nixpkgs-suyu/pkgs/development/python-modules/requests/0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch
Keshav Kini 11f7c3310f
python3Packages.requests: patch in CA bundles
The requests library defaults to using the certificates from the
certifi library when not otherwise specified.  If I understand the
discussion at #8247 correctly, we should instead patch it so that it
follows the following priority order:

1. the path pointed to by the environment variable $NIX_SSL_CERT_FILE

2. /etc/ssl/certs/ca-certificates.crt

3. whatever it was doing before (in this case, using certifi)

This commit implements that.
2021-06-21 16:48:40 -07:00

From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001
From: Keshav Kini <keshav.kini@gmail.com>
Date: Sun, 16 May 2021 20:35:24 -0700
Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi
Normally, requests gets its default CA bundle from the certifi
package. On NixOS and when using Nix on non-NixOS platforms, we would
rather default to using our own certificate bundles controlled by the
Nix/NixOS user.
This commit overrides requests.certs.where(), which previously was
just aliased to certifi.where(), so that now it does the following:
- When run by Nix on non-NixOS, the environment variable
$NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we
use that.
- When running on NixOS, the CA bundle we're using has the static path
/etc/ssl/certs/ca-certificates.crt, so we use that.
- Otherwise, we fall back to the original behavior of using certifi's
CA bundle. Higher in the call stack, users of requests can also
explicitly specify a CA bundle to use, which overrides all this
logic.
---
requests/certs.py | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/requests/certs.py b/requests/certs.py
index d1a378d7..faf462b7 100644
--- a/requests/certs.py
+++ b/requests/certs.py
@@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
environment, you can change the definition of where() to return a separately
packaged CA bundle.
"""
-from certifi import where
+
+import os
+
+import certifi
+
+
+def where():
+ nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE")
+ if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file):
+ return nix_ssl_cert_file
+
+ nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt"
+ if os.path.exists(nixos_ca_bundle):
+ return nixos_ca_bundle
+
+ return certifi.where()
+
if __name__ == '__main__':
print(where())
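Review bot: the `os.path.exists(nix_ssl_cert_file)` guard in the first branch of `where()` turns a set-but-wrong `NIX_SSL_CERT_FILE` into a silent fall-through to `/etc/ssl/certs/ca-certificates.crt` or certifi. A user who deliberately pointed the variable at a bundle carrying a private CA then gets a different trust store and a confusing verification failure (or none at all) instead of a plain "no such file". Consider returning the variable's value whenever it is set and letting the consumer of the path fail loudly on a missing file, or at least warning when the path is set but absent; the same `exists` check also accepts a directory, where `os.path.isfile` says what is meant. Separately, the module docstring left as context above the hunk still only tells packagers they "can change the definition of where()"; a sentence stating the new priority order (environment variable, static NixOS path, certifi) would spare the next reader from reconstructing it from the branches.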
--
2.31.1
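The priority order that both commit messages above describe, as an added worked example that is not part of this patch, of nixpkgs or of requests. It resolves the bundle in the same order (NIX_SSL_CERT_FILE, then /etc/ssl/certs/ca-certificates.crt, then the packaged bundle) but goes beyond the patch in two ways that are this example's own choices: a NIX_SSL_CERT_FILE that is set but not a file is reported as an error rather than silently falling through, and a chosen file with no PEM certificate blocks is rejected. The names resolve_ca_bundle, run_scenarios, count_pem_certs and CABundleError, the FAKE_PEM bytes (constructed framing, not a real certificate) and the temporary files are assumptions of the example; the packaged fallback is passed in as a callable so the whole thing runs offline without certifi.

```python
"""Resolve a CA bundle in the order the commit message gives, then check it.

Added example, not code from the patch, nixpkgs or requests. Same priority
order (NIX_SSL_CERT_FILE, then /etc/ssl/certs/ca-certificates.crt, then the
packaged bundle), with two stricter choices that are this example's own:
a NIX_SSL_CERT_FILE that is set but not a file is an error instead of a
silent fall-through, and a chosen file with no PEM certificate blocks is
rejected. The packaged fallback is a callable (certifi.where in real use)
and the NixOS path is a parameter, so everything below runs offline.
"""
import os
import re
import tempfile

NIXOS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# One PEM certificate block: armour lines around base64 body lines. Only the
# framing is checked here; the DER inside is not parsed.
_PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----"
)

# Constructed PEM framing for the scenarios below; NOT a real certificate.
FAKE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBszCCAVmgAwIBAgIUAAAA\n"
    b"-----END CERTIFICATE-----\n"
)


class CABundleError(RuntimeError):
    """args[0] is a short reason: 'missing', 'empty' or 'none'."""


def count_pem_certs(path):
    """Number of PEM certificate blocks in the file at path."""
    with open(path, "rb") as fh:
        return len(_PEM_CERT.findall(fh.read()))


def resolve_ca_bundle(env=None, nixos_bundle=NIXOS_CA_BUNDLE, fallback=None):
    """Return the CA bundle path to use, or raise CABundleError.

    env is the mapping NIX_SSL_CERT_FILE is read from (os.environ by default);
    fallback returns the packaged bundle path, or is None when there is none.
    """
    env = os.environ if env is None else env
    explicit = env.get("NIX_SSL_CERT_FILE")
    if explicit:
        # The patch falls through when the path does not exist; here a set
        # variable is taken at its word so a typo cannot swap the trust store.
        if not os.path.isfile(explicit):
            raise CABundleError("missing", explicit)
        chosen = explicit
    elif os.path.isfile(nixos_bundle):
        chosen = nixos_bundle
    elif fallback is not None:
        chosen = fallback()
    else:
        raise CABundleError("none")

    if count_pem_certs(chosen) == 0:
        raise CABundleError("empty", chosen)
    return chosen


def run_scenarios():
    """Exercise every branch with constructed files; map scenario -> outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        env_file = os.path.join(tmp, "env.crt")
        nixos = os.path.join(tmp, "ca-certificates.crt")
        packaged = os.path.join(tmp, "certifi.crt")
        empty = os.path.join(tmp, "empty.crt")
        absent = os.path.join(tmp, "does-not-exist")
        for path in (env_file, nixos, packaged):
            with open(path, "wb") as fh:
                fh.write(FAKE_PEM)
        open(empty, "wb").close()
        names = {env_file: "env", nixos: "nixos", packaged: "certifi"}

        def outcome(env, nixos_bundle):
            try:
                return names[resolve_ca_bundle(env, nixos_bundle, lambda: packaged)]
            except CABundleError as exc:
                return "error:" + exc.args[0]

        return {
            "env_set": outcome({"NIX_SSL_CERT_FILE": env_file}, nixos),
            "env_blank": outcome({"NIX_SSL_CERT_FILE": ""}, nixos),
            "nixos_only": outcome({}, nixos),
            "certifi_fallback": outcome({}, absent),
            "env_missing": outcome({"NIX_SSL_CERT_FILE": absent}, nixos),
            "env_empty_file": outcome({"NIX_SSL_CERT_FILE": empty}, nixos),
        }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-16s %s" % (name, result))
```

Running the module prints one line per scenario. The env_blank case keeps the patch's behaviour (an empty variable counts as unset), while env_missing and env_empty_file are the two places where this example deliberately fails instead of picking another bundle: a practitioner who exports NIX_SSL_CERT_FILE to trust a private CA usually wants a hard error, not a quiet switch to the distribution store.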