- Add patch inject-default-ca-bundles.patch:

* Inject the default CA bundles if they are not specified.
    (bsc#1226321, bsc#1231500)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-requests?expand=0&rev=189

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

_multibuild

@@ -0,0 +1,3 @@
+<multibuild>
+  <package>test</package>
+</multibuild>

inject-default-ca-bundles.patch

@@ -0,0 +1,126 @@
+From 2769cb607d4e696e2fe70802d4246ccc5abd64a8 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 29 May 2024 12:48:48 -0700
+Subject: [PATCH 1/3] Consider cert settings when using default context
+
+---
+ src/requests/adapters.py | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index 9a58b16025..991b7e21c9 100644
+--- a/src/requests/adapters.py
++++ b/src/requests/adapters.py
+@@ -87,6 +87,23 @@ def SOCKSProxyManager(*args, **kwargs):
+     _preloaded_ssl_context = None
+ 
+ 
++def _should_use_default_context(
++    verify: "bool | str | None",
++    client_cert: "typing.Tuple[str, str] | str | None",
++    poolmanager_kwargs: typing.Dict[str, typing.Any],
++) -> bool:
++    # Determine if we have and should use our default SSLContext
++    # to optimize performance on standard requests.
++    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
++    should_use_default_ssl_context = (
++        verify is True
++        and _preloaded_ssl_context is not None
++        and not has_poolmanager_ssl_context
++        and client_cert is None
++    )
++    return should_use_default_ssl_context
++
++
+ def _urllib3_request_context(
+     request: "PreparedRequest",
+     verify: "bool | str | None",
+@@ -98,19 +115,12 @@ def _urllib3_request_context(
+     parsed_request_url = urlparse(request.url)
+     scheme = parsed_request_url.scheme.lower()
+     port = parsed_request_url.port
+-
+-    # Determine if we have and should use our default SSLContext
+-    # to optimize performance on standard requests.
+     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
+-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+-    should_use_default_ssl_context = (
+-        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
+-    )
+ 
+     cert_reqs = "CERT_REQUIRED"
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    elif verify is True and should_use_default_ssl_context:
++    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
+     elif isinstance(verify, str):
+         if not os.path.isdir(verify):
+
+From e341df3efa0323072fab5d16307e2a20295675b9 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Fri, 31 May 2024 11:41:48 -0700
+Subject: [PATCH 2/3] Set default ca_cert bundle if verify is True
+
+---
+ src/requests/adapters.py | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index 991b7e21c9..ba5a0ec4f0 100644
+--- a/src/requests/adapters.py
++++ b/src/requests/adapters.py
+@@ -118,15 +118,23 @@ def _urllib3_request_context(
+     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
+ 
+     cert_reqs = "CERT_REQUIRED"
++    cert_loc = None
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+     elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
++    elif verify is True:
++        # Set default ca cert location if none provided
++        cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+     elif isinstance(verify, str):
+-        if not os.path.isdir(verify):
+-            pool_kwargs["ca_certs"] = verify
++        cert_loc = verify
++
++    if cert_loc is not None:
++        if not os.path.isdir(cert_loc):
++            pool_kwargs["ca_certs"] = cert_loc
+         else:
+-            pool_kwargs["ca_cert_dir"] = verify
++            pool_kwargs["ca_cert_dir"] = cert_loc
++
+     pool_kwargs["cert_reqs"] = cert_reqs
+     if client_cert is not None:
+         if isinstance(client_cert, tuple) and len(client_cert) == 2:
+
+From da96a92e2eb6dfe7c74704267bcb8f9fd6fb92b0 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Fri, 31 May 2024 12:20:11 -0700
+Subject: [PATCH 3/3] Correct comment to match actual behavior
+
+---
+ src/requests/adapters.py | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index ba5a0ec4f0..54143f9e6b 100644
+--- a/src/requests/adapters.py
++++ b/src/requests/adapters.py
+@@ -334,10 +334,8 @@ def cert_verify(self, conn, url, verify, cert):
+         if url.lower().startswith("https") and verify:
+             conn.cert_reqs = "CERT_REQUIRED"
+ 
+-            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
+-            # Otherwise, if verify is a boolean, we don't load anything since
+-            # the connection will be using a context with the default certificates already loaded,
+-            # and this avoids a call to the slow load_verify_locations()
++            # Only load the CA certificates if `verify` is a
++            # string indicating the CA bundle to use.
+             if verify is not True:
+                 # `verify` must be a str with a path then
+                 cert_loc = verify

