fix: Modifying ssl_insecure connection parameter to be False by default.

bsharifi · bsharifi · commit 632c5bf24a95 · 2025-05-27T12:18:43.000-07:00
diff --git a/README.rst b/README.rst
@@ -387,7 +387,7 @@ Connection Parameters
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
 | ssl                               | bool | If SSL is enabled                                                                                                                                                                                                                                                                                                                                                                                         | TRUE                   | No       |
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
-| ssl_insecure                      | bool | Specifies if IDP hosts server certificate will be verified                                                                                                                                                                                                                                                                                                                                                | TRUE                   | No       |
+| ssl_insecure                      | bool | Specifies whether to disable the verification of the IdP host's server SSL certificate. ssl_insecure=True indicates that verification of the IdP host's server SSL certificate will be disabled. It is NOT recommended to disable the verification of an IdP host's server SSL certificate in a production environment.                                                                                   | False                  | No       |
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
 | sslmode                           | str  | The security of the connection to Amazon Redshift. verify-ca and verify-full are supported.                                                                                                                                                                                                                                                                                                               | verify_ca              | No       |
 +-----------------------------------+------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------+----------+
diff --git a/redshift_connector/__init__.py b/redshift_connector/__init__.py
@@ -243,7 +243,7 @@ def connect(
     database_metadata_current_db_only : Optional[bool]
         Is `datashare <https://docs.aws.amazon.com/redshift/latest/dg/datashare-overview.html>`_ disabled. Default value is True, implying datasharing will not be used.
     ssl_insecure : Optional[bool]
-        Specifies if IdP host's server certificate will be verified. Default value is True
+        Specifies whether to disable the verification of the IdP host's server SSL certificate. Default value is False. ssl_insecure=True indicates that verification of the IdP host's server SSL certificate will be disabled. It is NOT recommended to disable the verification of an IdP host's server SSL certificate in a production environment.
     web_identity_token: Optional[str]
         A web identity token used for authentication with JWT.
     role_session_name: Optional[str]
@@ -366,7 +366,7 @@ def connect(
         if info.credentials_provider in IDC_OR_NATIVE_IDP_PLUGINS_LIST:
             raise InterfaceError("Authentication must use an SSL connection.")
 
-    if (info.iam is False) and (info.ssl_insecure is False):
+    if (info.iam is False) and (info.ssl_insecure is True):
         raise InterfaceError("Invalid connection property setting. IAM must be enabled when using ssl_insecure")
 
     if info.client_protocol_version not in ClientProtocolVersion.list():
diff --git a/redshift_connector/plugin/jwt_credentials_provider.py b/redshift_connector/plugin/jwt_credentials_provider.py
@@ -93,7 +93,7 @@ def refresh(self: "JwtCredentialsProvider") -> None:
             self.last_refreshed_credentials = credentials
 
     def do_verify_ssl_cert(self: "JwtCredentialsProvider") -> bool:
-        return self.ssl_insecure
+        return not self.ssl_insecure
 
     def get_idp_token(self: "JwtCredentialsProvider") -> str:
         jwt: str = self.get_jwt_assertion()
diff --git a/redshift_connector/redshift_property.py b/redshift_connector/redshift_property.py
@@ -106,8 +106,8 @@ def __init__(self: "RedshiftProperty", **kwargs):
             self.source_address: typing.Optional[str] = None
             # if SSL authentication will be used
             self.ssl: bool = True
-            # This property indicates whether the IDP hosts server certificate should be verified.
-            self.ssl_insecure: bool = True
+            # This property indicates whether to disable the verification of the IdP host's server SSL certificate.
+            self.ssl_insecure: bool = False
             # ssl mode: verify-ca or verify-full.
             self.sslmode: str = "verify-ca"
             # Use this property to enable or disable TCP keepalives.
diff --git a/test/unit/plugin/test_azure_oauth2_credentials_provider.py b/test/unit/plugin/test_azure_oauth2_credentials_provider.py
@@ -21,6 +21,11 @@ def make_valid_azure_oauth2_provider() -> typing.Tuple[BrowserAzureOAuth2Credent
     cp.add_parameter(rp)
     return cp, rp
 
+def test_default_parameters_azure_oauth2_specific() -> None:
+    acp, _ = make_valid_azure_oauth2_provider()
+    assert acp.ssl_insecure == False
+    assert acp.do_verify_ssl_cert() == True
+
 
 def test_add_parameter_sets_azure_oauth2_specific() -> None:
     acp, rp = make_valid_azure_oauth2_provider()
diff --git a/test/unit/plugin/test_jwt_credentials_provider.py b/test/unit/plugin/test_jwt_credentials_provider.py
@@ -1,3 +1,23 @@
+import typing
+from unittest.mock import patch
+
+import pytest  # type: ignore
+
+from redshift_connector import RedshiftProperty
+from redshift_connector.plugin import JwtCredentialsProvider
+
+@patch.multiple(JwtCredentialsProvider, __abstractmethods__=set())
+def make_valid_jwt_credentials_provider() -> typing.Tuple[JwtCredentialsProvider, RedshiftProperty]:
+    rp: RedshiftProperty = RedshiftProperty()
+    jcp: JwtCredentialsProvider = JwtCredentialsProvider()  # type: ignore
+    jcp.add_parameter(rp)
+    return jcp, rp
+
+def test_default_parameters_jwt_credentials_provider() -> None:
+    jcp, _ = make_valid_jwt_credentials_provider()
+    assert jcp.ssl_insecure == False
+    assert jcp.do_verify_ssl_cert() == True
+
 # import base64
 # import json
 # import typing
diff --git a/test/unit/plugin/test_saml_credentials_provider.py b/test/unit/plugin/test_saml_credentials_provider.py
@@ -20,6 +20,12 @@ def make_valid_saml_credentials_provider() -> typing.Tuple[SamlCredentialsProvid
     return scp, rp
 
 
+def test_default_parameters_saml_credentials_provider() -> None:
+    acp, _ = make_valid_saml_credentials_provider()
+    assert acp.ssl_insecure == False
+    assert acp.do_verify_ssl_cert() == True
+
+
 def test_get_cache_key_format_as_expected() -> None:
     scp, _ = make_valid_saml_credentials_provider()
     expected_cache_key: str = "{username}{password}{idp_host}{idp_port}{duration}{preferred_role}".format(
