feat(connection): add ssl_insecure parameter default to True

Author: Brooke-white

README.rst

@@ -144,6 +144,8 @@ Connection Parameters
 +-------------------------+--------------------------------------------------------------------------------------------+---------------+----------+
 | cluster_identifier      | String. The cluster identifier of the Amazon Redshift Cluster                              | None          | No       |
 +-------------------------+--------------------------------------------------------------------------------------------+---------------+----------+
+| ssl_insecure            | Bool. Specifies if IDP hosts server certificate will be verified                           | True          | No       |
++-------------------------+--------------------------------------------------------------------------------------------+---------------+----------+
 | db_user                 | String. The user ID to use with Amazon Redshift                                            | None          | No       |
 +-------------------------+--------------------------------------------------------------------------------------------+---------------+----------+
 | db_groups               | String. A comma-separated list of existing database group names that the DbUser joins for  | None          | No       |

redshift_connector/__init__.py

@@ -111,6 +111,7 @@ def connect(
     allow_db_user_override: bool = False,
     client_protocol_version: int = DEFAULT_PROTOCOL_VERSION,
     database_metadata_current_db_only: bool = True,
+    ssl_insecure: typing.Optional[bool] = None,
 ) -> Connection:
 
     info: RedshiftProperty = RedshiftProperty()
@@ -153,6 +154,7 @@ def connect(
         allow_db_user_override=allow_db_user_override,
         client_protocol_version=client_protocol_version,
         database_metadata_current_db_only=database_metadata_current_db_only,
+        ssl_insecure=ssl_insecure,
     )
 
     return Connection(

redshift_connector/iam_helper.py

@@ -65,6 +65,7 @@ def set_iam_properties(
     allow_db_user_override: bool,
     client_protocol_version: int,
     database_metadata_current_db_only: bool,
+    ssl_insecure: typing.Optional[bool],
 ) -> None:
     if info is None:
         raise InterfaceError("Invalid connection property setting. info must be specified")
@@ -90,6 +91,8 @@ def set_iam_properties(
         raise InterfaceError(
             "Invalid connection property setting. IAM must be enabled when using credentials " "via identity provider"
         )
+    elif (info.iam is False) and (ssl_insecure is not None):
+        raise InterfaceError("Invalid connection property setting. IAM must be enabled when using ssl_insecure")
     elif (info.iam is True) and (credentials_provider is None):
         raise InterfaceError(
             "Invalid connection property setting. " "Credentials provider cannot be None when IAM is enabled"
@@ -148,6 +151,9 @@ def set_iam_properties(
     info.force_lowercase = force_lowercase
     info.allow_db_user_override = allow_db_user_override
 
+    if ssl_insecure is not None:
+        info.sslInsecure = ssl_insecure
+
     # Azure specified parameters
     info.client_id = client_id
     info.idp_tenant = idp_tenant

redshift_connector/plugin/adfs_credentials_provider.py

@@ -30,7 +30,7 @@ def form_based_authentication(self: "AdfsCredentialsProvider") -> str:
             host=self.idp_host, port=str(self.idpPort)
         )
         try:
-            response: "requests.Response" = requests.get(url)
+            response: "requests.Response" = requests.get(url, verify=self.do_verify_ssl_cert())
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             _logger.error("Request for SAML assertion when refreshing credentials was unsuccessful. {}".format(str(e)))
@@ -73,7 +73,7 @@ def form_based_authentication(self: "AdfsCredentialsProvider") -> str:
             url = "https://{host}:{port}{action}".format(host=self.idp_host, port=str(self.idpPort), action=action)
 
         try:
-            response = requests.post(url, data=payload)
+            response = requests.post(url, data=payload, verify=self.do_verify_ssl_cert())
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             _logger.error("Request to refresh credentials was unsuccessful. {}".format(str(e)))

redshift_connector/plugin/azure_credentials_provider.py

@@ -69,7 +69,9 @@ def azure_oauth_based_authentication(self: "AzureCredentialsProvider") -> str:
         }
 
         try:
-            response: "requests.Response" = requests.post(url, data=payload, headers=headers)
+            response: "requests.Response" = requests.post(
+                url, data=payload, headers=headers, verify=self.do_verify_ssl_cert()
+            )
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             _logger.error("Request for authentication from Azure was unsuccessful. {}".format(str(e)))

