From 845cd45cc487493267df507cf022ef28f99267d5 Mon Sep 17 00:00:00 2001
From: Tim Jacomb
Date: Thu, 5 Dec 2024 09:41:44 +0000
Subject: [PATCH] Integrate truststore so System certificates are trusted automatically
---
 .../azure/cli/core/ssl_context_adaptor.py | 10 ++++++++++
 src/azure-cli-core/azure/cli/core/util.py | 2 ++
 src/azure-cli/requirements.py3.Darwin.txt | 1 +
 src/azure-cli/requirements.py3.Linux.txt | 1 +
 src/azure-cli/requirements.py3.windows.txt | 1 +
 5 files changed, 15 insertions(+)
 create mode 100644 src/azure-cli-core/azure/cli/core/ssl_context_adaptor.py
diff --git a/src/azure-cli-core/azure/cli/core/ssl_context_adaptor.py b/src/azure-cli-core/azure/cli/core/ssl_context_adaptor.py
new file mode 100644
index 00000000000..ec4a0a4407e
--- /dev/null
+++ b/src/azure-cli-core/azure/cli/core/ssl_context_adaptor.py
@@ -0,0 +1,10 @@
+import requests.adapters
+import ssl
+import truststore
+
+class SSLContextAdapter(requests.adapters.HTTPAdapter):
+ def init_poolmanager(self, *args, **kwargs):
+ ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+
+ kwargs['ssl_context'] = ctx
+ return super(SSLContextAdapter, self).init_poolmanager(*args, **kwargs)
diff --git a/src/azure-cli-core/azure/cli/core/util.py b/src/azure-cli-core/azure/cli/core/util.py
index 7bc450ea9af..c4fdb96312a 100644
--- a/src/azure-cli-core/azure/cli/core/util.py
+++ b/src/azure-cli-core/azure/cli/core/util.py
@@ -906,6 +906,7 @@ def send_raw_request(cli_ctx, method, url, headers=None, uri_parameters=None, #
 import uuid
 from requests import Session, Request
 from requests.structures import CaseInsensitiveDict
+ from azure.cli.core.ssl_context_adaptor import SSLContextAdapter
 result = CaseInsensitiveDict()
 for s in headers or []:
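Review bot: In ssl_context_adaptor.py, `SSLContextAdapter` overrides only `init_poolmanager`, so a request routed through a configured proxy would not pick up the truststore context; requests builds proxied connections in `proxy_manager_for`, which takes its own keyword arguments. A TLS-inspecting corporate proxy is a likely reason to want system certificates, so I would add `def proxy_manager_for(self, *args, **kwargs):` with `kwargs['ssl_context'] = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` and `return super().proxy_manager_for(*args, **kwargs)`. The class also has no docstring: it should state that server certificates on this path are now validated against the operating system trust store, and how that is expected to interact with a custom CA bundle or with the CLI's switch for disabling verification, neither of which this patch exercises.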
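Review bot: The function-scope import added to `send_raw_request` in util.py makes truststore a hard runtime dependency of azure-cli-core, yet the diffstat shows it pinned only in the three azure-cli requirements files, with no packaging metadata for azure-cli-core touched. An install that resolves dependencies from package metadata would presumably fail with ImportError on the first call into this function. truststore also documents Python 3.10 as its minimum version, so confirm that this matches every interpreter the CLI supports, or guard the import and fall back to the default adapter. The body of `send_raw_request` starts and ends outside this hunk.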
@@ -1027,6 +1028,7 @@ def send_raw_request(cli_ctx, method, url, headers=None, uri_parameters=None, #
 # https://requests.readthedocs.io/en/latest/user/advanced/#prepared-requests
 s = Session()
+ s.mount(url, SSLContextAdapter())
 req = Request(method=method, url=url, headers=headers, params=uri_parameters, data=body)
 prepped = s.prepare_request(req)
diff --git a/src/azure-cli/requirements.py3.Darwin.txt b/src/azure-cli/requirements.py3.Darwin.txt
index fc5f5aaeb04..79dc0e2f208 100644
--- a/src/azure-cli/requirements.py3.Darwin.txt
+++ b/src/azure-cli/requirements.py3.Darwin.txt
@@ -127,6 +127,7 @@ semver==2.13.0
 six==1.16.0
 sshtunnel==0.1.5
 tabulate==0.8.9
+truststore==0.10.0
 urllib3==1.26.19
 wcwidth==0.1.7
 websocket-client==1.3.1
diff --git a/src/azure-cli/requirements.py3.Linux.txt b/src/azure-cli/requirements.py3.Linux.txt
index 8c5b5091283..72f612f3b78 100644
--- a/src/azure-cli/requirements.py3.Linux.txt
+++ b/src/azure-cli/requirements.py3.Linux.txt
@@ -128,6 +128,7 @@ semver==2.13.0
 six==1.16.0
 sshtunnel==0.1.5
 tabulate==0.8.9
+truststore==0.10.0
 urllib3==1.26.19
 wcwidth==0.1.7
 websocket-client==1.3.1
diff --git a/src/azure-cli/requirements.py3.windows.txt b/src/azure-cli/requirements.py3.windows.txt
index 2f00fa0faa4..1ee37e803e7 100644
--- a/src/azure-cli/requirements.py3.windows.txt
+++ b/src/azure-cli/requirements.py3.windows.txt
@@ -129,6 +129,7 @@ semver==2.13.0
 six==1.16.0
 sshtunnel==0.1.5
 tabulate==0.8.9
+truststore==0.10.0
 urllib3==1.26.19
 wcwidth==0.1.7
 websocket-client==1.3.1
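Review bot: In the second util.py hunk, `s.mount(url, SSLContextAdapter())` registers the adapter under the full request URL as its prefix, so requests selects it only when the prepared URL starts with that exact string. A redirect to another host or path, or a URL that requests re-quotes while preparing it, would fall back to the session's default adapter and its default CA bundle, which makes certificate validation depend on the URL's shape. Mounting on the scheme is more predictable: `s.mount('https://', SSLContextAdapter())`. `send_raw_request` continues outside the hunk, so whether redirects are followed on this session is not visible here.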