-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Allow HTTPS requests to use tls_ciphers
#20179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
0eeb208
to
63b5b09
Compare
|
||
request_overrides = {} | ||
if new_options.get('verify') != self.options['verify']: | ||
if new_options.get('verify') is True: |
Check failure
Code scanning / CodeQL
Use of insecure SSL/TLS version High
call to ssl.SSLContext
Insecure SSL/TLS protocol version TLSv1_1 allowed by
call to ssl.SSLContext
Copilot Autofix
AI 15 days ago
Copilot could not generate an autofix suggestion
Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dkirov-dd this turns out to be more involved, I'll do it in a separate PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
small stuff left at this point!
Co-authored-by: Ilia Kurenkov <ilia.kurenkov@datadoghq.com>
Review from iliakur is dismissed. Related teams and files:
- agent-integrations
- datadog_checks_base/datadog_checks/base/utils/http.py
Review from iliakur is dismissed. Related teams and files:
- agent-integrations
- datadog_checks_base/datadog_checks/base/utils/http.py
- datadog_checks_base/datadog_checks/base/utils/tls.py
- datadog_checks_dev/datadog_checks/dev/plugin/pytest.py
- harbor/tests/conftest.py
Review from nubtron is dismissed. Related teams and files:
- agent-integrations
- datadog_checks_base/datadog_checks/base/utils/http.py
- datadog_checks_base/datadog_checks/base/utils/tls.py
- datadog_checks_dev/datadog_checks/dev/plugin/pytest.py
- harbor/tests/conftest.py
What does this PR do?
This PR modifies the behavior of the
RequestsWrapper
to make use ofrequests.Session
for all requests.It extends the allowed TLS ciphers to all those that are allowed by the compile-time configuration.
This was achieved using the
Session
class's HTTPSAdapter
, which passes the customSSLContext
to the underlyingurllib3
functions.Note
Many unit and integration tests that were previously mocking
requests.get
or otherrequests
methods needed to be modified with these changes in mind.N.B: These test should most likely be rewritten in a subsequent PR to use higher-level mocks. This would prevent future PRs that would change logic inside the
RequestsWrapper
to have to fix hundreds of tests.Motivation
The integration config provides a
tls_ciphers
parameter that was not utilized uniformly throughout HTTPS requests. Most notably, it had no effect on the requests made through the AgentCheck'shttp
attribute.Allowing the modification of cipher suites is essential to support the broadest array of use cases.
For example, some users have endpoints that do not accept any of Python's ssl.SSLCipher default cipher suites, leading to these endpoints being unusable with our checks.
Important
The goal for this PR is to only extend the realm of usable endpoints for end users.
All existing interfaces, inputs, and outputs remain unchanged.
No user action is required to benefit from the improvements.
Review checklist (to be filled by reviewers)
qa/skip-qa
label if the PR doesn't need to be tested during QA.backport/<branch-name>
label to the PR and it will automatically open a backport PR once this one is merged