1 """PipSession and supporting code, containing all pip-specific
2 network request configuration and behavior.
31 from pip
._vendor
import requests
, urllib3
32 from pip
._vendor
.cachecontrol
import CacheControlAdapter
as _BaseCacheControlAdapter
33 from pip
._vendor
.requests
.adapters
import DEFAULT_POOLBLOCK
, BaseAdapter
34 from pip
._vendor
.requests
.adapters
import HTTPAdapter
as _BaseHTTPAdapter
35 from pip
._vendor
.requests
.models
import PreparedRequest
, Response
36 from pip
._vendor
.requests
.structures
import CaseInsensitiveDict
37 from pip
._vendor
.urllib3
.connectionpool
import ConnectionPool
38 from pip
._vendor
.urllib3
.exceptions
import InsecureRequestWarning
40 from pip
import __version__
41 from pip
._internal
.metadata
import get_default_environment
42 from pip
._internal
.models
.link
import Link
43 from pip
._internal
.network
.auth
import MultiDomainBasicAuth
44 from pip
._internal
.network
.cache
import SafeFileCache
46 # Import ssl from compat so the initial import occurs in only one place.
47 from pip
._internal
.utils
.compat
import has_tls
48 from pip
._internal
.utils
.glibc
import libc_ver
49 from pip
._internal
.utils
.misc
import build_url_from_netloc
, parse_netloc
50 from pip
._internal
.utils
.urls
import url_to_path
53 from ssl
import SSLContext
55 from pip
._vendor
.urllib3
.poolmanager
import PoolManager
58 logger
= logging
.getLogger(__name__
)
60 SecureOrigin
= Tuple
[str, str, Optional
[Union
[int, str]]]
63 # Ignore warning raised when using --trusted-host.
64 warnings
.filterwarnings("ignore", category
=InsecureRequestWarning
)
67 SECURE_ORIGINS
: List
[SecureOrigin
] = [
68 # protocol, hostname, port
69 # Taken from Chrome's list of secure origins (See: http://bit.ly/1qrySKC)
71 ("*", "localhost", "*"),
72 ("*", "127.0.0.0/8", "*"),
73 ("*", "::1/128", "*"),
75 # ssh is always secure.
80 # These are environment variables present when running under various
81 # CI systems. For each variable, some CI systems that use the variable
82 # are indicated. The collection was chosen so that for each of a number
83 # of popular systems, at least one of the environment variables is used.
84 # This list is used to provide some indication of and lower bound for
85 # CI traffic to PyPI. Thus, it is okay if the list is not comprehensive.
86 # For more background, see: https://github.com/pypa/pip/issues/5499
87 CI_ENVIRONMENT_VARIABLES
= (
92 # AppVeyor, CircleCI, Codeship, Gitlab CI, Shippable, Travis CI
94 # Explicit environment variable.
99 def looks_like_ci() -> bool:
101 Return whether it looks like pip is running under CI.
103 # We don't use the method of checking for a tty (e.g. using isatty())
104 # because some CI systems mimic a tty (e.g. Travis CI). Thus that
105 # method doesn't provide definitive information in either direction.
106 return any(name
in os
.environ
for name
in CI_ENVIRONMENT_VARIABLES
)
109 def user_agent() -> str:
