Accepting request 708287 from devel:languages:python

- Skip test_source_address_error as we raise different error with fixes that we provide in new python2/3 - Add more test to skip as with new openssl some behaviour changed and we can't rely on them anymore - Unbundle the six, rfc3986, and backports.ssl_match_hostname - Update to 1.25.3: * Change HTTPSConnection to load system CA certificates when ca_certs, ca_cert_dir, and ssl_context are unspecified. (Pull #1608, Issue #1603) * Upgrade bundled rfc3986 to v1.3.2. (Pull #1609, Issue #1605) - Update to 1.25.2: * Change is_ipaddress to not detect IPvFuture addresses. (Pull #1583) * Change parse_url to percent-encode invalid characters within the path, query, and target components. (Pull #1586) * Add support for Google's Brotli package. (Pull #1572, Pull #1579) * Upgrade bundled rfc3986 to v1.3.1 (Pull #1578) - Require all the deps from the secure list rather than Recommend. This makes the check to be run always and ensure the urls are "secure". - Remove ndg-httpsclient as it is not needed since 2015 - Add missing dependency on brotlipy - Fix the tests to pass again - update to 1.25 (bsc#1132663, CVE-2019-11236): * Require and validate certificates by default when using HTTPS * Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant. * Added support for ``key_password`` for ``HTTPSConnectionPool`` to use encrypted ``key_file`` without creating your own ``SSLContext`` object. OBS-URL: https://build.opensuse.org/request/show/708287 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-urllib3?expand=0&rev=27
2019-06-18 12:48:06 +00:00 · 2019-06-18 12:48:06 +00:00 · b2ede91d4c
commit b2ede91d4c
parent ff60925403 d9ccae276f
7 changed files with 158 additions and 56 deletions
--- a/python-urllib3.changes
+++ b/python-urllib3.changes
@ -1,3 +1,67 @@
+-------------------------------------------------------------------
+Fri Jun  7 11:40:05 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Skip test_source_address_error as we raise different error with
+  fixes that we provide in new python2/3
+
+-------------------------------------------------------------------
+Wed May 29 08:59:29 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Add more test to skip as with new openssl some behaviour changed
+  and we can't rely on them anymore
+
+-------------------------------------------------------------------
+Wed May 29 08:20:27 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Unbundle the six, rfc3986, and backports.ssl_match_hostname
+
+-------------------------------------------------------------------
+Fri May 24 19:16:21 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Update to 1.25.3:
+  * Change HTTPSConnection to load system CA certificates when ca_certs, ca_cert_dir, and ssl_context are unspecified. (Pull #1608, Issue #1603)
+  * Upgrade bundled rfc3986 to v1.3.2. (Pull #1609, Issue #1605)
+
+-------------------------------------------------------------------
+Mon May  6 11:18:36 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Update to 1.25.2:
+  * Change is_ipaddress to not detect IPvFuture addresses. (Pull #1583)
+  * Change parse_url to percent-encode invalid characters within the path, query, and target components. (Pull #1586)
+  * Add support for Google's Brotli package. (Pull #1572, Pull #1579)
+  * Upgrade bundled rfc3986 to v1.3.1 (Pull #1578)
+- Require all the deps from the secure list rather than Recommend.
+  This makes the check to be run always and ensure the urls are
+  "secure".
+- Remove ndg-httpsclient as it is not needed since 2015
+
+-------------------------------------------------------------------
+Tue Apr 23 10:27:36 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Add missing dependency on brotlipy
+- Fix the tests to pass again
+
+-------------------------------------------------------------------
+Tue Apr 23 04:04:50 UTC 2019 - Thomas Bechtold <tbechtold@suse.com>
+
+- update to 1.25 (bsc#1132663, CVE-2019-11236):
+  * Require and validate certificates by default when using HTTPS
+  * Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant.
+  * Added support for ``key_password`` for ``HTTPSConnectionPool`` to use
+    encrypted ``key_file`` without creating your own ``SSLContext`` object.
+  * Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport ``SSLContext``
+    implementations. (Pull #1496)
+  * Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft.
+  * Fixed issue where OpenSSL would block if an encrypted client private key was
+    given and no password was given. Instead an ``SSLError`` is raised.
+  * Added support for Brotli content encoding. It is enabled automatically if
+  ``brotlipy`` package is installed which can be requested with
+  ``urllib3[brotli]`` extra.
+  * Drop ciphers using DSS key exchange from default TLS cipher suites.
+    Improve default ciphers when using SecureTransport.
+  * Implemented a more efficient ``HTTPResponse.__iter__()`` method.
+- Drop urllib3-test-ssl-drop-sslv3.patch . No longer needed
+
 -------------------------------------------------------------------
 Thu Apr 18 00:02:07 CEST 2019 - Matej Cepl <mcepl@suse.com>

