dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

python3Packages.requests: patch in CA bundles

Browse Source 
The requests library defaults to using the certificates from the
certifi library when not otherwise specified.  If I understand the
discussion at #8247 correctly, we should instead patch it so that it
follows the following priority order:

1. the path pointed to by the environment variable $NIX_SSL_CERT_FILE

2. /etc/ssl/certs/ca-certificates.crt

3. whatever it was doing before (in this case, using certifi)

This commit implements that.
This commit is contained in:
Keshav Kini 2021-05-16 20:43:11 -07:00 committed by Jonathan Ringer
parent b3c54f5c07
commit 11f7c3310f
No known key found for this signature in database
GPG Key ID: 5C841D3CFDFEC4E0
2 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
pkgs/development/python-modules/requests/0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch Normal file
View File

@ -0,0 +1,60 @@
From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001
From: Keshav Kini <keshav.kini@gmail.com>
Date: Sun, 16 May 2021 20:35:24 -0700
Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi
Normally, requests gets its default CA bundle from the certifi
package. On NixOS and when using Nix on non-NixOS platforms, we would
rather default to using our own certificate bundles controlled by the
Nix/NixOS user.
This commit overrides requests.certs.where(), which previously was
just aliased to certifi.where(), so that now it does the following:
- When run by Nix on non-NixOS, the environment variable
$NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we
use that.
- When running on NixOS, the CA bundle we're using has the static path
/etc/ssl/certs/ca-certificates.crt , so we use that.
- Otherwise, we fall back to the original behavior of using certifi's
CA bundle. Higher in the call stack, users of requests can also
explicitly specify a CA bundle to use, which overrides all this
logic.
---
requests/certs.py | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/requests/certs.py b/requests/certs.py
index d1a378d7..faf462b7 100644
--- a/requests/certs.py
+++ b/requests/certs.py
@@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
environment, you can change the definition of where() to return a separately
packaged CA bundle.
"""
-from certifi import where
+
+import os
+
+import certifi
+
+
+def where():
+ nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE")
+ if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file):
+ return nix_ssl_cert_file
+
+ nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt"
+ if os.path.exists(nixos_ca_bundle):
+ return nixos_ca_bundle
+
+ return certifi.where()
+
if __name__ == '__main__':
print(where())
--
2.31.1

2
pkgs/development/python-modules/requests/default.nix
View File

@ -20,6 +20,8 @@ buildPythonPackage rec {
sha256 = "sha256-J5c91KkEpPE7JjoZyGbBO5KjntHJZGVfAl8/jT11uAQ=";
};
patches = [ ./0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch ];
postPatch = ''
# Use latest idna
substituteInPlace setup.py --replace ",<3" ""