python-requests.spec

@@ -0,0 +1,126 @@
+#
+# spec file for package python-requests
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global flavor @BUILD_FLAVOR@%{nil}
+%if "%{flavor}" == "test"
+%define psuffix -test
+%bcond_without test
+%else
+%define psuffix %{nil}
+%bcond_with test
+%endif
+%{?sle15_python_module_pythons}
+Name:           python-requests%{psuffix}
+Version:        2.32.3
+Release:        0
+Summary:        Python HTTP Library
+License:        Apache-2.0
+URL:            https://docs.python-requests.org/
+Source:         https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM gh#psf/requests#6731
+Patch0:         inject-default-ca-bundles.patch
+BuildRequires:  %{python_module base >= 3.7}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  fdupes
+BuildRequires:  python-rpm-macros
+Requires:       ca-certificates
+Requires:       python
+Requires:       python-certifi >= 2017.4.17
+Requires:       python-charset-normalizer >= 2.0.0
+Requires:       python-idna >= 2.5
+Requires:       python-urllib3 >= 1.21.1
+BuildArch:      noarch
+%if 0%{?_no_weakdeps}
+Requires:       ca-certificates-mozilla
+Requires:       python-PySocks >= 1.5.6
+Requires:       python-cryptography >= 1.3.4
+Requires:       python-pyOpenSSL >= 0.14
+%else
+Recommends:     ca-certificates-mozilla
+Recommends:     python-PySocks >= 1.5.6
+Recommends:     python-cryptography >= 1.3.4
+Recommends:     python-pyOpenSSL >= 0.14
+%endif
+%if %{with test}
+BuildRequires:  %{python_module Brotli}
+BuildRequires:  %{python_module PySocks >= 1.5.6}
+BuildRequires:  %{python_module charset-normalizer >= 2.0.0}
+BuildRequires:  %{python_module idna >= 2.5}
+BuildRequires:  %{python_module pytest-httpbin >= 0.0.7}
+BuildRequires:  %{python_module pytest-mock}
+BuildRequires:  %{python_module pytest}
+BuildRequires:  %{python_module requests >= %{version}}
+BuildRequires:  %{python_module trustme}
+%endif
+%python_subpackages
+
+%description
+Requests is an HTTP library, written in Python, as an alternative
+to Python's builtin urllib2 which requires work (even
+method overrides) to perform basic tasks.
+
+Features of Requests:
+ - GET, HEAD, POST, PUT, DELETE Requests:
+   + HTTP Header Request Attachment.
+   + Data/Params Request Attachment.
+   + Multipart File Uploads.
+   + CookieJar Support.
+   + Redirection History.
+   + Redirection Recursion Urllib Fix.
+   + Automatic Decompression of GZipped Content.
+   + Unicode URL Support.
+ - Authentication:
+   + URL + HTTP Auth Registry.
+
+%prep
+%autosetup -p1 -n requests-%{version}
+
+# remove 'never' default parameter from digest-auth check
+# requires httpbin 0.6.0
+sed -i "s#\(httpbin.*\), 'never'#\1#" tests/test_requests.py
+
+%build
+%python_build
+
+%install
+%if !%{with test}
+%python_install
+# check that urllib3 is not installed
+test ! -e %{buildroot}%{python3_sitelib}/requests/packages/urllib3
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+%endif
+
+# NOTE(aplanas) If we do not have the certificates, we some of the
+# tests will fail, so for now we only run the tests in openSUSE
+%if 0%{?suse_version} && %{with test}
+%check
+touch Pipfile
+# exclude tests connecting to TARPIT
+# exclude test_https_warnings as is flaky
+%python_exec -m pytest -v tests -k "not (TestTimeout or connect or test_https_warnings or test_pyopenssl_redirect)"
+%endif
+
+%if !%{with test}
+%files %{python_files}
+%license LICENSE
+%doc HISTORY.md README.md
+%{python_sitelib}/requests
+%{python_sitelib}/requests-%{version}*.egg-info
+%endif
+
+%changelog