Skip to content

fix(connect): warn when TLS verification is disabled #465

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tdstein wants to merge 1 commit into
base: feat/bootstrap-auth-tls-verify-python-settings-content-build
Choose a base branch
from
+49 −1
Open

fix(connect): warn when TLS verification is disabled #465

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions src/posit/connect/client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,16 @@

from __future__ import annotations

import warnings

from typing_extensions import TYPE_CHECKING, Optional, Union, overload

_TLS_VERIFY_DISABLED_WARNING = (
"TLS certificate verification is disabled. This is insecure and should "
"not be used in production. Pass a path to a CA bundle via `verify=` "
"instead."
)

from . import hooks, me, urls
from .auth import Auth, BootstrapAuth
from .config import Config
Expand Down Expand Up @@ -169,6 +177,12 @@ def __init__(self, *args, **kwargs) -> None:
>>> Client(url="https://connect.example.com", verify="/path/to/ca-bundle.crt")
"""
verify = kwargs.pop("verify", True)
if verify is False:
warnings.warn(
_TLS_VERIFY_DISABLED_WARNING,
UserWarning,
stacklevel=2,
)
api_key = None
url = None
if len(args) == 1 and isinstance(args[0], str):
Expand Down
36 changes: 35 additions & 1 deletion tests/posit/connect/test_client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,9 +85,43 @@ def test_verify_false(
MockConfig: MagicMock,
MockSession: MagicMock,
):
Client(url="https://connect.example.com", api_key="12345", verify=False)
with pytest.warns(UserWarning, match="TLS certificate verification is disabled"):
Client(url="https://connect.example.com", api_key="12345", verify=False)
assert MockSession.return_value.verify is False

def test_verify_false_emits_warning(
self,
MockAuth: MagicMock,
MockConfig: MagicMock,
MockSession: MagicMock,
):
with pytest.warns(UserWarning, match="TLS certificate verification is disabled"):
Client(url="https://connect.example.com", api_key="12345", verify=False)

def test_verify_true_no_warning(
self,
MockAuth: MagicMock,
MockConfig: MagicMock,
MockSession: MagicMock,
):
import warnings as _warnings

with _warnings.catch_warnings():
_warnings.simplefilter("error")
Client(url="https://connect.example.com", api_key="12345", verify=True)

def test_verify_ca_bundle_no_warning(
self,
MockAuth: MagicMock,
MockConfig: MagicMock,
MockSession: MagicMock,
):
import warnings as _warnings

with _warnings.catch_warnings():
_warnings.simplefilter("error")
Client(url="https://connect.example.com", api_key="12345", verify="/path/to/ca.crt")

def test_verify_ca_bundle(
self,
MockAuth: MagicMock,
Expand Down
Loading