111 Return a string representing the user agent.
113 data
: Dict
[str, Any
] = {
114 "installer": {"name": "pip", "version": __version__}
,
115 "python": platform
.python_version(),
117 "name": platform
.python_implementation(),
121 if data
["implementation"]["name"] == "CPython":
122 data
["implementation"]["version"] = platform
.python_version()
123 elif data
["implementation"]["name"] == "PyPy":
124 pypy_version_info
= sys
.pypy_version_info
# type: ignore
125 if pypy_version_info
.releaselevel
== "final":
126 pypy_version_info
= pypy_version_info
[:3]
127 data
["implementation"]["version"] = ".".join(
128 [str(x
) for x
in pypy_version_info
]
130 elif data
["implementation"]["name"] == "Jython":
132 data
["implementation"]["version"] = platform
.python_version()
133 elif data
["implementation"]["name"] == "IronPython":
135 data
["implementation"]["version"] = platform
.python_version()
137 if sys
.platform
.startswith("linux"):
138 from pip
._vendor
import distro
140 linux_distribution
= distro
.name(), distro
.version(), distro
.codename()
141 distro_infos
: Dict
[str, Any
] = dict(
144 zip(["name", "version", "id"], linux_distribution
),
150 zip(["lib", "version"], libc_ver()),
154 distro_infos
["libc"] = libc
156 data
["distro"] = distro_infos
158 if sys
.platform
.startswith("darwin") and platform
.mac_ver()[0]:
159 data
["distro"] = {"name": "macOS", "version": platform.mac_ver()[0]}
161 if platform
.system():
162 data
.setdefault("system", {})["name"] = platform
.system()
164 if platform
.release():
165 data
.setdefault("system", {})["release"] = platform
.release()
167 if platform
.machine():
168 data
["cpu"] = platform
.machine()
173 data
["openssl_version"] = ssl
.OPENSSL_VERSION
175 setuptools_dist
= get_default_environment().get_distribution("setuptools")
176 if setuptools_dist
is not None:
177 data
["setuptools_version"] = str(setuptools_dist
.version
)
179 if shutil
.which("rustc") is not None:
180 # If for any reason `rustc --version` fails, silently ignore it
182 rustc_output
= subprocess
.check_output(
183 ["rustc", "--version"], stderr
=subprocess
.STDOUT
, timeout
=0.5
188 if rustc_output
.startswith(b
"rustc "):
189 # The format of `rustc --version` is:
190 # `b'rustc 1.52.1 (9bc8c42bb 2021-05-09)\n'`
191 # We extract just the middle (1.52.1) part
192 data
["rustc_version"] = rustc_output
.split(b
" ")[1].decode()
194 # Use None rather than False so as not to give the impression that
195 # pip knows it is not being run under CI. Rather, it is a null or
196 # inconclusive result. Also, we include some value rather than no
197 # value to make it easier to know that the check has been run.
198 data
["ci"] = True if looks_like_ci() else None
200 user_data
= os
.environ
.get("PIP_USER_AGENT_USER_DATA")
201 if user_data
is not None:
202 data
["user_data"] = user_data
204 return "{data[installer][name]}/{data[installer][version]} {json}".format(
206 json
=json
.dumps(data
, separators
=(",", ":"), sort_keys
=True),
210 class LocalFSAdapter(BaseAdapter
):
213 request
: PreparedRequest
,
214 stream
: bool = False,
215 timeout
: Optional
[Union
[float, Tuple
[float, float]]] = None,
216 verify
: Union
[bool, str] = True,
217 cert
: Optional
[Union
[str, Tuple
[str, str]]] = None,
218 proxies
: Optional
[Mapping
[str, str]] = None,
220 pathname
= url_to_path(request
.url
)
223 resp
.status_code
= 200
224 resp
.url
= request
.url
227 stats
= os
.stat(pathname
)
228 except OSError as exc
:
229 # format the exception raised as a io.BytesIO object,
230 # to return a better error message:
231 resp
.status_code
= 404
232 resp
.reason
= type(exc
).__name
__
233 resp
.raw
= io
.BytesIO(f
"{resp.reason}: {exc}".encode("utf8"))
235 modified
= email
.utils
.formatdate(stats
.st_mtime
, usegmt
=True)
236 content_type
= mimetypes
.guess_type(pathname
)[0] or "text/plain"
237 resp
.headers
= CaseInsensitiveDict(
239 "Content-Type": content_type
,
240 "Content-Length": stats
.st_size
,
241 "Last-Modified": modified
,
245 resp
.raw
= open(pathname
, "rb")
246 resp
.close
= resp
.raw
.close
250 def close(self
) -> None:
254 class _SSLContextAdapterMixin
:
255 """Mixin to add the ``ssl_context`` constructor argument to HTTP adapters.
257 The additional argument is forwarded directly to the pool manager. This allows us
258 to dynamically decide what SSL store to use at runtime, which is used to implement
259 the optional ``truststore`` backend.
