You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@arrow.apache.org by tu...@apache.org on 2023/01/25 09:46:25 UTC

[arrow-rs] branch master updated: Add ClientOption.allow_insecure (#3600)

This is an automated email from the ASF dual-hosted git repository.

tustvold pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/arrow-rs.git


The following commit(s) were added to refs/heads/master by this push:
     new 98d35d3e4 Add ClientOption.allow_insecure (#3600)
98d35d3e4 is described below

commit 98d35d3e4351e12fcd6d882a8cb8670c90c770f8
Author: Daniel Poelzleithner <gi...@poelzi.org>
AuthorDate: Wed Jan 25 10:46:19 2023 +0100

    Add ClientOption.allow_insecure (#3600)
    
    * Add ClientOption.allow_insecure
    
    Add option to allow insecure https connections.
    In local isolated test environments, it is normal to use self signed, local
    certificates for automated integration testing.
    
    * clarify  with_allow_invalid_certificates
    
    Co-authored-by: Raphael Taylor-Davies <17...@users.noreply.github.com>
    
    Co-authored-by: Raphael Taylor-Davies <17...@users.noreply.github.com>
---
 object_store/src/client/mod.rs | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/object_store/src/client/mod.rs b/object_store/src/client/mod.rs
index f07377e98..d019e8119 100644
--- a/object_store/src/client/mod.rs
+++ b/object_store/src/client/mod.rs
@@ -52,6 +52,7 @@ pub struct ClientOptions {
     default_headers: Option<HeaderMap>,
     proxy_url: Option<String>,
     allow_http: bool,
+    allow_insecure: bool,
     timeout: Option<Duration>,
     connect_timeout: Option<Duration>,
     pool_idle_timeout: Option<Duration>,
@@ -106,6 +107,21 @@ impl ClientOptions {
         self.allow_http = allow_http;
         self
     }
+    /// Allows connections to invalid SSL certificates
+    /// * false (default):  Only valid HTTPS certificates are allowed
+    /// * true:  All HTTPS certificates are allowed
+    ///
+    /// # Warning
+    ///
+    /// You should think very carefully before using this method. If
+    /// invalid certificates are trusted, *any* certificate for *any* site
+    /// will be trusted for use. This includes expired certificates. This
+    /// introduces significant vulnerabilities, and should only be used
+    /// as a last resort or for testing
+    pub fn with_allow_invalid_certificates(mut self, allow_insecure: bool) -> Self {
+        self.allow_insecure = allow_insecure;
+        self
+    }
 
     /// Only use http1 connections
     pub fn with_http1_only(mut self) -> Self {
@@ -259,6 +275,10 @@ impl ClientOptions {
             builder = builder.http2_prior_knowledge()
         }
 
+        if self.allow_insecure {
+            builder = builder.danger_accept_invalid_certs(self.allow_insecure)
+        }
+
         builder
             .https_only(!self.allow_http)
             .build()