core/homeassistant/components/cert_expiry/helper.py

"""Helper functions for the Cert Expiry platform."""
import asyncio
import datetime
from functools import cache
import socket
import ssl
from typing import Any

from homeassistant.core import HomeAssistant
from homeassistant.util import dt as dt_util

from .const import TIMEOUT
from .errors import (
    ConnectionRefused,
    ConnectionTimeout,
    ResolveFailed,
    ValidationFailure,
)


@cache
def _get_default_ssl_context() -> ssl.SSLContext:
    """Return the default SSL context."""
    return ssl.create_default_context()


async def async_get_cert(
    hass: HomeAssistant,
    host: str,
    port: int,
) -> dict[str, Any]:
    """Get the certificate for the host and port combination."""
    async with asyncio.timeout(TIMEOUT):
        transport, _ = await hass.loop.create_connection(
            asyncio.Protocol,
            host,
            port,
            ssl=_get_default_ssl_context(),
            happy_eyeballs_delay=0.25,
            server_hostname=host,
        )
    try:
        return transport.get_extra_info("peercert")  # type: ignore[no-any-return]
    finally:
        transport.close()


async def get_cert_expiry_timestamp(
    hass: HomeAssistant,
    hostname: str,
    port: int,
) -> datetime.datetime:
    """Return the certificate's expiration timestamp."""
    try:
        cert = await async_get_cert(hass, hostname, port)
    except socket.gaierror as err:
        raise ResolveFailed(f"Cannot resolve hostname: {hostname}") from err
    except asyncio.TimeoutError as err:
        raise ConnectionTimeout(
            f"Connection timeout with server: {hostname}:{port}"
        ) from err
    except ConnectionRefusedError as err:
        raise ConnectionRefused(
            f"Connection refused by server: {hostname}:{port}"
        ) from err
    except ssl.CertificateError as err:
        raise ValidationFailure(err.verify_message) from err
    except ssl.SSLError as err:
        raise ValidationFailure(err.args[0]) from err

    ts_seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return dt_util.utc_from_timestamp(ts_seconds)
Enable cert_expiry config entries (#25624) * Enable cert_expiry config entries * add black * lint fixes * Rerun black * Black on json files is a bad idea * Work on comments * Forgot the lint * More comment work * Correctly set defaults * More comments * Add codeowner * Fix black * More comments implemented * Removed the catch * Add helper.py from cert_expiry to .coveragerc 2019-08-28 17:35:09 +00:00			`"""Helper functions for the Cert Expiry platform."""`
Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`import asyncio`
			`import datetime`
Reduce I/O from cert_expiry (#94399) 2023-06-10 17:53:09 +00:00			`from functools import cache`
Enable cert_expiry config entries (#25624) * Enable cert_expiry config entries * add black * lint fixes * Rerun black * Black on json files is a bad idea * Work on comments * Forgot the lint * More comment work * Correctly set defaults * More comments * Add codeowner * Fix black * More comments implemented * Removed the catch * Add helper.py from cert_expiry to .coveragerc 2019-08-28 17:35:09 +00:00			`import socket`
			`import ssl`
Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`from typing import Any`
Enable cert_expiry config entries (#25624) * Enable cert_expiry config entries * add black * lint fixes * Rerun black * Black on json files is a bad idea * Work on comments * Forgot the lint * More comment work * Correctly set defaults * More comments * Add codeowner * Fix black * More comments implemented * Removed the catch * Add helper.py from cert_expiry to .coveragerc 2019-08-28 17:35:09 +00:00
Add typings to Certificate Expiry integration (#75945) 2022-07-31 11:26:16 +00:00			`from homeassistant.core import HomeAssistant`
Import `util.dt` as `dt_util` in `components/[a-d]*` (#93756) 2023-05-29 21:02:06 +00:00			`from homeassistant.util import dt as dt_util`
Add expiration timestamp to cert_expiry sensors (#36399) * Add expiration timestamp to cert_expiry sensors * Clear timestamp if cert becomes invalid * Use timezone-aware timestamps * Use DataUpdateCoordinator, split timestamp to separate sensor * Use UTC, simpler add/remove handling * Review fixes * Fix incomplete mock that fails in 3.8 * Use static timestamps, improve helper method name 2020-06-18 16:29:46 +00:00
Enable cert_expiry config entries (#25624) * Enable cert_expiry config entries * add black * lint fixes * Rerun black * Black on json files is a bad idea * Work on comments * Forgot the lint * More comment work * Correctly set defaults * More comments * Add codeowner * Fix black * More comments implemented * Removed the catch * Add helper.py from cert_expiry to .coveragerc 2019-08-28 17:35:09 +00:00			`from .const import TIMEOUT`
Refactor Certificate Expiry Sensor (#32066) * Cert Expiry refactor * Unused parameter * Reduce delay * Deprecate 'name' config * Use config entry unique_id * Fix logic bugs found with tests * Rewrite tests to use config flow core interfaces, validate created sensors * Update strings * Minor consistency fix * Review fixes, complete test coverage * Move error handling to helper * Subclass exceptions * Better tests * Use first object reference * Fix docstring 2020-03-02 13:44:24 +00:00			`from .errors import (`
			`ConnectionRefused,`
			`ConnectionTimeout,`
			`ResolveFailed,`
			`ValidationFailure,`
			`)`
Enable cert_expiry config entries (#25624) * Enable cert_expiry config entries * add black * lint fixes * Rerun black * Black on json files is a bad idea * Work on comments * Forgot the lint * More comment work * Correctly set defaults * More comments * Add codeowner * Fix black * More comments implemented * Removed the catch * Add helper.py from cert_expiry to .coveragerc 2019-08-28 17:35:09 +00:00

