Add support for system truststore

Secrus · Jan 15, 2025 · a0d2e18 · a0d2e18
1 parent 1e1e272
commit a0d2e18
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 2 deletions.
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -25,6 +25,7 @@ dependencies = [
     "tomlkit (>=0.11.4,<1.0.0)",
     # trove-classifiers uses calver, so version is unclamped
     "trove-classifiers (>=2022.5.19)",
+    "truststore (>=0.10.0,<1.0.0) ; python_version >= '3.10'",
     "virtualenv (>=20.26.6,<21.0.0)",
     "xattr (>=1.0.0,<2.0.0) ; sys_platform == 'darwin'",
 ]
@@ -187,6 +188,7 @@ module = [
     'shellingham.*',
     'virtualenv.*',
     'xattr.*',
+    'truststore.*' # not available on Python < 3.10
 ]
 ignore_missing_imports = true
 

diff --git a/src/poetry/config/config.py b/src/poetry/config/config.py
@@ -136,6 +136,8 @@ class Config:
         "keyring": {
             "enabled": True,
         },
+        # TODO: Flip to default True on the next release after dropping Python 3.9
+        "system-truststore": False,
     }
 
     def __init__(self, use_environment: bool = True) -> None:
@@ -303,6 +305,7 @@ def _get_normalizer(name: str) -> Callable[[str], Any]:
             "solver.lazy-wheel",
             "system-git-client",
             "keyring.enabled",
+            "system-truststore",
         }:
             return boolean_normalizer
 

diff --git a/src/poetry/console/application.py b/src/poetry/console/application.py
@@ -226,6 +226,7 @@ def _run(self, io: IO) -> int:
         self._configure_custom_application_options(io)
 
         self._load_plugins(io)
+        self._load_system_truststore()
 
         with directory(self._working_directory):
             exit_code: int = super()._run(io)
@@ -441,6 +442,15 @@ def _load_plugins(self, io: IO) -> None:
 
         self._plugins_loaded = True
 
+    @staticmethod
+    def _load_system_truststore() -> None:
+        from poetry.utils.ssl_truststore import is_truststore_enabled
+
+        if is_truststore_enabled():
+            import truststore
+
+            truststore.inject_into_ssl()
+
 
 def main() -> int:
     exit_code: int = Application().run()

diff --git a/src/poetry/utils/ssl_truststore.py b/src/poetry/utils/ssl_truststore.py
@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+import logging
+import sys
+
+from poetry.config.config import Config
+
+
+logger = logging.getLogger(__name__)
+
+
+def _is_truststore_available() -> bool:
+    if sys.version_info < (3, 10):
+        logger.debug("Disabling truststore because Python version isn't 3.10+")
+        return False
+
+    try:
+        import ssl  # noqa: F401
+    except ImportError:
+        logger.warning("Disabling truststore since ssl support is missing")
+        return False
+
+    try:
+        import truststore  # noqa: F401
+    except ImportError:
+        logger.warning("Disabling truststore because `truststore` package is missing`")
+        return False
+    return True
+
+
+def is_truststore_enabled() -> bool:
+    return Config.create().get("system-truststore") and _is_truststore_available()
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -337,7 +337,8 @@ def git_mock(mocker: MockerFixture, request: FixtureRequest) -> None:
 
 
 @pytest.fixture
-def http() -> Iterator[type[httpretty.httpretty]]:
+def http(mocker: MockerFixture) -> Iterator[type[httpretty.httpretty]]:
+    mocker.patch("truststore.inject_into_ssl")
     httpretty.reset()
     with httpretty.enabled(allow_net_connect=False, verbose=True):
         yield httpretty

diff --git a/tests/console/commands/test_config.py b/tests/console/commands/test_config.py
@@ -64,6 +64,7 @@ def test_list_displays_default_value_if_not_set(
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
+system-truststore = false
 virtualenvs.create = true
 virtualenvs.in-project = null
 virtualenvs.options.always-copy = false
@@ -96,6 +97,7 @@ def test_list_displays_set_get_setting(
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
+system-truststore = false
 virtualenvs.create = false
 virtualenvs.in-project = null
 virtualenvs.options.always-copy = false
@@ -149,6 +151,7 @@ def test_unset_setting(
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
+system-truststore = false
 virtualenvs.create = true
 virtualenvs.in-project = null
 virtualenvs.options.always-copy = false
@@ -180,6 +183,7 @@ def test_unset_repo_setting(
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
+system-truststore = false
 virtualenvs.create = true
 virtualenvs.in-project = null
 virtualenvs.options.always-copy = false
@@ -309,6 +313,7 @@ def test_list_displays_set_get_local_setting(
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
+system-truststore = false
 virtualenvs.create = false
 virtualenvs.in-project = null
 virtualenvs.options.always-copy = false
@@ -349,6 +354,7 @@ def test_list_must_not_display_sources_from_pyproject_toml(
 requests.max-retries = 0
 solver.lazy-wheel = true
 system-git-client = false
+system-truststore = false
 virtualenvs.create = true
 virtualenvs.in-project = null
 virtualenvs.options.always-copy = false