feat: added possibility to specify certificate file path to verify the peer

bednar · bednar · commit 18c7ae89efc0 · 2020-09-24T11:07:09.000+02:00
diff --git a/README.rst b/README.rst
@@ -170,6 +170,7 @@ The following options are supported:
 - ``token`` - the token to use for the authorization
 - ``timeout`` - socket timeout in ms (default value is 10000)
 - ``verify_ssl`` - set this to false to skip verifying SSL certificate when calling API from https server
+- ``ssl_ca_cert`` - set this to customize the certificate file to verify the peer
 
 .. code-block:: python
 
@@ -195,6 +196,7 @@ Supported properties are:
 - ``INFLUXDB_V2_TOKEN`` - the token to use for the authorization
 - ``INFLUXDB_V2_TIMEOUT`` - socket timeout in ms (default value is 10000)
 - ``INFLUXDB_V2_VERIFY_SSL`` - set this to false to skip verifying SSL certificate when calling API from https server
+- ``INFLUXDB_V2_SSL_CA_CERT`` - set this to customize the certificate file to verify the peer
 
 .. code-block:: python
 
diff --git a/influxdb_client/client/influxdb_client.py b/influxdb_client/client/influxdb_client.py
@@ -33,6 +33,7 @@ def __init__(self, url, token, debug=None, timeout=10000, enable_gzip=False, org
                             supports the Gzip compression.
         :param org: organization name (used as a default in query and write API)
         :key bool verify_ssl: Set this to false to skip verifying SSL certificate when calling API from https server.
+        :key str ssl_ca_cert: Set this to customize the certificate file to verify the peer.
         :key urllib3.util.retry.Retry retries: Set the default retry strategy that is used for all HTTP requests
                                                except batching writes. As a default there is no one retry strategy.
 
@@ -52,6 +53,7 @@ def __init__(self, url, token, debug=None, timeout=10000, enable_gzip=False, org
         conf.enable_gzip = enable_gzip
         conf.debug = debug
         conf.verify_ssl = kwargs.get('verify_ssl', True)
+        conf.ssl_ca_cert = kwargs.get('ssl_ca_cert', None)
 
         auth_token = self.token
         auth_header_name = "Authorization"
@@ -73,6 +75,7 @@ def from_config_file(cls, config_file: str = "config.ini", debug=None, enable_gz
             - token
             - timeout,
             - verify_ssl
+            - ssl_ca_cert
         """
         config = configparser.ConfigParser()
         config.read(config_file)
@@ -94,17 +97,21 @@ def from_config_file(cls, config_file: str = "config.ini", debug=None, enable_gz
         if config.has_option('influx2', 'verify_ssl'):
             verify_ssl = config['influx2']['verify_ssl']
 
+        ssl_ca_cert = None
+        if config.has_option('influx2', 'ssl_ca_cert'):
+            ssl_ca_cert = config['influx2']['ssl_ca_cert']
+
         default_tags = None
 
         if config.has_section('tags'):
             default_tags = dict(config.items('tags'))
 
         if timeout:
             return cls(url, token, debug=debug, timeout=int(timeout), org=org, default_tags=default_tags,
-                       enable_gzip=enable_gzip, verify_ssl=_to_bool(verify_ssl))
+                       enable_gzip=enable_gzip, verify_ssl=_to_bool(verify_ssl), ssl_ca_cert=ssl_ca_cert)
 
         return cls(url, token, debug=debug, org=org, default_tags=default_tags, enable_gzip=enable_gzip,
-                   verify_ssl=_to_bool(verify_ssl))
+                   verify_ssl=_to_bool(verify_ssl), ssl_ca_cert=ssl_ca_cert)
 
