fix env cert validation override

* fixes #201 * ensures that `server_cert_validation` takes precedence over code/env CA path overrides * adds basic unit test coverage of verify behavior
diyan · Jan 12, 2018 · 848b00d · 848b00d
1 parent eb6a408
commit 848b00d
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 17 deletions.
diff --git a/winrm/tests/test_transport.py b/winrm/tests/test_transport.py
@@ -1,21 +1,63 @@
 # coding=utf-8
 import os
+import tempfile
 from winrm.transport import Transport
 
 
-def test_build_session():
-    transport = Transport(endpoint="Endpoint",
+def test_build_session_cert_validate():
+    t_default = Transport(endpoint="Endpoint",
                           server_cert_validation='validate',
                           username='test',
                           password='test',
                           auth_method='basic',
                           )
-    os.environ['REQUESTS_CA_BUNDLE'] = 'path_to_REQUESTS_CA_CERT'
-    transport.build_session()
-    assert(transport.session.verify == 'path_to_REQUESTS_CA_CERT')
-    del os.environ['REQUESTS_CA_BUNDLE']
+    t_ca_override = Transport(endpoint="Endpoint",
+                              server_cert_validation='validate',
+                              username='test',
+                              password='test',
+                              auth_method='basic',
+                              ca_trust_path='overridepath',
+                              )
+    try:
+        os.environ['REQUESTS_CA_BUNDLE'] = 'path_to_REQUESTS_CA_CERT'
+        t_default.build_session()
+        t_ca_override.build_session()
+        assert(t_default.session.verify == 'path_to_REQUESTS_CA_CERT')
+        assert(t_ca_override.session.verify == 'overridepath')
+    finally:
+        del os.environ['REQUESTS_CA_BUNDLE']
 
-    os.environ['CURL_CA_BUNDLE'] = 'path_to_CURL_CA_CERT'
-    transport.build_session()
-    assert(transport.session.verify == 'path_to_CURL_CA_CERT')
-    del os.environ['CURL_CA_BUNDLE']
+    try:
+        os.environ['CURL_CA_BUNDLE'] = 'path_to_CURL_CA_CERT'
+        t_default.build_session()
+        t_ca_override.build_session()
+        assert(t_default.session.verify == 'path_to_CURL_CA_CERT')
+        assert (t_ca_override.session.verify == 'overridepath')
+    finally:
+        del os.environ['CURL_CA_BUNDLE']
+
+
+def test_build_session_cert_ignore():
+    t_default = Transport(endpoint="Endpoint",
+                          server_cert_validation='ignore',
+                          username='test',
+                          password='test',
+                          auth_method='basic',
+                          )
+    t_ca_override = Transport(endpoint="Endpoint",
+                              server_cert_validation='ignore',
+                              username='test',
+                              password='test',
+                              auth_method='basic',
+                              ca_trust_path='boguspath'
+                              )
+    try:
+        os.environ['REQUESTS_CA_BUNDLE'] = 'path_to_REQUESTS_CA_CERT'
+        os.environ['CURL_CA_BUNDLE'] = 'path_to_CURL_CA_CERT'
+        t_default.build_session()
+        t_ca_override.build_session()
+        assert(isinstance(t_default.session.verify, bool) and not t_default.session.verify)
+        assert (isinstance(t_ca_override.session.verify, bool) and not t_ca_override.session.verify)
+    finally:
+        del os.environ['REQUESTS_CA_BUNDLE']
+        del os.environ['CURL_CA_BUNDLE']
diff --git a/winrm/transport.py b/winrm/transport.py
@@ -147,19 +147,21 @@ def __init__(
     def build_session(self):
         session = requests.Session()
 
-        session.verify = self.server_cert_validation == 'validate'
-        if session.verify and self.ca_trust_path:
-                session.verify = self.ca_trust_path
-
-        # configure proxies from HTTP/HTTPS_PROXY envvars
+        # allow some settings to be merged from env
         session.trust_env = True
         settings = session.merge_environment_settings(url=self.endpoint, proxies={}, stream=None,
                                                       verify=None, cert=None)
 
-        # we're only applying proxies and/or verify from env, other settings are ignored
+        # get proxy settings from env
+        # FUTURE: allow proxy to be passed in directly to supersede this value
         session.proxies = settings['proxies']
 
-        if settings['verify'] is not None or self.ca_trust_path is not None:
+        # specified validation mode takes precedence
+        session.verify = self.server_cert_validation == 'validate'
+
+        # patch in CA path override if one was specified in init or env
+        if session.verify and (self.ca_trust_path is not None or settings['verify'] is not None):
+            # session.verify can be either a bool or path to a CA store; prefer passed-in value over env if both are present
             session.verify = self.ca_trust_path or settings['verify']
 
         encryption_available = False