--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@ -18,55 +18,62 @@

 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define oldpython python
-
 %global flavor @BUILD_FLAVOR@%{nil}
 %if "%{flavor}" == "test"
-%define test 1
+%define psuffix -test
 %bcond_without test
 %else
+%define psuffix %{nil}
 %bcond_with test
 %endif
-%if %{with test}
-Name:           python-urllib3-%{flavor}
-%else
-Name:           python-urllib3
-%endif
-Version:        1.24.2
+Name:           python-urllib3%{psuffix}
+Version:        1.25.3
 Release:        0
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 License:        MIT
 Group:          Development/Languages/Python
 URL:            http://urllib3.readthedocs.org/
 Source:         https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
+# Wrapper for ssl to unbundle ssl_match_hostname
+Source1:        ssl_match_hostname_py3.py
 # PATCH-FEATURE-UPSTREAM -- use set_default_verify_paths() if no certificate path is supplied
 # should be removed in the future, see SR#437853
-Patch2:         urllib3-ssl-default-context.patch
-# PATCH-FIX-OPENSUSE -- do not use unsupported SSLv3 in tests
-Patch3:         urllib3-test-ssl-drop-sslv3.patch
+Patch0:         urllib3-ssl-default-context.patch
 # PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303, boo#1074247 dimstar@opensuse.org -- Fix test suite, use correct date
-Patch4:         python-urllib3-recent-date.patch
+Patch1:         python-urllib3-recent-date.patch
+# for SSL module on older distros
+BuildRequires:  %{oldpython}
 BuildRequires:  %{python_module PySocks}
 BuildRequires:  %{python_module psutil}
+BuildRequires:  %{python_module rfc3986}
 BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module six}
 BuildRequires:  fdupes
+BuildRequires:  python-backports.ssl_match_hostname
 BuildRequires:  python-rpm-macros
+BuildRequires:  python2-ipaddress
+#!BuildIgnore:  python-requests
+Requires:       ca-certificates-mozilla
+Requires:       python-cryptography
+Requires:       python-idna
+Requires:       python-pyOpenSSL
+Requires:       python-rfc3986
+Requires:       python-six
+BuildArch:      noarch
+%ifpython2
+Requires:       python-backports.ssl_match_hostname
+%endif
 %if %{with test}
+BuildRequires:  %{python_module brotlipy}
+BuildRequires:  %{python_module idna}
 BuildRequires:  %{python_module mock >= 1.3.0}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module tornado >= 4.2.1}
+BuildRequires:  %{python_module urllib3 >= %{version}}
 %endif
-#!BuildIgnore:  python-requests
-BuildArch:      noarch
 %if 0%{?suse_version} >= 1000 || 0%{?fedora_version} >= 24
-Recommends:     ca-certificates-mozilla
-Recommends:     python-cryptography
-Recommends:     python-idna
-Recommends:     python-ndg-httpsclient
-Recommends:     python-pyOpenSSL
+Recommends:     python-brotlipy
 %endif
-# for SSL module on older distros
-BuildRequires:  %{oldpython}
-BuildRequires:  python2-ipaddress
 %ifpython2
 Requires:       python-ipaddress
 %endif
@ -90,46 +97,85 @@ Highlights

 %prep
 %setup -q -n urllib3-%{version}
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+%autopatch -p1
 find . -type f -exec chmod a-x '{}' \;
+find . -name __pycache__ -type d -exec rm -fr {} +
+
+# Drop the dummyserver tests, they fail in OBS
+rm test/with_dummyserver/test_proxy_poolmanager.py
+rm test/with_dummyserver/test_poolmanager.py
+# Don't run the Google App Engine tests
+rm -r test/appengine/

 %build
 %python_build

 %install
+%if !%{with test}
 %python_install
+
 %{python_expand \
 $python -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}/urllib3/
 $python -O -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}/urllib3/
-%fdupes %{buildroot}%{$python_sitelib}
 }

