import asyncio import os import pathlib import platform import ssl import sys from contextlib import suppress from re import match as match_regex from typing import Awaitable, Callable from unittest import mock from uuid import uuid4 import proxy import pytest from yarl import URL import aiohttp from aiohttp import ClientResponse, web from aiohttp.client_exceptions import ClientConnectionError from aiohttp.helpers import IS_MACOS, IS_WINDOWS from aiohttp.pytest_plugin import AiohttpServer ASYNCIO_SUPPORTS_TLS_IN_TLS = sys.version_info >= (3, 11) @pytest.fixture def secure_proxy_url(tls_certificate_pem_path): """Return the URL of an instance of a running secure proxy. This fixture also spawns that instance and tears it down after the test. """ proxypy_args = [ # --threadless does not work on windows, see # https://github.com/abhinavsingh/proxy.py/issues/492 "--threaded" if os.name == "nt" else "--threadless", "--num-workers", "1", # the tests only send one query anyway "--hostname", "127.0.0.1", # network interface to listen to "--port", 0, # ephemeral port, so that kernel allocates a free one "--cert-file", tls_certificate_pem_path, # contains both key and cert "--key-file", tls_certificate_pem_path, # contains both key and cert ] if not IS_MACOS and not IS_WINDOWS: proxypy_args.append("--threadless") # use asyncio with proxy.Proxy(input_args=proxypy_args) as proxy_instance: yield URL.build( scheme="https", host=str(proxy_instance.flags.hostname), port=proxy_instance.flags.port, ) @pytest.fixture def web_server_endpoint_payload(): return str(uuid4()) @pytest.fixture(params=("http", "https")) def web_server_endpoint_type(request): return request.param @pytest.fixture async def web_server_endpoint_url( aiohttp_server, ssl_ctx, web_server_endpoint_payload, web_server_endpoint_type, ): server_kwargs = ( { "ssl": ssl_ctx, } if web_server_endpoint_type == "https" else {} ) async def handler(*args, **kwargs): return web.Response(text=web_server_endpoint_payload) app = web.Application() app.router.add_route("GET", "/", handler) server = await aiohttp_server(app, **server_kwargs) return URL.build( scheme=web_server_endpoint_type, host=server.host, port=server.port, ) @pytest.mark.skipif( not ASYNCIO_SUPPORTS_TLS_IN_TLS, reason="asyncio on this python does not support TLS in TLS", ) @pytest.mark.parametrize("web_server_endpoint_type", ("http", "https")) @pytest.mark.filterwarnings(r"ignore:.*ssl.OP_NO_SSL*") # Filter out the warning from # https://github.com/abhinavsingh/proxy.py/blob/30574fd0414005dfa8792a6e797023e862bdcf43/proxy/common/utils.py#L226 # otherwise this test will fail because the proxy will die with an error. @pytest.mark.usefixtures("loop") async def test_secure_https_proxy_absolute_path( client_ssl_ctx: ssl.SSLContext, secure_proxy_url: URL, web_server_endpoint_url: str, web_server_endpoint_payload: str, ) -> None: """Ensure HTTP(S) sites are accessible through a secure proxy.""" conn = aiohttp.TCPConnector() sess = aiohttp.ClientSession(connector=conn) async with sess.get( web_server_endpoint_url, proxy=secure_proxy_url, ssl=client_ssl_ctx, # used for both proxy and endpoint connections ) as response: assert response.status == 200 assert await response.text() == web_server_endpoint_payload await sess.close() await conn.close() await asyncio.sleep(0.1) # https://docs.aiohttp.org/en/v3.8.0/client_advanced.html#graceful-shutdown await asyncio.sleep(0.1) @pytest.mark.parametrize("web_server_endpoint_type", ("https",)) @pytest.mark.usefixtures("loop") @pytest.mark.skipif( ASYNCIO_SUPPORTS_TLS_IN_TLS, reason="asyncio on this python supports TLS in TLS" ) @pytest.mark.filterwarnings(r"ignore:.