Merge pull request #199 from jsteemann/feature/certificate-verification

joerg84 · web-flow · commit 7d8d9e073884 · 2022-04-13T17:38:30.000+02:00
allow to disable TLS certificate verification
diff --git a/arango/client.py b/arango/client.py
@@ -45,6 +45,8 @@ class ArangoClient:
         the de-serialized object. If not given, ``json.loads`` is used by
         default.
     :type deserializer: callable
+    :param verify_certificate: Verify TLS certificates.
+    :type verify_certificate: bool
     """
 
     def __init__(
@@ -55,6 +57,7 @@ def __init__(
         http_client: Optional[HTTPClient] = None,
         serializer: Callable[..., str] = lambda x: dumps(x),
         deserializer: Callable[[str], Any] = lambda x: loads(x),
+        verify_certificate: bool = True,
     ) -> None:
         if isinstance(hosts, str):
             self._hosts = [host.strip("/") for host in hosts.split(",")]
@@ -76,6 +79,10 @@ def __init__(
         self._deserializer = deserializer
         self._sessions = [self._http.create_session(h) for h in self._hosts]
 
+        # set flag for SSL/TLS certificate verification
+        for session in self._sessions:
+            session.verify = verify_certificate
+
     def __repr__(self) -> str:
         return f"<ArangoClient {','.join(self._hosts)}>"
 
@@ -110,6 +117,7 @@ def db(
         verify: bool = False,
         auth_method: str = "basic",
         superuser_token: Optional[str] = None,
+        verify_certificate: bool = True,
     ) -> StandardDatabase:
         """Connect to an ArangoDB database and return the database API wrapper.
 
@@ -130,6 +138,8 @@ def db(
             If set, parameters **username**, **password** and **auth_method**
             are ignored. This token is not refreshed automatically.
         :type superuser_token: str
+        :param verify_certificate: Verify TLS certificates.
+        :type verify_certificate: bool
         :return: Standard database API wrapper.
         :rtype: arango.database.StandardDatabase
         :raise arango.exceptions.ServerConnectionError: If **verify** was set
diff --git a/docs/certificates.rst b/docs/certificates.rst
@@ -0,0 +1,30 @@
+TLS certificate verification
+----------------------------
+
+When connecting against a server using an https/TLS connection, TLS certificates
+are verified by default.
+By default, self-signed certificates will cause trouble when connecting.
+
+.. code-block:: python
+
+    client = ArangoClient(hosts="https://localhost:8529")
+
+In order to make connections work even when using self-signed certificates, the
+`verify_certificates` option can be disabled when creating the `ArangoClient`
+instance:
+
+.. code-block:: python
+
+    client = ArangoClient(hosts="https://localhost:8529", verify_certificate=False)
+
+This will allow connecting, but the underlying `urllib3` library may still issue
+warnings due to the insecurity of using self-signed certificates.
+
+To turn off these warnings as well, you can add the following code to your client
+application:
+
+.. code-block:: python
+
+    import requests
+    requests.packages.urllib3.disable_warnings() 
+