+# Unbundle the Python 2 build
+rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py*
+rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname/
+rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/rfc3986/
+
+mkdir -p %{buildroot}/%{python2_sitelib}/urllib3/packages/
+ln -s %{python2_sitelib}/six.py %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py
+ln -s %{python2_sitelib}/six.pyc %{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyc
+ln -s %{python2_sitelib}/six.pyo %{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyo
+ln -s %{python2_sitelib}/backports/ssl_match_hostname \
+      %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname
+ln -s %{python2_sitelib}/rfc3986/ \
+      %{buildroot}/%{python2_sitelib}/urllib3/packages/rfc3986
+# Unbundle the Python 3 build
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py*
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six*
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname/
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/rfc3986/
+
+mkdir -p %{buildroot}/%{python3_sitelib}/urllib3/packages/
+cp -a %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py
+ln -s %{python3_sitelib}/six.py %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py
+ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.opt-1.pyc \
+      %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/
+ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
+      %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/
+ln -s %{python3_sitelib}/rfc3986/ \
+      %{buildroot}/%{python3_sitelib}/urllib3/packages/rfc3986
+
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+%endif
+
 %check
 %if %{with test}
-skiplist='not test_select_interrupt_exception and not test_selector_error and not timeout and not test_request_host_header_ignores_fqdn_dot and not test_dotted_fqdn'
+skiplist='not test_select_interrupt_exception and not test_selector_error and not timeout and not test_request_host_header_ignores_fqdn_dot and not test_dotted_fqdn and not TestImportWithoutSSL'
 case $(uname -m) in
 ppc*)
 skiplist="$skiplist and not test_select_timing and not test_select_multiple_interrupts_with_event and not test_interrupt_wait_for_read_with_event and not test_select_interrupt_with_event";;
 esac
+# the tls13 tests are not run in upstream travis and they fail for us
+# lets wait for upstream to sort it out first
+skiplist="$skiplist and not test_set_ssl_version_to_tls_version"
+# the certificate validation is much stricter in new openssl so skip
+# tests which would not validate it
+skiplist="$skiplist and not test_client_no_intermediate"
+# we have patch to fix source address errors in python and raise different
+# error than urllib3 expects in its tests
+skiplist="$skiplist and not test_source_address_error"

-rm -rf build
-# pretend to be TRAVIS (this triggers timing tolerance)
-export TRAVIS=1
-%{python_expand PYTHONPATH="%{buildroot}%{$python_sitelib}" py.test-%$python_bin_suffix \
-                --ignore=test/appengine \
-                --ignore=test/with_dummyserver/test_proxy_poolmanager.py \
-                --ignore=test/with_dummyserver/test_poolmanager.py \
-                -k "${skiplist}" \
-                src/urllib3 test}
-rm -rf %{buildroot}%{_libexecdir}/python*
+export PYTHONDONTWRITEBYTECODE=1
+%pytest -k "${skiplist}"
 %endif

+%if ! %{with test}
 %files %{python_files}
 %license LICENSE.txt
 %doc CHANGES.rst CONTRIBUTORS.txt README.rst
-%if ! %{with test}
 %{python_sitelib}/urllib3
 %{python_sitelib}/urllib3-%{version}-py*.egg-info
 %endif
--- a/ssl_match_hostname_py3.py
+++ b/ssl_match_hostname_py3.py
@ -0,0 +1 @@
+from ssl import match_hostname, CertificateError
--- a/urllib3-1.24.2.tar.gz
+++ b/urllib3-1.24.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9a247273df709c4fedb38c711e44292304f73f39ab01beda9f6b9fc375669ac3
-size 230699
--- a/urllib3-1.25.3.tar.gz
+++ b/urllib3-1.25.3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232
+size 262150
--- a/urllib3-ssl-default-context.patch
+++ b/urllib3-ssl-default-context.patch
@ -1,5 +1,7 @@
--- a/src/urllib3/util/ssl_.py
-+++ b/src/urllib3/util/ssl_.py
+Index: urllib3-1.25/src/urllib3/util/ssl_.py
+===================================================================
+--- urllib3-1.25.orig/src/urllib3/util/ssl_.py
+++ urllib3-1.25/src/urllib3/util/ssl_.py
@@ -333,6 +333,8 @@ def ssl_wrap_socket(sock, keyfile=None,
     elif ssl_context is None and hasattr(context, 'load_default_certs'):
         # try to load OS default certs; works well on Windows (require Python3.4+)
@ -7,5 +9,5 @@
 +    elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):
 +        context.set_default_verify_paths()
 
-     if certfile:
-         context.load_cert_chain(certfile, keyfile)
+     # Attempt to detect if we get the goofy behavior of the
+     # keyfile being encrypted and OpenSSL asking for the
--- a/urllib3-test-ssl-drop-sslv3.patch
+++ b/urllib3-test-ssl-drop-sslv3.patch
@ -1,11 +0,0 @@
--- a/test/with_dummyserver/test_https.py
-+++ b/test/with_dummyserver/test_https.py
-@@ -557,7 +557,7 @@ class TestHTTPS(HTTPSDummyServerTestCase
- 
- class TestHTTPS_TLSv1(HTTPSDummyServerTestCase):
-     certs = DEFAULT_CERTS.copy()
-    certs['ssl_version'] = ssl.PROTOCOL_TLSv1
-+    certs['ssl_version'] = ssl.PROTOCOL_TLSv1_2
- 
-     def setUp(self):
-         self._pool = HTTPSConnectionPool(self.host, self.port)
				`@ -0,0 +1 @@`
				`from ssl import match_hostname, CertificateError`