265 ssl_context
: Optional
["SSLContext"] = None,
268 self
._ssl
_context
= ssl_context
269 super().__init
__(**kwargs
)
271 def init_poolmanager(
275 block
: bool = DEFAULT_POOLBLOCK
,
278 if self
._ssl
_context
is not None:
279 pool_kwargs
.setdefault("ssl_context", self
._ssl
_context
)
280 return super().init_poolmanager( # type: ignore[misc]
281 connections
=connections
,
288 class HTTPAdapter(_SSLContextAdapterMixin
, _BaseHTTPAdapter
):
292 class CacheControlAdapter(_SSLContextAdapterMixin
, _BaseCacheControlAdapter
):
296 class InsecureHTTPAdapter(HTTPAdapter
):
299 conn
: ConnectionPool
,
301 verify
: Union
[bool, str],
302 cert
: Optional
[Union
[str, Tuple
[str, str]]],
304 super().cert_verify(conn
=conn
, url
=url
, verify
=False, cert
=cert
)
307 class InsecureCacheControlAdapter(CacheControlAdapter
):
310 conn
: ConnectionPool
,
312 verify
: Union
[bool, str],
313 cert
: Optional
[Union
[str, Tuple
[str, str]]],
315 super().cert_verify(conn
=conn
, url
=url
, verify
=False, cert
=cert
)
318 class PipSession(requests
.Session
):
319 timeout
: Optional
[int] = None
325 cache
: Optional
[str] = None,
326 trusted_hosts
: Sequence
[str] = (),
327 index_urls
: Optional
[List
[str]] = None,
328 ssl_context
: Optional
["SSLContext"] = None,
332 :param trusted_hosts: Domains not to emit warnings for when not using
335 super().__init
__(*args
, **kwargs
)
337 # Namespace the attribute with "pip_" just in case to prevent
338 # possible conflicts with the base class.
339 self
.pip_trusted_origins
: List
[Tuple
[str, Optional
[int]]] = []
341 # Attach our User Agent to the request
342 self
.headers
["User-Agent"] = user_agent()
344 # Attach our Authentication handler to the session
345 self
.auth
= MultiDomainBasicAuth(index_urls
=index_urls
)
347 # Create our urllib3.Retry instance which will allow us to customize
348 # how we handle retries.
349 retries
= urllib3
.Retry(
350 # Set the total number of retries that a particular request can
353 # A 503 error from PyPI typically means that the Fastly -> Origin
354 # connection got interrupted in some way. A 503 error in general
355 # is typically considered a transient error so we'll go ahead and
357 # A 500 may indicate transient error in Amazon S3
358 # A 520 or 527 - may indicate transient error in CloudFlare
359 status_forcelist
=[500, 503, 520, 527],
360 # Add a small amount of back off between failed requests in
361 # order to prevent hammering the service.
365 # Our Insecure HTTPAdapter disables HTTPS validation. It does not
366 # support caching so we'll use it for all http:// URLs.
367 # If caching is disabled, we will also use it for
368 # https:// hosts that we've marked as ignoring
369 # TLS errors for (trusted-hosts).
370 insecure_adapter
= InsecureHTTPAdapter(max_retries
=retries
)
372 # We want to _only_ cache responses on securely fetched origins or when
373 # the host is specified as trusted. We do this because
374 # we can't validate the response of an insecurely/untrusted fetched
375 # origin, and we don't want someone to be able to poison the cache and
376 # require manual eviction from the cache to fix it.
