check the SSLCALISTLOC environment variable for SSL CAs

Author: jlwalke2

CHANGELOG.md

@@ -4,6 +4,7 @@ Unreleased
 **Improvements**
  - public_model task also defines methods mapped to MAS module steps when publishing to MAS.
  - SSL verification can be disable with `SSLREQCERT` environment variable.
+ - CAs to use for validating SSL certificates can also be specified through the `SSLCALISTLOC` environment variable.
  - Added `execute_performance_task`
 
 **Changes**

doc/index.rst

@@ -272,6 +272,11 @@ Environment Variables
 
 .. envvar:: CAS_CLIENT_SSL_CA_LIST
 
+Client-side path to a certificate file containing :abbr:`CA (Certificate Authority)` certificates to be trusted.  Used by the :mod:`swat` module.  This
+will take precedence over :envvar:`SSLCALISTLOC` and :envvar:`REQUESTS_CA_BUNDLE`.
+
+.. envvar:: SSLCALISTLOC
+
 Client-side path to a certificate file containing :abbr:`CA (Certificate Authority)` certificates to be trusted.  Used by the :mod:`swat` module.  This
 will take precedence over :envvar:`REQUESTS_CA_BUNDLE`.
 

src/sasctl/core.py

@@ -207,10 +207,16 @@ class Session(requests.Session):
     filters
 
     """
-    def __init__(self, host, user=None, password=None, authinfo=None,
-                 protocol=None, port=None, verify_ssl=None):
+    def __init__(self, host,
+                 user=None,
+                 password=None,
+                 authinfo=None,
+                 protocol=None,
+                 port=None,
+                 verify_ssl=None):
         super(Session, self).__init__()
 
+        # Determine whether or not server SSL certificates should be verified.
         if verify_ssl is None:
             verify_ssl = os.environ.get('SSLREQCERT', 'yes')
             verify_ssl = str(verify_ssl).lower() not in ('no', 'false')
@@ -220,9 +226,10 @@ def __init__(self, host, user=None, password=None, authinfo=None,
 
         # If certificate path has already been set for SWAT package, make
         # Requests module reuse it.
-        if 'CAS_CLIENT_SSL_CA_LIST' in os.environ:
-            os.environ['REQUESTS_CA_BUNDLE'] = os.environ[
-                'CAS_CLIENT_SSL_CA_LIST']
+        for k in ['SSLCALISTLOC', 'CAS_CLIENT_SSL_CA_LIST']:
+            if k in os.environ:
+                os.environ['REQUESTS_CA_BUNDLE'] = os.environ[k]
+                break
 
         # If certificate path hasn't been specified in either environment
         # variable, replace the default adapter with one that will use the

tests/unit/test_session.py

@@ -176,8 +176,7 @@ def test_ssl_context():
     import os
     from sasctl.core import SSLContextAdapter
 
-    if 'CAS_CLIENT_SSL_CA_LIST' in os.environ: del os.environ[
-        'CAS_CLIENT_SSL_CA_LIST']
+    if 'CAS_CLIENT_SSL_CA_LIST' in os.environ: del os.environ['CAS_CLIENT_SSL_CA_LIST']
     if 'REQUESTS_CA_BUNDLE' in os.environ: del os.environ['REQUESTS_CA_BUNDLE']
 
     # Should default to SSLContextAdapter if no certificate paths are set
@@ -196,10 +195,25 @@ def test_ssl_context():
     os.environ['CAS_CLIENT_SSL_CA_LIST'] = 'path_for_swat'
     with mock.patch('sasctl.core.Session.get_token', return_value='token'):
         s = Session('hostname', 'username', 'password')
-    assert os.environ['CAS_CLIENT_SSL_CA_LIST'] == os.environ[
-        'REQUESTS_CA_BUNDLE']
+    assert os.environ['CAS_CLIENT_SSL_CA_LIST'] == os.environ['REQUESTS_CA_BUNDLE']
     assert not isinstance(s.get_adapter('https://'), SSLContextAdapter)
 
+    # Cleanup
+    del os.environ['CAS_CLIENT_SSL_CA_LIST']
+    del os.environ['REQUESTS_CA_BUNDLE']
+
+    # If SWAT env variable is set, it should override the Requests variable
+    os.environ['SSLCALISTLOC'] = 'path_for_swat'
+    with mock.patch('sasctl.core.Session.get_token', return_value='token'):
+        s = Session('hostname', 'username', 'password')
+    assert os.environ['SSLCALISTLOC'] == os.environ['REQUESTS_CA_BUNDLE']
+    assert 'CAS_CLIENT_SSL_CA_LIST' not in os.environ
+    assert not isinstance(s.get_adapter('https://'), SSLContextAdapter)
+
+    # Cleanup
+    del os.environ['SSLCALISTLOC']
+    del os.environ['REQUESTS_CA_BUNDLE']
+
 
 def test_verify_ssl():