Add disable_ssl_verification() method to Session class

Nik V · djc · commit 30084151e077 · 2015-01-10T16:43:31.000+01:00
Python 2.7.9 has started performing SSL verification by default, which
made it impossible to connect to couchdb instances with self-signed
certs over SSL. Setting this flag true re-enables the pre 2.7.9 behavior.
diff --git a/couchdb/client.py b/couchdb/client.py
@@ -271,6 +271,12 @@ class Database(object):
     2
 
     >>> del server['python-tests']
+
+    If you need to connect to a database with an unverified or self-signed SSL
+    certificate, you can re-initialize your ConnectionPool as follows (only
+    applicable for Python 2.7.9+):
+
+    >>> db.resource.session.disable_ssl_verification()
     """
 
     def __init__(self, url, name=None, session=None):
diff --git a/couchdb/http.py b/couchdb/http.py
@@ -17,6 +17,7 @@
 import socket
 import time
 import sys
+import ssl
 
 try:
     from threading import Lock
@@ -53,7 +54,7 @@ class NagleMixin:
 
         Based on code originally copied from Python 2.7's httplib module.
         """
-        
+
         def endheaders(self, message_body=None):
             if self.__dict__['_HTTPConnection__state'] == _CS_REQ_STARTED:
                 self.__dict__['_HTTPConnection__state'] = _CS_REQ_SENT
@@ -216,10 +217,25 @@ def __init__(self, cache=None, timeout=None, max_redirects=5,
         self.cache = cache
         self.max_redirects = max_redirects
         self.perm_redirects = {}
-        self.connection_pool = ConnectionPool(timeout)
+        self._disable_ssl_verification = False
+        self._timeout = timeout
+        self.connection_pool = ConnectionPool(
+            self._timeout,
+            disable_ssl_verification=self._disable_ssl_verification)
         self.retry_delays = list(retry_delays) # We don't want this changing on us.
         self.retryable_errors = set(retryable_errors)
 
+    def disable_ssl_verification(self):
+        """
+        Disable verification of SSL certificates and re-initialize the ConnectionPool.
+        Only applicable on Python 2.7.9+ as previous versions of Python don't verify
+        SSL certs.
+
+        :return:
+        """
+        self._disable_ssl_verification = True
+        self.connection_pool = ConnectionPool(self._timeout, disable_ssl_verification=self._disable_ssl_verification)
+
     def request(self, method, url, body=None, headers=None, credentials=None,
                 num_redirects=0):
         if url in self.perm_redirects:
@@ -420,11 +436,23 @@ def _clean(self):
         self.by_url = dict(ls[-self.keep_size:])
 
 
+class InsecureHTTPSConnection(HTTPSConnection):
+    """ Wrapper class to create an HTTPSConnection without SSl verification (the default behavior in
+    Python < 2.7.9).
+
+    See: https://docs.python.org/2/library/httplib.html#httplib.HTTPSConnection
+    """
+    def __init__(self, *a, **k):
+        k['context'] = ssl._create_unverified_context()
+        HTTPSConnection.__init__(self, *a, **k)
+
+
 class ConnectionPool(object):
     """HTTP connection pool."""
 
-    def __init__(self, timeout):
+    def __init__(self, timeout, disable_ssl_verification=False):
         self.timeout = timeout
+        self.disable_ssl_verification = disable_ssl_verification
         self.conns = {} # HTTP connections keyed by (scheme, host)
         self.lock = Lock()
 
@@ -448,7 +476,10 @@ def get(self, url):
             if scheme == 'http':
                 cls = HTTPConnection
             elif scheme == 'https':
-                cls = HTTPSConnection
+                if self.disable_ssl_verification:
+                    cls = InsecureHTTPSConnection
+                else:
+                    cls = HTTPSConnection
             else:
                 raise ValueError('%s is not a supported scheme' % scheme)
             conn = cls(host, timeout=self.timeout)