Reduce I/O from cert_expiry (#94399) 2023-06-10 17:53:09 +00:00			`@cache`
Enable strict typing for cert_expiry (#107860) 2024-01-12 11:32:17 +00:00			`def _get_default_ssl_context() -> ssl.SSLContext:`
Reduce I/O from cert_expiry (#94399) 2023-06-10 17:53:09 +00:00			`"""Return the default SSL context."""`
			`return ssl.create_default_context()`


Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`async def async_get_cert(`
			`hass: HomeAssistant,`
Add typings to Certificate Expiry integration (#75945) 2022-07-31 11:26:16 +00:00			`host: str,`
			`port: int,`
Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`) -> dict[str, Any]:`
Refactor Certificate Expiry Sensor (#32066) * Cert Expiry refactor * Unused parameter * Reduce delay * Deprecate 'name' config * Use config entry unique_id * Fix logic bugs found with tests * Rewrite tests to use config flow core interfaces, validate created sensors * Update strings * Minor consistency fix * Review fixes, complete test coverage * Move error handling to helper * Subclass exceptions * Better tests * Use first object reference * Fix docstring 2020-03-02 13:44:24 +00:00			`"""Get the certificate for the host and port combination."""`
Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`async with asyncio.timeout(TIMEOUT):`
			`transport, _ = await hass.loop.create_connection(`
			`asyncio.Protocol,`
			`host,`
			`port,`
			`ssl=_get_default_ssl_context(),`
			`happy_eyeballs_delay=0.25,`
			`server_hostname=host,`
			`)`
			`try:`
Enable strict typing for cert_expiry (#107860) 2024-01-12 11:32:17 +00:00			`return transport.get_extra_info("peercert") # type: ignore[no-any-return]`
Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`finally:`
			`transport.close()`
Refactor Certificate Expiry Sensor (#32066) * Cert Expiry refactor * Unused parameter * Reduce delay * Deprecate 'name' config * Use config entry unique_id * Fix logic bugs found with tests * Rewrite tests to use config flow core interfaces, validate created sensors * Update strings * Minor consistency fix * Review fixes, complete test coverage * Move error handling to helper * Subclass exceptions * Better tests * Use first object reference * Fix docstring 2020-03-02 13:44:24 +00:00

