python-poetry · maayanbar13 · May 29, 2020 · Sep 12, 2020 · Sep 12, 2020 · Sep 12, 2020
diff --git a/docs/repositories.md b/docs/repositories.md
@@ -21,7 +21,6 @@ on PyPI.
 
 This represents most cases and will likely be enough for most users.
 
-
 ## Using a private repository
 
 However, at times, you may need to keep your package private while still being
@@ -65,8 +64,8 @@ call to `config`.
 ```bash
 poetry config http-basic.pypi username password
 ```
-{{% /note %}}
 
+{{% /note %}}
 
 You can also specify the username and password when using the `publish` command
 with the `--username` and `--password` options.
@@ -110,8 +109,9 @@ poetry config -- http-basic.pypi myUsername -myPasswordStartingWithDash
 ```
 
 #### Custom certificate authority and mutual TLS authentication
+
 Poetry supports repositories that are secured by a custom certificate authority as well as those that require
-certificate-based client authentication.  The following will configure the "foo" repository to validate the repository's
+certificate-based client authentication. The following will configure the "foo" repository to validate the repository's
 certificate using a custom certificate authority and use a client certificate (note that these config variables do not
 both need to be set):
 
@@ -147,6 +147,7 @@ name = "foo"
 url = "https://foo.bar/simple/"
 secondary = true
 ```
+
 {{% /note %}}
 
 If your private repository requires HTTP Basic Auth be sure to add the username and
@@ -156,7 +157,6 @@ a custom certificate authority or client certificates, similarly refer to the ex
 `certificates` section. Poetry will use these values to authenticate to your private repository when downloading or
 looking for packages.
 
