justin/new-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
new-site/scripts/workers/services/telecom/undetected_browser.py
justin 17318f6e7d feat(healthcare): route NPPES/PECOS Playwright flows through residential SOCKS proxy 
CMS healthcare portals (NPPES, PECOS, I&A) block datacenter IPs, so the
healthcare browser automation needs to egress via the residential proxy on
hg409y7ez04.sn.mynetname.net (username 'performancewest').

- undetected_browser: use_proxy now accepts an env-var name, so callers can
  select a domain-specific proxy. _proxy_config(proxy_env) reads it and falls
  back to UNDETECTED_PROXY_URL. Healthcare uses 'HEALTHCARE_PROXY_URL'.
- probe_npi_undetected: launches with use_proxy='HEALTHCARE_PROXY_URL' when set.
- npi_provider: documents that the (future) automated NPPES/PECOS flows must
  use the healthcare proxy.
- Plumb HEALTHCARE_PROXY_URL (+ UNDETECTED_PROXY_URL fallback) through the
  ansible env template and docker-compose workers env.

The credential itself is NOT in the repo. Set the full URL in the ansible
vault as vault_healthcare_proxy_url:
  socks5://performancewest:<password>@hg409y7ez04.sn.mynetname.net:<port>
Verified parsing + Playwright proxy-dict wiring with a unit test.
2026-06-05 14:36:01 -05:00

