From 9319dda0ec04dcbf50b8e9e248ef51759890172b Mon Sep 17 00:00:00 2001
From: Johannes Langer <jo.langer@gmail.com>
Date: Sat, 21 Oct 2017 01:36:14 +0200
Subject: [PATCH] Added ability to ignore cert for oauth2 provider (#971)

* Added ability to ignore cert for oauth2 provider

This is useful for development environments where the OAuth provider
doesn't have a valid cert!

* Setting default for OAUTH2_VERIFY_CERT to true
---
 docs/administration.rst | 7 +++++++
 lemur/auth/views.py     | 9 +++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/docs/administration.rst b/docs/administration.rst
index fca81f1a..b9b229b7 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -496,6 +496,13 @@ For more information about how to use social logins, see: `Satellizer <https://g
 
             OAUTH2_AUTH_ENDPOINT = "https://<youroauthserver>/oauth2/v1/authorize"
 
+.. data:: OAUTH2_VERIFY_CERT
+    :noindex:
+
+        ::
+
+            OAUTH2_VERIFY_CERT = True
+
 .. data:: GOOGLE_CLIENT_ID
     :noindex:
 
diff --git a/lemur/auth/views.py b/lemur/auth/views.py
index c5af7606..efc1cff4 100644
--- a/lemur/auth/views.py
+++ b/lemur/auth/views.py
@@ -289,6 +289,7 @@ class OAuth2(Resource):
         # you can either discover these dynamically or simply configure them
         access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL')
         user_api_url = current_app.config.get('OAUTH2_USER_API_URL')
+        verify_cert = current_app.config.get('OAUTH2_VERIFY_CERT', True)
 
         # the secret and cliendId will be given to you when you signup for the provider
         token = '{0}:{1}'.format(args['clientId'], current_app.config.get("OAUTH2_SECRET"))
@@ -302,9 +303,9 @@ class OAuth2(Resource):
 
         # exchange authorization code for access token.
         # Try Params first
-        r = requests.post(access_token_url, headers=headers, params=params)
+        r = requests.post(access_token_url, headers=headers, params=params, verify=verify_cert)
         if r.status_code == 400:
-            r = requests.post(access_token_url, headers=headers, data=params)
+            r = requests.post(access_token_url, headers=headers, data=params, verify=verify_cert)
         id_token = r.json()['id_token']
         access_token = r.json()['access_token']
 
@@ -313,7 +314,7 @@ class OAuth2(Resource):
         jwks_url = current_app.config.get('OAUTH2_JWKS_URL')
 
         # retrieve the key material as specified by the token header
-        r = requests.get(jwks_url)
+        r = requests.get(jwks_url, verify=verify_cert)
         for key in r.json()['keys']:
             if key['kid'] == header_data['kid']:
                 secret = get_rsa_public_key(key['n'], key['e'])
@@ -338,7 +339,7 @@ class OAuth2(Resource):
         headers = {'authorization': 'Bearer {0}'.format(access_token)}
 
         # retrieve information about the current user.
-        r = requests.get(user_api_url, headers=headers)
+        r = requests.get(user_api_url, headers=headers, verify=verify_cert)
         profile = r.json()
 
         user = user_service.get_by_email(profile['email'])