Drop (broken) support for GIT_OPT_ADD_SSL_X509_CERT

Author: ambv

pygit2/options.py

@@ -307,7 +307,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         Set the maximum number of objects to include in a pack.
     """
 
-    # Handle GET options with size_t output
     if option_type in (
         C.GIT_OPT_GET_MWINDOW_SIZE,
         C.GIT_OPT_GET_MWINDOW_MAPPED_LIMIT,
@@ -320,7 +319,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return size_ptr[0]
 
-    # Handle SET options with size_t input
     elif option_type in (
         C.GIT_OPT_SET_MWINDOW_SIZE,
         C.GIT_OPT_SET_MWINDOW_MAPPED_LIMIT,
@@ -338,7 +336,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return None
 
-    # Handle GET_SEARCH_PATH
     elif option_type == C.GIT_OPT_GET_SEARCH_PATH:
         check_args(option_type, arg1, arg2, 1)
 
@@ -357,7 +354,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
 
         return result
 
-    # Handle SET_SEARCH_PATH
     elif option_type == C.GIT_OPT_SET_SEARCH_PATH:
         check_args(option_type, arg1, arg2, 2)
 
@@ -375,7 +371,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return None
 
-    # Handle SET_CACHE_OBJECT_LIMIT
     elif option_type == C.GIT_OPT_SET_CACHE_OBJECT_LIMIT:
         check_args(option_type, arg1, arg2, 2)
 
@@ -394,7 +389,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return None
 
-    # Handle SET_CACHE_MAX_SIZE
     elif option_type == C.GIT_OPT_SET_CACHE_MAX_SIZE:
         check_args(option_type, arg1, arg2, 1)
 
@@ -408,7 +402,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return None
 
-    # Handle GET_CACHED_MEMORY
     elif option_type == C.GIT_OPT_GET_CACHED_MEMORY:
         check_args(option_type, arg1, arg2, 0)
 
@@ -418,7 +411,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return (current_ptr[0], allowed_ptr[0])
 
-    # Handle SET_SSL_CERT_LOCATIONS
     elif option_type == C.GIT_OPT_SET_SSL_CERT_LOCATIONS:
         check_args(option_type, arg1, arg2, 2)
 
@@ -465,7 +457,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return None
 
-    # Handle GET_OWNER_VALIDATION
     elif option_type == C.GIT_OPT_GET_OWNER_VALIDATION:
         check_args(option_type, arg1, arg2, 0)
 
@@ -474,7 +465,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return bool(enabled_ptr[0])
 
-    # Handle GET_TEMPLATE_PATH
     elif option_type == C.GIT_OPT_GET_TEMPLATE_PATH:
         check_args(option_type, arg1, arg2, 0)
 
@@ -492,7 +482,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
 
         return result
 
-    # Handle SET_TEMPLATE_PATH
     elif option_type == C.GIT_OPT_SET_TEMPLATE_PATH:
         check_args(option_type, arg1, arg2, 1)
 
@@ -508,7 +497,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return None
 
-    # Handle GET_USER_AGENT
     elif option_type == C.GIT_OPT_GET_USER_AGENT:
         check_args(option_type, arg1, arg2, 0)
 
@@ -526,7 +514,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
 
         return result
 
-    # Handle SET_USER_AGENT
     elif option_type == C.GIT_OPT_SET_USER_AGENT:
         check_args(option_type, arg1, arg2, 1)
 
@@ -538,7 +525,6 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return None
 
-    # Handle SET_SSL_CIPHERS
     elif option_type == C.GIT_OPT_SET_SSL_CIPHERS:
         check_args(option_type, arg1, arg2, 1)
 
@@ -800,28 +786,18 @@ def option(option_type: Option, arg1: Any = NOT_PASSED, arg2: Any = NOT_PASSED)
         check_error(err)
         return None
 
-    # Handle ADD_SSL_X509_CERT
+    # Not implemented - ADD_SSL_X509_CERT requires directly binding with OpenSSL
+    # as the API works accepts a X509* struct.  Use GIT_OPT_SET_SSL_CERT_LOCATIONS
+    # instead.
     elif option_type == C.GIT_OPT_ADD_SSL_X509_CERT:
-        check_args(option_type, arg1, arg2, 1)
-
-        cert = arg1
-        if isinstance(cert, (str, bytes)):
-            cert_bytes = to_bytes(cert)
-            cert_cdata = ffi.new('char[]', cert_bytes)
-            cert_len = len(cert_bytes)
-        else:
-            raise TypeError('certificate must be a string or bytes')
-
-        err = C.git_libgit2_opts(option_type, cert_cdata, ffi.cast('size_t', cert_len))
-        check_error(err)
-        return None
+        raise NotImplementedError("Use GIT_OPT_SET_SSL_CERT_LOCATIONS instead")
 