redshift_connector/plugin/browser_azure_credentials_provider.py

@@ -114,7 +114,7 @@ def fetch_saml_response(self: "BrowserAzureCredentialsProvider", token):
             "redirect_uri": self.redirectUri,
         }
         try:
-            response = requests.post(url, data=payload, headers=headers)
+            response = requests.post(url, data=payload, headers=headers, verify=self.do_verify_ssl_cert())
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             _logger.error("Request for authentication from Microsoft was unsuccessful. {}".format(str(e)))

redshift_connector/plugin/okta_credentials_provider.py

@@ -39,7 +39,9 @@ def okta_authentication(self: "OktaCredentialsProvider") -> str:
         headers: typing.Dict[str, str] = okta_headers
         payload: typing.Dict[str, typing.Optional[str]] = {"username": self.user_name, "password": self.password}
         try:
-            response: "requests.Response" = requests.post(url, data=json.dumps(payload), headers=headers)
+            response: "requests.Response" = requests.post(
+                url, data=json.dumps(payload), headers=headers, verify=self.do_verify_ssl_cert()
+            )
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             _logger.error("Request for authentication from Okta was unsuccessful. {}".format(str(e)))
@@ -76,7 +78,7 @@ def handle_saml_assertion(self: "OktaCredentialsProvider", okta_session_token: s
             host=self.idp_host, app_name=self.app_name, app_id=self.app_id, session_token=okta_session_token
         )
         try:
-            response: "requests.Response" = requests.get(url)
+            response: "requests.Response" = requests.get(url, verify=self.do_verify_ssl_cert())
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             _logger.error("Request for SAML assertion from Okta was unsuccessful. {}".format(str(e)))

redshift_connector/plugin/ping_credentials_provider.py

@@ -32,7 +32,7 @@ def get_saml_assertion(self: "PingCredentialsProvider") -> str:
             host=self.idp_host, port=str(self.idpPort), sp_id=self.partner_sp_id
         )
         try:
-            response: "requests.Response" = requests.get(url)
+            response: "requests.Response" = requests.get(url, verify=self.do_verify_ssl_cert())
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             _logger.error("Request for SAML assertion when refreshing credentials was unsuccessful. {}".format(str(e)))
@@ -90,7 +90,7 @@ def get_saml_assertion(self: "PingCredentialsProvider") -> str:
         if action and action.startswith("/"):
             url = "https://{host}:{port}{action}".format(host=self.idp_host, port=str(self.idpPort), action=action)
         try:
-            response = requests.post(url, data=payload)
+            response = requests.post(url, data=payload, verify=self.do_verify_ssl_cert())
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             _logger.error("Request to refresh credentials was unsuccessful. {}".format(str(e)))

redshift_connector/plugin/saml_credentials_provider.py

@@ -46,6 +46,9 @@ def add_parameter(self: "SamlCredentialsProvider", info: RedshiftProperty) -> No
         self.region = info.region
         self.principal = info.principal
 
+    def do_verify_ssl_cert(self: "SamlCredentialsProvider") -> bool:
+        return not self.sslInsecure
+
     def get_credentials(self: "SamlCredentialsProvider") -> CredentialsHolder:
         key: str = self.get_cache_key()
         if key not in self.cache or self.cache[key].is_expired():

test/integration/plugin/test_credentials_providers.py

@@ -115,6 +115,15 @@ def test_invalid_db_group(idp_arg):
         redshift_connector.connect(**idp_arg)
 
 
+@pytest.mark.parametrize("idp_arg", NON_BROWSER_IDP, indirect=True)
+@pytest.mark.parametrize("ssl_insecure_val", [True, False])
+def test_ssl_insecure_is_used(idp_arg, ssl_insecure_val):
+    idp_arg["ssl_insecure"] = ssl_insecure_val
+
+    with redshift_connector.connect(**idp_arg):
+        pass
+
+
 @pytest.mark.parametrize("idp_arg", ALL_IDP, indirect=True)
 def testSslAndIam(idp_arg):
     idp_arg["ssl"] = False