make verify_ssl=False turn off certificate verification too (#129)

eli-darkly · web-flow · commit ad248d653f57 · 2020-03-19T16:34:32.000-07:00
diff --git a/ldclient/util.py b/ldclient/util.py
@@ -98,24 +98,21 @@ def status(self):
 def create_http_pool_manager(num_pools=1, verify_ssl=False, target_base_uri=None, force_proxy=None):
     proxy_url = force_proxy or _get_proxy_url(target_base_uri)
 
-    if not verify_ssl:
-        if proxy_url is None:
-            return urllib3.PoolManager(num_pools=num_pools)
-        else:
-            return urllib3.ProxyManager(proxy_url, num_pools=num_pools)
-    
+    cert_reqs = 'CERT_REQUIRED' if verify_ssl else 'CERT_NONE'
+    ca_certs = certifi.where() if verify_ssl else None
+
     if proxy_url is None:
         return urllib3.PoolManager(
             num_pools=num_pools,
-            cert_reqs='CERT_REQUIRED',
-            ca_certs=certifi.where()
+            cert_reqs=cert_reqs,
+            ca_certs=ca_certs
             )
     else:
         return urllib3.ProxyManager(
             proxy_url,
             num_pools=num_pools,
-            cert_reqs='CERT_REQUIRED',
-            ca_certs=certifi.where()
+            cert_reqs=cert_reqs,
+            ca_certs = ca_certs
         )
 
 def _get_proxy_url(target_base_uri):
diff --git a/testing/http_util.py b/testing/http_util.py
@@ -2,6 +2,7 @@
 from six import iteritems
 from six.moves import BaseHTTPServer, queue
 import socket
+import ssl
 from threading import Thread
 
 def get_available_port():
@@ -12,16 +13,28 @@ def get_available_port():
     return port
 
 def start_server():
-    sw = MockServerWrapper(get_available_port())
+    sw = MockServerWrapper(get_available_port(), False)
+    sw.start()
+    return sw
+
+def start_secure_server():
+    sw = MockServerWrapper(get_available_port(), True)
     sw.start()
     return sw
 
 class MockServerWrapper(Thread):
-    def __init__(self, port):
+    def __init__(self, port, secure):
         Thread.__init__(self)
         self.port = port
-        self.uri = 'http://localhost:%d' % port
+        self.uri = '%s://localhost:%d' % ('https' if secure else 'http', port)
         self.server = BaseHTTPServer.HTTPServer(('localhost', port), MockServerRequestHandler)
+        if secure:
+            self.server.socket = ssl.wrap_socket(   
+                self.server.socket,
+                certfile='./testing/selfsigned.pem', # this is a pre-generated self-signed cert that is valid for 100 years
+                keyfile='./testing/selfsigned.key',
+                server_side=True
+            )
         self.server.server_wrapper = self
         self.matchers = {}
         self.requests = queue.Queue()
diff --git a/testing/selfsigned.key b/testing/selfsigned.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIWkym77UXCR7NludcOuJyUc+KwjcWhNstarQewjH/4ZoAoGCCqGSM49
+AwEHoUQDQgAELb4Nb3GZRIOgsiFCRPxEFXYYb9JIR/ViYM76/EKNII7nl5cLQaNG
+5BGo7ZVF47nePRerqzluEXHRTMt3oul2yw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/selfsigned.pem b/testing/selfsigned.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZzCCAQ6gAwIBAgIRAJL5RmnJTnoxpf27KVMMnecwCgYIKoZIzj0EAwIwDzEN
+MAsGA1UEChMEVGVzdDAgFw0yMDAzMTgyMTEyNDVaGA8yMTIwMDIyMzIxMTI0NVow
+DzENMAsGA1UEChMEVGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC2+DW9x
+mUSDoLIhQkT8RBV2GG/SSEf1YmDO+vxCjSCO55eXC0GjRuQRqO2VReO53j0Xq6s5
+bhFx0UzLd6LpdsujSTBHMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E
+AwIDRwAwRAIgXUpCMZGxpjXrWS9Z6K0fHzOAnMmjp78n8ZPMdRKb2eYCIBEmP6MK
+O3TJdhTVnB5O3CnC9X/lCGViUR+njcH+sU3z
+-----END CERTIFICATE-----
diff --git a/testing/test_ldclient_tls.py b/testing/test_ldclient_tls.py
@@ -0,0 +1,35 @@
+from ldclient.client import LDClient, Config
+from testing.http_util import start_secure_server
+import pytest
+import sys
+
+# These tests are skipped in Python 3.3 because the embedded HTTPS server does not work correctly, causing a
+# TLS handshake failure on the client side. It's unclear whether this is a problem with the self-signed
+# certificate we are using or with some other server settings, but it does not appear to be a client-side
+# problem.
+
+@pytest.mark.skipif(sys.version_info.major == 3 and sys.version_info.minor == 3, reason = "test is skipped in Python 3.3")
+def test_cannot_connect_with_selfsigned_cert_if_ssl_verify_is_true():
+    with start_secure_server() as server:
+        server.setup_json_response('/sdk/latest-all', { 'flags': {}, 'segments': {} })
+        config = Config(
+            sdk_key = 'sdk_key',
+            base_uri = server.uri,
+            stream = False
+        )
+        with LDClient(config = config, start_wait = 1.5) as client:
+            assert not client.is_initialized()
+
+@pytest.mark.skipif(sys.version_info.major == 3 and sys.version_info.minor == 3, reason = "test is skipped in Python 3.3")
+def test_can_connect_with_selfsigned_cert_if_ssl_verify_is_false():
+    with start_secure_server() as server:
+        server.setup_json_response('/sdk/latest-all', { 'flags': {}, 'segments': {} })
+        config = Config(
+            sdk_key = 'sdk_key',
+            base_uri = server.uri,
+            stream = False,
+            send_events = False,
+            verify_ssl = False
+        )
+        with LDClient(config = config) as client:
+            assert client.is_initialized()
