rspec/rules/S4830/python/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

https://github.com/psf/requests[psf/requests] library:

[source,python]
----
import requests

requests.request('GET', 'https://example.domain', verify=False) # Noncompliant
requests.get('https://example.domain', verify=False) # Noncompliant
----

Python https://docs.python.org/3/library/ssl.html[ssl standard] library:

[source,python]
----
import ssl

ctx1 = ssl._create_unverified_context() # Noncompliant: by default certificate validation is not done
ctx2 = ssl._create_stdlib_context() # Noncompliant: by default certificate validation is not done

ctx3 = ssl.create_default_context()
ctx3.verify_mode = ssl.CERT_NONE # Noncompliant
----

https://github.com/pyca/pyopenssl[pyca/pyopenssl] library:

[source,python]
----
from OpenSSL import SSL

ctx1 = SSL.Context(SSL.TLSv1_2_METHOD) # Noncompliant: by default certificate validation is not done

ctx2 = SSL.Context(SSL.TLSv1_2_METHOD)
ctx2.set_verify(SSL.VERIFY_NONE, verify_callback) # Noncompliant
----

=== Compliant solution

https://github.com/psf/requests[psf/requests] library:

[source,python]
----
import requests

requests.request('GET', 'https://example.domain', verify=True)
requests.request('GET', 'https://example.domain', verify='/path/to/CAbundle')
requests.get(url='https://example.domain') # by default certificate validation is enabled
----

Python https://docs.python.org/3/library/ssl.html[ssl standard] library:

[source,python]
----
import ssl

ctx = ssl.create_default_context()
ctx.verify_mode = ssl.CERT_REQUIRED

ctx = ssl._create_default_https_context() # by default certificate validation is enabled
----

https://github.com/pyca/pyopenssl[pyca/pyopenssl] library:

[source,python]
----
from OpenSSL import SSL

ctx = SSL.Context(SSL.TLSv1_2_METHOD)
ctx.set_verify(SSL.VERIFY_PEER, verify_callback) # Compliant
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback) # Compliant
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_CLIENT_ONCE, verify_callback) # Compliant
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]