƒr–|jdƒs´|jdƒr¸|jdƒr¸t S||idd 6tj jƒd 6kr|j|id d 6tj jƒd 6ƒrt SqEqEWt S( sú Wildcard matching for *.s3.amazonaws.com and similar per region. Per http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html: "We recommend that all bucket names comply with DNS naming conventions." Per http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html: "When using virtual hosted-style buckets with SSL, the SSL wild card certificate only matches buckets that do not contain periods. To work around this, use HTTP or write your own certificate verification logic." Therefore, we need a custom validation routine that allows mybucket.example.com.s3.amazonaws.com to be considered a valid hostname for the *.s3.amazonaws.com wildcard cert, and for the region-specific *.s3-[region].amazonaws.com wildcard cert. We also forgive non-S3 wildcard certificates should the hostname match, to allow compatibility with other S3 API-compatible storage providers. u6checking SSL subjectAltName as forgiving wildcard certtsubjectAltNameshttps://tDNSs*.s3s.amazonaws.coms.amazonaws.com.cnt*tbuckettlocationR (( RtgettlowerRRt host_bucketthostnamet startswithtendswithR&tbucket_locationR(tselftcertR0tsantcleaned_host_bucket_configtkeytvalue((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pytforgive_wildcard_certis"    ! ! cC@sƒ|jjjƒ}ytj||jƒWnStk r=dStk rNdStk r~}|j ||jƒs|‚qnXdS(N( tctsockt getpeercertRtmatch_hostnameR0Rt ValueErrortS3CertificateErrorR:(R4R5te((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyR>‘s  cC@sy™tjƒ}t|ƒ\}}|rXd|krXtdƒt}|rpt|_qpn|rj|j}nt}tj||d|d|ƒ}tdƒWngt k ry&tj||d|ƒ}tdƒWqt k rþtj||ƒ}tdƒqXnX|S(Nt.uHBucket name contains "." character, disabling initial SSL hostname checkRRu=httplib.HTTPSConnection() has both context and check_hostnameu*httplib.HTTPSConnection() has only contextu@httplib.HTTPSConnection() has neither context nor check_hostname( R R'R RRRR&RtHTTPSConnectiont TypeError(R0tportRt bucket_nametsuccessRtconn((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyt_https_connectionŸs*     cC@s¿||_||_d|_td|ƒ}|j|_|j|_|jrƒ|jdkrƒ|jjdƒ|_td|jƒn d|_|j s|rÏt j |j|jƒ|_ td|j|jƒq¯tj|j|jƒ|_ td|j|jƒn¬|r~t j |j |jƒ|_ td|j |jƒ|jrL|jpOd}|j j|j|ƒtd |j|ƒn1tj|j |jƒ|_ td |j |jƒtƒ|_dS( Nishttps://t/uendpoint path set to %su#non-proxied HTTPSConnection(%s, %s)u"non-proxied HTTPConnection(%s, %s)uproxied HTTPSConnection(%s, %s)i»utunnel to %s, %suproxied HTTPConnection(%s, %s)(RtidtcounterRR0REtpathtrstripRR t proxy_hostR RIR;RtHTTPConnectiont proxy_portt set_tunnelRtlast_used_time(R4RKR0RRtparsed_hostnameRE((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyt__init__Äs2       N(t__name__t __module__R RRR!t staticmethodRRRR'R:R>RIRU(((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyR $s   ( $cB@s_eZejZejZeƒZiZdZe dd„ƒZ e d„ƒZ e d„ƒZ RS(i cC@sÌtƒ}|dkr!|j}nd}|jdkrs|rZtjdkrZtdƒ‚nd|j|jf}nd|r‚dp…d|f}tj j ƒ|tj kr»gtj |(R0RRRHtconn_idtcur_time((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyR-üs@          cC@sâ|jjdƒr-tj|ƒtdƒdS|jtjkrZtj|ƒtdƒdStƒ}|js‡tj|ƒtdƒdSt ƒ|_ tj j ƒtj |jj|ƒtj jƒtd|j|jfƒdS(Nsproxy://sFConnMan.put(): closing proxy connection (keep-alive not yet supported)s+ConnMan.put(): closing over-used connections?ConnMan.put(): closing connection (connection pooling disabled)s2ConnMan.put(): connection put back to pool (%s#%d)(RKR1R RbRRLtconn_max_counterRtconnection_poolingRRSR]R^R_tappendRc(RHR((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pytput"s&           cC@s|r|jjƒndS(N(R;Rb(RH((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyRb>sN(RVRWRt _CS_REQ_SENTtCONTINUERR]R_RgRXR R-RjRb(((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyR õs   %(ii(t __future__RR[t version_infotCustom_httplib3xRtCustom_httplib27RtloggingRt threadingRRRt ImportErrort urllib.parseRt ExceptionsRRtUtilsR t__all__tobjectR R (((sJ/oak/stanford/groups/akundaje/marinovg/programs/s3cmd-master/S3/ConnMan.pyt s$    Ñ