authorchetan <44532446+chetanugale@users.noreply.github.com>2021-10-09 00:06:12 +0530
committerGitHub <noreply@github.com>2021-10-08 13:36:12 -0500
commitbb3c2942702b84a9a86057044e61d7b885028471 (patch)
treea1a1a64a3a0c9f98e16f180d8bd18d0f0a9c9915
parent056c4986b79fc772778ae2c44e283e73895e7c6c (diff)
downloadurllib3-bb3c2942702b84a9a86057044e61d7b885028471.tar.gz
[1.26] Vendor ssl.match_hostname to avoid Python 3.10 deprecation warning
-rwxr-xr-xsetup.py1
-rw-r--r--src/urllib3/connection.py2
-rw-r--r--src/urllib3/connectionpool.py2
-rw-r--r--src/urllib3/packages/__init__.py5
-rw-r--r--src/urllib3/packages/ssl_match_hostname/__init__.py24
-rw-r--r--src/urllib3/util/ssl_match_hostname.py (renamed from src/urllib3/packages/ssl_match_hostname/_implementation.py)5
-rw-r--r--test/test_connection.py45
-rw-r--r--test/test_connectionpool.py2
8 files changed, 51 insertions, 35 deletions
diff --git a/setup.py b/setup.py
index cab4b175..43c724ce 100755
--- a/setup.py
+++ b/setup.py
@@ -75,7 +75,6 @@ setup(
packages=[
"urllib3",
"urllib3.packages",
- "urllib3.packages.ssl_match_hostname",
"urllib3.packages.backports",
"urllib3.contrib",
"urllib3.contrib._securetransport",
diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
index 78a96e9e..23383d12 100644
--- a/src/urllib3/connection.py
+++ b/src/urllib3/connection.py
@@ -52,7 +52,6 @@ from .exceptions import (
SubjectAltNameWarning,
SystemTimeWarning,
)
-from .packages.ssl_match_hostname import CertificateError, match_hostname
from .util import SKIP_HEADER, SKIPPABLE_HEADERS, connection
from .util.ssl_ import (
assert_fingerprint,
@@ -62,6 +61,7 @@ from .util.ssl_ import (
resolve_ssl_version,
ssl_wrap_socket,
)
+from .util.ssl_match_hostname import CertificateError, match_hostname
log = logging.getLogger(__name__)
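Review bot: The added `from .util.ssl_match_hostname import CertificateError, match_hostname` line has no comment saying that certificate hostname verification now always runs through the vendored copy. The selector module deleted elsewhere in this commit preferred `ssl.match_hostname` on Python 3.5 to 3.9 and the `backports.ssl_match_hostname` package where installed, so later fixes to either will no longer reach urllib3. A comment above the import would record that, for example `# Vendored copy of ssl.match_hostname, used on every Python version; fixes must be applied in util/ssl_match_hostname.py.` The same applies to the `CertificateError` import added in `connectionpool.py`.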
diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
index 40f8e204..27a00604 100644
--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
@@ -36,7 +36,6 @@ from .exceptions import (
)
from .packages import six
from .packages.six.moves import queue
-from .packages.ssl_match_hostname import CertificateError
from .request import RequestMethods
from .response import HTTPResponse
from .util.connection import is_connection_dropped
@@ -45,6 +44,7 @@ from .util.queue import LifoQueue
from .util.request import set_file_position
from .util.response import assert_header_parsing
from .util.retry import Retry
+from .util.ssl_match_hostname import CertificateError
from .util.timeout import Timeout
from .util.url import Url, _encode_target
from .util.url import _normalize_host as normalize_host
diff --git a/src/urllib3/packages/__init__.py b/src/urllib3/packages/__init__.py
index fce4caa6..e69de29b 100644
--- a/src/urllib3/packages/__init__.py
+++ b/src/urllib3/packages/__init__.py
@@ -1,5 +0,0 @@
-from __future__ import absolute_import
-
-from . import ssl_match_hostname
-
-__all__ = ("ssl_match_hostname",)
diff --git a/src/urllib3/packages/ssl_match_hostname/__init__.py b/src/urllib3/packages/ssl_match_hostname/__init__.py
deleted file mode 100644
index ef3fde52..00000000
--- a/src/urllib3/packages/ssl_match_hostname/__init__.py
+++ /dev/null
@@ -1,24 +0,0 @@
-import sys
-
-try:
- # Our match_hostname function is the same as 3.10's, so we only want to
- # import the match_hostname function if it's at least that good.
- # We also fallback on Python 3.10+ because our code doesn't emit
- # deprecation warnings and is the same as Python 3.10 otherwise.
- if sys.version_info < (3, 5) or sys.version_info >= (3, 10):
- raise ImportError("Fallback to vendored code")
-
- from ssl import CertificateError, match_hostname
-except ImportError:
- try:
- # Backport of the function from a pypi module
- from backports.ssl_match_hostname import ( # type: ignore
- CertificateError,
- match_hostname,
- )
- except ImportError:
- # Our vendored copy
- from ._implementation import CertificateError, match_hostname # type: ignore
-
-# Not needed, but documenting what we provide.
-__all__ = ("CertificateError", "match_hostname")
diff --git a/src/urllib3/packages/ssl_match_hostname/_implementation.py b/src/urllib3/util/ssl_match_hostname.py
index 689208d3..a4b4a569 100644
--- a/src/urllib3/packages/ssl_match_hostname/_implementation.py
+++ b/src/urllib3/util/ssl_match_hostname.py
@@ -9,7 +9,7 @@ import sys
# ipaddress has been backported to 2.6+ in pypi. If it is installed on the
# system, use it to handle IPAddress ServerAltnames (this was added in
# python-3.5) otherwise only do DNS matching. This allows
-# backports.ssl_match_hostname to continue to be used in Python 2.7.
+# util.ssl_match_hostname to continue to be used in Python 2.7.
try:
import ipaddress
except ImportError:
@@ -78,7 +78,8 @@ def _dnsname_match(dn, hostname, max_wildcards=1):
def _to_unicode(obj):
if isinstance(obj, str) and sys.version_info < (3,):
- obj = unicode(obj, encoding="ascii", errors="strict")
+ # ignored flake8 # F821 to support python 2.7 function
+ obj = unicode(obj, encoding="ascii", errors="strict") # noqa: F821
return obj
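Review bot: The comment added above the `unicode(...)` call in `_to_unicode` reads as a fragment and does not say why suppressing F821 is safe here. The reason is visible one line up: the `sys.version_info < (3,)` guard keeps the call from running on Python 3, where the name is undefined. I would reword it to `# unicode() exists only on Python 2; the version guard above keeps this line from running on Python 3.` and keep the `# noqa: F821` marker as it is.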
diff --git a/test/test_connection.py b/test/test_connection.py
index afcd9bd1..7ac0ecc2 100644
--- a/test/test_connection.py
+++ b/test/test_connection.py
@@ -79,6 +79,51 @@ class TestConnection(object):
# Assert no error is raised
_match_hostname(cert, asserted_hostname)
+ def test_match_hostname_ip_address(self):
+ cert = {"subjectAltName": [("IP Address", "1.1.1.1")]}
+ asserted_hostname = "1.1.1.2"
+ try:
+ with mock.patch("urllib3.connection.log.warning") as mock_log:
+ _match_hostname(cert, asserted_hostname)
+ except CertificateError as e:
+ assert "hostname '1.1.1.2' doesn't match '1.1.1.1'" in str(e)
+ mock_log.assert_called_once_with(
+ "Certificate did not match expected hostname: %s. Certificate: %s",
+ "1.1.1.2",
+ {"subjectAltName": [("IP Address", "1.1.1.1")]},
+ )
+ assert e._peer_cert == cert
+
+ def test_match_hostname_no_dns(self):
+ cert = {"subjectAltName": [("DNS", "")]}
+ asserted_hostname = "bar"
+ try:
+ with mock.patch("urllib3.connection.log.warning") as mock_log:
+ _match_hostname(cert, asserted_hostname)
+ except CertificateError as e:
+ assert "hostname 'bar' doesn't match ''" in str(e)
+ mock_log.assert_called_once_with(
+ "Certificate did not match expected hostname: %s. Certificate: %s",
+ "bar",
+ {"subjectAltName": [("DNS", "")]},
+ )
+ assert e._peer_cert == cert
+
+ def test_match_hostname_startwith_wildcard(self):
+ cert = {"subjectAltName": [("DNS", "*")]}
+ asserted_hostname = "foo"
+ _match_hostname(cert, asserted_hostname)
+
+ def test_match_hostname_dnsname(self):
+ cert = {"subjectAltName": [("DNS", "xn--p1b6ci4b4b3a*.xn--11b5bs8d")]}
+ asserted_hostname = "xn--p1b6ci4b4b3a*.xn--11b5bs8d"
+ _match_hostname(cert, asserted_hostname)
+
+ def test_match_hostname_include_wildcard(self):
+ cert = {"subjectAltName": [("DNS", "foo*")]}
+ asserted_hostname = "foobar"
+ _match_hostname(cert, asserted_hostname)
+
def test_recent_date(self):
# This test is to make sure that the RECENT_DATE value
# doesn't get too far behind what the current date is.
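Review bot: `test_match_hostname_ip_address` and `test_match_hostname_no_dns` pass without asserting anything if `_match_hostname` returns normally, because every assertion sits inside the `except CertificateError` branch. Silently accepting a mismatched certificate is the regression that matters most for a hostname check, so each `try` should fail when no exception is raised. Adding `else:` followed by `raise AssertionError("CertificateError was not raised")` does that, as does `pytest.raises(CertificateError)` if pytest is imported in this module (the import block is outside the hunk). The three accepting tests (`*` for `foo`, `foo*` for `foobar`, and the literal `*` inside an `xn--` label) would also benefit from a one-line comment each naming the matching rule they pin. The enclosing `TestConnection` class starts and ends outside the hunk.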
diff --git a/test/test_connectionpool.py b/test/test_connectionpool.py
index eec6bd27..5b5cd4a3 100644
--- a/test/test_connectionpool.py
+++ b/test/test_connectionpool.py
@@ -29,8 +29,8 @@ from urllib3.exceptions import (
from urllib3.packages.six.moves import http_client as httplib
from urllib3.packages.six.moves.http_client import HTTPException
from urllib3.packages.six.moves.queue import Empty
-from urllib3.packages.ssl_match_hostname import CertificateError
from urllib3.response import HTTPResponse
+from urllib3.util.ssl_match_hostname import CertificateError
from urllib3.util.timeout import Timeout
from .test_response import MockChunkedEncodingResponse, MockSock