From 3ba5dbf23f6dd6ec834fdb72c971b3de7a39ffd4 Mon Sep 17 00:00:00 2001 From: verycarefully Date: Mon, 8 Aug 2016 12:09:38 -0400 Subject: [PATCH 1/4] Opt-in behavior to ignore system proxies. --- code/client/munkilib/fetch.py | 3 +++ code/client/munkilib/gurl.py | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/code/client/munkilib/fetch.py b/code/client/munkilib/fetch.py index c243afcc..eb0e82c5 100644 --- a/code/client/munkilib/fetch.py +++ b/code/client/munkilib/fetch.py @@ -184,9 +184,12 @@ def get_url(url, destinationpath, cache_data = gurl_obj.get_stored_headers() del gurl_obj + ignore_system_proxy = munkicommon.pref('IgnoreSystemProxies') + options = {'url': url, 'file': tempdownloadpath, 'follow_redirects': follow_redirects, + 'ignore_system_proxy': ignore_system_proxy, 'can_resume': resume, 'additional_headers': header_dict_from_list(custom_headers), 'download_only_if_changed': onlyifnewer, diff --git a/code/client/munkilib/gurl.py b/code/client/munkilib/gurl.py index 71bfb79f..07c742bf 100644 --- a/code/client/munkilib/gurl.py +++ b/code/client/munkilib/gurl.py @@ -33,6 +33,9 @@ from objc import super # PyLint cannot properly find names inside Cocoa libraries, so issues bogus # No name 'Foo' in module 'Bar' warnings. Disable them. # pylint: disable=E0611 + +from CFNetwork import kCFNetworkProxiesHTTPSEnable, kCFNetworkProxiesHTTPEnable + from Foundation import NSBundle, \ NSRunLoop, NSDate, \ NSObject, NSURL, NSURLConnection, \ @@ -176,6 +179,7 @@ class Gurl(NSObject): return self.follow_redirects = options.get('follow_redirects', False) + self.ignore_system_proxy = options.get('ignore_system_proxy', False) self.destination_path = options.get('file') self.can_resume = options.get('can_resume', False) self.url = options.get('url') 
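Review bot: Nothing in the fetch.py hunk records that a download will bypass the system proxy: `IgnoreSystemProxies` is read and forwarded in `options` with no log line, so a run that skipped the proxy looks the same in the logs as one that did not. The proxy is often where egress filtering and inspection happen, so an audit trail is worth having, for example `if ignore_system_proxy:` followed by `munkicommon.log('IgnoreSystemProxies is set; system HTTP/HTTPS proxies will be bypassed')`. The value is also passed on in whatever type the preference layer returns, so a comment stating that a boolean is expected would help. get_url starts and ends outside the hunk.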
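Review bot: The `from CFNetwork import ...` line in gurl.py is an unconditional module-level import for an opt-in feature, so if the CFNetwork bridge is missing on any supported system, importing gurl fails and every download fails with it, whether or not the preference is set. The NSURLSession import further down the same file is wrapped in `try:`; guarding this import the same way, and skipping the proxy override when the keys are unavailable, keeps the default path unaffected. The flag name below is a suggestion only.

```python
try:
    from CFNetwork import (kCFNetworkProxiesHTTPSEnable,
                           kCFNetworkProxiesHTTPEnable)
    CFNETWORK_PROXY_KEYS_AVAILABLE = True
except ImportError:
    CFNETWORK_PROXY_KEYS_AVAILABLE = False
```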
@@ -244,6 +248,13 @@ class Gurl(NSObject): if NSURLSESSION_AVAILABLE: configuration = \ NSURLSessionConfiguration.defaultSessionConfiguration() + + # (optional) set connections to ignore system proxies + if self.ignore_system_proxy == True: + configuration.setConnectionProxyDictionary_( + { kCFNetworkProxiesHTTPEnable: False, + kCFNetworkProxiesHTTPSEnable: False }) + # set minumum supported TLS protocol (defaults to TLS1) configuration.setTLSMinimumSupportedProtocol_( self.minimum_tls_protocol) From 66d02caeaff7b83acfa09b21e25f4e518e62766f Mon Sep 17 00:00:00 2001 From: verycarefully Date: Mon, 8 Aug 2016 12:25:41 -0400 Subject: [PATCH 2/4] Fix lint warnings. --- code/client/munkilib/gurl.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/code/client/munkilib/gurl.py b/code/client/munkilib/gurl.py index 07c742bf..fb39e366 100644 --- a/code/client/munkilib/gurl.py +++ b/code/client/munkilib/gurl.py @@ -250,10 +250,10 @@ class Gurl(NSObject): NSURLSessionConfiguration.defaultSessionConfiguration() # (optional) set connections to ignore system proxies - if self.ignore_system_proxy == True: - configuration.setConnectionProxyDictionary_( - { kCFNetworkProxiesHTTPEnable: False, - kCFNetworkProxiesHTTPSEnable: False }) + if self.ignore_system_proxy is True: + configuration.setConnectionProxyDictionary_( + {kCFNetworkProxiesHTTPEnable: False, + kCFNetworkProxiesHTTPSEnable: False}) # set minumum supported TLS protocol (defaults to TLS1) configuration.setTLSMinimumSupportedProtocol_( @@ -477,7 +477,7 @@ class Gurl(NSObject): def handleRedirect_newRequest_withCompletionHandler_( self, response, request, completionHandler): '''Handle the redirect request''' - if response == None: + if response is None: # the request has changed the NSURLRequest in order to standardize # its format, for example, changing a request for # http://www.apple.com to http://www.apple.com/. This occurs because 
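Review bot: The proxy override in the -244 hunk sits only inside the `if NSURLSESSION_AVAILABLE:` branch, so on any other connection path the option is accepted and then silently ignored. Requests there keep using the system proxy with no indication that the setting had no effect. A log line on that path would make the mismatch visible, e.g. `self.log('ignore_system_proxy requested but NSURLSession is unavailable; system proxies still apply')`. The enclosing method and the non-NSURLSession side of this branch are outside the hunk.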
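Review bot: Changing `== True` to `is True` on `self.ignore_system_proxy` in the -250 hunk is not a pure lint fix: a preference stored as the integer 1 matched before and no longer does, and the option then stays off without any message. Whether the preference layer returns the Python `True` singleton for a plist boolean is not visible in this diff, so that is worth confirming. Keeping the strict check is reasonable for a setting that bypasses a network control, but it should be documented, e.g. `# only a real boolean True enables this; 1 or 'true' are ignored`. The same narrowing applies to `self.follow_redirects is True` in the -504 hunk and to `follow_redirects is not True` in fetch.py in the next patch.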
@@ -504,7 +504,7 @@ class Gurl(NSObject): newParsedURL = urlparse(newURL) # This code was largely based on the work of Andreas Fuchs # (https://github.com/munki/munki/pull/465) - if self.follow_redirects == True or self.follow_redirects == 'all': + if self.follow_redirects is True or self.follow_redirects == 'all': # Allow the redirect self.log('Allowing redirect to: %s' % newURL) if completionHandler: From 9eda5213c0255408e69301bacfa9e9fc7ca9c00c Mon Sep 17 00:00:00 2001 From: verycarefully Date: Mon, 8 Aug 2016 14:23:58 -0400 Subject: [PATCH 3/4] Fix up more lint errors. --- code/client/munkilib/fetch.py | 16 +++++++++++----- code/client/munkilib/gurl.py | 23 +++++++++++------------ 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/code/client/munkilib/fetch.py b/code/client/munkilib/fetch.py index eb0e82c5..96af2ddb 100644 --- a/code/client/munkilib/fetch.py +++ b/code/client/munkilib/fetch.py @@ -99,22 +99,27 @@ class GurlError(Exception): """General exception for gurl errors""" pass + class HTTPError(Exception): """General exception for http/https errors""" pass + class MunkiDownloadError(Exception): """Base exception for download errors""" pass + class GurlDownloadError(MunkiDownloadError): """Gurl failed to download the item""" pass + class FileCopyError(MunkiDownloadError): """Download failed because of file copy errors.""" pass + class PackageVerificationError(MunkiDownloadError): """Package failed verification""" pass @@ -184,6 +189,7 @@ def get_url(url, destinationpath, cache_data = gurl_obj.get_stored_headers() del gurl_obj + # only works with NSURLSession (10.9 and newer) ignore_system_proxy = munkicommon.pref('IgnoreSystemProxies') options = {'url': url, 
@@ -239,13 +245,13 @@ def get_url(url, destinationpath, # safely kill the connection then re-raise connection.cancel() raise - except Exception, err: # too general, I know + except Exception, err: # too general, I know # Let us out! ... Safely! Unexpectedly quit dialogs are annoying... connection.cancel() # Re-raise the error as a GurlError raise GurlError(-1, str(err)) - if connection.error != None: + if connection.error is not None: # Gurl returned an error munkicommon.display_detail( 'Download error %s: %s', connection.error.code(), @@ -260,7 +266,7 @@ def get_url(url, destinationpath, raise GurlError(connection.error.code(), connection.error.localizedDescription()) - if connection.response != None: + if connection.response is not None: munkicommon.display_debug1('Status: %s', connection.status) munkicommon.display_debug1('Headers: %s', connection.headers) if connection.redirection != []: @@ -289,6 +295,7 @@ def get_url(url, destinationpath, raise HTTPError(connection.status, connection.headers.get('http_result_description', '')) + def getResourceIfChangedAtomically(url, destinationpath, custom_headers=None, @@ -333,7 +340,7 @@ def getResourceIfChangedAtomically(url, % destinationpath) #continue with normal if-modified-since/etag update methods. - if follow_redirects != True: + if follow_redirects is not True: # If we haven't explicitly said to follow redirect, # the preference decides follow_redirects = munkicommon.pref('FollowHTTPRedirects') @@ -555,4 +562,3 @@ def verifySoftwarePackageIntegrity(file_path, item_hash, always_hash=False): 'illegal value: %s' % munkicommon.pref('PackageVerificationMode')) return (False, chash) - diff --git a/code/client/munkilib/gurl.py b/code/client/munkilib/gurl.py index fb39e366..a0d63ea6 100644 --- a/code/client/munkilib/gurl.py +++ b/code/client/munkilib/gurl.py 
@@ -36,17 +36,16 @@ from objc import super from CFNetwork import kCFNetworkProxiesHTTPSEnable, kCFNetworkProxiesHTTPEnable -from Foundation import NSBundle, \ - NSRunLoop, NSDate, \ - NSObject, NSURL, NSURLConnection, \ - NSMutableURLRequest, \ - NSURLRequestReloadIgnoringLocalCacheData, \ - NSURLResponseUnknownLength, \ - NSLog, \ - NSURLCredential, NSURLCredentialPersistenceNone, \ - NSPropertyListSerialization, \ - NSPropertyListMutableContainersAndLeaves, \ - NSPropertyListXMLFormat_v1_0 +from Foundation import (NSBundle, NSRunLoop, NSDate, + NSObject, NSURL, NSURLConnection, + NSMutableURLRequest, + NSURLRequestReloadIgnoringLocalCacheData, + NSURLResponseUnknownLength, + NSLog, + NSURLCredential, NSURLCredentialPersistenceNone, + NSPropertyListSerialization, + NSPropertyListMutableContainersAndLeaves, + NSPropertyListXMLFormat_v1_0) try: from Foundation import NSURLSession, NSURLSessionConfiguration @@ -249,7 +248,7 @@ class Gurl(NSObject): configuration = \ NSURLSessionConfiguration.defaultSessionConfiguration() - # (optional) set connections to ignore system proxies + # optional: ignore system http/https proxies (10.9+ only) if self.ignore_system_proxy is True: configuration.setConnectionProxyDictionary_( {kCFNetworkProxiesHTTPEnable: False, From 293a5aa8329181dee092c19fb9fbf30881299448 Mon Sep 17 00:00:00 2001 From: verycarefully Date: Mon, 8 Aug 2016 14:27:40 -0400 Subject: [PATCH 4/4] Fix another lint error pep8 didn't catch. --- code/client/munkilib/fetch.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code/client/munkilib/fetch.py b/code/client/munkilib/fetch.py index 96af2ddb..9bf7cf5e 100644 --- a/code/client/munkilib/fetch.py +++ b/code/client/munkilib/fetch.py 
@@ -338,7 +338,7 @@ def getResourceIfChangedAtomically(url, munkicommon.log('Cached payload does not match hash in catalog, ' 'will check if changed and redownload: %s' % destinationpath) - #continue with normal if-modified-since/etag update methods. + # continue with normal if-modified-since/etag update methods. if follow_redirects is not True: # If we haven't explicitly said to follow redirect,