make verify_ssl=False turn off certificate verification too (#129)
eli-darkly authored Mar 19, 2020
1 parent 02f5626 commit ad248d6
Showing 5 changed files with 73 additions and 13 deletions.
17 changes: 7 additions & 10 deletions ldclient/util.py
Expand Up @@ -98,24 +98,21 @@ def status(self):
def create_http_pool_manager(num_pools=1, verify_ssl=False, target_base_uri=None, force_proxy=None):
proxy_url = force_proxy or _get_proxy_url(target_base_uri)

if not verify_ssl:
if proxy_url is None:
return urllib3.PoolManager(num_pools=num_pools)
else:
return urllib3.ProxyManager(proxy_url, num_pools=num_pools)

cert_reqs = 'CERT_REQUIRED' if verify_ssl else 'CERT_NONE'
ca_certs = certifi.where() if verify_ssl else None

if proxy_url is None:
return urllib3.PoolManager(
num_pools=num_pools,
cert_reqs='CERT_REQUIRED',
ca_certs=certifi.where()
cert_reqs=cert_reqs,
ca_certs=ca_certs
)
else:
return urllib3.ProxyManager(
proxy_url,
num_pools=num_pools,
cert_reqs='CERT_REQUIRED',
ca_certs=certifi.where()
cert_reqs=cert_reqs,
ca_certs = ca_certs
)

def _get_proxy_url(target_base_uri):
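Review bot: The helper still defaults to `verify_ssl=False` in its signature, and after this change that default no longer means "leave it to urllib3" but an explicit `CERT_NONE` with `ca_certs=None`, i.e. no chain or hostname verification at all for any caller that omits the argument. Whether `Config` always passes the flag is not visible in this hunk; the fail-safe fix is to flip the helper's default, `def create_http_pool_manager(num_pools=1, verify_ssl=True, target_base_uri=None, force_proxy=None):`, so that only an explicit `False` opens the connection to impersonation. The parameter also deserves a comment such as `# verify_ssl=False disables certificate and hostname verification (CERT_NONE), leaving the SDK open to MITM; intended for local test servers only.` Minor: `ca_certs = ca_certs` on the ProxyManager call has spaces around `=`, unlike the matching PoolManager call above it.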
19 changes: 16 additions & 3 deletions testing/http_util.py
Expand Up @@ -2,6 +2,7 @@
from six import iteritems
from six.moves import BaseHTTPServer, queue
import socket
import ssl
from threading import Thread

def get_available_port():
Expand All @@ -12,16 +13,28 @@ def get_available_port():
return port

def start_server():
sw = MockServerWrapper(get_available_port())
sw = MockServerWrapper(get_available_port(), False)
sw.start()
return sw

def start_secure_server():
sw = MockServerWrapper(get_available_port(), True)
sw.start()
return sw

class MockServerWrapper(Thread):
def __init__(self, port):
def __init__(self, port, secure):
Thread.__init__(self)
self.port = port
self.uri = 'http://localhost:%d' % port
self.uri = '%s://localhost:%d' % ('https' if secure else 'http', port)
self.server = BaseHTTPServer.HTTPServer(('localhost', port), MockServerRequestHandler)
if secure:
self.server.socket = ssl.wrap_socket(
self.server.socket,
certfile='./testing/selfsigned.pem', # this is a pre-generated self-signed cert that is valid for 100 years
keyfile='./testing/selfsigned.key',
server_side=True
)
self.server.server_wrapper = self
self.matchers = {}
self.requests = queue.Queue()
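Review bot: The certificate paths `'./testing/selfsigned.pem'` and `'./testing/selfsigned.key'` are relative to the process working directory, so the secure server only starts when pytest is launched from the repository root; from any other directory `wrap_socket` raises and every TLS test errors out. Resolve them against the module instead: `cert_dir = os.path.dirname(os.path.abspath(__file__))`, then `certfile=os.path.join(cert_dir, 'selfsigned.pem')` and `keyfile=os.path.join(cert_dir, 'selfsigned.key')` (adding `import os` if the import block above this hunk does not already have it). `ssl.wrap_socket` is also deprecated in favour of an `ssl.SSLContext` with `load_cert_chain`, which would additionally let the server pin a TLS version and might explain the Python 3.3 handshake failure the new test file mentions — worth trying before leaving that skip in place. `MockServerWrapper.__init__` continues past the end of this hunk.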
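--- /dev/null
+++ b/testing/selfsigned.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIWkym77UXCR7NludcOuJyUc+KwjcWhNstarQewjH/4ZoAoGCCqGSM49
+AwEHoUQDQgAELb4Nb3GZRIOgsiFCRPxEFXYYb9JIR/ViYM76/EKNII7nl5cLQaNG
+5BGo7ZVF47nePRerqzluEXHRTMt3oul2yw==
+-----END EC PRIVATE KEY-----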
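Review bot: Committing `selfsigned.key` puts a private key into the repository history; that is acceptable for a throwaway test fixture, but it will trip secret scanners (push protection, gitleaks and similar) and invites copy-paste reuse. A short note stating that the pair is test-only, self-signed and must never be trusted or reused outside `testing/http_util.py`, plus an allowlist entry for whatever scanner the project runs, keeps the next triage short. The key file cannot carry a comment itself, so the note belongs next to the `certfile=`/`keyfile=` lines in `testing/http_util.py` or in a `testing/README`.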
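--- /dev/null
+++ b/testing/selfsigned.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZzCCAQ6gAwIBAgIRAJL5RmnJTnoxpf27KVMMnecwCgYIKoZIzj0EAwIwDzEN
+MAsGA1UEChMEVGVzdDAgFw0yMDAzMTgyMTEyNDVaGA8yMTIwMDIyMzIxMTI0NVow
+DzENMAsGA1UEChMEVGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC2+DW9x
+mUSDoLIhQkT8RBV2GG/SSEf1YmDO+vxCjSCO55eXC0GjRuQRqO2VReO53j0Xq6s5
+bhFx0UzLd6LpdsujSTBHMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEF
+BQcDATAPBgNVHRMBAf8EBTADAQH/MA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E
+AwIDRwAwRAIgXUpCMZGxpjXrWS9Z6K0fHzOAnMmjp78n8ZPMdRKb2eYCIBEmP6MK
+O3TJdhTVnB5O3CnC9X/lCGViUR+njcH+sU3z
+-----END CERTIFICATE-----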
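--- /dev/null
+++ b/testing/test_ldclient_tls.py
@@ -0,0 +1,35 @@
+from ldclient.client import LDClient, Config
+from testing.http_util import start_secure_server
+import pytest
+import sys
+
+# These tests are skipped in Python 3.3 because the embedded HTTPS server does not work correctly, causing a
+# TLS handshake failure on the client side. It's unclear whether this is a problem with the self-signed
+# certificate we are using or with some other server settings, but it does not appear to be a client-side
+# problem.
+
+@pytest.mark.skipif(sys.version_info.major == 3 and sys.version_info.minor == 3, reason = "test is skipped in Python 3.3")
+def test_cannot_connect_with_selfsigned_cert_if_ssl_verify_is_true():
+    with start_secure_server() as server:
+        server.setup_json_response('/sdk/latest-all', { 'flags': {}, 'segments': {} })
+        config = Config(
+            sdk_key = 'sdk_key',
+            base_uri = server.uri,
+            stream = False
+        )
+        with LDClient(config = config, start_wait = 1.5) as client:
+            assert not client.is_initialized()
+
+@pytest.mark.skipif(sys.version_info.major == 3 and sys.version_info.minor == 3, reason = "test is skipped in Python 3.3")
+def test_can_connect_with_selfsigned_cert_if_ssl_verify_is_false():
+    with start_secure_server() as server:
+        server.setup_json_response('/sdk/latest-all', { 'flags': {}, 'segments': {} })
+        config = Config(
+            sdk_key = 'sdk_key',
+            base_uri = server.uri,
+            stream = False,
+            send_events = False,
+            verify_ssl = False
+        )
+        with LDClient(config = config) as client:
+            assert client.is_initialized()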
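Review bot: `test_cannot_connect_with_selfsigned_cert_if_ssl_verify_is_true` proves only that the client failed to initialize within 1.5 s, not that TLS verification was the reason; a server that is not yet listening, a bad certificate path, or any other request error passes this test identically. Assert on the cause as well — e.g. that the mock server served no request (`assert server.requests.empty()`, presuming the wrapper's `requests` queue is only fed by completed HTTP requests and a failed handshake never reaches the handler — confirm), or call `create_http_pool_manager(verify_ssl=True)` against the server directly and expect `urllib3.exceptions.SSLError`. The test also never passes `verify_ssl = True` explicitly, so it silently depends on `Config`'s default (not visible here) and keeps passing if that default ever flips; spell it out. Unlike the second test it leaves `send_events` enabled, so the client may try to reach the real events endpoint from a unit test — add `send_events = False` here too.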
