Option to disable ssl verify (Poetry 1.1+)

docs/docs/repositories.md

@@ -134,3 +134,14 @@ default = true
 ```
 
 A default source will also be the fallback source if you add other sources.
+
+### Trusting a repository
+
+You can bypass SSL verification for a repository if you know it can be trusted (useful for corporate private repositories):
+
+```toml
+[[tool.poetry.source]]
+name = "foo"
+url = "https://foo.bar/simple/"
+trusted = true
+```

poetry/factory.py

@@ -152,4 +152,5 @@ def create_legacy_repository(
             auth=auth,
             cert=get_cert(auth_config, name),
             client_cert=get_client_cert(auth_config, name),
+            trusted=source.get("trusted", False),
         )

poetry/installation/pip_installer.py

@@ -51,6 +51,8 @@ def install(self, package, update=False):
                     )
                 )
                 args += ["--trusted-host", parsed.hostname]
+            elif repository.trusted:
+                args += ["--trusted-host", parsed.hostname]
 
             if repository.cert:
                 args += ["--cert", str(repository.cert)]

poetry/json/schemas/poetry-schema.json

@@ -523,6 +523,10 @@
                 "secondary": {
                     "type": "boolean",
                     "description": "Declare this repository as secondary, i.e. it will only be looked up last for packages."
+                },
+                "trusted": {
+                    "type": "boolean",
+                    "description": "Declare this repository as trusted, i.e. option --trusted-host will be used when installing packages with pip."
                 }
             }
         }

poetry/repositories/legacy_repository.py

@@ -3,6 +3,7 @@
 import warnings
 
 from collections import defaultdict
+from contextlib import contextmanager
 from typing import Generator
 from typing import Optional
 from typing import Union
@@ -159,7 +160,14 @@ def clean_link(self, url):
 
 class LegacyRepository(PyPiRepository):
     def __init__(
-        self, name, url, auth=None, disable_cache=False, cert=None, client_cert=None
+        self,
+        name,
+        url,
+        auth=None,
+        disable_cache=False,
+        cert=None,
+        client_cert=None,
+        trusted=False,
     ):  # type: (str, str, Optional[Auth], bool, Optional[Path], Optional[Path]) -> None
         if name == "pypi":
             raise ValueError("The name [pypi] is reserved for repositories")
@@ -170,6 +178,7 @@ def __init__(
         self._auth = auth
         self._client_cert = client_cert
         self._cert = cert
+        self._trusted = trusted
         self._cache_dir = REPOSITORY_CACHE_DIR / name
         self._cache = CacheManager(
             {
@@ -207,6 +216,10 @@ def cert(self):  # type: () -> Optional[Path]
     def client_cert(self):  # type: () -> Optional[Path]
         return self._client_cert
 
+    @property
+    def trusted(self):
+        return self._trusted
+
     @property
     def authenticated_url(self):  # type: () -> str
         if not self._auth:
@@ -372,14 +385,31 @@ def _get_release_info(self, name, version):  # type: (str, str) -> dict
 
         return data.asdict()
 
+    @contextmanager
+    def _trust_context(self):
+        import urllib3  # Not a direct dependency of poetry, should I use requests.packages.urllib3 instead ?
+
+        if self._trusted:
+            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+        try:
+            yield
+        finally:
+            if self._trusted:
+                urllib3.warnings.simplefilter(
+                    "default", urllib3.exceptions.InsecureRequestWarning
+                )
+
     def _get(self, endpoint):  # type: (str) -> Union[Page, None]
         url = self._url + endpoint
-        try:
-            response = self.session.get(url)
-            if response.status_code == 404:
-                return
-            response.raise_for_status()
-        except requests.HTTPError as e:
-            raise RepositoryError(e)
+
+        with self._trust_context() as _:  # maybe use urllib3.warnings.catch_warnings() instead ?
