add a ssl_context option to fingerprint - to allow the developer to override the automatically created ssl_context #2735
…verride the automatically created ssl_context
aiohttp/connector.py
Outdated
@@ -771,12 +778,18 @@ def _get_ssl_context(self, req): | |||
sslcontext = req.ssl | |||
if isinstance(sslcontext, ssl.SSLContext): | |||
return sslcontext | |||
if not (not isinstance(sslcontext, Fingerprint) or not (sslcontext.ssl_context is not None) or not isinstance( |
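Review bot: the condition on the last added line has the shape not (not A or not B or not C), which by De Morgan is simply A and B and C; please write it in that positive form, starting with isinstance(sslcontext, Fingerprint). If the third term, cut off in this view, is an isinstance test on sslcontext.ssl_context, the explicit sslcontext.ssl_context is not None term can go as well, because isinstance(None, ...) is already False.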
There are too many negations, which is hard to understand instantly and easy to misunderstand. I think this can (and should) be simplified.
It seems to me that you want this check:
isinstance(sslcontext, Fingerprint) and isinstance(sslcontext.ssl_context, ssl.SSLContext)
aiohttp/connector.py
Outdated
if sslcontext is not None: | ||
# not verified or fingerprinted | ||
return self._make_ssl_context(False) | ||
sslcontext = self._ssl | ||
if isinstance(sslcontext, ssl.SSLContext): | ||
return sslcontext | ||
if not (not isinstance(sslcontext, Fingerprint) or not (sslcontext.ssl_context is not None) or not isinstance( |
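Review bot: the last line repeats, for self._ssl, the same negated condition already used for req.ssl, so the two copies can drift apart; a single helper called for both values would remove that. Also note the catch-all at the top of this hunk, if sslcontext is not None: return self._make_ssl_context(False): whenever the new condition does not match a Fingerprint (for instance an ssl_context of the wrong type), that catch-all appears to be what handles it, and the caller's context would be dropped without an error. Rejecting a non-SSLContext ssl_context when the Fingerprint is constructed would make that failure visible.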
This is a duplicate check. Consider code reuse, so that it won't result in diverse copy-paste in future.
…during the reformatting of the line
Hi, thank you for your comments. I used some function in PyStorm to break the line - this apparently led to it rewriting the expression without me checking. I reworked it - I would like to keep the "is not None" check as a precondition. I fixed the negation mess though. But I see that this check is not done in the other branches - is isinstance "None"-safe?
@stephan48 this is why I use Vim :) isinstance is "None-safe":
Yea :) For work stuff I tend to use Windows & an IDE. For everything else vim on an ssh connection. Thanks for that info. How about this:

    if ssl is None:  # pragma: no cover
        raise RuntimeError('SSL is not supported.')

    def check_ssl(ssl_ctx):
        if isinstance(ssl_ctx, ssl.SSLContext):
            return ssl_ctx
        if isinstance(ssl_ctx, Fingerprint) and isinstance(ssl_ctx.ssl_context, ssl.SSLContext):
            return ssl_ctx.ssl_context
        if ssl_ctx is not None:
            # not verified or fingerprinted
            return self._make_ssl_context(False)

    if req.ssl is not None:
        return check_ssl(req.ssl)
    if self._ssl is not None:
        return check_ssl(self._ssl)
    return self._make_ssl_context(True)
Your last if/return in
Oh, and please update code in branch, cause it's fairly complicated to comment on such snippet + it's ripped out of context, which makes it hard to imagine how it would play with other parts of code around it. TIA.
ping
Hi, sadly I got overwhelmed by private and work stuff and I totally forgot to check back in here :( Would the changes/the version in the last commit (pre merge) be adequate? -- stephan
Codecov Report
@@ Coverage Diff @@
## master #2735 +/- ##
==========================================
- Coverage 97.98% 97.95% -0.03%
==========================================
Files 40 40
Lines 7592 7595 +3
Branches 1323 1323
==========================================
+ Hits 7439 7440 +1
- Misses 51 52 +1
- Partials 102 103 +1
Do I assume correctly that the code coverage complains about the new check_ssl function being undocumented?
The design looks good, please fix a couple notes
aiohttp/connector.py
Outdated
def check_ssl(ssl_ctx): | ||
if isinstance(ssl_ctx, ssl.SSLContext): | ||
return ssl_ctx | ||
if isinstance(ssl_ctx, Fingerprint) and \ |
Please use brackets:
    if (isinstance(ssl_ctx, Fingerprint) and
            isinstance(ssl_ctx.ssl_context, ssl.SSLContext)):
        return ssl_ctx.ssl_context
aiohttp/connector.py
Outdated
return ssl_ctx | ||
if isinstance(ssl_ctx, Fingerprint) and \ | ||
isinstance(ssl_ctx.ssl_context, ssl.SSLContext): | ||
return ssl_ctx.ssl_context |
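Review bot: return ssl_ctx.ssl_context on the last line hands back the caller's context untouched, so its verify_mode and check_hostname settings apply as the caller left them, unlike the fingerprint path elsewhere in this method that uses self._make_ssl_context(False). That difference should be stated in the Fingerprint documentation, which the description says is still missing, and the new test should assert that the returned object is the very context that was passed in.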
The line is not covered by tests
aiohttp/connector.py
Outdated
return sslcontext | ||
if sslcontext is not None: | ||
|
||
def check_ssl(ssl_ctx): |
The function has no closures, please rename it into _check_ssl and move to the module's top-level namespace
return ssl_ctx | ||
if (isinstance(ssl_ctx, Fingerprint) and | ||
isinstance(ssl_ctx.ssl_context, ssl.SSLContext)): | ||
return ssl_ctx.ssl_context |
Please add a test for covering the line execution.
# not verified or fingerprinted | ||
return self._make_ssl_context(False) | ||
|
||
if req.ssl is not None: |
smth like this would look nicer than duplicate if-clauses:

    _ssl = req.ssl or self._ssl
    if _ssl is not None:
        return self._check_ssl(_ssl)
I like the idea but sorry, I should close the PR.
What do these changes do?
I faced the problem that with the aiohttp 3.0 ssl api changes I could no longer use fingerprint verification and client cert auth, as you could only specify one or the other. After a short talk with the developer we came to the conclusion that a way to solve the problem would be to add an ssl_context kwarg to the Fingerprint. This PR does exactly that.
Documentation is still missing.
Are there changes in behavior for the user?
As with the previous API aiohttp <=2 you can now use both methods again.
Related issue number
Nope
Checklist
will work on this tomorrow - it's already late -
I think the code is well written
Unit tests for the changes exist
Documentation reflects the changes
If you provide code modification, please add yourself to CONTRIBUTORS.txt
Add a new news fragment into the CHANGES folder
<issue_id>.<type> for example (588.bugfix)
issue_id change it to the pr id after creating the pr
.feature: Signifying a new feature.
.bugfix: Signifying a bug fix.
.doc: Signifying a documentation improvement.
.removal: Signifying a deprecation or removal of public API.
.misc: A ticket has been closed, but it is not of interest to users.
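
The context selection this pull request converges on, written out as a stand-alone model; this is an added example, not code from the pull request or from aiohttp. The Fingerprint class is a hypothetical stand-in carrying the proposed ssl_context option, make_ssl_context approximates the connector's _make_ssl_context, and the type check in the constructor is an added assumption that the pull request does not contain.

```python
import ssl


class Fingerprint:
    """Hypothetical stand-in for aiohttp's Fingerprint with the proposed
    ssl_context option (the pull request was closed, not merged)."""

    def __init__(self, digest, ssl_context=None):
        # Added check, not in the PR: fail loudly instead of silently
        # falling back to the automatically created context.
        if ssl_context is not None and not isinstance(ssl_context,
                                                      ssl.SSLContext):
            raise TypeError("ssl_context must be an ssl.SSLContext")
        self.digest = digest            # pinned digest of the peer certificate
        self.ssl_context = ssl_context  # optional caller-supplied context


def make_ssl_context(verified):
    """Approximation of the connector's _make_ssl_context(verified)."""
    ctx = ssl.create_default_context()
    if not verified:
        # Chain validation off; with a Fingerprint the pin is checked instead.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_ssl(value):
    """Map one non-None `ssl` setting to the context used for the handshake."""
    if isinstance(value, ssl.SSLContext):
        return value
    if (isinstance(value, Fingerprint) and
            isinstance(value.ssl_context, ssl.SSLContext)):
        return value.ssl_context      # caller's context, e.g. with a client cert
    return make_ssl_context(False)    # ssl=False or a Fingerprint without context


def get_ssl_context(req_ssl, connector_ssl):
    """The request-level setting wins, then the connector's, then the default."""
    for value in (req_ssl, connector_ssl):
        if value is not None:         # identity test, so ssl=False is honoured
            return check_ssl(value)
    return make_ssl_context(True)
```

A caller who wants both pinning and client-certificate authentication would load the certificate into their own context and pass it as ssl_context; that context's verification settings are then used exactly as the caller configured them.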