     # Not implemented - SET_ALLOCATOR is not feasible from Python level
     # because it requires providing C function pointers for memory management
     # (malloc, free, etc.) that must handle raw memory at the C level,
     # which cannot be safely implemented in pure Python.
-    elif option_type in (C.GIT_OPT_SET_ALLOCATOR,):
-        return NotImplemented
+    elif option_type == C.GIT_OPT_SET_ALLOCATOR:
+        raise NotImplementedError("Setting a custom allocator not possible from Python")
 
     else:
         raise ValueError(f'Invalid option {option_type}')

pygit2/settings.py

@@ -248,10 +248,6 @@ def set_ssl_ciphers(self, ciphers: str | bytes) -> None:
         """Set the SSL ciphers to use for HTTPS connections"""
         option(Option.SET_SSL_CIPHERS, ciphers)
 
-    def add_ssl_x509_cert(self, certificate: str | bytes) -> None:
-        """Add a trusted X.509 certificate for SSL/TLS connections"""
-        option(Option.ADD_SSL_X509_CERT, certificate)
-
     def enable_strict_object_creation(self, value: bool = True) -> None:
         """Enable or disable strict object creation validation"""
         option(Option.ENABLE_STRICT_OBJECT_CREATION, value)

test/test_options.py

@@ -23,6 +23,10 @@
 # the Free Software Foundation, 51 Franklin Street, Fifth Floor,
 # Boston, MA 02110-1301, USA.
 
+import sys
+
+import pytest
+
 import pygit2
 from pygit2 import option
 from pygit2.enums import ConfigLevel, ObjectType, Option
@@ -133,31 +137,25 @@ def test_owner_validation() -> None:
 
 
 def test_template_path() -> None:
-    # Get the initial template path
     original_path = option(Option.GET_TEMPLATE_PATH)
 
-    # Set a new template path
     test_path = '/tmp/test_templates'
     option(Option.SET_TEMPLATE_PATH, test_path)
     assert option(Option.GET_TEMPLATE_PATH) == test_path
 
-    # Reset to original path
     if original_path:
         option(Option.SET_TEMPLATE_PATH, original_path)
     else:
         option(Option.SET_TEMPLATE_PATH, None)
 
 
 def test_user_agent() -> None:
-    # Get the initial user agent
     original_agent = option(Option.GET_USER_AGENT)
 
-    # Set a new user agent
     test_agent = 'test-agent/1.0'
     option(Option.SET_USER_AGENT, test_agent)
     assert option(Option.GET_USER_AGENT) == test_agent
 
-    # Reset to original agent
     if original_agent:
         option(Option.SET_USER_AGENT, original_agent)
 
@@ -166,142 +164,99 @@ def test_pack_max_objects() -> None:
     __option(Option.GET_PACK_MAX_OBJECTS, Option.SET_PACK_MAX_OBJECTS, 100000)
 
 
+@pytest.mark.skipif(sys.platform != 'win32', reason='Windows-specific feature')
 def test_windows_sharemode() -> None:
-    # This test might not work on non-Windows platforms
-    try:
-        __option(Option.GET_WINDOWS_SHAREMODE, Option.SET_WINDOWS_SHAREMODE, 1)
-    except Exception:
-        # May fail on non-Windows platforms
-        pass
+    __option(Option.GET_WINDOWS_SHAREMODE, Option.SET_WINDOWS_SHAREMODE, 1)
 
 
 def test_ssl_ciphers() -> None:
     # Setting SSL ciphers (no getter available)
     try:
         option(Option.SET_SSL_CIPHERS, 'DEFAULT')
     except pygit2.GitError as e:
-        # May fail if TLS backend doesn't support custom ciphers
-        if "TLS backend doesn't support custom ciphers" not in str(e):
-            raise
+        if "TLS backend doesn't support custom ciphers" in str(e):
+            pytest.skip(str(e))
+        raise
 
 
 def test_enable_http_expect_continue() -> None:
-    # Enable and disable HTTP expect continue
     option(Option.ENABLE_HTTP_EXPECT_CONTINUE, True)
     option(Option.ENABLE_HTTP_EXPECT_CONTINUE, False)
 
 
 def test_odb_priorities() -> None:
-    # Set ODB priorities
     option(Option.SET_ODB_PACKED_PRIORITY, 1)
     option(Option.SET_ODB_LOOSE_PRIORITY, 2)
 
 
 def test_extensions() -> None:
-    # Get initial extensions list
     original_extensions = option(Option.GET_EXTENSIONS)
     assert isinstance(original_extensions, list)
 