-
 ### Disabling the PyPI repository
 
 If you want your packages to be exclusively looked up from a private
@@ -170,3 +170,11 @@ default = true
 ```
 
 A default source will also be the fallback source if you add other sources.
+
+### Trusting a repository
+
+You can bypass SSL verification for a repository if you know it can be trusted (useful for private repositories):
+
+```bash
+poetry config certificates.foo.trusted true
+```
diff --git a/src/poetry/console/commands/config.py b/src/poetry/console/commands/config.py
@@ -255,20 +255,37 @@ def handle(self) -> int | None:
 
         # handle certs
         m = re.match(
-            r"(?:certificates)\.([^.]+)\.(cert|client-cert)", self.argument("key")
+            r"(?:certificates)\.([^.]+)\.(cert|client-cert|trusted)",
+            self.argument("key"),
         )
         if m:
+            key = f"certificates.{m.group(1)}.{m.group(2)}"
             if self.option("unset"):
                 config.auth_config_source.remove_property(
                     f"certificates.{m.group(1)}.{m.group(2)}"
                 )
 
                 return 0
-
+            if m.group(2) == "trusted":
+                from poetry.config.config import boolean_normalizer
+                from poetry.config.config import boolean_validator
+
+                self._handle_single_value(
+                    config.auth_config_source,
+                    key,
+                    (
+                        boolean_validator,
+                        boolean_normalizer,
+                        False,
+                    ),
+                    values,
+                )
             if len(values) == 1:
                 config.auth_config_source.add_property(
                     f"certificates.{m.group(1)}.{m.group(2)}", values[0]
                 )
+            elif len(values) == 1:
+                config.auth_config_source.add_property(key, values[0])
             else:
                 raise ValueError("You must pass exactly 1 value")
 

diff --git a/src/poetry/factory.py b/src/poetry/factory.py
@@ -15,6 +15,7 @@
 from poetry.plugins.plugin import Plugin
 from poetry.plugins.plugin_manager import PluginManager
 from poetry.poetry import Poetry
+from poetry.utils.helpers import get_trusted
 
 
 if TYPE_CHECKING:
@@ -175,6 +176,7 @@ def create_legacy_repository(
             config=auth_config,
             cert=get_cert(auth_config, name),
             client_cert=get_client_cert(auth_config, name),
+            trusted=get_trusted(auth_config, name),
         )
 
     @classmethod

diff --git a/src/poetry/installation/pip_installer.py b/src/poetry/installation/pip_installer.py
@@ -56,6 +56,8 @@ def install(self, package: Package, update: bool = False) -> None:
                     f" {parsed.hostname}</warning>"
                 )
                 args += ["--trusted-host", parsed.hostname]
+            elif repository.trusted:
+                args += ["--trusted-host", parsed.hostname]
 
             if repository.cert:
                 args += ["--cert", str(repository.cert)]

diff --git a/src/poetry/repositories/http.py b/src/poetry/repositories/http.py
@@ -43,11 +43,13 @@ def __init__(
         disable_cache: bool = False,
         cert: Path | None = None,
         client_cert: Path | None = None,
+        trusted: bool | None = False,
     ) -> None:
         super().__init__(name, "_http", disable_cache)
         self._url = url
         self._client_cert = client_cert
         self._cert = cert
+        self._trusted = trusted
 
         self._authenticator = Authenticator(
             config=config or Config(use_environment=True)
@@ -89,6 +91,10 @@ def cert(self) -> Path | None:
     def client_cert(self) -> Path | None:
         return self._client_cert
 
+    @property
+    def trusted(self) -> bool | None:
+        return self._trusted
+
     @property
     def authenticated_url(self) -> str:
         if not self._session.auth:

diff --git a/src/poetry/repositories/legacy_repository.py b/src/poetry/repositories/legacy_repository.py
@@ -30,12 +30,13 @@ def __init__(
         disable_cache: bool = False,
         cert: Path | None = None,
         client_cert: Path | None = None,
+        trusted: bool | None = False,
     ) -> None:
         if name == "pypi":
             raise ValueError("The name [pypi] is reserved for repositories")
 
         super().__init__(
-            name, url.rstrip("/"), config, disable_cache, cert, client_cert
+            name, url.rstrip("/"), config, disable_cache, cert, client_cert, trusted
         )
 
     def find_packages(self, dependency: Dependency) -> list[Package]:

diff --git a/src/poetry/utils/helpers.py b/src/poetry/utils/helpers.py
@@ -63,6 +63,14 @@ def get_client_cert(config: Config, repository_name: str) -> Path | None:
         return None
 
 
+def get_trusted(config: Config, repository_name: str) -> bool | None:
+    trusted = config.get(f"certificates.{repository_name}.trusted")
+    if trusted:
+        return bool(trusted)
+    else:
+        return None
+
+
 def _on_rm_error(func: Callable, path: str, exc_info: Exception) -> None:
     if not os.path.exists(path):
         return

diff --git a/tests/console/commands/test_config.py b/tests/console/commands/test_config.py
@@ -171,6 +171,16 @@ def test_set_cert(
     assert auth_config_source.config["certificates"]["foo"]["cert"] == "path/to/ca.pem"
 
 
+def test_set_trusted(
+    tester: CommandTester, auth_config_source: DictConfigSource, mocker: MockerFixture
+):
+    mocker.spy(ConfigSource, "__init__")
+
+    tester.execute("certificates.foo.trusted true")
+
+    assert auth_config_source.config["certificates"]["foo"]["trusted"] == "true"
+
+
 def test_config_installer_parallel(
     tester: CommandTester, command_tester_factory: CommandTesterFactory
 ):

diff --git a/tests/fixtures/with_trusted_source/README.rst b/tests/fixtures/with_trusted_source/README.rst
@@ -0,0 +1,2 @@
+My Package
+==========
diff --git a/tests/fixtures/with_trusted_source/pyproject.toml b/tests/fixtures/with_trusted_source/pyproject.toml
@@ -0,0 +1,62 @@
+[tool.poetry]
+name = "my-package"
+version = "1.2.3"
+description = "Some description."
+authors = [
+    "Sébastien Eustace <sebastien@eustace.io>"
+]
+license = "MIT"
+
+readme = "README.rst"
+
+homepage = "https://python-poetry.org"
+repository = "https://github.com/python-poetry/poetry"
+documentation = "https://python-poetry.org/docs"
+
+keywords = ["packaging", "dependency", "poetry"]
+
+classifiers = [
+    "Topic :: Software Development :: Build Tools",
+    "Topic :: Software Development :: Libraries :: Python Modules"
+]
+
+# Requirements
+[tool.poetry.dependencies]
+python = "~2.7 || ^3.6"
+cleo = "^0.6"
+pendulum = { git = "https://github.com/sdispater/pendulum.git", branch = "2.0" }
+requests = { version = "^2.18", optional = true, extras=[ "security" ] }
+pathlib2 = { version = "^2.2", python = "~2.7" }
+
+orator = { version = "^0.9", optional = true }
+
+# File dependency
+demo = { path = "../distributions/demo-0.1.0-py2.py3-none-any.whl" }
+
+# Dir dependency with setup.py
+my-package = { path = "../project_with_setup/" }
+
+# Dir dependency with pyproject.toml
+simple-project = { path = "../simple_project/" }
+
+
+[tool.poetry.extras]
+db = [ "orator" ]
+
+[tool.poetry.dev-dependencies]
+pytest = "~3.4"
+
+
+[tool.poetry.scripts]
+my-script = "my_package:main"
+
+
+[tool.poetry.plugins."blogtool.parsers"]
+".rst" = "some_module::SomeClass"
+
+
+[[tool.poetry.source]]
+name = "foo"
+url = "https://foo.bar/simple/"
+default = true
+trusted = true
diff --git a/tests/installation/test_pip_installer.py b/tests/installation/test_pip_installer.py
@@ -187,6 +187,36 @@ def test_requirement_git_develop_true(installer: PipInstaller, package_git: Pack
     assert result == expected
 
 
+def test_install_with_trusted_host():
+    pool = Pool()
+    host = "foo.bar"
+
+    default = LegacyRepository("default", f"https://{host}", trusted=True)
+
+    pool.add_repository(default, default=True)
+
+    null_env = NullEnv()
+
+    installer = PipInstaller(null_env, NullIO(), pool)
+
+    foo = Package(
+        "foo",
+        "0.0.0",
+        source_type="legacy",
+        source_reference=default._name,
+        source_url=default._url,
+    )
+
+    installer.install(foo)
+
+    assert len(null_env.executed) == 1
+    cmd = null_env.executed[0]
+    assert "--trusted-host" in cmd
+    trusted_host_index = cmd.index("--trusted-host")
+
+    assert cmd[trusted_host_index + 1] == host
+
+
 def test_uninstall_git_package_nspkg_pth_cleanup(
     mocker: MockerFixture, tmp_venv: VirtualEnv, pool: Pool
 ):

diff --git a/tests/utils/test_helpers.py b/tests/utils/test_helpers.py
@@ -10,6 +10,7 @@
 from poetry.utils.helpers import canonicalize_name
 from poetry.utils.helpers import get_cert
 from poetry.utils.helpers import get_client_cert
+from poetry.utils.helpers import get_trusted
 
 
 if TYPE_CHECKING:
@@ -86,6 +87,13 @@ def test_get_client_cert(config: Config):
     assert get_client_cert(config, "foo") == Path(client_cert)
 
 
+def test_get_trusted(config: Config):
+    trusted = "true"
+    config.merge({"certificates": {"foo": {"trusted": trusted}}})
+
+    assert get_trusted(config, "foo")
+
+
 test_canonicalize_name_cases = [
     ("flask", "flask"),
     ("Flask", "flask"),