feat: Support OS truststore for the TLS certificate verification

This commit add support for loading the OS truststore root certificates in addition to the "legacy" certifi bundle. It will come in handy for every user behind a company proxy or just using a private PyPI warehouse. Close #9249
python-poetry · Sep 12, 2024 · 7fece0d · 7fece0d
1 parent 3183126
commit 7fece0d
Show file tree

Hide file tree

Showing 5 changed files with 124 additions and 6 deletions.
diff --git a/docs/repositories.md b/docs/repositories.md
@@ -569,6 +569,10 @@ poetry config -- http-basic.pypi myUsername -myPasswordStartingWithDash
 
 ## Certificates
 
+### OS Truststore
+
+Poetry access the system truststore by default and retrieve the root certificates appropriately on Linux, Windows, and MacOS.
+
 ### Custom certificate authority and mutual TLS authentication
 
 Poetry supports repositories that are secured by a custom certificate authority as well as those that require

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -56,6 +56,7 @@ tomlkit = ">=0.11.4,<1.0.0"
 trove-classifiers = ">=2022.5.19"
 virtualenv = "^20.23.0"
 xattr = { version = "^1.0.0", markers = "sys_platform == 'darwin'" }
+wassima = "^1.1.2"
 
 [tool.poetry.group.dev.dependencies]
 pre-commit = ">=2.10"

diff --git a/src/poetry/utils/authenticator.py b/src/poetry/utils/authenticator.py
@@ -16,7 +16,6 @@
 import requests.auth
 import requests.exceptions
 
-from cachecontrol import CacheControlAdapter
 from cachecontrol.caches import FileCache
 from requests_toolbelt import user_agent
 
@@ -28,6 +27,7 @@
 from poetry.utils.constants import STATUS_FORCELIST
 from poetry.utils.password_manager import HTTPAuthCredential
 from poetry.utils.password_manager import PasswordManager
+from poetry.utils.truststore import WithTrustStoreAdapter
 
 
 if TYPE_CHECKING:
@@ -137,7 +137,7 @@ def create_session(self) -> requests.Session:
         if self._cache_control is None:
             return session
 
-        adapter = CacheControlAdapter(
+        adapter = WithTrustStoreAdapter(
             cache=self._cache_control,
             pool_maxsize=self._pool_size,
         )

diff --git a/src/poetry/utils/truststore.py b/src/poetry/utils/truststore.py
@@ -0,0 +1,26 @@
+from __future__ import annotations
+
+from cachecontrol import CacheControlAdapter
+from wassima import RUSTLS_LOADED
+from wassima import generate_ca_bundle
+
+
+DEFAULT_CA_BUNDLE = generate_ca_bundle()
+
+
+class WithTrustStoreAdapter(CacheControlAdapter):
+    """
+    Inject the OS truststore in Requests.
+    Certifi is still loaded in addition to the OS truststore for backward compatibility purposes.
+    See https://github.com/jawah/wassima for more details.
+    """
+
+    def cert_verify(self, conn, url, verify, cert):
+        #: only apply truststore cert if "verify" is set with default value "True".
+        #: RUSTLS_LOADED means that "wassima" is not the py3 none wheel and does not fallback on "certifi"
+        #: if "RUSTLS_LOADED" is False then "wassima" just return "certifi" bundle instead.
+        if RUSTLS_LOADED and url.lower().startswith("https") and verify is True:
+            conn.ca_cert_data = DEFAULT_CA_BUNDLE
+
+        # still apply upstream logic as before
+        super().cert_verify(conn, url, verify, cert)