252 lines
9.1 KiB
Python
Raw Blame History

"""Undetected Playwright launcher for FCC / USAC / BDC portals.
All automated filing handlers (RMD, CPNI, Form 499-A, BDC) go through this
helper instead of importing ``playwright`` directly. We prefer ``patchright``
(a drop-in Playwright replacement that patches ``navigator.webdriver``, CDP
leakage, runtime-enable fingerprints, and the ``--disable-blink-features=
AutomationControlled`` artifact) and fall back to vanilla Playwright with
the same stealth init scripts we use in ``scripts/formation/base.py`` if
patchright is not installed.
State formation portals that sit behind Incapsula/Akamai (Nevada, Delaware,
etc.) should also use this helper — see ``docs/state-automation-status.md``
for the list.
Optional residential proxy support: set ``UNDETECTED_PROXY_URL`` in the
environment (e.g. ``socks5://user:pass@proxy.example.com:1080``) and pass
``use_proxy=True`` when launching. Healthcare NPPES/PECOS flows use a
dedicated ``HEALTHCARE_PROXY_URL`` (residential SOCKS proxy, username
``performancewest``) via ``use_proxy="HEALTHCARE_PROXY_URL"``; it falls back
to ``UNDETECTED_PROXY_URL`` if the healthcare-specific var is unset.
"""
from __future__ import annotations
import logging
import os
import random
from contextlib import asynccontextmanager
from typing import TYPE_CHECKING, AsyncIterator
if TYPE_CHECKING:
from playwright.async_api import Browser, BrowserContext, Page, Playwright
logger = logging.getLogger(__name__)
# Prefer patchright; fall back to playwright with manual stealth patches.
_USING_PATCHRIGHT = False
try:
from patchright.async_api import async_playwright # type: ignore
_USING_PATCHRIGHT = True
logger.info("undetected_browser: using patchright")
except ImportError:
from playwright.async_api import async_playwright # type: ignore
logger.warning(
"undetected_browser: patchright not installed — falling back to "
"vanilla playwright with home-grown stealth patches. Install with "
"`pip install patchright` and run `patchright install chromium` "
"for best results against bot-detection-heavy portals."
)
# Common modern Chrome UAs. We rotate between a handful so that a burst of
# concurrent submissions doesn't all look like the same client.
_USER_AGENTS = [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
"(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
"(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
"(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36",
]
# Common viewports; mildly jittered per-launch to vary fingerprint.
_VIEWPORTS = [
{"width": 1280, "height": 900},
{"width": 1440, "height": 900},
{"width": 1536, "height": 864},
{"width": 1920, "height": 1080},
]
# Init script run on every page — only used on the vanilla-playwright path;
# patchright handles all of these patches (and many more) internally.
_STEALTH_INIT_SCRIPT = """
Object.defineProperty(navigator, 'webdriver', { get: () => undefined });
Object.defineProperty(navigator, 'plugins', {
get: () => [1, 2, 3, 4, 5].map(() => ({ name: 'Chrome PDF Plugin' })),
});
Object.defineProperty(navigator, 'languages', { get: () => ['en-US', 'en'] });
window.chrome = { runtime: {} };
const originalQuery = window.navigator.permissions && window.navigator.permissions.query;
if (originalQuery) {
window.navigator.permissions.query = (parameters) =>
parameters.name === 'notifications'
? Promise.resolve({ state: Notification.permission })
: originalQuery(parameters);
}
"""
def _proxy_config(proxy_env: str = "UNDETECTED_PROXY_URL") -> dict | None:
"""Read a proxy URL env var and turn it into a Playwright proxy dict.
``proxy_env`` names the environment variable to read (default
``UNDETECTED_PROXY_URL``). Callers that need a dedicated upstream — e.g.
the healthcare NPPES/PECOS flows, which route through the residential
SOCKS proxy — pass ``use_proxy="HEALTHCARE_PROXY_URL"`` so the credential
is configured in exactly one place (the env / ansible vault).
The URL may be ``http://`` or ``socks5://`` and may embed credentials:
``socks5://user:pass@host:port``.
"""
url = os.environ.get(proxy_env, "").strip()
# Allow a single shared residential proxy to back several domain-specific
# env names: if the requested var is unset, fall back to the generic one.
if not url and proxy_env != "UNDETECTED_PROXY_URL":
url = os.environ.get("UNDETECTED_PROXY_URL", "").strip()
if not url:
return None
# Playwright's proxy dict supports: server, username, password, bypass
from urllib.parse import urlparse
parsed = urlparse(url)
server = f"{parsed.scheme}://{parsed.hostname}"
if parsed.port:
server += f":{parsed.port}"
cfg: dict = {"server": server}
if parsed.username:
cfg["username"] = parsed.username
if parsed.password:
cfg["password"] = parsed.password
return cfg
async def launch_context(
playwright: "Playwright",
*,
headless: bool = True,
use_proxy: "bool | str" = False,
timezone_id: str = "America/New_York",
locale: str = "en-US",
storage_state: str | None = None,
) -> "tuple[Browser, BrowserContext]":
"""Launch a Chromium browser + context with stealth settings.
``use_proxy`` may be ``True`` (read ``UNDETECTED_PROXY_URL``) or the name
of a specific env var, e.g. ``"HEALTHCARE_PROXY_URL"`` for the residential
proxy used by the NPPES/PECOS healthcare flows.
Returns ``(browser, context)`` — caller is responsible for closing both
(prefer the :func:`undetected_browser` context manager instead).
"""
launch_args = [
"--no-sandbox",
"--disable-setuid-sandbox",
"--disable-dev-shm-usage",
]
# On the vanilla-playwright path we add the extra flag that hides the
# AutomationControlled fingerprint. Patchright already does this (and
# adding the flag with patchright is harmless but redundant).
if not _USING_PATCHRIGHT:
launch_args.append("--disable-blink-features=AutomationControlled")
browser = await playwright.chromium.launch(
headless=headless,
args=launch_args,
)
context_kwargs: dict = {
"viewport": random.choice(_VIEWPORTS),
"user_agent": random.choice(_USER_AGENTS),
"locale": locale,
"timezone_id": timezone_id,
"java_script_enabled": True,
}
if use_proxy:
proxy_env = use_proxy if isinstance(use_proxy, str) else "UNDETECTED_PROXY_URL"
proxy = _proxy_config(proxy_env)
if proxy:
context_kwargs["proxy"] = proxy
logger.info(
"undetected_browser: routing through proxy %s (from %s)",
proxy.get("server"),
proxy_env,
)
else:
logger.warning(
"undetected_browser: use_proxy set but %s is unset", proxy_env
)
if storage_state:
context_kwargs["storage_state"] = storage_state
context = await browser.new_context(**context_kwargs)
if not _USING_PATCHRIGHT:
await context.add_init_script(_STEALTH_INIT_SCRIPT)
return browser, context
@asynccontextmanager
async def undetected_browser(
*,
headless: bool = True,
use_proxy: "bool | str" = False,
timezone_id: str = "America/New_York",
locale: str = "en-US",
storage_state: str | None = None,
) -> AsyncIterator["tuple[BrowserContext, Page]"]:
"""Async context manager yielding a (context, page) pair.
``use_proxy`` may be ``True`` (read ``UNDETECTED_PROXY_URL``) or the name
of a specific env var, e.g. ``"HEALTHCARE_PROXY_URL"`` for the residential
proxy the NPPES/PECOS flows route through.
Example::
async with undetected_browser(headless=False) as (ctx, page):
await page.goto("https://apps.fcc.gov/rmd/")
...
"""
async with async_playwright() as pw:
browser, context = await launch_context(
pw,
headless=headless,
use_proxy=use_proxy,
timezone_id=timezone_id,
locale=locale,
storage_state=storage_state,
)
try:
page = await context.new_page()
yield context, page
finally:
await context.close()
await browser.close()
# ─── Human-like interaction helpers (lifted from scripts/formation/base.py) ──
async def human_delay(min_s: float = 1.0, max_s: float = 3.0) -> None:
"""Random delay to appear human. Mirrors the formation base helper."""
import asyncio
await asyncio.sleep(random.uniform(min_s, max_s))
async def type_slowly(page: "Page", selector: str, text: str, delay_ms: int = 50) -> None:
"""Type text character-by-character with jitter."""
await page.click(selector)
for char in text:
await page.type(selector, char, delay=delay_ms + random.randint(0, 30))
def is_using_patchright() -> bool:
"""Return True if patchright is the active backend."""
return _USING_PATCHRIGHT
Reference in a new issue View git blame Copy permalink