+            try:
+                response = self.session.get(url, verify=not self._trusted)
+                if response.status_code == 404:
+                    return
+                response.raise_for_status()
+            except requests.HTTPError as e:
+                raise RepositoryError(e)
 
         return Page(url, response.content, response.headers)

tests/fixtures/with_trusted_source/README.rst

@@ -0,0 +1,2 @@
+My Package
+==========

tests/fixtures/with_trusted_source/pyproject.toml

@@ -0,0 +1,62 @@
+[tool.poetry]
+name = "my-package"
+version = "1.2.3"
+description = "Some description."
+authors = [
+    "Sébastien Eustace <[email protected]>"
+]
+license = "MIT"
+
+readme = "README.rst"
+
+homepage = "https://python-poetry.org"
+repository = "https://github.com/python-poetry/poetry"
+documentation = "https://python-poetry.org/docs"
+
+keywords = ["packaging", "dependency", "poetry"]
+
+classifiers = [
+    "Topic :: Software Development :: Build Tools",
+    "Topic :: Software Development :: Libraries :: Python Modules"
+]
+
+# Requirements
+[tool.poetry.dependencies]
+python = "~2.7 || ^3.6"
+cleo = "^0.6"
+pendulum = { git = "https://github.com/sdispater/pendulum.git", branch = "2.0" }
+requests = { version = "^2.18", optional = true, extras=[ "security" ] }
+pathlib2 = { version = "^2.2", python = "~2.7" }
+
+orator = { version = "^0.9", optional = true }
+
+# File dependency
+demo = { path = "../distributions/demo-0.1.0-py2.py3-none-any.whl" }
+
+# Dir dependency with setup.py
+my-package = { path = "../project_with_setup/" }
+
+# Dir dependency with pyproject.toml
+simple-project = { path = "../simple_project/" }
+
+
+[tool.poetry.extras]
+db = [ "orator" ]
+
+[tool.poetry.dev-dependencies]
+pytest = "~3.4"
+
+
+[tool.poetry.scripts]
+my-script = "my_package:main"
+
+
+[tool.poetry.plugins."blogtool.parsers"]
+".rst" = "some_module::SomeClass"
+
+
+[[tool.poetry.source]]
+name = "foo"
+url = "https://foo.bar/simple/"
+default = true
+trusted = true

tests/installation/test_pip_installer.py

@@ -156,6 +156,33 @@ def test_requirement_git_develop_true(installer, package_git):
     assert expected == result
 
 
+def test_install_with_trusted_host():
+    pool = Pool()
+    host = "foo.bar"
+
+    default = LegacyRepository("default", "https://{}".format(host), trusted=True)
+
+    pool.add_repository(default, default=True)
+
+    null_env = NullEnv()
+
+    installer = PipInstaller(null_env, NullIO(), pool)
+
+    foo = Package("foo", "0.0.0")
+    foo.source_type = "legacy"
+    foo.source_reference = default._name
+    foo.source_url = default._url
+
+    installer.install(foo)
+
+    assert len(null_env.executed) == 1
+    cmd = null_env.executed[0]
+    assert "--trusted-host" in cmd
+    trusted_host_index = cmd.index("--trusted-host")
+
+    assert cmd[trusted_host_index + 1] == host
+
+
 def test_uninstall_git_package_nspkg_pth_cleanup(mocker, tmp_venv, pool):
     # this test scenario requires a real installation using the pip installer
     installer = PipInstaller(tmp_venv, NullIO(), pool)

tests/test_factory.py

@@ -150,6 +150,12 @@ def test_poetry_with_default_source():
     assert 1 == len(poetry.pool.repositories)
 
 
+def test_poetry_with_trusted_source():
+    poetry = Factory().create_poetry(fixtures_dir / "with_trusted_source")
+
+    assert 1 == len(poetry.pool.repositories)
+
+
 def test_poetry_with_two_default_sources():
     with pytest.raises(ValueError) as e:
         Factory().create_poetry(fixtures_dir / "with_two_default_sources")