*ssl.OP_NO_SSL*") # Filter out the warning from # https://github.com/abhinavsingh/proxy.py/blob/30574fd0414005dfa8792a6e797023e862bdcf43/proxy/common/utils.py#L226 # otherwise this test will fail because the proxy will die with an error. async def test_https_proxy_unsupported_tls_in_tls( client_ssl_ctx: ssl.SSLContext, secure_proxy_url: URL, web_server_endpoint_type: str, ) -> None: """Ensure connecting to TLS endpoints w/ HTTPS proxy needs patching. This also checks that a helpful warning on how to patch the env is displayed. """ url = URL.build(scheme=web_server_endpoint_type, host="python.org") escaped_host_port = ":".join((url.host.replace(".", r"\."), str(url.port))) escaped_proxy_url = str(secure_proxy_url).replace(".", r"\.") conn = aiohttp.TCPConnector() sess = aiohttp.ClientSession(connector=conn) expected_warning_text = ( r"^" r"An HTTPS request is being sent through an HTTPS proxy\. " "This support for TLS in TLS is known to be disabled " r"in the stdlib asyncio \(Python <3\.11\)\. This is why you'll probably see " r"an error in the log below\.\n\n" r"It is possible to enable it via monkeypatching\. " r"For more details, see:\n" r"\* https://bugs\.python\.org/issue37179\n" r"\* https://github\.com/python/cpython/pull/28073\n\n" r"You can temporarily patch this as follows:\n" r"\* https://docs\.aiohttp\.org/en/stable/client_advanced\.html#proxy-support\n" r"\* https://github\.com/aio-libs/aiohttp/discussions/6044\n$" ) type_err = ( r"transport is not supported by start_tls\(\)" ) expected_exception_reason = ( r"^" "Cannot initialize a TLS-in-TLS connection to host " f"{escaped_host_port!s} through an underlying connection " f"to an HTTPS proxy {escaped_proxy_url!s} ssl:{client_ssl_ctx!s} " f"[{type_err!s}]" r"$" ) with ( pytest.warns( RuntimeWarning, match=expected_warning_text, ), pytest.raises( ClientConnectionError, match=expected_exception_reason, ) as conn_err, ): async with sess.get(url, proxy=secure_proxy_url, ssl=client_ssl_ctx): pass assert isinstance(conn_err.value.__cause__, TypeError) assert match_regex(f"^{type_err!s}$", str(conn_err.value.__cause__)) await sess.close() await conn.close() await asyncio.sleep(0.1) @pytest.mark.skipif( platform.system() == "Windows" or sys.implementation.name != "cpython", reason="uvloop is not supported on Windows and non-CPython implementations", ) @pytest.mark.filterwarnings(r"ignore:.*ssl.OP_NO_SSL*") # Filter out the warning from # https://github.com/abhinavsingh/proxy.py/blob/30574fd0414005dfa8792a6e797023e862bdcf43/proxy/common/utils.py#L226 # otherwise this test will fail because the proxy will die with an error. async def test_uvloop_secure_https_proxy( client_ssl_ctx: ssl.SSLContext, secure_proxy_url: URL, uvloop_loop: asyncio.AbstractEventLoop, ) -> None: """Ensure HTTPS sites are accessible through a secure proxy without warning when using uvloop.""" conn = aiohttp.TCPConnector(force_close=True) sess = aiohttp.ClientSession(connector=conn) try: url = URL("https://example.com") async with sess.get( url, proxy=secure_proxy_url, ssl=client_ssl_ctx ) as response: assert response.status == 200 # Ensure response body is read to completion await response.read() finally: await sess.close() await conn.close() await asyncio.sleep(0) await asyncio.sleep(0.1) @pytest.fixture def proxy_test_server(aiohttp_raw_server, loop, monkeypatch): # Handle all proxy requests and imitate remote server response. _patch_ssl_transport(monkeypatch) default_response = dict(status=200, headers=None, body=None) proxy_mock = mock.Mock() async def proxy_handler(request): proxy_mock.request = request proxy_mock.requests_list.append(request) response = default_response.copy() if isinstance(proxy_mock.return_value, dict): response.update(proxy_mock.return_value) headers = response["headers"] if not headers: headers = {} if