Get coverage back to 100%

[pquentin]

This means we should probably refactor the connection classes, but that would change the public API and I think it should be discussed in another pull request.

[codecov-io]

Codecov Report

Merging #1726 into master will increase coverage by 0.29%.
The diff coverage is n/a.

@@            Coverage Diff            @@
##           master   #1726      +/-   ##
=========================================
+ Coverage    99.7%    100%   +0.29%     
=========================================
  Files          22      22              
  Lines        2003    1976      -27     
=========================================
- Hits         1997    1976      -21     
+ Misses          6       0       -6

Impacted Files	Coverage Δ
src/urllib3/util/url.py	100% <ø> (+0.51%)	⬆️
src/urllib3/connection.py	100% <ø> (+2.05%)	⬆️
src/urllib3/util/timeout.py	100% <0%> (ø)	⬆️
src/urllib3/response.py	100% <0%> (ø)	⬆️
src/urllib3/contrib/_appengine_environ.py	100% <0%> (+20%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 109c70f...011d857. Read the comment docs.

[sethmlarson]

Few questions!

[sethmlarson]

We probably shouldn't remove this, what happens if a user has an unverified HTTPS connection, is this class used?

[pquentin]

No, it's not used, unverified connections go through VerifiedHTTPSConnection.

[sethmlarson]

Oh, huh. I wonder what the impact of nuking the class and rebinding the name would do to downstream. 🤷‍♂️

[pquentin]

I don't think anybody is using this class: connect() referenced variables that don't exist, so could not work. An additional wrinkle here is the bottom of the file:

if ssl:
    # Make a copy for testing.
    UnverifiedHTTPSConnection = HTTPSConnection
    HTTPSConnection = VerifiedHTTPSConnection

So one option is to merge VerifiedHTTPSConnection into HTTPSConnection, and add UnverifiedHTTPSConnection = HTTPSConnection at the end of the file.

[pquentin]

@sethmlarson I opened #1730 to unblock this pull request and talk about our options here, including the upstream impact.

[sethmlarson]

@zogzog Sorry for causing an issue. I've edited your above comment as I read it as sarcastic which isn't constructive. Hope you agree with my edit.

[pquentin]

Aurélien, je comprends ta colère, je sais ce que c'est de tomber sur un commit quelque part sur GitHub qui casse ton code. Je te présente d'ailleurs mes excuses. Maintenant que ça c'est dit, on apprécierait des interventions plus courtoises !

Indeed I had to add [...] 6 months ago because someone removed them or something

We would have appreciated a heads-up at this point! This would have avoided the whole issue.

I'd be happy to accept a pull request that restores a working and covered connect().

People should really understand that, even though it is generally considered a bad thing and should be discouraged, there is a need for unverified https connections that don't spit warnings on the console.

Can you use our fingerprinting feature if the certificate does not change too often?

Is silencing the warning an option?

By the way, it looks like the TLS certificate of https://pythonian.fr/ is currently expired.

[pquentin]

I mean, why don't you just silence the warning? Isn't this working for you?

import urllib3

urllib3.disable_warnings(urllib3.exceptions.SecurityWarning)
http = urllib3.PoolManager(cert_reqs="CERT_NONE")
r = http.request("GET", "https://pythonian.fr/webfiles/css.css")
print(r.status)

[pquentin]

Also, for what it's worth, here are the thoughts of Seth on verifying HTTPS: https://sethmlarson.dev/blog/2019-11-26/designing-for-real-world-https. I happen to fully agree.

[sethmlarson]

There's also this method (using certificate pinning as mentioned above) that doesn't require you to disable security warnings. :)

http = urllib3.PoolManager(
    cert_reqs="CERT_NONE",
    assert_fingerprint="e677022f45ad8ecfc7a66dbb8d57e9c7b01a52c9f880ecb104af6ee67ee9f18a"
)
resp = http.request("GET", "https://pythonian.fr/webfiles/css.css")

Just remember this PoolManager will only work for the one website. Might be worth even using a ConnectionPool instead.

[pquentin]

This is ready for another round of review!

[pquentin]

Travis fails because of #1733, I'll rebase this PR when it gets merged, that will fix the issue. AppVeyor fails because my test for #1715 is not fully reliable. I plan to fix this soon too. [edit: fixed in #1734]

[pquentin]

test_preserve_chunked_on_retry is a test that I recently added and it failed again. It was retried due to our flaky integration, but we got two different exceptions, both unexpected. The test is definitely not reliable on Windows, and I decided to change tactics to test this code path: an explicit Retry-After header. Opened #1743 for this.

[sethmlarson]

I'd like to release 1.25.7 before making large changes, will return to it after the release has been made. :)

[pquentin]

Works for me 👍

[pquentin]

@sethmlarson Is there anything I can do here? I understand that it's frightening, but I'm only removing code that was already broken anyway.

[sethmlarson]

This seems fine, if all downstream test suites are passing I've got a feeling we'll be okay.

[pquentin]

Thanks!