378 secure_adapter
= CacheControlAdapter(
379 cache
=SafeFileCache(cache
),
381 ssl_context
=ssl_context
,
383 self
._trusted
_host
_adapter
= InsecureCacheControlAdapter(
384 cache
=SafeFileCache(cache
),
388 secure_adapter
= HTTPAdapter(max_retries
=retries
, ssl_context
=ssl_context
)
389 self
._trusted
_host
_adapter
= insecure_adapter
391 self
.mount("https://", secure_adapter
)
392 self
.mount("http://", insecure_adapter
)
394 # Enable file:// urls
395 self
.mount("file://", LocalFSAdapter())
397 for host
in trusted_hosts
:
398 self
.add_trusted_host(host
, suppress_logging
=True)
400 def update_index_urls(self
, new_index_urls
: List
[str]) -> None:
402 :param new_index_urls: New index urls to update the authentication
405 self
.auth
.index_urls
= new_index_urls
407 def add_trusted_host(
408 self
, host
: str, source
: Optional
[str] = None, suppress_logging
: bool = False
411 :param host: It is okay to provide a host that has previously been
413 :param source: An optional source string, for logging where the host
416 if not suppress_logging
:
417 msg
= f
"adding trusted host: {host!r}"
418 if source
is not None:
419 msg
+= f
" (from {source})"
422 parsed_host
, parsed_port
= parse_netloc(host
)
423 if parsed_host
is None:
424 raise ValueError(f
"Trusted host URL must include a host part: {host!r}")
425 if (parsed_host
, parsed_port
) not in self
.pip_trusted_origins
:
426 self
.pip_trusted_origins
.append((parsed_host
, parsed_port
))
429 build_url_from_netloc(host
, scheme
="http") + "/", self
._trusted
_host
_adapter
431 self
.mount(build_url_from_netloc(host
) + "/", self
._trusted
_host
_adapter
)
434 build_url_from_netloc(host
, scheme
="http") + ":",
435 self
._trusted
_host
_adapter
,
437 # Mount wildcard ports for the same host.
438 self
.mount(build_url_from_netloc(host
) + ":", self
._trusted
_host
_adapter
)
440 def iter_secure_origins(self
) -> Generator
[SecureOrigin
, None, None]:
441 yield from SECURE_ORIGINS
442 for host
, port
in self
.pip_trusted_origins
:
443 yield ("*", host
, "*" if port
is None else port
)
445 def is_secure_origin(self
, location
: Link
) -> bool:
446 # Determine if this url used a secure transport mechanism
447 parsed
= urllib
.parse
.urlparse(str(location
))
448 origin_protocol
, origin_host
, origin_port
= (
454 # The protocol to use to see if the protocol matches.
455 # Don't count the repository type as part of the protocol: in
456 # cases such as "git+ssh", only use "ssh". (I.e., Only verify against
458 origin_protocol
= origin_protocol
.rsplit("+", 1)[-1]
460 # Determine if our origin is a secure origin by looking through our
461 # hardcoded list of secure origins, as well as any additional ones
462 # configured on this PackageFinder instance.
463 for secure_origin
in self
.iter_secure_origins():
464 secure_protocol
, secure_host
, secure_port
= secure_origin
465 if origin_protocol
!= secure_protocol
and secure_protocol
!= "*":
469 addr
= ipaddress
.ip_address(origin_host
or "")
470 network
= ipaddress
.ip_network(secure_host
)
472 # We don't have both a valid address or a valid network, so
473 # we'll check this origin against hostnames.
476 and origin_host
.lower() != secure_host
.lower()
477 and secure_host
!= "*"
481 # We have a valid address and network, so see if the address
482 # is contained within the network.
483 if addr
not in network
:
486 # Check to see if the port matches.
488 origin_port
!= secure_port
489 and secure_port
!= "*"
490 and secure_port
is not None
494 # If we've gotten here, then this origin matches the current
495 # secure origin and we should return True
498 # If we've gotten to this point, then the origin isn't secure and we
499 # will not accept it as a valid location to search. We will however
500 # log a warning that we are ignoring it.
502 "The repository located at %s is not a trusted or secure host and "
503 "is being ignored. If this repository is available via HTTPS we "
504 "recommend you use HTTPS instead, otherwise you may silence "
505 "this warning and allow it anyway with '--trusted-host %s'.",
512 def request(self
, method
: str, url
: str, *args
: Any
, **kwargs
: Any
) -> Response
:
513 # Allow setting a default timeout on a session
514 kwargs
.setdefault("timeout", self
.timeout
)
515 # Allow setting a default proxies on a session
516 kwargs
.setdefault("proxies", self
.proxies
)
518 # Dispatch the actual request
519 return super().request(method
, url
, *args
, **kwargs
)