request.method == "CONNECT": response["body"] = None response["headers"] = headers resp = web.Response(**response) await resp.prepare(request) await resp.write_eof() return resp async def proxy_server(): proxy_mock.request = None proxy_mock.auth = None proxy_mock.requests_list = [] server = await aiohttp_raw_server(proxy_handler) proxy_mock.server = server proxy_mock.url = server.make_url("/") return proxy_mock return proxy_server @pytest.fixture() def get_request(loop): async def _request(method="GET", *, url, trust_env=False, **kwargs): connector = aiohttp.TCPConnector(ssl=False, loop=loop) async with aiohttp.ClientSession( connector=connector, trust_env=trust_env ) as client: async with client.request(method, url, **kwargs) as resp: return resp return _request async def test_proxy_http_absolute_path(proxy_test_server, get_request) -> None: url = "http://aiohttp.io/path?query=yes" proxy = await proxy_test_server() await get_request(url=url, proxy=proxy.url) assert len(proxy.requests_list) == 1 assert proxy.request.method == "GET" assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == "/path?query=yes" async def test_proxy_http_raw_path(proxy_test_server, get_request) -> None: url = "http://aiohttp.io:2561/space sheep?q=can:fly" raw_url = "/space%20sheep?q=can:fly" proxy = await proxy_test_server() await get_request(url=url, proxy=proxy.url) assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == raw_url async def test_proxy_http_idna_support(proxy_test_server, get_request) -> None: url = "http://éé.com/" proxy = await proxy_test_server() await get_request(url=url, proxy=proxy.url) assert proxy.request.host == "éé.com" assert proxy.request.path_qs == "/" async def test_proxy_http_connection_error(get_request) -> None: url = "http://aiohttp.io/path" proxy_url = "http://localhost:2242/" with pytest.raises(aiohttp.ClientConnectorError): await get_request(url=url, proxy=proxy_url) async def test_proxy_http_bad_response(proxy_test_server, get_request) -> None: url = "http://aiohttp.io/path" proxy = await proxy_test_server() proxy.return_value = dict(status=502, headers={"Proxy-Agent": "TestProxy"}) resp = await get_request(url=url, proxy=proxy.url) assert resp.status == 502 assert resp.headers["Proxy-Agent"] == "TestProxy" async def test_proxy_http_auth(proxy_test_server, get_request) -> None: url = "http://aiohttp.io/path" proxy = await proxy_test_server() await get_request(url=url, proxy=proxy.url) assert "Authorization" not in proxy.request.headers assert "Proxy-Authorization" not in proxy.request.headers auth = aiohttp.BasicAuth("user", "pass") await get_request(url=url, auth=auth, proxy=proxy.url) assert "Authorization" in proxy.request.headers assert "Proxy-Authorization" not in proxy.request.headers await get_request(url=url, proxy_auth=auth, proxy=proxy.url) assert "Authorization" not in proxy.request.headers assert "Proxy-Authorization" in proxy.request.headers await get_request(url=url, auth=auth, proxy_auth=auth, proxy=proxy.url) assert "Authorization" in proxy.request.headers assert "Proxy-Authorization" in proxy.request.headers async def test_proxy_http_auth_utf8(proxy_test_server, get_request) -> None: url = "http://aiohttp.io/path" auth = aiohttp.BasicAuth("юзер", "пасс", "utf-8") proxy = await proxy_test_server() await get_request(url=url, auth=auth, proxy=proxy.url) assert "Authorization" in proxy.request.headers assert "Proxy-Authorization" not in proxy.request.headers async def test_proxy_http_auth_from_url(proxy_test_server, get_request) -> None: url = "http://aiohttp.io/path" proxy = await proxy_test_server() auth_url = URL(url).with_user("user").with_password("pass") await get_request(url=auth_url, proxy=proxy.url) assert "Authorization" in