From 8514c35760d0eba9a831bf10d3cb2fcaf7910534 Mon Sep 17 00:00:00 2001
From: Sylvain Hellegouarch
Date: Thu, 13 Feb 2020 14:01:59 +0100
Subject: [PATCH] Add flag to disable certificate verification
Closes #163
Signed-off-by: Sylvain Hellegouarch
---
 CHANGELOG.md | 5 +++++
 chaoslib/loader.py | 10 +++++++---
 tests/test_loader.py | 24 ++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 02674a6..c9a5771 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@
 ### Added
 - Only apply rollbacks if experiment has progressed past the initial steady state hypothesis [#168](168)
+- Allow to not verify certificates when connecting to a HTTPS endpoint using [#163](163)
+ self-signed certificate.
+
+[168]: https://github.com/chaostoolkit/chaostoolkit-lib/issues/168
+[163]: https://github.com/chaostoolkit/chaostoolkit-lib/issues/163
 ### Changed
diff --git a/chaoslib/loader.py b/chaoslib/loader.py
index a8ffe2c..f3b36eb 100644
--- a/chaoslib/loader.py
+++ b/chaoslib/loader.py
@@ -69,8 +69,8 @@ def parse_experiment_from_http(response: requests.Response) -> Experiment:
 "only files with json, yaml or yml extensions are supported")
-def load_experiment(experiment_source: str,
- settings: Settings = None) -> Experiment:
+def load_experiment(experiment_source: str, settings: Settings = None,
+ verify_tls: bool = True) -> Experiment:
 """
 Load an experiment from the given source.
@@ -90,6 +90,10 @@ def load_experiment(experiment_source: str,
 type: digest
 value: UIY
 ```
+
+ Set `verify_tls` to `False` if the source is a over a self-signed
+ certificate HTTP endpoint to instruct the loader to not verify the
+ certificates.
 """
 with controls(level="loader", context=experiment_source) as control:
 if os.path.exists(experiment_source):
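Review bot: The docstring paragraph added to `load_experiment` in chaoslib/loader.py is hard to parse ("is a over a self-signed certificate HTTP endpoint") and does not say what is lost when the flag is off. With `verify_tls=False` the server's identity is not checked, so the fetched experiment, and any auth value taken from the settings, can be read or replaced by anyone on the network path. I would reword it roughly as "Set verify_tls to False to skip certificate verification when the source is an HTTPS endpoint using a self-signed certificate; the server is then not authenticated, so only use it on networks you trust." Because `requests` also accepts a CA bundle path for `verify`, letting the new parameter in the signature hunk carry a path would allow callers to trust a self-signed certificate without disabling verification. The function body continues outside these hunks.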
@@ -117,7 +121,7 @@ def load_experiment(experiment_source: str,
 auth["type"], auth["value"])
 break
- r = requests.get(experiment_source, headers=headers)
+ r = requests.get(experiment_source, headers=headers, verify=verify_tls)
 if r.status_code != 200:
 raise InvalidSource(
 "Failed to fetch the experiment: {}".format(r.text))
diff --git a/tests/test_loader.py b/tests/test_loader.py
index d1b722b..43afe51 100644
--- a/tests/test_loader.py
+++ b/tests/test_loader.py
@@ -7,6 +7,7 @@
 from chaoslib.exceptions import InvalidSource, InvalidExperiment
 from chaoslib.loader import load_experiment, parse_experiment_from_file
 from chaoslib.types import Settings
+import requests
 from fixtures import experiments
@@ -121,3 +122,26 @@ def test_http_loads_fails_when_known_type():
 )
 with pytest.raises(InvalidExperiment):
 load_experiment('http://example.com/experiment.yaml')
+
+
+def test_https_no_verification():
+ with requests_mock.mock() as m:
+ m.get(
+ 'https://example.com/experiment.yaml', status_code=200,
+ headers={"Content-Type": "text/css"},
+ text="body {}"
+ )
+ with pytest.raises(InvalidExperiment):
+ load_experiment(
+ 'https://example.com/experiment.yaml', verify_tls=False)
+
+
+def test_https_with_verification():
+ with requests_mock.mock() as m:
+ m.get(
+ 'https://example.com/experiment.yaml',
+ exc=requests.exceptions.SSLError
+ )
+ with pytest.raises(requests.exceptions.SSLError):
+ load_experiment(
+ 'https://example.com/experiment.yaml', verify_tls=True)
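Review bot: In chaoslib/loader.py the changed `requests.get` call forwards `verify=verify_tls` on the same request that carries `headers`, which the context lines show being built from `auth["type"], auth["value"]`. With verification off, that credential appears to be sent to a server whose identity was never checked, and nothing on the chaoslib side records that the downgrade happened. Logging a warning just before the call whenever `verify_tls` is false would make it visible in run output, and it may be worth not attaching the auth header in that case unless the caller explicitly opts in. The same line also passes no `timeout`, so an unresponsive endpoint can block the loader indefinitely. The enclosing function starts and ends outside this hunk.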
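Review bot: Neither new test in tests/test_loader.py checks that the flag actually reaches `requests`. `requests_mock` performs no TLS handshake, so `test_https_no_verification` would pass unchanged if `load_experiment` ignored `verify_tls`, and `test_https_with_verification` only shows that a mocked `SSLError` propagates. Asserting on the recorded request pins the behaviour, for example `assert m.last_request.verify is False` after the `pytest.raises` block in the first test. A further case that calls `load_experiment` without the argument and asserts `m.last_request.verify is True` would lock in the secure default.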