-    # Set extensions
     test_extensions = ['objectformat', 'worktreeconfig']
     option(Option.SET_EXTENSIONS, test_extensions, len(test_extensions))
 
-    # Verify they were set
     new_extensions = option(Option.GET_EXTENSIONS)
     assert isinstance(new_extensions, list)
 
-    # Check that our extensions are present
     # Note: libgit2 may add its own built-in extensions and sort them
     for ext in test_extensions:
         assert ext in new_extensions, f"Extension '{ext}' not found in {new_extensions}"
 
-    # Test with empty list
     option(Option.SET_EXTENSIONS, [], 0)
     empty_extensions = option(Option.GET_EXTENSIONS)
     assert isinstance(empty_extensions, list)
-    # Even with empty input, libgit2 may have built-in extensions
 
-    # Test with a custom extension
     custom_extensions = ['myextension', 'objectformat']
     option(Option.SET_EXTENSIONS, custom_extensions, len(custom_extensions))
     custom_result = option(Option.GET_EXTENSIONS)
     assert 'myextension' in custom_result
     assert 'objectformat' in custom_result
 
-    # Restore original extensions
     if original_extensions:
         option(Option.SET_EXTENSIONS, original_extensions, len(original_extensions))
     else:
-        # Reset to empty list if there were no extensions
         option(Option.SET_EXTENSIONS, [], 0)
 
-    # Verify restoration
     final_extensions = option(Option.GET_EXTENSIONS)
     assert set(final_extensions) == set(original_extensions)
 
 
 def test_homedir() -> None:
-    # Get the initial home directory
     original_homedir = option(Option.GET_HOMEDIR)
 
-    # Set a new home directory
     test_homedir = '/tmp/test_home'
     option(Option.SET_HOMEDIR, test_homedir)
     assert option(Option.GET_HOMEDIR) == test_homedir
 
-    # Reset to original home directory
     if original_homedir:
         option(Option.SET_HOMEDIR, original_homedir)
     else:
         option(Option.SET_HOMEDIR, None)
 
 
 def test_server_timeouts() -> None:
-    # Test connect timeout
     original_connect = option(Option.GET_SERVER_CONNECT_TIMEOUT)
     option(Option.SET_SERVER_CONNECT_TIMEOUT, 5000)
     assert option(Option.GET_SERVER_CONNECT_TIMEOUT) == 5000
     option(Option.SET_SERVER_CONNECT_TIMEOUT, original_connect)
 
-    # Test server timeout
     original_timeout = option(Option.GET_SERVER_TIMEOUT)
     option(Option.SET_SERVER_TIMEOUT, 10000)
     assert option(Option.GET_SERVER_TIMEOUT) == 10000
     option(Option.SET_SERVER_TIMEOUT, original_timeout)
 
 
 def test_user_agent_product() -> None:
-    # Get the initial user agent product
     original_product = option(Option.GET_USER_AGENT_PRODUCT)
 
-    # Set a new user agent product
     test_product = 'test-product'
     option(Option.SET_USER_AGENT_PRODUCT, test_product)
     assert option(Option.GET_USER_AGENT_PRODUCT) == test_product
 
-    # Reset to original product
     if original_product:
         option(Option.SET_USER_AGENT_PRODUCT, original_product)
 
 
-def test_add_ssl_x509_cert() -> None:
-    # Test adding an SSL certificate
-    # This is a minimal test certificate (not valid, but tests the API)
-    test_cert = '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----'
-
-    try:
-        option(Option.ADD_SSL_X509_CERT, test_cert)
-    except pygit2.GitError as e:
-        # May fail if TLS backend doesn't support adding raw certs
-        # or if the certificate format is invalid
-        msg = str(e).lower()
-        if (
-            "tls backend doesn't support" not in msg
-            and 'invalid' not in msg
-            and 'failed to add raw x509 certificate' not in msg
-        ):
-            raise
-
-
 def test_mwindow_file_limit() -> None:
     __option(Option.GET_MWINDOW_FILE_LIMIT, Option.SET_MWINDOW_FILE_LIMIT, 100)