proxy.request.headers assert "Proxy-Authorization" not in proxy.request.headers proxy_url = URL(proxy.url).with_user("user").with_password("pass") await get_request(url=url, proxy=proxy_url) assert "Authorization" not in proxy.request.headers assert "Proxy-Authorization" in proxy.request.headers async def test_proxy_http_acquired_cleanup(proxy_test_server, loop) -> None: url = "http://aiohttp.io/path" conn = aiohttp.TCPConnector(loop=loop) sess = aiohttp.ClientSession(connector=conn, loop=loop) proxy = await proxy_test_server() assert 0 == len(conn._acquired) async with sess.get(url, proxy=proxy.url) as resp: pass assert resp.closed assert 0 == len(conn._acquired) await sess.close() await conn.close() @pytest.mark.skip("we need to reconsider how we test this") async def test_proxy_http_acquired_cleanup_force(proxy_test_server, loop) -> None: url = "http://aiohttp.io/path" conn = aiohttp.TCPConnector(force_close=True, loop=loop) sess = aiohttp.ClientSession(connector=conn, loop=loop) proxy = await proxy_test_server() assert 0 == len(conn._acquired) async def request(): async with sess.get(url, proxy=proxy.url): assert 1 == len(conn._acquired) await request() assert 0 == len(conn._acquired) await sess.close() await conn.close() @pytest.mark.skip("we need to reconsider how we test this") async def test_proxy_http_multi_conn_limit(proxy_test_server, loop) -> None: url = "http://aiohttp.io/path" limit, multi_conn_num = 1, 5 conn = aiohttp.TCPConnector(limit=limit, loop=loop) sess = aiohttp.ClientSession(connector=conn, loop=loop) proxy = await proxy_test_server() current_pid = None async def request(pid): # process requests only one by one nonlocal current_pid async with sess.get(url, proxy=proxy.url) as resp: current_pid = pid await asyncio.sleep(0.2, loop=loop) assert current_pid == pid return resp requests = [request(pid) for pid in range(multi_conn_num)] responses = await asyncio.gather(*requests, loop=loop) assert len(responses) == multi_conn_num assert {resp.status for resp in responses} == {200} await sess.close() await conn.close() @pytest.mark.xfail async def xtest_proxy_https_connect(proxy_test_server, get_request): proxy = await proxy_test_server() url = "https://www.google.com.ua/search?q=aiohttp proxy" await get_request(url=url, proxy=proxy.url) connect = proxy.requests_list[0] assert connect.method == "CONNECT" assert connect.path == "www.google.com.ua:443" assert connect.host == "www.google.com.ua" assert proxy.request.host == "www.google.com.ua" assert proxy.request.path_qs == "/search?q=aiohttp+proxy" @pytest.mark.xfail async def xtest_proxy_https_connect_with_port(proxy_test_server, get_request): proxy = await proxy_test_server() url = "https://secure.aiohttp.io:2242/path" await get_request(url=url, proxy=proxy.url) connect = proxy.requests_list[0] assert connect.method == "CONNECT" assert connect.path == "secure.aiohttp.io:2242" assert connect.host == "secure.aiohttp.io:2242" assert proxy.request.host == "secure.aiohttp.io:2242" assert proxy.request.path_qs == "/path" @pytest.mark.xfail async def xtest_proxy_https_send_body( proxy_test_server: Callable[[], Awaitable[mock.Mock]], loop: asyncio.AbstractEventLoop, ) -> None: sess = aiohttp.ClientSession() try: proxy = await proxy_test_server() proxy.return_value = {"status": 200, "body": b"1" * (2**20)} url = "https://www.google.com.ua/search?q=aiohttp proxy" async with sess.get(url, proxy=proxy.url) as resp: body = await resp.read() assert body == b"1" * (2**20) finally: await sess.close() @pytest.mark.xfail async def xtest_proxy_https_idna_support(proxy_test_server, get_request): url = "https://éé.com/" proxy = await proxy_test_server() await get_request(url=url, proxy=proxy.url) connect = proxy.requests_list[0] assert