Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stop providing a hardcoded CA bundle #489

Merged
merged 9 commits into from
May 9, 2024
Merged

Stop providing a hardcoded CA bundle #489

merged 9 commits into from
May 9, 2024

Conversation

maxbelanger
Copy link
Contributor

@maxbelanger maxbelanger commented May 6, 2024
edited
Loading

The SDK no longer provides a CA bundle to verify SSL connections. This also allows us to remove the runtime dependency on pkg_resources and thus setuptools.

The ca_certs parameter is still supported, so users can pin with their own CA bundle if they so choose. Otherwise, the default verification mechanism in the requests library now applies (this uses certifi and/or system certificates, depending on the configuration).

Improves integration tests to cover both scenarios (i.e. when a bundle is provided, and when one isn't).

Checklist

General Contributing

  • Have you read the Code of Conduct and signed the CLA?

Is This a Code Change?

  • SDK Code Change
  • Example/Test Code Change

Validation

  • Does tox pass?
  • Do the tests pass?

@maxbelanger maxbelanger changed the title Remove certificate pinning from the SDK Don't use certificate pinning by default May 7, 2024
@maxbelanger maxbelanger changed the title Don't use certificate pinning by default Remove SDK-provided CA cert pinning May 7, 2024
@maxbelanger maxbelanger requested review from sderickson and greg-db May 7, 2024 06:42
@maxbelanger maxbelanger marked this pull request as ready for review May 7, 2024 06:42
sderickson
sderickson approved these changes May 8, 2024
View reviewed changes
Copy link
Contributor

@sderickson sderickson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks Max!

@codecov Codecov
Copy link

codecov bot commented May 8, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.26%. Comparing base (75596da) to head (d5ee9c8).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #489   +/-   ##
=======================================
  Coverage   64.26%   64.26%           
=======================================
  Files          31       31           
  Lines       52609    52606    -3     
  Branches     3841     3841           
=======================================
+ Hits        33807    33808    +1     
+ Misses      18641    18638    -3     
+ Partials      161      160    -1
Flag Coverage Δ
integration 64.17% <100.00%> (+<0.01%) ⬆️
unit 63.70% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@maxbelanger maxbelanger changed the title Remove SDK-provided CA cert pinning Stop providing a hardcoded CA bundle May 9, 2024
april
april approved these changes May 9, 2024
View reviewed changes
Copy link

@april april left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor changes

dropbox/session.py Show resolved Hide resolved
test/integration/test_dropbox.py Show resolved Hide resolved
test/integration/test_dropbox.py
# TODO: backend is no longer returning `BadInputError`
# with pytest.raises(BadInputError,) as cm:
# malformed_token_dbx.files_list_folder('')
# assert 'token is malformed' in cm.value.message
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove these comments, or is the intention to fix this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The intention is to fix this in a future PR. This is also not technically introduced in this PR, I've just moved this test out of the class.

@maxbelanger maxbelanger merged commit 41e4b00 into main May 9, 2024
28 checks passed
@maxbelanger maxbelanger deleted the remove-pinning branch May 9, 2024 21:19
@tlambert03 tlambert03 mentioned this pull request May 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@april april april approved these changes

@sderickson sderickson sderickson approved these changes

@greg-db greg-db Awaiting requested review from greg-db

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maxbelanger @sderickson @april