- Add patch inject-default-ca-bundles.patch:

* Inject the default CA bundles if they are not specified. (bsc#1226321, bsc#1231500) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-requests?expand=0&rev=189
2024-10-17 06:31:35 +00:00
parent 016535e6aa
commit 52f2b3a7cb
3 changed files with 137 additions and 2 deletions
--- a/inject-default-ca-bundles.patch
+++ b/inject-default-ca-bundles.patch
@@ -0,0 +1,126 @@
+From 2769cb607d4e696e2fe70802d4246ccc5abd64a8 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 29 May 2024 12:48:48 -0700
+Subject: [PATCH 1/3] Consider cert settings when using default context
+
+---
+ src/requests/adapters.py | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index 9a58b16025..991b7e21c9 100644
+--- a/src/requests/adapters.py
+++ b/src/requests/adapters.py
+@@ -87,6 +87,23 @@ def SOCKSProxyManager(*args, **kwargs):
+     _preloaded_ssl_context = None
+ 
+ 
+def _should_use_default_context(
+    verify: "bool | str | None",
+    client_cert: "typing.Tuple[str, str] | str | None",
+    poolmanager_kwargs: typing.Dict[str, typing.Any],
+) -> bool:
+    # Determine if we have and should use our default SSLContext
+    # to optimize performance on standard requests.
+    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+    should_use_default_ssl_context = (
+        verify is True
+        and _preloaded_ssl_context is not None
+        and not has_poolmanager_ssl_context
+        and client_cert is None
+    )
+    return should_use_default_ssl_context
+
+
+ def _urllib3_request_context(
+     request: "PreparedRequest",
+     verify: "bool | str | None",
+@@ -98,19 +115,12 @@ def _urllib3_request_context(
+     parsed_request_url = urlparse(request.url)
+     scheme = parsed_request_url.scheme.lower()
+     port = parsed_request_url.port
+-
+-    # Determine if we have and should use our default SSLContext
+-    # to optimize performance on standard requests.
+     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
+-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+-    should_use_default_ssl_context = (
+-        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
+-    )
+ 
+     cert_reqs = "CERT_REQUIRED"
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    elif verify is True and should_use_default_ssl_context:
+    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
+     elif isinstance(verify, str):
+         if not os.path.isdir(verify):
+
+From e341df3efa0323072fab5d16307e2a20295675b9 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Fri, 31 May 2024 11:41:48 -0700
+Subject: [PATCH 2/3] Set default ca_cert bundle if verify is True
+
+---
+ src/requests/adapters.py | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index 991b7e21c9..ba5a0ec4f0 100644
+--- a/src/requests/adapters.py
+++ b/src/requests/adapters.py
+@@ -118,15 +118,23 @@ def _urllib3_request_context(
+     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
+ 
+     cert_reqs = "CERT_REQUIRED"
+    cert_loc = None
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+     elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
+    elif verify is True:
+        # Set default ca cert location if none provided
+        cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+     elif isinstance(verify, str):
+-        if not os.path.isdir(verify):
+-            pool_kwargs["ca_certs"] = verify
+        cert_loc = verify
+
+    if cert_loc is not None:
+        if not os.path.isdir(cert_loc):
+            pool_kwargs["ca_certs"] = cert_loc
+         else:
+-            pool_kwargs["ca_cert_dir"] = verify
+            pool_kwargs["ca_cert_dir"] = cert_loc
+
+     pool_kwargs["cert_reqs"] = cert_reqs
+     if client_cert is not None:
+         if isinstance(client_cert, tuple) and len(client_cert) == 2:
+
+From da96a92e2eb6dfe7c74704267bcb8f9fd6fb92b0 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Fri, 31 May 2024 12:20:11 -0700
+Subject: [PATCH 3/3] Correct comment to match actual behavior
+
+---
+ src/requests/adapters.py | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index ba5a0ec4f0..54143f9e6b 100644
+--- a/src/requests/adapters.py
+++ b/src/requests/adapters.py
+@@ -334,10 +334,8 @@ def cert_verify(self, conn, url, verify, cert):
+         if url.lower().startswith("https") and verify:
+             conn.cert_reqs = "CERT_REQUIRED"
+ 
+-            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
+-            # Otherwise, if verify is a boolean, we don't load anything since
+-            # the connection will be using a context with the default certificates already loaded,
+-            # and this avoids a call to the slow load_verify_locations()
+            # Only load the CA certificates if `verify` is a
+            # string indicating the CA bundle to use.
+             if verify is not True:
+                 # `verify` must be a str with a path then
+                 cert_loc = verify
--- a/python-requests.changes
+++ b/python-requests.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Oct 17 06:30:14 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Add patch inject-default-ca-bundles.patch:
+  * Inject the default CA bundles if they are not specified.
+    (bsc#1226321, bsc#1231500)
+
 -------------------------------------------------------------------
 Thu Aug 29 03:17:43 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>

--- a/python-requests.spec
+++ b/python-requests.spec
@@ -32,6 +32,8 @@ Summary:        Python HTTP Library
 License:        Apache-2.0
 URL:            https://docs.python-requests.org/
 Source:         https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM gh#psf/requests#6731
+Patch0:         inject-default-ca-bundles.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
@@ -117,8 +119,8 @@ touch Pipfile
 %files %{python_files}
 %license LICENSE
 %doc HISTORY.md README.md
-%{python_sitelib}/requests/
-%{python_sitelib}/requests-*
+%{python_sitelib}/requests
+%{python_sitelib}/requests-%{version}*.egg-info
 %endif

 %changelog