connect.method == "CONNECT" assert connect.path == "xn--9caa.com:443" assert connect.host == "xn--9caa.com" async def test_proxy_https_connection_error(get_request) -> None: url = "https://secure.aiohttp.io/path" proxy_url = "http://localhost:2242/" with pytest.raises(aiohttp.ClientConnectorError): await get_request(url=url, proxy=proxy_url) async def test_proxy_https_bad_response(proxy_test_server, get_request) -> None: url = "https://secure.aiohttp.io/path" proxy = await proxy_test_server() proxy.return_value = dict(status=502, headers={"Proxy-Agent": "TestProxy"}) with pytest.raises(aiohttp.ClientHttpProxyError): await get_request(url=url, proxy=proxy.url) assert len(proxy.requests_list) == 1 assert proxy.request.method == "CONNECT" # The following check fails on MacOS # assert proxy.request.path == 'secure.aiohttp.io:443' @pytest.mark.xfail async def xtest_proxy_https_auth(proxy_test_server, get_request): url = "https://secure.aiohttp.io/path" auth = aiohttp.BasicAuth("user", "pass") proxy = await proxy_test_server() await get_request(url=url, proxy=proxy.url) connect = proxy.requests_list[0] assert "Authorization" not in connect.headers assert "Proxy-Authorization" not in connect.headers assert "Authorization" not in proxy.request.headers assert "Proxy-Authorization" not in proxy.request.headers proxy = await proxy_test_server() await get_request(url=url, auth=auth, proxy=proxy.url) connect = proxy.requests_list[0] assert "Authorization" not in connect.headers assert "Proxy-Authorization" not in connect.headers assert "Authorization" in proxy.request.headers assert "Proxy-Authorization" not in proxy.request.headers proxy = await proxy_test_server() await get_request(url=url, proxy_auth=auth, proxy=proxy.url) connect = proxy.requests_list[0] assert "Authorization" not in connect.headers assert "Proxy-Authorization" in connect.headers assert "Authorization" not in proxy.request.headers assert "Proxy-Authorization" not in proxy.request.headers proxy = await proxy_test_server() await get_request(url=url, auth=auth, proxy_auth=auth, proxy=proxy.url) connect = proxy.requests_list[0] assert "Authorization" not in connect.headers assert "Proxy-Authorization" in connect.headers assert "Authorization" in proxy.request.headers assert "Proxy-Authorization" not in proxy.request.headers @pytest.mark.xfail async def xtest_proxy_https_acquired_cleanup(proxy_test_server, loop): url = "https://secure.aiohttp.io/path" conn = aiohttp.TCPConnector() sess = aiohttp.ClientSession(connector=conn) try: proxy = await proxy_test_server() assert 0 == len(conn._acquired) async def request() -> None: async with sess.get(url, proxy=proxy.url): assert 1 == len(conn._acquired) await request() assert 0 == len(conn._acquired) finally: await sess.close() await conn.close() @pytest.mark.xfail async def xtest_proxy_https_acquired_cleanup_force(proxy_test_server, loop): url = "https://secure.aiohttp.io/path" conn = aiohttp.TCPConnector(force_close=True) sess = aiohttp.ClientSession(connector=conn) try: proxy = await proxy_test_server() assert 0 == len(conn._acquired) async def request() -> None: async with sess.get(url, proxy=proxy.url): assert 1 == len(conn._acquired) await request() assert 0 == len(conn._acquired) finally: await sess.close() await conn.close() @pytest.mark.xfail async def xtest_proxy_https_multi_conn_limit(proxy_test_server, loop): url = "https://secure.aiohttp.io/path" limit, multi_conn_num = 1, 5 conn = aiohttp.TCPConnector(limit=limit, loop=loop) sess = aiohttp.ClientSession(connector=conn, loop=loop) proxy = await proxy_test_server() try: current_pid = None async def request(pid: int) -> ClientResponse: # process requests only one by one nonlocal current_pid async with sess.get(url, proxy=proxy.url) as