misc: introduce setting to disable https checks for given hostnames (#81541)

2023-09-24 14:10:08 +02:00 · 2023-09-24 14:10:08 +02:00 · 7a671f7e74
parent 441ac49c58
commit 7a671f7e74
3 changed files with 18 additions and 5 deletions
--- a/passerelle/settings.py
+++ b/passerelle/settings.py
@ -280,6 +280,9 @@ CONNECTORS_SETTINGS = {}
 # List of authorized content-types, as regular expressions, for substitutions
 REQUESTS_SUBSTITUTIONS_CONTENT_TYPES = [r'text/.*', r'application/(.*\+)?json', r'application/(.*\+)?xml']

+# List of hosntames where certificate errors should be ignored
+REQUESTS_IGNORE_HTTPS_CERTIFICATE_ERRORS = []
+
 # Passerelle can receive big requests (for example base64 encoded files)
 DATA_UPLOAD_MAX_MEMORY_SIZE = 100 * 1024 * 1024

--- a/passerelle/utils/init.py
+++ b/passerelle/utils/init.py
@ -366,11 +366,10 @@ class Request(RequestSession):

        # search in legacy urls
        legacy_urls_mapping = getattr(settings, 'LEGACY_URLS_MAPPING', None)
-        if legacy_urls_mapping:
-            splitted_url = urllib.parse.urlparse(url)
-            hostname = splitted_url.netloc
-            if hostname in legacy_urls_mapping:
-                url = splitted_url._replace(netloc=legacy_urls_mapping[hostname]).geturl()
+        splitted_url = urllib.parse.urlparse(url)
+        hostname = splitted_url.netloc
+        if legacy_urls_mapping and hostname in legacy_urls_mapping:
+            url = splitted_url._replace(netloc=legacy_urls_mapping[hostname]).geturl()

        if self.resource:
            if 'auth' not in kwargs:
@ -394,6 +393,9 @@ class Request(RequestSession):
                if proxy:
                    kwargs['proxies'] = {'http': proxy, 'https': proxy}

+        if hostname in settings.REQUESTS_IGNORE_HTTPS_CERTIFICATE_ERRORS:
+            kwargs['verify'] = False
+
        if method == 'GET' and cache_duration:
            cache_key = hashlib.md5(force_bytes('%r;%r' % (url, kwargs))).hexdigest()
            cache_content = cache.get(cache_key)
--- a/tests/test_requests.py
+++ b/tests/test_requests.py
@ -325,6 +325,14 @@ def test_resource_certificates(mocked_get, caplog, endpoint_response):
    assert mocked_get.call_args[1].get('verify') is True
    assert 'cert' not in mocked_get.call_args[1]

+    with override_settings(REQUESTS_IGNORE_HTTPS_CERTIFICATE_ERRORS=['example.com']):
+        request.get('http://example.net/whatever')
+        assert mocked_get.call_args[1].get('verify') is True
+
+    with override_settings(REQUESTS_IGNORE_HTTPS_CERTIFICATE_ERRORS=['example.net']):
+        request.get('http://example.net/whatever')
+        assert mocked_get.call_args[1].get('verify') is False
+
    resource.verify_cert = False
    request.get('http://example.net/whatever')
    assert mocked_get.call_args[1].get('verify') is False