CM-38532 - Fix certificate issues on macOS; fix homebrew build (#241)

MarshalX · web-flow · commit e260141f34e2 · 2024-07-23T17:03:10.000+02:00
diff --git a/cycode/cli/main.py b/cycode/cli/main.py
@@ -1,9 +1,5 @@
 from multiprocessing import freeze_support
 
-# DO NOT REMOVE OR MOVE THIS LINE
-# this is required to use certificates system store with requests packaged with PyInstaller
-import pip_system_certs.wrapt_requests  # noqa: F401
-
 from cycode.cli.commands.main_cli import main_cli
 
 if __name__ == '__main__':
diff --git a/cycode/cyclient/cycode_client_base.py b/cycode/cyclient/cycode_client_base.py
@@ -1,12 +1,42 @@
-from typing import ClassVar, Dict, Optional
+import os
+import platform
+import ssl
+from typing import Callable, ClassVar, Dict, Optional
 
-from requests import Response, exceptions, request
+import requests
+from requests import Response, exceptions
+from requests.adapters import HTTPAdapter
 
 from cycode.cli.exceptions.custom_exceptions import HttpUnauthorizedError, NetworkError
 from cycode.cyclient import config, logger
 from cycode.cyclient.headers import get_cli_user_agent, get_correlation_id
 
 
+class SystemStorageSslContext(HTTPAdapter):
+    def init_poolmanager(self, *args, **kwargs) -> None:
+        default_context = ssl.create_default_context()
+        default_context.load_default_certs()
+        kwargs['ssl_context'] = default_context
+        return super().init_poolmanager(*args, **kwargs)
+
+    def cert_verify(self, *args, **kwargs) -> None:
+        super().cert_verify(*args, **kwargs)
+        conn = kwargs['conn'] if 'conn' in kwargs else args[0]
+        conn.ca_certs = None
+
+
+def _get_request_function() -> Callable:
+    if platform.system() == 'Darwin':
+        return requests.request
+
+    if os.environ.get('REQUESTS_CA_BUNDLE') or os.environ.get('CURL_CA_BUNDLE'):
+        return requests.request
+
+    session = requests.Session()
+    session.mount('https://', SystemStorageSslContext())
+    return session.request
+
+
 class CycodeClientBase:
     MANDATORY_HEADERS: ClassVar[Dict[str, str]] = {
         'User-Agent': get_cli_user_agent(),
@@ -56,6 +86,7 @@ def _execute(
 
         try:
             headers = self.get_request_headers(headers, without_auth=without_auth)
+            request = _get_request_function()
             response = request(method=method, url=url, timeout=timeout, headers=headers, **kwargs)
 
             content = 'HIDDEN' if hide_response_content_log else response.text
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -41,7 +41,6 @@ requests = ">=2.24,<3.0"
 urllib3 = "1.26.19"  # lock v1 to avoid issues with openssl and old Python versions (<3.9.11) on macOS
 sentry-sdk = ">=2.8.0,<3.0"
 pyjwt = ">=2.8.0,<3.0"
-pip-system-certs = ">=4.0,<5.0"
 
 [tool.poetry.group.test.dependencies]
 mock = ">=4.0.3,<4.1.0"
