Fix ifeval not passing CI

Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>

rules/S4830/common/fix/cert-hostname-validation-overlap.adoc

@@ -0,0 +1 @@
+As part of its certification validation, {cert_framework_context} also verifies the server hostname with the certificate chain.

rules/S4830/python/how-to-fix-it/aiohttp.adoc

@@ -10,6 +10,10 @@ include::../../common/fix/code-rationale.adoc[]
 
 include::../../common/fix/code-rationale-setting.adoc[]
 
+:cert_framework_context: aiohttp
+
+include::../../common/fix/cert-hostname-validation-overlap.adoc[]
+
 ==== Noncompliant code example
 
 [source,python,diff-id=41,diff-type=noncompliant]

rules/S4830/python/how-to-fix-it/httpx.adoc

@@ -10,6 +10,10 @@ include::../../common/fix/code-rationale.adoc[]
 
 include::../../common/fix/code-rationale-setting.adoc[]
 
+:cert_framework_context: HTTPX
+
+include::../../common/fix/cert-hostname-validation-overlap.adoc[]
+
 ==== Noncompliant code example
 
 [source,python,diff-id=31,diff-type=noncompliant]

rules/S4830/python/how-to-fix-it/requests.adoc

@@ -10,6 +10,10 @@ include::../../common/fix/code-rationale.adoc[]
 
 include::../../common/fix/code-rationale-setting.adoc[]
 
+:cert_framework_context: Requests
+
+include::../../common/fix/cert-hostname-validation-overlap.adoc[]
+
 ==== Noncompliant code example
 
 [source,python,diff-id=11,diff-type=noncompliant]

rules/S5527/python/highlighting.adoc

@@ -0,0 +1,6 @@
+=== Highlighting
+
+For pyOpenSSL:
+
+* The `SSLContext` constructor should have a primary highlight
+* The `SSLConnector` constructor should have a secondary highlight

rules/S5527/python/how-to-fix-it/openssl.adoc

@@ -0,0 +1,46 @@
+== How to fix it in OpenSSL
+
+=== Code examples
+
+Currently, pyOpenSSL does not provide any public method to enable hostname verification.
+Therefore, it is recommended to use another SSL library. The `ssl` module
+of the Python standard library can be a great replacement for several use cases.
+
+==== Noncompliant code example
+
+[source,python,diff-id=11,diff-type=noncompliant]
+----
+import socket
+from OpenSSL import SSL
+
+ctx = SSL.Context(SSL.TLSv1_2_METHOD)  # Noncompliant
+ctx.set_verify(SSL.VERIFY_PEER)
+
+conn = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+conn.connect(("www.example.com", 443))
+conn.send("GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n".encode())
+result = conn.recv(1024)
+
+conn.shutdown()
+conn.close()
+----
+
+==== Compliant solution
+
+[source,python,diff-id=11,diff-type=compliant]
+----
+import ssl
+import socket
+
+# By default, hostname verification is enabled
+ctx = ssl.create_default_context()
+
+with socket.create_connection(("www.example.com", 443)) as sock:
+    with ctx.wrap_socket(sock, server_hostname="www.example.com") as conn:
+        conn.send(f"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n".encode())
+        conn.recv(1024)
+----
+
+=== How does this work?
+
+include::../../common/fix/validation.adoc[]

rules/S5527/python/how-to-fix-it/std.adoc

@@ -4,12 +4,8 @@
 
 include::../../common/fix/code-rationale.adoc[]
 
-Certificate validation is not enabled by default when
-``++_create_unverified_context++`` or ``++_create_stdlib_context++`` is used.  It is
-recommended to use `create_default_context`, without explicitly setting
-`check_hostname` to `False`. +
-Doing so creates a secure context that validates both hostnames and
-certificates.
+Certificate validation is not enabled by default when ``++_create_unverified_context++`` or ``++_create_stdlib_context++`` is used. It is recommended to use ``++create_default_context++`` instead. This method creates secure contexts that will check server hostnames and verify certificates (see S4830 for more information) by default. +
+If ``++create_default_context++`` cannot be used, then the ``check_hostname`` property must be set to ``True`` on the ``SSLContext``. Doing so also automatically enables certificate verification for this context.
 
 ==== Noncompliant code example
 
@@ -17,10 +13,10 @@ certificates.
 ----
 import ssl
 
-example = ssl._create_stdlib_context() # Noncompliant
+ctx1 = ssl.create_default_context()
+ctx1.check_hostname = False  # Noncompliant
 
-example = ssl._create_default_https_context()
-example.check_hostname = False # Noncompliant
+ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # Noncompliant
 ----
 
 ==== Compliant solution
@@ -29,9 +25,11 @@ example.check_hostname = False # Noncompliant
 ----
 import ssl
 
-example = ssl.create_default_context()
+# By default, hostname verification is enabled
+ctx1 = ssl.create_default_context()
 
-example = ssl._create_default_https_context()
+ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+ctx2.check_hostname = True
 ----
 
 === How does this work?

rules/S5527/python/rule.adoc

@@ -10,6 +10,8 @@ include::../impact.adoc[]
 
 include::how-to-fix-it/std.adoc[]
 
+include::how-to-fix-it/openssl.adoc[]
+
 == Resources
 
 include::../common/resources/standards.adoc[]
@@ -22,6 +24,8 @@ ifdef::env-github,rspecator-view[]
 
 include::../message.adoc[]
 
+include::highlighting.adoc[]
+
 '''
 == Comments And Links
 (visible only on this page)