From 0af86add7bae03489cff4a14a60d885c1b8aa4ec Mon Sep 17 00:00:00 2001
From: Julia Lahovnik <126178122+jlahovnik@users.noreply.github.com>
Date: Fri, 9 Aug 2024 09:40:43 +0200
Subject: [PATCH] fix(plugins): add ssl_verify where necessary and remove where unnecessary (#1289)
---
 eodag/plugins/authentication/keycloak.py | 4 ++++
 eodag/plugins/authentication/openid_connect.py | 14 +++++++++++++-
 eodag/plugins/authentication/token.py | 3 +++
 eodag/plugins/authentication/token_exchange.py | 2 ++
 eodag/resources/providers.yml | 16 ----------------
 tests/units/test_auth_plugins.py | 9 +++++++++
 6 files changed, 31 insertions(+), 17 deletions(-)
diff --git a/eodag/plugins/authentication/keycloak.py b/eodag/plugins/authentication/keycloak.py
index 6a1a8b957..e0a7ebda8 100644
--- a/eodag/plugins/authentication/keycloak.py
+++ b/eodag/plugins/authentication/keycloak.py
@@ -117,6 +117,7 @@ def _request_new_token(self) -> Dict[str, Any]:
 "grant_type": self.GRANT_TYPE,
 }
 credentials = {k: v for k, v in self.config.credentials.items()}
+ ssl_verify = getattr(self.config, "ssl_verify", True)
 try:
 response = self.session.post(
 self.TOKEN_URL_TEMPLATE.format(
@@ -126,6 +127,7 @@ def _request_new_token(self) -> Dict[str, Any]:
 data=dict(req_data, **credentials),
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 )
 response.raise_for_status()
 except requests.exceptions.Timeout as exc:
@@ -142,6 +144,7 @@ def _get_token_with_refresh_token(self) -> Dict[str, str]:
 "grant_type": "refresh_token",
 "refresh_token": self.token_info["refresh_token"],
 }
+ ssl_verify = getattr(self.config, "ssl_verify", True)
 try:
 response = self.session.post(
 self.TOKEN_URL_TEMPLATE.format(
@@ -151,6 +154,7 @@ def _get_token_with_refresh_token(self) -> Dict[str, str]:
 data=req_data,
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 )
 response.raise_for_status()
 except requests.RequestException as e:
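Review bot: In `_request_new_token`, a config with `ssl_verify: false` now sends `self.config.credentials` to the token endpoint with certificate validation switched off, and nothing on the new lines records that this happened. A warning right after the lookup would make the downgrade visible in logs, for example `if not ssl_verify: logger.warning("ssl_verify is disabled: token request sent without TLS certificate verification")` (assuming this module has a `logger`, as token.py does). The same applies to `_get_token_with_refresh_token` in the later keycloak.py hunks, which posts the refresh token, and to the equivalent hunks in openid_connect.py, token.py and token_exchange.py. Both function bodies start and end outside their hunks.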
diff --git a/eodag/plugins/authentication/openid_connect.py b/eodag/plugins/authentication/openid_connect.py
index 3c816c9f7..19493852f 100644
--- a/eodag/plugins/authentication/openid_connect.py
+++ b/eodag/plugins/authentication/openid_connect.py
@@ -336,10 +336,12 @@ def _get_token_with_refresh_token(self) -> Dict[str, str]:
 post_request_kwargs: Any = {
 self.config.token_exchange_post_data_method: token_data
 }
+ ssl_verify = getattr(self.config, "ssl_verify", True)
 try:
 token_response = self.session.post(
 self.config.token_uri,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 **post_request_kwargs,
 )
 token_response.raise_for_status()
@@ -363,11 +365,13 @@ def authenticate_user(self, state: str) -> Response:
 "state": state,
 "redirect_uri": self.config.redirect_uri,
 }
+ ssl_verify = getattr(self.config, "ssl_verify", True)
 authorization_response = self.session.get(
 self.config.authorization_uri,
 params=params,
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 )
 login_document = etree.HTML(authorization_response.text)
@@ -401,7 +405,11 @@ def authenticate_user(self, state: str) -> Response:
 if not auth_uri:
 raise MisconfiguredError("authentication_uri is missing")
 return self.session.post(
- auth_uri, data=login_data, headers=USER_AGENT, timeout=HTTP_REQ_TIMEOUT
+ auth_uri,
+ data=login_data,
+ headers=USER_AGENT,
+ timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 )
 def grant_user_consent(self, authentication_response: Response) -> Response:
@@ -415,11 +423,13 @@ def grant_user_consent(self, authentication_response: Response) -> Response:
 key: self._constant_or_xpath_extracted(value, user_consent_form)
 for key, value in self.config.user_consent_form_data.items()
 }
+ ssl_verify = getattr(self.config, "ssl_verify", True)
 return self.session.post(
 self.config.authorization_uri,
 data=user_consent_data,
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 )
 def _prepare_token_post_data(self, token_data: Dict[str, Any]) -> Dict[str, Any]:
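Review bot: In `authenticate_user`, one `ssl_verify` value now governs both the GET that fetches the login page and the POST that submits `login_data` to `auth_uri`, and the code carries no comment saying so. With verification off, the credentials are posted after parsing a page whose origin was never authenticated; how `auth_uri` is obtained lies between the two hunks and is not visible here, so this matters most if it is read from `login_document`. I would add a comment above the lookup, `# ssl_verify=False disables certificate checks for the login page fetch and for the credential POST below; keep it for trusted test endpoints only`, and repeat the caveat wherever the `ssl_verify` option is documented.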
@@ -467,10 +477,12 @@ def exchange_code_for_token(self, authorized_url: str, state: str) -> Response:
 post_request_kwargs: Any = {
 self.config.token_exchange_post_data_method: token_exchange_data
 }
+ ssl_verify = getattr(self.config, "ssl_verify", True)
 r = self.session.post(
 self.config.token_uri,
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 **post_request_kwargs,
 )
 return r
diff --git a/eodag/plugins/authentication/token.py b/eodag/plugins/authentication/token.py
index d171eab1d..160060096 100644
--- a/eodag/plugins/authentication/token.py
+++ b/eodag/plugins/authentication/token.py
@@ -126,6 +126,7 @@ def _token_request(
 req_kwargs: Dict[str, Any] = {
 "headers": dict(self.config.headers, **USER_AGENT)
 }
+ ssl_verify = getattr(self.config, "ssl_verify", True)
 if self.refresh_token:
 logger.debug("fetching access token with refresh token")
@@ -135,6 +136,7 @@ def _token_request(
 self.config.refresh_uri,
 data={"refresh_token": self.refresh_token},
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 **req_kwargs,
 )
 response.raise_for_status()
@@ -170,6 +172,7 @@ def _token_request(
 method=method,
 url=self.config.auth_uri,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 **req_kwargs,
 )
diff --git a/eodag/plugins/authentication/token_exchange.py b/eodag/plugins/authentication/token_exchange.py
index a91b623fe..36789e4ae 100644
--- a/eodag/plugins/authentication/token_exchange.py
+++ b/eodag/plugins/authentication/token_exchange.py
@@ -100,12 +100,14 @@ def authenticate(self) -> CodeAuthorizedAuth:
 "audience": self.config.audience,
 }
 logger.debug("Getting target auth token")
+ ssl_verify = getattr(self.config, "ssl_verify", True)
 try:
 auth_response = self.subject.session.post(
 self.config.token_uri,
 data=auth_data,
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=ssl_verify,
 )
 auth_response.raise_for_status()
 except requests.exceptions.Timeout as exc:
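Review bot: The lookup `getattr(self.config, "ssl_verify", True)` added in `_token_request` is the same line this commit adds in seven other places across keycloak.py, openid_connect.py and token_exchange.py, so the secure default is spelled out eight times. A single accessor on the plugins' shared base class (not visible in this diff) would keep the default in one place, for example `def _ssl_verify(self): return getattr(self.config, "ssl_verify", True)`. Its docstring would also be the place to state whether `ssl_verify` may be a CA bundle path, which requests accepts for `verify` and which lets users with a private CA avoid disabling verification. `_token_request` starts and ends outside these hunks.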
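Review bot: In `authenticate`, the request goes out on `self.subject.session` but takes `verify` from this plugin's own config, so one session can carry calls with different verification settings. Some requests releases keep reusing a pooled connection that was opened with `verify=False` for later calls to the same host, even when those calls ask for verification; whether the requests version this project pins is affected is not visible here. I would add a comment at the lookup, `# verify comes from the token-exchange config, not from the subject plugin whose session is used`, and check the minimum requests version against that pooling behaviour. The function body continues outside the hunk.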
diff --git a/eodag/resources/providers.yml b/eodag/resources/providers.yml
index d1e62d742..f52695042 100644
--- a/eodag/resources/providers.yml
+++ b/eodag/resources/providers.yml
@@ -26,7 +26,6 @@
 api: !plugin
 type: UsgsApi
 need_auth: true
- google_base_url: 'http://storage.googleapis.com/earthengine-public/landsat/'
 pagination:
 max_items_per_page: 5000
 total_items_nb_key_path: '$.totalHits'
@@ -539,7 +538,6 @@
 - productPath
 auth: !plugin
 type: AwsAuth
- ssl_verify: true
 ---
 !provider # MARK: theia
@@ -875,8 +873,6 @@
 issuerId: peps
 auth: !plugin
 type: GenericAuth
- auth_uri: 'https://peps.cnes.fr/resto/api/users/connect'
- ssl_verify: true
 ---
 !provider # MARK: creodias
 name: creodias
@@ -1562,7 +1558,6 @@
 Content-Type: application/json
 auth: !plugin
 type: GenericAuth
- ssl_verify: true
 ---
 !provider # MARK: astraea_eod
@@ -1691,7 +1686,6 @@
 - tilePath
 auth: !plugin
 type: AwsAuth
- ssl_verify: true
 ---
 !provider # MARK: usgs_satapi_aws
@@ -1752,7 +1746,6 @@
 ssl_verify: true
 auth: !plugin
 type: AwsAuth
- ssl_verify: true
 ---
 !provider # MARK: earth_search
@@ -1855,7 +1848,6 @@
 - tilePath
 auth: !plugin
 type: AwsAuth
- ssl_verify: true
 ---
 !provider # MARK: earth_search_cog
@@ -1978,7 +1970,6 @@
 default_bucket: 'gcp-public-data-sentinel-2'
 auth: !plugin
 type: AwsAuth
- ssl_verify: true
 ---
 !provider # MARK: ecmwf
 name: ecmwf
@@ -1990,8 +1981,6 @@
 api: !plugin
 type: EcmwfApi
 api_endpoint: https://api.ecmwf.int/v1
- extract: false
- ssl_verify: true
 metadata_mapping:
 productType: '$.productType'
 title: '$.id'
@@ -2215,7 +2204,6 @@
 auth: !plugin
 type: GenericAuth
 method: basic
- ssl_verify: true
 download: !plugin
 type: HTTPDownload
 timeout: 30
@@ -2745,7 +2733,6 @@
 auth: !plugin
 type: GenericAuth
 method: basic
- ssl_verify: true
 download: !plugin
 type: HTTPDownload
 timeout: 30
@@ -3758,7 +3745,6 @@
 auth: !plugin
 type: GenericAuth
 method: basic
- ssl_verify: true
 ---
 !provider # MARK: meteoblue
 name: meteoblue
@@ -4332,7 +4318,6 @@
 ssl_verify: true
 auth: !plugin
 type: HTTPHeaderAuth
- ssl_verify: true
 headers:
 X-API-Key: "{apikey}"
@@ -6513,7 +6498,6 @@
 auth: !plugin
 type: AwsAuth
 auth_error_code: 403
- ssl_verify: true
 products:
 # S1
 S1_SAR_RAW:
diff --git a/tests/units/test_auth_plugins.py b/tests/units/test_auth_plugins.py
index 8f1f90aef..a14c78c4e 100644
--- a/tests/units/test_auth_plugins.py
+++ b/tests/units/test_auth_plugins.py
@@ -1419,6 +1419,7 @@ def test_plugins_auth_codeflowauth_get_token_with_refresh_token_ok(
 mock.ANY,
 auth_plugin.config.token_uri,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=True,
 **post_request_kwargs,
 )
 mock_request_new_token.assert_not_called()
@@ -1475,6 +1476,7 @@ def test_plugins_auth_codeflowauth_grant_user_consent(
 data={"const_key": "const_value", "xpath_key": "additional value"},
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=True,
 )
 @mock.patch(
@@ -1526,6 +1528,7 @@ def test_plugins_auth_codeflowauth_authenticate_user_no_action(
 },
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=True,
 )
 @mock.patch(
@@ -1576,6 +1579,7 @@ def test_plugins_auth_codeflowauth_authenticate_user_no_authentication_uri(
 },
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=True,
 )
 @mock.patch(
@@ -1627,6 +1631,7 @@ def test_plugins_auth_codeflowauth_authenticate_user_ok(
 },
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=True,
 )
 # Second request: post to the authentication URI
 mock_requests_post.assert_called_once_with(
@@ -1639,6 +1644,7 @@ def test_plugins_auth_codeflowauth_authenticate_user_ok(
 },
 headers=USER_AGENT,
 timeout=HTTP_REQ_TIMEOUT,
+ verify=True,
 )
 # authenticate_user returns the authentication response
 self.assertEqual(mock_requests_post.return_value, auth_response)
@@ -1699,6 +1705,7 @@ def test_plugins_auth_codeflowauth_exchange_code_for_token_ok(
 "state": state,
 "grant_type": "authorization_code",
 },
+ verify=True,
 )
 @mock.patch(
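Review bot: The expectation updated in `test_plugins_auth_codeflowauth_get_token_with_refresh_token_ok` only pins the default, `verify=True`, and the same holds for every other hunk in this test file. No test in this diff sets `ssl_verify` to False in a plugin config and asserts that `verify=False` reaches the mocked request, and the keycloak.py, token.py and token_exchange.py changes get no new assertion here at all. One case per plugin that configures `ssl_verify: False` and checks the call arguments would catch a later refactor that drops or hard-codes the argument. The test bodies start and end outside the hunks.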
@@ -1745,6 +1752,7 @@ def test_plugins_auth_codeflowauth_exchange_code_for_token_client_secret_ok(
 "state": state,
 "grant_type": "authorization_code",
 },
+ verify=True,
 )
 @mock.patch(
@@ -1790,4 +1798,5 @@ def test_plugins_auth_codeflowauth_exchange_code_for_token_exchange_params_ok(
 "state": state,
 "grant_type": "authorization_code",
 },
+ verify=True,
 )