     @classmethod
     def from_env_properties(cls, debug=None, enable_gzip=False):
@@ -117,12 +124,14 @@ def from_env_properties(cls, debug=None, enable_gzip=False):
             - INFLUXDB_V2_TOKEN
             - INFLUXDB_V2_TIMEOUT
             - INFLUXDB_V2_VERIFY_SSL
+            - INFLUXDB_V2_SSL_CA_CERT
         """
         url = os.getenv('INFLUXDB_V2_URL', "http://localhost:8086")
         token = os.getenv('INFLUXDB_V2_TOKEN', "my-token")
         timeout = os.getenv('INFLUXDB_V2_TIMEOUT', "10000")
         org = os.getenv('INFLUXDB_V2_ORG', "my-org")
         verify_ssl = os.getenv('INFLUXDB_V2_VERIFY_SSL', "True")
+        ssl_ca_cert = os.getenv('INFLUXDB_V2_SSL_CA_CERT', None)
 
         default_tags = dict()
 
@@ -131,7 +140,7 @@ def from_env_properties(cls, debug=None, enable_gzip=False):
                 default_tags[key[16:].lower()] = value
 
         return cls(url, token, debug=debug, timeout=int(timeout), org=org, default_tags=default_tags,
-                   enable_gzip=enable_gzip, verify_ssl=_to_bool(verify_ssl))
+                   enable_gzip=enable_gzip, verify_ssl=_to_bool(verify_ssl), ssl_ca_cert=ssl_ca_cert)
 
     def write_api(self, write_options=WriteOptions(), point_settings=PointSettings()) -> WriteApi:
         """
diff --git a/tests/config-ssl-ca-cert.ini b/tests/config-ssl-ca-cert.ini
@@ -0,0 +1,11 @@
+[influx2]
+url=http://localhost:8086
+org=my-org
+token=my-token
+timeout=6000
+ssl_ca_cert=/path/to/my/cert
+
+[tags]
+id = 132-987-655
+customer = California Miner
+data_center = ${env.data_center}
diff --git a/tests/test_InfluxDBClient.py b/tests/test_InfluxDBClient.py
@@ -60,16 +60,40 @@ def test_init_from_file_ssl(self):
         self.assertFalse(self.client.api_client.configuration.verify_ssl)
 
     def test_init_from_env_ssl_default(self):
-        del os.environ["INFLUXDB_V2_VERIFY_SSL"]
+        if os.getenv("INFLUXDB_V2_VERIFY_SSL"):
+            del os.environ["INFLUXDB_V2_VERIFY_SSL"]
         self.client = InfluxDBClient.from_env_properties()
 
         self.assertTrue(self.client.api_client.configuration.verify_ssl)
 
     def test_init_from_env_ssl(self):
-        os.environ["INFLUXDB_V2_VERIFY_SSL"] = "False"
+        os.environ["INFLUXDB_V2_SSL_CA_CERT"] = "/my/custom/path"
         self.client = InfluxDBClient.from_env_properties()
 
-        self.assertFalse(self.client.api_client.configuration.verify_ssl)
+        self.assertEqual("/my/custom/path", self.client.api_client.configuration.ssl_ca_cert)
+
+    def test_init_from_file_ssl_ca_cert_default(self):
+        self.client = InfluxDBClient.from_config_file(f'{os.path.dirname(__file__)}/config.ini')
+
+        self.assertIsNone(self.client.api_client.configuration.ssl_ca_cert)
+
+    def test_init_from_file_ssl_ca_cert(self):
+        self.client = InfluxDBClient.from_config_file(f'{os.path.dirname(__file__)}/config-ssl-ca-cert.ini')
+
+        self.assertEqual("/path/to/my/cert", self.client.api_client.configuration.ssl_ca_cert)
+
+    def test_init_from_env_ssl_ca_cert_default(self):
+        if os.getenv("INFLUXDB_V2_SSL_CA_CERT"):
+            del os.environ["INFLUXDB_V2_SSL_CA_CERT"]
+        self.client = InfluxDBClient.from_env_properties()
+
+        self.assertIsNone(self.client.api_client.configuration.ssl_ca_cert)
+
+    def test_init_from_env_ssl_ca_cert(self):
+        os.environ["INFLUXDB_V2_SSL_CA_CERT"] = "/my/custom/path/to/cert"
+        self.client = InfluxDBClient.from_env_properties()
+
+        self.assertEqual("/my/custom/path/to/cert", self.client.api_client.configuration.ssl_ca_cert)
 
 
 class ServerWithSelfSingedSSL(http.server.SimpleHTTPRequestHandler):
