nixpkgs/pkgs/development/python-modules/requests/0001-Prefer-NixOS-Nix-default-CA-bundles-over-certifi.patch

From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001
From: Keshav Kini <keshav.kini@gmail.com>
Date: Sun, 16 May 2021 20:35:24 -0700
Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi

Normally, requests gets its default CA bundle from the certifi
package.  On NixOS and when using Nix on non-NixOS platforms, we would
rather default to using our own certificate bundles controlled by the
Nix/NixOS user.

This commit overrides requests.certs.where(), which previously was
just aliased to certifi.where(), so that now it does the following:

- When run by Nix on non-NixOS, the environment variable
  $NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we
  use that.

- When running on NixOS, the CA bundle we're using has the static path
  /etc/ssl/certs/ca-certificates.crt , so we use that.

- Otherwise, we fall back to the original behavior of using certifi's
  CA bundle.  Higher in the call stack, users of requests can also
  explicitly specify a CA bundle to use, which overrides all this
  logic.
---
 requests/certs.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/requests/certs.py b/requests/certs.py
index d1a378d7..faf462b7 100644
--- a/requests/certs.py
+++ b/requests/certs.py
@@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
 environment, you can change the definition of where() to return a separately
 packaged CA bundle.
 """
-from certifi import where
+
+import os
+
+import certifi
+
+
+def where():
+    nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE")
+    if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file):
+        return nix_ssl_cert_file
+
+    nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt"
+    if os.path.exists(nixos_ca_bundle):
+        return nixos_ca_bundle
+
+    return certifi.where()
+
 
 if __name__ == '__main__':
     print(where())
-- 
2.31.1
python3Packages.requests: patch in CA bundles The requests library defaults to using the certificates from the certifi library when not otherwise specified. If I understand the discussion at #8247 correctly, we should instead patch it so that it follows the following priority order: 1. the path pointed to by the environment variable $NIX_SSL_CERT_FILE 2. /etc/ssl/certs/ca-certificates.crt 3. whatever it was doing before (in this case, using certifi) This commit implements that. 2021-05-17 04:43:11 +01:00			`From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001`
			`From: Keshav Kini <keshav.kini@gmail.com>`
			`Date: Sun, 16 May 2021 20:35:24 -0700`
			`Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi`

			`Normally, requests gets its default CA bundle from the certifi`
			`package. On NixOS and when using Nix on non-NixOS platforms, we would`
			`rather default to using our own certificate bundles controlled by the`
			`Nix/NixOS user.`

			`This commit overrides requests.certs.where(), which previously was`
			`just aliased to certifi.where(), so that now it does the following:`

			`- When run by Nix on non-NixOS, the environment variable`
			`$NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we`
			`use that.`

			`- When running on NixOS, the CA bundle we're using has the static path`
			`/etc/ssl/certs/ca-certificates.crt , so we use that.`

			`- Otherwise, we fall back to the original behavior of using certifi's`
			`CA bundle. Higher in the call stack, users of requests can also`
			`explicitly specify a CA bundle to use, which overrides all this`
			`logic.`
			`---`
			`requests/certs.py \| 18 +++++++++++++++++-`
			`1 file changed, 17 insertions(+), 1 deletion(-)`

			`diff --git a/requests/certs.py b/requests/certs.py`
			`index d1a378d7..faf462b7 100644`
			`--- a/requests/certs.py`
			`+++ b/requests/certs.py`
			`@@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed`
			`environment, you can change the definition of where() to return a separately`
			`packaged CA bundle.`
			`"""`
			`-from certifi import where`
			`+`
			`+import os`
			`+`
			`+import certifi`
			`+`
			`+`
			`+def where():`
			`+ nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE")`
			`+ if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file):`
			`+ return nix_ssl_cert_file`
			`+`
			`+ nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt"`
			`+ if os.path.exists(nixos_ca_bundle):`
			`+ return nixos_ca_bundle`
			`+`
			`+ return certifi.where()`
			`+`

			`if __name__ == '__main__':`
			`print(where())`
			`--`
			`2.31.1`