pkgs/development/python-modules/requests/ca-load-regression.patch at master · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / pkgs / development / python-modules / requests / ca-load-regression.patch
at master 5.1 kB view raw
  1From 2769cb607d4e696e2fe70802d4246ccc5abd64a8 Mon Sep 17 00:00:00 2001
  2From: Nate Prewitt <nate.prewitt@gmail.com>
  3Date: Wed, 29 May 2024 12:48:48 -0700
  4Subject: [PATCH 1/3] Consider cert settings when using default context
  5
  6---
  7 src/requests/adapters.py | 26 ++++++++++++++++++--------
  8 1 file changed, 18 insertions(+), 8 deletions(-)
  9
 10diff --git a/src/requests/adapters.py b/src/requests/adapters.py
 11index 9a58b16025..991b7e21c9 100644
 12--- a/src/requests/adapters.py
 13+++ b/src/requests/adapters.py
 14@@ -87,6 +87,23 @@ def SOCKSProxyManager(*args, **kwargs):
 15     _preloaded_ssl_context = None
 16 
 17 
 18+def _should_use_default_context(
 19+    verify: "bool | str | None",
 20+    client_cert: "typing.Tuple[str, str] | str | None",
 21+    poolmanager_kwargs: typing.Dict[str, typing.Any],
 22+) -> bool:
 23+    # Determine if we have and should use our default SSLContext
 24+    # to optimize performance on standard requests.
 25+    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
 26+    should_use_default_ssl_context = (
 27+        verify is True
 28+        and _preloaded_ssl_context is not None
 29+        and not has_poolmanager_ssl_context
 30+        and client_cert is None
 31+    )
 32+    return should_use_default_ssl_context
 33+
 34+
 35 def _urllib3_request_context(
 36     request: "PreparedRequest",
 37     verify: "bool | str | None",
 38@@ -98,19 +115,12 @@ def _urllib3_request_context(
 39     parsed_request_url = urlparse(request.url)
 40     scheme = parsed_request_url.scheme.lower()
 41     port = parsed_request_url.port
 42-
 43-    # Determine if we have and should use our default SSLContext
 44-    # to optimize performance on standard requests.
 45     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
 46-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
 47-    should_use_default_ssl_context = (
 48-        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
 49-    )
 50 
 51     cert_reqs = "CERT_REQUIRED"
 52     if verify is False:
 53         cert_reqs = "CERT_NONE"
 54-    elif verify is True and should_use_default_ssl_context:
 55+    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
 56         pool_kwargs["ssl_context"] = _preloaded_ssl_context
 57     elif isinstance(verify, str):
 58         if not os.path.isdir(verify):
 59
 60From e341df3efa0323072fab5d16307e2a20295675b9 Mon Sep 17 00:00:00 2001
 61From: Nate Prewitt <nate.prewitt@gmail.com>
 62Date: Fri, 31 May 2024 11:41:48 -0700
 63Subject: [PATCH 2/3] Set default ca_cert bundle if verify is True
 64
 65---
 66 src/requests/adapters.py | 14 +++++++++++---
 67 1 file changed, 11 insertions(+), 3 deletions(-)
 68
 69diff --git a/src/requests/adapters.py b/src/requests/adapters.py
 70index 991b7e21c9..ba5a0ec4f0 100644
 71--- a/src/requests/adapters.py
 72+++ b/src/requests/adapters.py
 73@@ -118,15 +118,23 @@ def _urllib3_request_context(
 74     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
 75 
 76     cert_reqs = "CERT_REQUIRED"
 77+    cert_loc = None
 78     if verify is False:
 79         cert_reqs = "CERT_NONE"
 80     elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
 81         pool_kwargs["ssl_context"] = _preloaded_ssl_context
 82+    elif verify is True:
 83+        # Set default ca cert location if none provided
 84+        cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
 85     elif isinstance(verify, str):
 86-        if not os.path.isdir(verify):
 87-            pool_kwargs["ca_certs"] = verify
 88+        cert_loc = verify
 89+
 90+    if cert_loc is not None:
 91+        if not os.path.isdir(cert_loc):
 92+            pool_kwargs["ca_certs"] = cert_loc
 93         else:
 94-            pool_kwargs["ca_cert_dir"] = verify
 95+            pool_kwargs["ca_cert_dir"] = cert_loc
 96+
 97     pool_kwargs["cert_reqs"] = cert_reqs
 98     if client_cert is not None:
 99         if isinstance(client_cert, tuple) and len(client_cert) == 2:
100
101From da96a92e2eb6dfe7c74704267bcb8f9fd6fb92b0 Mon Sep 17 00:00:00 2001
102From: Nate Prewitt <nate.prewitt@gmail.com>
103Date: Fri, 31 May 2024 12:20:11 -0700
104Subject: [PATCH 3/3] Correct comment to match actual behavior
105
106---
107 src/requests/adapters.py | 6 ++----
108 1 file changed, 2 insertions(+), 4 deletions(-)
109
110diff --git a/src/requests/adapters.py b/src/requests/adapters.py
111index ba5a0ec4f0..54143f9e6b 100644
112--- a/src/requests/adapters.py
113+++ b/src/requests/adapters.py
114@@ -334,10 +334,8 @@ def cert_verify(self, conn, url, verify, cert):
115         if url.lower().startswith("https") and verify:
116             conn.cert_reqs = "CERT_REQUIRED"
117 
118-            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
119-            # Otherwise, if verify is a boolean, we don't load anything since
120-            # the connection will be using a context with the default certificates already loaded,
121-            # and this avoids a call to the slow load_verify_locations()
122+            # Only load the CA certificates if `verify` is a
123+            # string indicating the CA bundle to use.
124             if verify is not True:
125                 # `verify` must be a str with a path then
126                 cert_loc = verify