-
Notifications
You must be signed in to change notification settings - Fork 2.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Support OS truststore for the TLS certificate verification
This commit add support for loading the OS truststore root certificates in addition to the "legacy" certifi bundle. It will come in handy for every user behind a company proxy or just using a private PyPI warehouse. Close #9249
- Loading branch information
Showing
6 changed files
with
173 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
from __future__ import annotations | ||
|
||
import typing | ||
|
||
from cachecontrol import CacheControlAdapter | ||
from requests.adapters import HTTPAdapter | ||
from wassima import RUSTLS_LOADED | ||
from wassima import generate_ca_bundle | ||
|
||
|
||
if typing.TYPE_CHECKING: | ||
from urllib3 import HTTPConnectionPool | ||
|
||
|
||
DEFAULT_CA_BUNDLE: str = generate_ca_bundle() | ||
|
||
|
||
class WithTrustStoreAdapter(HTTPAdapter): | ||
""" | ||
Inject the OS truststore in Requests. | ||
Certifi is still loaded in addition to the OS truststore for (strict) backward compatibility purposes. | ||
See https://github.com/jawah/wassima for more details. | ||
""" | ||
|
||
def cert_verify( | ||
self, | ||
conn: HTTPConnectionPool, | ||
url: str, | ||
verify: bool | str, | ||
cert: str | tuple[str, str], | ||
) -> None: | ||
#: only apply truststore cert if "verify" is set with default value "True". | ||
#: RUSTLS_LOADED means that "wassima" is not the py3 none wheel and does not fallback on "certifi" | ||
#: if "RUSTLS_LOADED" is False then "wassima" just return "certifi" bundle instead. | ||
if ( | ||
RUSTLS_LOADED | ||
and url.lower().startswith("https") | ||
and verify is True | ||
and hasattr(conn, "ca_cert_data") | ||
): | ||
# url starting with https already mean that conn is a HTTPSConnectionPool | ||
# the hasattr is to make mypy happy. | ||
conn.ca_cert_data = DEFAULT_CA_BUNDLE | ||
|
||
# still apply upstream logic as before | ||
super().cert_verify(conn, url, verify, cert) # type: ignore[no-untyped-call] | ||
|
||
|
||
class CacheControlWithTrustStoreAdapter(CacheControlAdapter): | ||
""" | ||
Same as WithTrustStoreAdapter but with CacheControlAdapter as its parent | ||
class. | ||
""" | ||
|
||
def cert_verify( | ||
self, | ||
conn: HTTPConnectionPool, | ||
url: str, | ||
verify: bool | str, | ||
cert: str | tuple[str, str], | ||
) -> None: | ||
if ( | ||
RUSTLS_LOADED | ||
and url.lower().startswith("https") | ||
and verify is True | ||
and hasattr(conn, "ca_cert_data") | ||
): | ||
conn.ca_cert_data = DEFAULT_CA_BUNDLE | ||
|
||
super().cert_verify(conn, url, verify, cert) # type: ignore[no-untyped-call] |