pkgs/development/python-modules/requests/ca-load-regression.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

From 2769cb607d4e696e2fe70802d4246ccc5abd64a8 Mon Sep 17 00:00:00 2001
From: Nate Prewitt <nate.prewitt@gmail.com>
Date: Wed, 29 May 2024 12:48:48 -0700
Subject: [PATCH 1/3] Consider cert settings when using default context

---
 src/requests/adapters.py | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/src/requests/adapters.py b/src/requests/adapters.py
index 9a58b16025..991b7e21c9 100644
--- a/src/requests/adapters.py
+++ b/src/requests/adapters.py
@@ -87,6 +87,23 @@ def SOCKSProxyManager(*args, **kwargs):
     _preloaded_ssl_context = None
 
 
+def _should_use_default_context(
+    verify: "bool | str | None",
+    client_cert: "typing.Tuple[str, str] | str | None",
+    poolmanager_kwargs: typing.Dict[str, typing.Any],
+) -> bool:
+    # Determine if we have and should use our default SSLContext
+    # to optimize performance on standard requests.
+    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+    should_use_default_ssl_context = (
+        verify is True
+        and _preloaded_ssl_context is not None
+        and not has_poolmanager_ssl_context
+        and client_cert is None
+    )
+    return should_use_default_ssl_context
+
+
 def _urllib3_request_context(
     request: "PreparedRequest",
     verify: "bool | str | None",
@@ -98,19 +115,12 @@ def _urllib3_request_context(
     parsed_request_url = urlparse(request.url)
     scheme = parsed_request_url.scheme.lower()
     port = parsed_request_url.port
-
-    # Determine if we have and should use our default SSLContext
-    # to optimize performance on standard requests.
     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
-    should_use_default_ssl_context = (
-        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
-    )
 
     cert_reqs = "CERT_REQUIRED"
     if verify is False:
         cert_reqs = "CERT_NONE"
-    elif verify is True and should_use_default_ssl_context:
+    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
         pool_kwargs["ssl_context"] = _preloaded_ssl_context
     elif isinstance(verify, str):
         if not os.path.isdir(verify):

From e341df3efa0323072fab5d16307e2a20295675b9 Mon Sep 17 00:00:00 2001
From: Nate Prewitt <nate.prewitt@gmail.com>
Date: Fri, 31 May 2024 11:41:48 -0700
Subject: [PATCH 2/3] Set default ca_cert bundle if verify is True

---
 src/requests/adapters.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/requests/adapters.py b/src/requests/adapters.py
index 991b7e21c9..ba5a0ec4f0 100644
--- a/src/requests/adapters.py
+++ b/src/requests/adapters.py
@@ -118,15 +118,23 @@ def _urllib3_request_context(
     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
 
     cert_reqs = "CERT_REQUIRED"
+    cert_loc = None
     if verify is False:
         cert_reqs = "CERT_NONE"
     elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
         pool_kwargs["ssl_context"] = _preloaded_ssl_context
+    elif verify is True:
+        # Set default ca cert location if none provided
+        cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
     elif isinstance(verify, str):
-        if not os.path.isdir(verify):
-            pool_kwargs["ca_certs"] = verify
+        cert_loc = verify
+
+    if cert_loc is not None:
+        if not os.path.isdir(cert_loc):
+            pool_kwargs["ca_certs"] = cert_loc
         else:
-            pool_kwargs["ca_cert_dir"] = verify
+            pool_kwargs["ca_cert_dir"] = cert_loc
+
     pool_kwargs["cert_reqs"] = cert_reqs
     if client_cert is not None:
         if isinstance(client_cert, tuple) and len(client_cert) == 2:

From da96a92e2eb6dfe7c74704267bcb8f9fd6fb92b0 Mon Sep 17 00:00:00 2001
From: Nate Prewitt <nate.prewitt@gmail.com>
Date: Fri, 31 May 2024 12:20:11 -0700
Subject: [PATCH 3/3] Correct comment to match actual behavior

---
 src/requests/adapters.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/requests/adapters.py b/src/requests/adapters.py
index ba5a0ec4f0..54143f9e6b 100644
--- a/src/requests/adapters.py
+++ b/src/requests/adapters.py
@@ -334,10 +334,8 @@ def cert_verify(self, conn, url, verify, cert):
         if url.lower().startswith("https") and verify:
             conn.cert_reqs = "CERT_REQUIRED"
 
-            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
-            # Otherwise, if verify is a boolean, we don't load anything since
-            # the connection will be using a context with the default certificates already loaded,
-            # and this avoids a call to the slow load_verify_locations()
+            # Only load the CA certificates if `verify` is a
+            # string indicating the CA bundle to use.
             if verify is not True:
                 # `verify` must be a str with a path then
                 cert_loc = verify