check SSLREQCERT env var for disabling ssl verification

jlwalke2 · jlwalke2 · commit 6d0b9a3ee626 · 2019-07-18T13:05:21.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,9 @@
 
 Unreleased
 ----------
-**Changed**
+**Improvements**
  - public_model task also defines methods mapped to MAS module steps when publishing to MAS.
+ - SSL verification can be disable with `SSLREQCERT` environment variable.
 
 
 v0.9.6 (2019-07-15)
diff --git a/src/sasctl/core.py b/src/sasctl/core.py
@@ -208,9 +208,13 @@ class Session(requests.Session):
 
     """
     def __init__(self, host, user=None, password=None, authinfo=None,
-                 protocol=None, port=None, verify_ssl=True):
+                 protocol=None, port=None, verify_ssl=None):
         super(Session, self).__init__()
 
+        if verify_ssl is None:
+            verify_ssl = os.environ.get('SSLREQCERT', 'yes')
+            verify_ssl = str(verify_ssl).lower() not in ('no', 'false')
+
         self._id = uuid4().hex
         self.message_log = logger.getChild('session.%s' % self._id)
 
diff --git a/tests/unit/test_session.py b/tests/unit/test_session.py
@@ -6,6 +6,7 @@
 
 import json
 import logging
+import os
 
 import pytest
 from six.moves import mock
@@ -200,6 +201,39 @@ def test_ssl_context():
     assert not isinstance(s.get_adapter('https://'), SSLContextAdapter)
 
 
+def test_verify_ssl():
+
+    with mock.patch('sasctl.core.Session.get_token', return_value='token'):
+        # Should verify SSL by default
+        s = Session('hostname', 'username', 'password')
+        assert s.verify == True
+
+        # Specify true with no issues
+        s = Session('hostname', 'username', 'password', verify_ssl=True)
+        assert s.verify == True
+
+        # Explicitly disable SSL verification
+        s = Session('hostname', 'username', 'password', verify_ssl=False)
+        assert s.verify == False
+
+        # Reuse SWAT env variable, if specified
+        os.environ['SSLREQCERT'] = 'NO'
+        s = Session('hostname', 'username', 'password')
+        assert s.verify == False
+
+        os.environ['SSLREQCERT'] = 'no'
+        s = Session('hostname', 'username', 'password')
+        assert s.verify == False
+
+        os.environ['SSLREQCERT'] = 'false'
+        s = Session('hostname', 'username', 'password')
+        assert s.verify == False
+
+        # Explicit should take precedence over environment variables
+        s = Session('hostname', 'username', 'password', verify_ssl=True)
+        assert s.verify == True
+
+
 def test_kerberos():
     with mock.patch('sasctl.core.Session._get_token_with_kerberos',
                     return_value='token'):
