From 4af47487a279f494fd3118a01d21b401cd770d2b Mon Sep 17 00:00:00 2001
From: Maura Hausman <mhausman@wayfair.com>
Date: Mon, 24 Jul 2017 18:16:06 -0400
Subject: [PATCH] Support SSL verification via internal CA bundle

- Also updates documentation
- See issues #204 and #270
---
 docs/cli.rst                |  7 ++++---
 gitlab/config.py            | 17 +++++++++++++++++
 gitlab/tests/test_config.py | 15 +++++++++++++++
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/docs/cli.rst b/docs/cli.rst
index 92140ef67..8d0550bf9 100644
--- a/docs/cli.rst
+++ b/docs/cli.rst
@@ -61,9 +61,10 @@ parameters. You can override the values in each GitLab server section.
      - Possible values
      - Description
    * - ``ssl_verify``
-     - ``True`` or ``False``
-     - Verify the SSL certificate. Set to ``False`` if your SSL certificate is
-       auto-signed.
+     - ``True``, ``False``, or a ``str``
+     - Verify the SSL certificate. Set to ``False`` to disable verification,
+       though this will create warnings. Any other value is interpreted as path
+       to a CA_BUNDLE file or directory with certificates of trusted CAs.
    * - ``timeout``
      - Integer
      - Number of seconds to wait for an answer before failing.
diff --git a/gitlab/config.py b/gitlab/config.py
index d5e87b670..d1c29d0ca 100644
--- a/gitlab/config.py
+++ b/gitlab/config.py
@@ -61,11 +61,28 @@ def __init__(self, gitlab_id=None, config_files=None):
         self.ssl_verify = True
         try:
             self.ssl_verify = self._config.getboolean('global', 'ssl_verify')
+        except ValueError:
+            # Value Error means the option exists but isn't a boolean.
+            # Get as a string instead as it should then be a local path to a
+            # CA bundle.
+            try:
+                self.ssl_verify = self._config.get('global', 'ssl_verify')
+            except Exception:
+                pass
         except Exception:
             pass
         try:
             self.ssl_verify = self._config.getboolean(self.gitlab_id,
                                                       'ssl_verify')
+        except ValueError:
+            # Value Error means the option exists but isn't a boolean.
+            # Get as a string instead as it should then be a local path to a
+            # CA bundle.
+            try:
+                self.ssl_verify = self._config.get(self.gitlab_id,
+                                                   'ssl_verify')
+            except Exception:
+                pass
         except Exception:
             pass
 
diff --git a/gitlab/tests/test_config.py b/gitlab/tests/test_config.py
index 73830a1c9..83d7daaac 100644
--- a/gitlab/tests/test_config.py
+++ b/gitlab/tests/test_config.py
@@ -40,6 +40,11 @@
 private_token = GHIJKL
 ssl_verify = false
 timeout = 10
+
+[three]
+url = https://three.url
+private_token = MNOPQR
+ssl_verify = /path/to/CA/bundle.crt
 """
 
 no_default_config = u"""[global]
@@ -109,3 +114,13 @@ def test_valid_data(self, m_open):
         self.assertEqual("GHIJKL", cp.token)
         self.assertEqual(10, cp.timeout)
         self.assertEqual(False, cp.ssl_verify)
+
+        fd = six.StringIO(valid_config)
+        fd.close = mock.Mock(return_value=None)
+        m_open.return_value = fd
+        cp = config.GitlabConfigParser(gitlab_id="three")
+        self.assertEqual("three", cp.gitlab_id)
+        self.assertEqual("https://three.url", cp.url)
+        self.assertEqual("MNOPQR", cp.token)
+        self.assertEqual(2, cp.timeout)
+        self.assertEqual("/path/to/CA/bundle.crt", cp.ssl_verify)