"""
Module for fetching files via HTTP and FTP. Directly or over SSL (HTTPS) with
server certificate validation.
"""
import re
import os
import os.path
import pycurl
from pyanaconda.core.configuration.anaconda import conf
from org_fedora_oscap import utils
import logging
log = logging.getLogger("anaconda")
# everything else should be private
__all__ = ["fetch_data", "can_fetch_from"]
# prefixes of the URLs that need network connection
NET_URL_PREFIXES = ("http", "https", "ftp")
# prefixes of the URLs that may not need network connection
LOCAL_URL_PREFIXES = ("file",)
# TODO: needs improvements
HTTP_URL_RE_STR = r"(https?)://(.*)"
HTTP_URL_RE = re.compile(HTTP_URL_RE_STR)
FTP_URL_RE_STR = r"(ftp)://(.*)"
FTP_URL_RE = re.compile(FTP_URL_RE_STR)
FILE_URL_RE_STR = r"(file)://(.*)"
FILE_URL_RE = re.compile(FILE_URL_RE_STR)
class DataFetchError(Exception):
"""Parent class for the exception classes defined in this module."""
pass
class CertificateValidationError(DataFetchError):
"""Class for the certificate validation related errors."""
pass
class WrongRequestError(DataFetchError):
"""Class for the wrong combination of parameters errors."""
pass
class UnknownURLformatError(DataFetchError):
"""Class for invalid URL cases."""
pass
class FetchError(DataFetchError):
"""
Class for the errors when fetching data. Usually due to I/O errors.
"""
pass
def can_fetch_from(url):
"""
Function telling whether the fetch_data function understands the type of
given URL or not.
:param url: URL
:type url: str
:return: whether the type of the URL is supported or not
:rtype: str
"""
resources = NET_URL_PREFIXES + LOCAL_URL_PREFIXES
return any(url.startswith(prefix) for prefix in resources)
def fetch_data(url, out_file, ca_certs=None):
"""
Fetch data from a given URL. If the URL starts with https://, ca_certs can
be a path to PEM file with CA certificate chain to validate server
certificate.
:param url: URL of the data
:type url: str
:param out_file: path to the output file
:type out_file: str
:param ca_certs: path to a PEM file with CA certificate chain
:type ca_certs: str
:raise WrongRequestError: if a wrong combination of arguments is passed
(ca_certs file path given and url starting with
http://) or arguments don't have required format
:raise CertificateValidationError: if server certificate validation fails
:raise FetchError: if data fetching fails (usually due to I/O errors)
"""
# create the directory for the out_file if it doesn't exist
out_dir = os.path.dirname(out_file)
utils.ensure_dir_exists(out_dir)
if can_fetch_from(url):
_curl_fetch(url, out_file, ca_certs)
else:
msg = "Cannot fetch data from '%s': unknown URL format" % url
raise UnknownURLformatError(msg)
def _curl_fetch(url, out_file, ca_certs=None):
"""
Function that fetches data and writes it out to the given file path. If a
path to the file with CA certificates is given and the url starts with
'https', the server certificate is validated.
:param url: url of the data that has to start with 'http://' or "https://"
:type url: str
:param out_file: path to the output file
:type out_file: str
:param ca_certs: path to the file with CA certificates for server
certificate validation
:type ca_certs: str
:raise WrongRequestError: if a wrong combination of arguments is passed
(ca_certs file path given and url starting with
http://) or arguments don't have required format
:raise CertificateValidationError: if server certificate validation fails
:raise FetchError: if data fetching fails (usually due to I/O errors)
"""
if url.startswith("ftp"):
match = FTP_URL_RE.match(url)
if not match:
msg = "Wrong url not matching '%s'" % FTP_URL_RE_STR
raise WrongRequestError(msg)
else:
protocol, path = match.groups()
if '@' not in path:
# no user:pass given -> use anonymous login to the FTP server
url = protocol + "://anonymous:@" + path
elif url.startswith("file"):
match = FILE_URL_RE.match(url)
if not match:
msg = "Wrong url not matching '%s'" % FILE_URL_RE_STR
raise WrongRequestError(msg)
else:
match = HTTP_URL_RE.match(url)
if not match:
msg = "Wrong url not matching '%s'" % HTTP_URL_RE_STR
raise WrongRequestError(msg)
# the first group contains the protocol, the second one the rest
protocol = match.groups()[0]
if not out_file:
raise WrongRequestError("out_file cannot be an empty string")
if ca_certs and protocol != "https":
msg = "Cannot verify server certificate when using plain HTTP"
raise WrongRequestError(msg)
curl = pycurl.Curl()
curl.setopt(pycurl.URL, url)
if ca_certs and protocol == "https":
# the strictest verification
curl.setopt(pycurl.SSL_VERIFYHOST, 2)
curl.setopt(pycurl.SSL_VERIFYPEER, 1)
curl.setopt(pycurl.CAINFO, ca_certs)
# may be turned off by flags (specified on command line, take precedence)
if not conf.payload.verify_ssl:
log.warning("Disabling SSL verification due to the noverifyssl flag")
curl.setopt(pycurl.SSL_VERIFYHOST, 0)
curl.setopt(pycurl.SSL_VERIFYPEER, 0)
try:
with open(out_file, "wb") as fobj:
curl.setopt(pycurl.WRITEDATA, fobj)
curl.perform()
except pycurl.error as err:
# first arg is the error code
if err.args[0] == pycurl.E_SSL_CACERT:
msg = "Failed to connect to server and validate its "\
"certificate: %s" % err
raise CertificateValidationError(msg)
else:
msg = "Failed to fetch data: %s" % err
raise FetchError(msg)