Merge pull request #321 from KostyaEsmukov/requests_adapter_respect_verify

Respect `verify` option in requests adapter

Author: Lukasa

hyper/contrib.py

@@ -15,7 +15,7 @@
     HTTPAdapter = object
 
 from hyper.common.connection import HTTPConnection
-from hyper.compat import urlparse
+from hyper.compat import urlparse, ssl
 from hyper.tls import init_context
 
 
@@ -29,7 +29,7 @@ def __init__(self, *args, **kwargs):
         #: A mapping between HTTP netlocs and ``HTTP20Connection`` objects.
         self.connections = {}
 
-    def get_connection(self, host, port, scheme, cert=None):
+    def get_connection(self, host, port, scheme, cert=None, verify=True):
         """
         Gets an appropriate HTTP/2 connection object based on
         host/port/scheme/cert tuples.
@@ -40,22 +40,29 @@ def get_connection(self, host, port, scheme, cert=None):
             port = 80 if not secure else 443
 
         ssl_context = None
-        if cert is not None:
+        if not verify:
+            verify = False
             ssl_context = init_context(cert=cert)
+            ssl_context.check_hostname = False
+            ssl_context.verify_mode = ssl.CERT_NONE
+        elif verify is True and cert is not None:
+            ssl_context = init_context(cert=cert)
+        elif verify is not True:
+            ssl_context = init_context(cert_path=verify, cert=cert)
 
         try:
-            conn = self.connections[(host, port, scheme, cert)]
+            conn = self.connections[(host, port, scheme, cert, verify)]
         except KeyError:
             conn = HTTPConnection(
                 host,
                 port,
                 secure=secure,
                 ssl_context=ssl_context)
-            self.connections[(host, port, scheme, cert)] = conn
+            self.connections[(host, port, scheme, cert, verify)] = conn
 
         return conn
 
-    def send(self, request, stream=False, cert=None, **kwargs):
+    def send(self, request, stream=False, cert=None, verify=True, **kwargs):
         """
         Sends a HTTP message to the server.
         """
@@ -64,7 +71,8 @@ def send(self, request, stream=False, cert=None, **kwargs):
             parsed.hostname,
             parsed.port,
             parsed.scheme,
-            cert=cert)
+            cert=cert,
+            verify=verify)
 
         # Build the selector.
         selector = parsed.path

test/test_hyper.py

@@ -18,7 +18,7 @@
 )
 from hyper.common.headers import HTTPHeaderMap
 from hyper.common.util import to_bytestring, HTTPVersion
-from hyper.compat import zlib_compressobj, is_py2
+from hyper.compat import zlib_compressobj, is_py2, ssl
 from hyper.contrib import HTTP20Adapter
 import hyper.http20.errors as errors
 import errno
@@ -31,6 +31,7 @@
 TEST_DIR = os.path.abspath(os.path.dirname(__file__))
 TEST_CERTS_DIR = os.path.join(TEST_DIR, 'certs')
 CLIENT_PEM_FILE = os.path.join(TEST_CERTS_DIR, 'nopassword.pem')
+SERVER_CERT_FILE = os.path.join(TEST_CERTS_DIR, 'server.crt')
 
 
 def decode_frame(frame_data):
@@ -1129,6 +1130,29 @@ def test_adapter_accept_client_certificate(self):
             'http',
             cert=CLIENT_PEM_FILE)
         assert conn1 is conn2
+        assert conn1._conn.ssl_context.check_hostname
+        assert conn1._conn.ssl_context.verify_mode == ssl.CERT_REQUIRED
+
+    def test_adapter_respects_disabled_ca_verification(self):
+        a = HTTP20Adapter()
+        conn = a.get_connection(
+            'http2bin.org',
+            80,
+            'http',
+            verify=False,
+            cert=CLIENT_PEM_FILE)
+        assert not conn._conn.ssl_context.check_hostname
+        assert conn._conn.ssl_context.verify_mode == ssl.CERT_NONE
+
+    def test_adapter_respects_custom_ca_verification(self):
+        a = HTTP20Adapter()
+        conn = a.get_connection(
+            'http2bin.org',
+            80,
+            'http',
+            verify=SERVER_CERT_FILE)
+        assert conn._conn.ssl_context.check_hostname
+        assert conn._conn.ssl_context.verify_mode == ssl.CERT_REQUIRED
 
 
 class TestUtilities(object):