Add typings to Certificate Expiry integration (#75945) 2022-07-31 11:26:16 +00:00			`async def get_cert_expiry_timestamp(`
			`hass: HomeAssistant,`
			`hostname: str,`
			`port: int,`
Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`) -> datetime.datetime:`
Add expiration timestamp to cert_expiry sensors (#36399) * Add expiration timestamp to cert_expiry sensors * Clear timestamp if cert becomes invalid * Use timezone-aware timestamps * Use DataUpdateCoordinator, split timestamp to separate sensor * Use UTC, simpler add/remove handling * Review fixes * Fix incomplete mock that fails in 3.8 * Use static timestamps, improve helper method name 2020-06-18 16:29:46 +00:00			`"""Return the certificate's expiration timestamp."""`
Refactor Certificate Expiry Sensor (#32066) * Cert Expiry refactor * Unused parameter * Reduce delay * Deprecate 'name' config * Use config entry unique_id * Fix logic bugs found with tests * Rewrite tests to use config flow core interfaces, validate created sensors * Update strings * Minor consistency fix * Review fixes, complete test coverage * Move error handling to helper * Subclass exceptions * Better tests * Use first object reference * Fix docstring 2020-03-02 13:44:24 +00:00			`try:`
Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`cert = await async_get_cert(hass, hostname, port)`
Exception chaining and wrapping improvements (#39320) * Remove unnecessary exception re-wraps * Preserve exception chains on re-raise We slap "from cause" to almost all possible cases here. In some cases it could conceivably be better to do "from None" if we really want to hide the cause. However those should be in the minority, and "from cause" should be an improvement over the corresponding raise without a "from" in all cases anyway. The only case where we raise from None here is in plex, where the exception for an original invalid SSL cert is not the root cause for failure to validate a newly fetched one. Follow local convention on exception variable names if there is a consistent one, otherwise `err` to match with majority of codebase. * Fix mistaken re-wrap in homematicip_cloud/hap.py Missed the difference between HmipConnectionError and HmipcConnectionError. * Do not hide original error on plex new cert validation error Original is not the cause for the new one, but showing old in the traceback is useful nevertheless. 2020-08-28 11:50:32 +00:00			`except socket.gaierror as err:`
			`raise ResolveFailed(f"Cannot resolve hostname: {hostname}") from err`
Convert cert_expiry to use asyncio (#106919) 2024-01-05 18:03:53 +00:00			`except asyncio.TimeoutError as err:`
Exception chaining and wrapping improvements (#39320) * Remove unnecessary exception re-wraps * Preserve exception chains on re-raise We slap "from cause" to almost all possible cases here. In some cases it could conceivably be better to do "from None" if we really want to hide the cause. However those should be in the minority, and "from cause" should be an improvement over the corresponding raise without a "from" in all cases anyway. The only case where we raise from None here is in plex, where the exception for an original invalid SSL cert is not the root cause for failure to validate a newly fetched one. Follow local convention on exception variable names if there is a consistent one, otherwise `err` to match with majority of codebase. * Fix mistaken re-wrap in homematicip_cloud/hap.py Missed the difference between HmipConnectionError and HmipcConnectionError. * Do not hide original error on plex new cert validation error Original is not the cause for the new one, but showing old in the traceback is useful nevertheless. 2020-08-28 11:50:32 +00:00			`raise ConnectionTimeout(`
			`f"Connection timeout with server: {hostname}:{port}"`
			`) from err`
			`except ConnectionRefusedError as err:`
			`raise ConnectionRefused(`
			`f"Connection refused by server: {hostname}:{port}"`
			`) from err`
Refactor Certificate Expiry Sensor (#32066) * Cert Expiry refactor * Unused parameter * Reduce delay * Deprecate 'name' config * Use config entry unique_id * Fix logic bugs found with tests * Rewrite tests to use config flow core interfaces, validate created sensors * Update strings * Minor consistency fix * Review fixes, complete test coverage * Move error handling to helper * Subclass exceptions * Better tests * Use first object reference * Fix docstring 2020-03-02 13:44:24 +00:00			`except ssl.CertificateError as err:`
Exception chaining and wrapping improvements (#39320) * Remove unnecessary exception re-wraps * Preserve exception chains on re-raise We slap "from cause" to almost all possible cases here. In some cases it could conceivably be better to do "from None" if we really want to hide the cause. However those should be in the minority, and "from cause" should be an improvement over the corresponding raise without a "from" in all cases anyway. The only case where we raise from None here is in plex, where the exception for an original invalid SSL cert is not the root cause for failure to validate a newly fetched one. Follow local convention on exception variable names if there is a consistent one, otherwise `err` to match with majority of codebase. * Fix mistaken re-wrap in homematicip_cloud/hap.py Missed the difference between HmipConnectionError and HmipcConnectionError. * Do not hide original error on plex new cert validation error Original is not the cause for the new one, but showing old in the traceback is useful nevertheless. 2020-08-28 11:50:32 +00:00			`raise ValidationFailure(err.verify_message) from err`
Refactor Certificate Expiry Sensor (#32066) * Cert Expiry refactor * Unused parameter * Reduce delay * Deprecate 'name' config * Use config entry unique_id * Fix logic bugs found with tests * Rewrite tests to use config flow core interfaces, validate created sensors * Update strings * Minor consistency fix * Review fixes, complete test coverage * Move error handling to helper * Subclass exceptions * Better tests * Use first object reference * Fix docstring 2020-03-02 13:44:24 +00:00			`except ssl.SSLError as err:`
Exception chaining and wrapping improvements (#39320) * Remove unnecessary exception re-wraps * Preserve exception chains on re-raise We slap "from cause" to almost all possible cases here. In some cases it could conceivably be better to do "from None" if we really want to hide the cause. However those should be in the minority, and "from cause" should be an improvement over the corresponding raise without a "from" in all cases anyway. The only case where we raise from None here is in plex, where the exception for an original invalid SSL cert is not the root cause for failure to validate a newly fetched one. Follow local convention on exception variable names if there is a consistent one, otherwise `err` to match with majority of codebase. * Fix mistaken re-wrap in homematicip_cloud/hap.py Missed the difference between HmipConnectionError and HmipcConnectionError. * Do not hide original error on plex new cert validation error Original is not the cause for the new one, but showing old in the traceback is useful nevertheless. 2020-08-28 11:50:32 +00:00			`raise ValidationFailure(err.args[0]) from err`
Refactor Certificate Expiry Sensor (#32066) * Cert Expiry refactor * Unused parameter * Reduce delay * Deprecate 'name' config * Use config entry unique_id * Fix logic bugs found with tests * Rewrite tests to use config flow core interfaces, validate created sensors * Update strings * Minor consistency fix * Review fixes, complete test coverage * Move error handling to helper * Subclass exceptions * Better tests * Use first object reference * Fix docstring 2020-03-02 13:44:24 +00:00
			`ts_seconds = ssl.cert_time_to_seconds(cert["notAfter"])`
Import `util.dt` as `dt_util` in `components/[a-d]*` (#93756) 2023-05-29 21:02:06 +00:00			`return dt_util.utc_from_timestamp(ts_seconds)`