resp: current_pid = pid await asyncio.sleep(0.2) assert current_pid == pid return resp requests = [request(pid) for pid in range(multi_conn_num)] responses = await asyncio.gather(*requests, return_exceptions=True) # Filter out exceptions to count actual responses actual_responses = [r for r in responses if isinstance(r, ClientResponse)] assert len(actual_responses) == multi_conn_num assert {resp.status for resp in actual_responses} == {200} finally: await sess.close() await conn.close() def _patch_ssl_transport(monkeypatch): # Make ssl transport substitution to prevent ssl handshake. def _make_ssl_transport_dummy( self, rawsock, protocol, sslcontext, waiter=None, **kwargs ): return self._make_socket_transport( rawsock, protocol, waiter, extra=kwargs.get("extra"), server=kwargs.get("server"), ) monkeypatch.setattr( "asyncio.selector_events.BaseSelectorEventLoop._make_ssl_transport", _make_ssl_transport_dummy, ) original_is_file = pathlib.Path.is_file def mock_is_file(self): # make real netrc file invisible in home dir if self.name in ["_netrc", ".netrc"] and self.parent == self.home(): return False else: return original_is_file(self) async def test_proxy_from_env_http(proxy_test_server, get_request, mocker) -> None: url = "http://aiohttp.io/path" proxy = await proxy_test_server() mocker.patch.dict(os.environ, {"http_proxy": str(proxy.url)}) mocker.patch("pathlib.Path.is_file", mock_is_file) await get_request(url=url, trust_env=True) assert len(proxy.requests_list) == 1 assert proxy.request.method == "GET" assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == "/path" assert "Proxy-Authorization" not in proxy.request.headers async def test_proxy_from_env_http_with_auth(proxy_test_server, get_request, mocker): url = "http://aiohttp.io/path" proxy = await proxy_test_server() auth = aiohttp.BasicAuth("user", "pass") mocker.patch.dict( os.environ, { "http_proxy": str( proxy.url.with_user(auth.login).with_password(auth.password) ) }, ) await get_request(url=url, trust_env=True) assert len(proxy.requests_list) == 1 assert proxy.request.method == "GET" assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == "/path" assert proxy.request.headers["Proxy-Authorization"] == auth.encode() async def test_proxy_from_env_http_with_auth_from_netrc( proxy_test_server, get_request, tmp_path, mocker ): url = "http://aiohttp.io/path" proxy = await proxy_test_server() auth = aiohttp.BasicAuth("user", "pass") netrc_file = tmp_path / "test_netrc" netrc_file_data = "machine 127.0.0.1 login {} password {}".format( auth.login, auth.password, ) with netrc_file.open("w") as f: f.write(netrc_file_data) mocker.patch.dict( os.environ, {"http_proxy": str(proxy.url), "NETRC": str(netrc_file)} ) await get_request(url=url, trust_env=True) assert len(proxy.requests_list) == 1 assert proxy.request.method == "GET" assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == "/path" assert proxy.request.headers["Proxy-Authorization"] == auth.encode() async def test_proxy_from_env_http_without_auth_from_netrc( proxy_test_server, get_request, tmp_path, mocker ): url = "http://aiohttp.io/path" proxy = await proxy_test_server() auth = aiohttp.BasicAuth("user", "pass") netrc_file = tmp_path / "test_netrc" netrc_file_data = "machine 127.0.0.2 login {} password {}".format( auth.login, auth.password, ) with netrc_file.open("w") as f: f.write(netrc_file_data) mocker.patch.dict( os.environ, {"http_proxy": str(proxy.url), "NETRC": str(netrc_file)} ) await get_request(url=url, trust_env=True) assert len(proxy.requests_list) == 1 assert proxy.request.method == "GET" assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == "/path" assert "Proxy-Authorization" not in proxy.request.headers async def