Honor REQUESTS_CA_BUNDLE env var

CHANGELOG.rst

@@ -2,6 +2,14 @@
 CHANGELOG
 =========
 
+Next Release (TBD)
+==================
+
+* Add support for the ``AWS_CA_BUNDLE`` environment variable so that users
+  can specify an alternate path to a cert bundle
+  (`issue 586 <https://github.com/aws/aws-cli/pull/586>`__)
+
+
 1.2.10
 ======
 

awscli/clidriver.py

@@ -11,6 +11,7 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 import sys
+import os
 import logging
 
 import botocore.session
@@ -515,10 +516,11 @@ def invoke(self, operation_object, parameters, parsed_globals):
         # for credentials so we can give a good error message.
         if not self._session.get_credentials():
             raise NoCredentialsError()
+        verify = self._resolve_verify_var(parsed_globals.no_verify_ssl)
         endpoint = operation_object.service.get_endpoint(
             region_name=parsed_globals.region,
-            endpoint_url=parsed_globals.endpoint_url)
-        endpoint.verify = not parsed_globals.no_verify_ssl
+            endpoint_url=parsed_globals.endpoint_url,
+            verify=verify)
         if operation_object.can_paginate and parsed_globals.paginate:
             pages = operation_object.paginate(endpoint, **parameters)
             self._display_response(operation_object, pages,
@@ -530,6 +532,14 @@ def invoke(self, operation_object, parameters, parsed_globals):
                                    parsed_globals)
         return 0
 
+    def _resolve_verify_var(self, no_verify_ssl):
+        verify = None
+        if no_verify_ssl:
+            verify = False
+        else:
+            verify = os.environ.get('AWS_CA_BUNDLE')
+        return verify
+
     def _display_response(self, operation, response, args):
         output = args.output
         if output is None:

tests/unit/test_clidriver.py

@@ -10,6 +10,7 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
+import os
 from tests import unittest
 from tests.unit import BaseAWSCommandParamsTest
 import logging
@@ -316,6 +317,7 @@ def test_aws_with_endpoint_url(self):
                 'ec2 describe-instances --endpoint-url https://foobar.com/',
                 expected_rc=0)
         endpoint.assert_called_with(region_name=None,
+                                    verify=None,
                                     endpoint_url='https://foobar.com/')
 
     def test_aws_with_region(self):
@@ -328,8 +330,53 @@ def test_aws_with_region(self):
                 'ec2 describe-instances --region us-east-1',
                 expected_rc=0)
         endpoint.assert_called_with(region_name='us-east-1',
+                                    verify=None,
                                     endpoint_url=None)
 
+    def test_aws_with_verify_false(self):
+        with mock.patch('botocore.service.Service.get_endpoint') as endpoint:
+            http_response = models.Response()
+            http_response.status_code = 200
+            endpoint.return_value.make_request.return_value = (
+                http_response, {})
+            self.assert_params_for_cmd(
+                'ec2 describe-instances --region us-east-1 --no-verify-ssl',
+                expected_rc=0)
+        # Because we used --no-verify-ssl, get_endpoint should be
+        # called with verify=False
+        endpoint.assert_called_with(region_name='us-east-1',
+                                    verify=False,
+                                    endpoint_url=None)
+
+    def test_aws_with_cacert_env_var(self):
+        with mock.patch('botocore.endpoint.QueryEndpoint.__init__') as endpoint:
+            environ = {}
+            http_response = models.Response()
+            http_response.status_code = 200
+            endpoint.return_value = None
+            endpoint.make_request.return_value = (
+                http_response, {})
+            self.environ['AWS_CA_BUNDLE'] = '/path/cacert.pem'
+            self.assert_params_for_cmd(
+                'ec2 describe-instances --region us-east-1',
+                expected_rc=0)
+        call_args = endpoint.call_args
+        self.assertEqual(call_args[1]['verify'], '/path/cacert.pem')
+
+    def test_default_to_verifying_ssl(self):
+        with mock.patch('botocore.endpoint.QueryEndpoint.__init__') as endpoint:
+            environ = {}
+            http_response = models.Response()
+            http_response.status_code = 200
+            endpoint.return_value = None
+            endpoint.make_request.return_value = (
+                http_response, {})
+            self.assert_params_for_cmd(
+                'ec2 describe-instances --region us-east-1',
+                expected_rc=0)
+        call_args = endpoint.call_args
+        self.assertEqual(call_args[1]['verify'], True)
+
     def test_s3_with_region_and_endpoint_url(self):
         with mock.patch('botocore.service.Service.get_endpoint') as endpoint:
             http_response = models.Response()