From 9e3efa8acc84e366d153f02a62321eec51ce295b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9n=C3=A9lik=20Vero?= Date: Mon, 9 Feb 2026 13:14:41 +0100 Subject: [PATCH 1/3] fix ssl deactivation from catalog properties #2985 --- pyiceberg/catalog/rest/__init__.py | 2 +- tests/catalog/test_rest.py | 25 ++++++++++++++++++++++++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/pyiceberg/catalog/rest/__init__.py b/pyiceberg/catalog/rest/__init__.py index 802be28565..608ce028ed 100644 --- a/pyiceberg/catalog/rest/__init__.py +++ b/pyiceberg/catalog/rest/__init__.py @@ -358,7 +358,7 @@ def _create_session(self) -> Session: # Sets the client side and server side SSL cert verification, if provided as properties. if ssl_config := self.properties.get(SSL): - if ssl_ca_bundle := ssl_config.get(CA_BUNDLE): + if (ssl_ca_bundle := ssl_config.get(CA_BUNDLE)) is not None: session.verify = ssl_ca_bundle if ssl_client := ssl_config.get(CLIENT): if all(k in ssl_client for k in (CERT, KEY)): diff --git a/tests/catalog/test_rest.py b/tests/catalog/test_rest.py index 9fb1fa9af5..b774aef89b 100644 --- a/tests/catalog/test_rest.py +++ b/tests/catalog/test_rest.py @@ -47,7 +47,7 @@ NoSuchViewError, OAuthError, ServerError, - TableAlreadyExistsError, + TableAlreadyExistsError, ValidationError, ) from pyiceberg.io import load_file_io from pyiceberg.partitioning import PartitionField, PartitionSpec @@ -1641,6 +1641,29 @@ def test_update_namespace_properties_invalid_namespace(rest_mock: Mocker) -> Non assert "Empty namespace identifier" in str(e.value) +def test_with_disabled_ssl_ca_bundle(rest_mock: Mocker) -> None: + from pydantic import ValidationError + def ssl_check_callback(req, _): + if req.verify: + raise AssertionError("SSL verification is still enabled") + # Given + rest_mock.get( + f"{TEST_URI}v1/config", + json=ssl_check_callback, + status_code=200, + ) + # Given + catalog_properties = { + "uri": TEST_URI, + "token": TEST_TOKEN, + "ssl": { + "cabundle": False, + } + } + with pytest.raises(ValidationError) as _: + RestCatalog("rest", **catalog_properties) + + def test_request_session_with_ssl_ca_bundle(monkeypatch: pytest.MonkeyPatch) -> None: # Given catalog_properties = { From ccc9b4aa3b1eeb4b3c6493392e3351b9ec4a49ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9n=C3=A9lik=20Vero?= Date: Tue, 10 Feb 2026 09:17:32 +0100 Subject: [PATCH 2/3] fix(lint): fix linting issues --- tests/catalog/test_rest.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/tests/catalog/test_rest.py b/tests/catalog/test_rest.py index b774aef89b..e88808f82d 100644 --- a/tests/catalog/test_rest.py +++ b/tests/catalog/test_rest.py @@ -26,6 +26,8 @@ from requests.adapters import HTTPAdapter from requests.exceptions import HTTPError from requests_mock import Mocker +from requests_mock.request import _RequestObjectProxy +from requests_mock.response import _Context import pyiceberg from pyiceberg.catalog import PropertiesUpdateSummary, load_catalog @@ -47,7 +49,7 @@ NoSuchViewError, OAuthError, ServerError, - TableAlreadyExistsError, ValidationError, + TableAlreadyExistsError, ) from pyiceberg.io import load_file_io from pyiceberg.partitioning import PartitionField, PartitionSpec @@ -1643,9 +1645,11 @@ def test_update_namespace_properties_invalid_namespace(rest_mock: Mocker) -> Non def test_with_disabled_ssl_ca_bundle(rest_mock: Mocker) -> None: from pydantic import ValidationError - def ssl_check_callback(req, _): + + def ssl_check_callback(req: _RequestObjectProxy, _: _Context) -> None: if req.verify: raise AssertionError("SSL verification is still enabled") + # Given rest_mock.get( f"{TEST_URI}v1/config", @@ -1658,10 +1662,10 @@ def ssl_check_callback(req, _): "token": TEST_TOKEN, "ssl": { "cabundle": False, - } + }, } with pytest.raises(ValidationError) as _: - RestCatalog("rest", **catalog_properties) + RestCatalog("rest", **catalog_properties) # type: ignore def test_request_session_with_ssl_ca_bundle(monkeypatch: pytest.MonkeyPatch) -> None: From 3e84d240699f3f69e31cbd26de8df5dc0da00470 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9n=C3=A9lik=20Vero?= Date: Tue, 10 Feb 2026 09:45:23 +0100 Subject: [PATCH 3/3] feat(test): simpler test without callback --- tests/catalog/test_rest.py | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/tests/catalog/test_rest.py b/tests/catalog/test_rest.py index e88808f82d..a7ce2d2031 100644 --- a/tests/catalog/test_rest.py +++ b/tests/catalog/test_rest.py @@ -26,8 +26,6 @@ from requests.adapters import HTTPAdapter from requests.exceptions import HTTPError from requests_mock import Mocker -from requests_mock.request import _RequestObjectProxy -from requests_mock.response import _Context import pyiceberg from pyiceberg.catalog import PropertiesUpdateSummary, load_catalog @@ -1644,18 +1642,6 @@ def test_update_namespace_properties_invalid_namespace(rest_mock: Mocker) -> Non def test_with_disabled_ssl_ca_bundle(rest_mock: Mocker) -> None: - from pydantic import ValidationError - - def ssl_check_callback(req: _RequestObjectProxy, _: _Context) -> None: - if req.verify: - raise AssertionError("SSL verification is still enabled") - - # Given - rest_mock.get( - f"{TEST_URI}v1/config", - json=ssl_check_callback, - status_code=200, - ) # Given catalog_properties = { "uri": TEST_URI, @@ -1664,8 +1650,8 @@ def ssl_check_callback(req: _RequestObjectProxy, _: _Context) -> None: "cabundle": False, }, } - with pytest.raises(ValidationError) as _: - RestCatalog("rest", **catalog_properties) # type: ignore + catalog = RestCatalog("rest", **catalog_properties) # type: ignore + assert catalog._session.verify is False def test_request_session_with_ssl_ca_bundle(monkeypatch: pytest.MonkeyPatch) -> None: