add a ssl_context option to fingerprint - to allow the developer to override the automatically created ssl_context #2735
Conversation
…verride the automatically created ssl_context
aiohttp/connector.py
Outdated
| @@ -771,12 +778,18 @@ def _get_ssl_context(self, req): | |||
| sslcontext = req.ssl | |||
| if isinstance(sslcontext, ssl.SSLContext): | |||
| return sslcontext | |||
| if not (not isinstance(sslcontext, Fingerprint) or not (sslcontext.ssl_context is not None) or not isinstance( | |||
There was a problem hiding this comment.
There's too many negations, which is hard to understand instantly and easy to misunderstand. I think, this can (and should) be simplified.
There was a problem hiding this comment.
It seems to me that you want this check:
isinstance(sslcontext, Fingerprint) and isinstance(sslcontext.ssl_context, ssl.SSLContext)
aiohttp/connector.py
Outdated
| if sslcontext is not None: | ||
| # not verified or fingerprinted | ||
| return self._make_ssl_context(False) | ||
| sslcontext = self._ssl | ||
| if isinstance(sslcontext, ssl.SSLContext): | ||
| return sslcontext | ||
| if not (not isinstance(sslcontext, Fingerprint) or not (sslcontext.ssl_context is not None) or not isinstance( |
There was a problem hiding this comment.
This is a duplicate check. Consider code reuse, so that it won't result in diverse copy-paste in future.
…during the reformatting of the line
|
Hi, thank you for your comments I used some function in PyStorm to break the line - this apparently lead to it rewriting the expression without me checking. I reworked it - i would like to keep the "is not None" check as a precondition. I fixed the negation mess throu. But I see that this check is not done in the other branches - is isinstance "None"-safe? |
|
@stephan48 this is why I use Vim :) isinstance is "None-safe": |
|
yea :) for work stuff i tend to use windows & a IDE. for everything else vim on a ssh connection. thanks for that info. how about this: if ssl is None: # pragma: no cover
raise RuntimeError('SSL is not supported.')
def check_ssl(ssl_ctx):
if isinstance(ssl_ctx, ssl.SSLContext):
return ssl_ctx
if isinstance(ssl_ctx, Fingerprint) and isinstance(ssl_ctx.ssl_context, ssl.SSLContext):
return ssl_ctx.ssl_context
if ssl_ctx is not None:
# not verified or fingerprinted
return self._make_ssl_context(False)
if req.ssl is not None:
return check_ssl(req.ssl)
if self._ssl is not None:
return check_ssl(self._ssl)
return self._make_ssl_context(True) |
|
Your last if/return in |
|
Oh, and please update code in branch, cause it's fairly complicated to comment on such snippet + it's ripped out of context, which makes it hard to imagine how it would play with other parts of code around it. TIA. |
|
ping |
|
Hi, sadly I got overwhelmed by private and work stuff and i totally forgot to check back in here :( Would the changes/the version in the last commit(pre merge) be adequate? -- stephan |
Codecov Report
@@ Coverage Diff @@
## master #2735 +/- ##
==========================================
- Coverage 97.98% 97.95% -0.03%
==========================================
Files 40 40
Lines 7592 7595 +3
Branches 1323 1323
==========================================
+ Hits 7439 7440 +1
- Misses 51 52 +1
- Partials 102 103 +1
Continue to review full report at Codecov.
|
|
Do I assume correctly, that the code coverage complains about the new check_ssl function being undocumented? |
aiohttp/connector.py
Outdated
| def check_ssl(ssl_ctx): | ||
| if isinstance(ssl_ctx, ssl.SSLContext): | ||
| return ssl_ctx | ||
| if isinstance(ssl_ctx, Fingerprint) and \ |
There was a problem hiding this comment.
Please use brackets:
if (isinstance(ssl_ctx, Fingerprint) and
isinstance(ssl_ctx.ssl_context, ssl.SSLContext)):
return ssl_ctx.ssl_context
aiohttp/connector.py
Outdated
| return ssl_ctx | ||
| if isinstance(ssl_ctx, Fingerprint) and \ | ||
| isinstance(ssl_ctx.ssl_context, ssl.SSLContext): | ||
| return ssl_ctx.ssl_context |
There was a problem hiding this comment.
The line is not covered by tests
aiohttp/connector.py
Outdated
| return sslcontext | ||
| if sslcontext is not None: | ||
|
|
||
| def check_ssl(ssl_ctx): |
There was a problem hiding this comment.
The function has no closures, please rename it into _check_ssl and move to the module's top-level namespace
| return ssl_ctx | ||
| if (isinstance(ssl_ctx, Fingerprint) and | ||
| isinstance(ssl_ctx.ssl_context, ssl.SSLContext)): | ||
| return ssl_ctx.ssl_context |
There was a problem hiding this comment.
Please add a test for covering the line execution.
| # not verified or fingerprinted | ||
| return self._make_ssl_context(False) | ||
|
|
||
| if req.ssl is not None: |
There was a problem hiding this comment.
smth like this would look nicer that duplicate if-clauses:
_ssl = req.ssl or self._ssl
if _ssl is not None:
return self._check_ssl(_ssl)
This comment has been minimized.
This comment has been minimized.
|
I like the idea but sorry, I should close the PR. |
What do these changes do?
I faced the problem that with the aiohttp 3.0 ssl api changes i could no longer use fingerprint verification and client cert auth. As you could only specify one or the other. After a short talk with the developer we came to the conclusion that a way to solve the problem would be to add a ssl_context kwargs to the Fingerprint. This PR does exactly that.
Documentation is still missing.
Are there changes in behavior for the user?
As with the previous API aiohttp <=2 you can now use both methods again.
Related issue number
Nope
Checklist
will work on this tomorrow - its already late -
I think the code is well written
Unit tests for the changes exist
Documentation reflects the changes
If you provide code modification, please add yourself to
CONTRIBUTORS.txtAdd a new news fragment into the
CHANGESfolder<issue_id>.<type>for example (588.bugfix)issue_idchange it to the pr id after creating the pr.feature: Signifying a new feature..bugfix: Signifying a bug fix..doc: Signifying a documentation improvement..removal: Signifying a deprecation or removal of public API..misc: A ticket has been closed, but it is not of interest to users.