From 4f913a5f1c118e27f99c239b0f640a7b8b429e6f Mon Sep 17 00:00:00 2001
From: Julien Moura
Date: Wed, 28 Feb 2024 16:27:21 +0100
Subject: [PATCH] feature: add an option to use native system certificates stores instead of bundled

---
 docs/usage/settings.md | 1 +
 qgis_deployment_toolbelt/utils/file_downloader.py | 6 ++++++
 qgis_deployment_toolbelt/utils/journalizer.py | 6 ++++++
 3 files changed, 13 insertions(+)

diff --git a/docs/usage/settings.md b/docs/usage/settings.md
index 01dac2d0..6a575582 100644
--- a/docs/usage/settings.md
+++ b/docs/usage/settings.md
@@ -24,6 +24,7 @@ Some others parameters can be set using environment variables.
 | `QDT_LOCAL_WORK_DIR` | Local folder where QDT download remote resources (profiles, plugins, etc.) | `~/.cache/qgis-deployment-toolbelt/default/` |
 | `QDT_LOGS_DIR` | Folder where QDT writes the log files, which are automatically rotated. | `~/.cache/qgis-deployment-toolbelt/logs/` |
 | `QDT_QGIS_EXE_PATH` | Path to the QGIS executable to use. Used in shortcuts. | `/usr/bin/qgis` on Linux and MacOS, `%PROGRAMFILES%/QGIS 3.28/bin/qgis-ltr-bin.exe` on Windows. |
+| `QDT_SSL_USE_SYSTEM_STORES` | By default, a bundle of SSL certificates is used, through [certifi](https://pypi.org/project/certifi/). If this environment variable is set to True, QDT tries to uses the system certificates store. Based on [truststore](https://truststore.readthedocs.io/). | `False` |
 ----
diff --git a/qgis_deployment_toolbelt/utils/file_downloader.py b/qgis_deployment_toolbelt/utils/file_downloader.py
index 89f6313d..5796d6c5 100644
--- a/qgis_deployment_toolbelt/utils/file_downloader.py
+++ b/qgis_deployment_toolbelt/utils/file_downloader.py
@@ -7,9 +7,11 @@
 # standard library
 import logging
+from os import getenv
 from pathlib import Path
 # 3rd party
+import truststore
 from requests import Session
 from requests.exceptions import ConnectionError, HTTPError
 from requests.utils import requote_uri
@@ -18,6 +20,7 @@ from qgis_deployment_toolbelt.__about__ import __title_clean__, __version__
 from qgis_deployment_toolbelt.utils.formatters import convert_octets
 from qgis_deployment_toolbelt.utils.proxies import get_proxy_settings
+from qgis_deployment_toolbelt.utils.str2bool import str2bool
 # ############################################################################
 # ########## GLOBALS #############
@@ -26,6 +29,9 @@
 # logs
 logger = logging.getLogger(__name__)
+if str2bool(getenv("QDT_SSL_USE_SYSTEM_STORES", False)):
+    truststore.inject_into_ssl()
+    logger.debug("Option to use native system certificates stores is enabled.")
 # ############################################################################
 # ########## FUNCTIONS ###########
diff --git a/qgis_deployment_toolbelt/utils/journalizer.py b/qgis_deployment_toolbelt/utils/journalizer.py
index 2970ecb2..365f4084 100644
--- a/qgis_deployment_toolbelt/utils/journalizer.py
+++ b/qgis_deployment_toolbelt/utils/journalizer.py
@@ -17,6 +17,7 @@
 # 3rd party
 import certifi
+import truststore
 from requests.utils import DEFAULT_CA_BUNDLE_PATH
 # Imports depending on operating system
@@ -29,6 +30,7 @@ from qgis_deployment_toolbelt.__about__ import __title__, __version__
 from qgis_deployment_toolbelt.constants import get_qdt_logs_folder
 from qgis_deployment_toolbelt.utils.proxies import get_proxy_settings
+from qgis_deployment_toolbelt.utils.str2bool import str2bool
 # ############################################################################
 # ########## GLOBALS #############
@@ -141,6 +143,10 @@ def headers():
         f"Certificate authority (CA) bundle to use: {getenv('REQUESTS_CA_BUNDLE', getenv('CURL_CA_BUNDLE'))}"
     )
+    if str2bool(getenv("QDT_SSL_USE_SYSTEM_STORES", False)):
+        truststore.inject_into_ssl()
+        logger.debug("Option to use native system certificates stores is enabled.")
+
 def get_logger_filepath() -> Path | None:
     """Retrieve log filepath within logger handlers.
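Review bot: `truststore.inject_into_ssl()` now runs as a side effect of importing `file_downloader`, replacing `ssl.SSLContext` for the whole process, and the identical env-var check and injection is repeated inside `journalizer.headers()` in the last hunk of this patch; a single helper in `utils` (say `enable_system_trust_store()`), called once from the entry point, would keep the switch of trust anchors auditable from one place and avoid drift between the two copies. The unconditional `import truststore` added in the first hunk makes the package a hard requirement even when `QDT_SSL_USE_SYSTEM_STORES` is unset, and no dependency-declaration file appears in the diffstat — presumably it is declared elsewhere, but if not, a missing `truststore` breaks every import of this module rather than only the opt-in path; importing it inside the `if` block, with an explicit error when the option is on and the module is absent, would confine the failure to the feature that needs it. Because switching from the certifi bundle to the OS store changes which CAs the tool accepts, consider `logger.info("Option to use native system certificates stores is enabled.")` so the change is visible at the default log level.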
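Review bot: The new block in `headers()` injects the system trust store right after the preceding lines have logged the `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` path as the bundle to use, so with `QDT_SSL_USE_SYSTEM_STORES` set the log header names a trust source that is presumably no longer the one in effect; either log the truststore decision before the bundle line or amend that message to say the bundle is overridden, so the header stays reliable when a TLS failure is investigated. Since the injection works by replacing `ssl.SSLContext`, contexts created before this point would presumably keep the bundled CAs, which is worth a comment such as `# process-global: only SSLContext objects created after this call use the OS store`. `headers()` starts outside the hunk.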