test_proxy_from_env_http_without_auth_from_wrong_netrc( proxy_test_server, get_request, tmp_path, mocker ): url = "http://aiohttp.io/path" proxy = await proxy_test_server() auth = aiohttp.BasicAuth("user", "pass") netrc_file = tmp_path / "test_netrc" invalid_data = f"machine 127.0.0.1 {auth.login} pass {auth.password}" with netrc_file.open("w") as f: f.write(invalid_data) mocker.patch.dict( os.environ, {"http_proxy": str(proxy.url), "NETRC": str(netrc_file)} ) await get_request(url=url, trust_env=True) assert len(proxy.requests_list) == 1 assert proxy.request.method == "GET" assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == "/path" assert "Proxy-Authorization" not in proxy.request.headers @pytest.mark.xfail async def xtest_proxy_from_env_https(proxy_test_server, get_request, mocker): url = "https://aiohttp.io/path" proxy = await proxy_test_server() mocker.patch.dict(os.environ, {"https_proxy": str(proxy.url)}) mocker.patch("pathlib.Path.is_file", mock_is_file) await get_request(url=url, trust_env=True) assert len(proxy.requests_list) == 2 assert proxy.request.method == "GET" assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == "/path" assert "Proxy-Authorization" not in proxy.request.headers @pytest.mark.xfail async def xtest_proxy_from_env_https_with_auth(proxy_test_server, get_request, mocker): url = "https://aiohttp.io/path" proxy = await proxy_test_server() auth = aiohttp.BasicAuth("user", "pass") mocker.patch.dict( os.environ, { "https_proxy": str( proxy.url.with_user(auth.login).with_password(auth.password) ) }, ) await get_request(url=url, trust_env=True) assert len(proxy.requests_list) == 2 assert proxy.request.method == "GET" assert proxy.request.host == "aiohttp.io" assert proxy.request.path_qs == "/path" assert "Proxy-Authorization" not in proxy.request.headers r2 = proxy.requests_list[0] assert r2.method == "CONNECT" assert r2.host == "aiohttp.io" assert r2.path_qs == "/path" assert r2.headers["Proxy-Authorization"] == auth.encode() async def test_proxy_auth() -> None: async with aiohttp.ClientSession() as session: with pytest.raises( ValueError, match=r"proxy_auth must be None or BasicAuth\(\) tuple" ): async with session.get( "http://python.org", proxy="http://proxy.example.com", proxy_auth=("user", "pass"), ): pass async def test_https_proxy_connect_tunnel_session_close_no_hang( aiohttp_server: AiohttpServer, ) -> None: """Test that CONNECT tunnel connections are not pooled.""" # Regression test for issue #11273. # Create a minimal proxy server # The CONNECT method is handled at the protocol level, not by the handler proxy_app = web.Application() proxy_server = await aiohttp_server(proxy_app) proxy_url = f"http://{proxy_server.host}:{proxy_server.port}" # Create session and make HTTPS request through proxy session = aiohttp.ClientSession() try: # This will fail during TLS upgrade because proxy doesn't establish tunnel with suppress(aiohttp.ClientError): async with session.get("https://example.com/test", proxy=proxy_url) as resp: await resp.read() # The critical test: Check if any connections were pooled with proxy=None # This is the root cause of the hang - CONNECT tunnel connections # should NOT be pooled connector = session.connector assert connector is not None # Count connections with proxy=None in the pool proxy_none_keys = [key for key in connector._conns if key.proxy is None] proxy_none_count = len(proxy_none_keys) # Before the fix, there would be a connection with proxy=None # After the fix, CONNECT tunnel connections are not pooled assert proxy_none_count == 0, ( f"Found {proxy_none_count} connections with proxy=None in pool. " f"CONNECT tunnel connections should not be pooled - this is bug #11273" ) finally: # Clean close await session.close()