cli, session: Add cache-trusted-hosts option

Allows users to cache results even from unsafe yet trusted hosts Resolves pypa#7847
NoahGorny · Mar 23, 2020 · ae4d7ca · ae4d7ca
1 parent 399d403
commit ae4d7ca
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 5 deletions.
diff --git a/src/pip/_internal/cli/cmdoptions.py b/src/pip/_internal/cli/cmdoptions.py
@@ -675,6 +675,14 @@ def _handle_no_cache_dir(option, opt, value, parser):
     # some (valid) form.
     parser.values.cache_dir = False
 
+cache_trusted_hosts = partial(
+    Option,
+    '--cache-trusted-hosts',
+    dest='cache_trusted_hosts',
+    action='store_true',
+    default=False,
+    help="Cache results from trusted-hosts.",
+)  # type: Callable[..., Option]
 
 no_cache = partial(
     Option,
@@ -952,6 +960,7 @@ def check_list_path_option(options):
         cert,
         client_cert,
         cache_dir,
+        cache_trusted_hosts,
         no_cache,
         disable_pip_version_check,
         no_color,

diff --git a/src/pip/_internal/cli/req_command.py b/src/pip/_internal/cli/req_command.py
@@ -96,6 +96,7 @@ def _build_session(self, options, retries=None, timeout=None):
                 if options.cache_dir else None
             ),
             retries=retries if retries is not None else options.retries,
+            cache_trusted_hosts=option.cache_trusted_hosts,
             trusted_hosts=options.trusted_hosts,
             index_urls=self._get_index_urls(options),
         )

diff --git a/src/pip/_internal/network/session.py b/src/pip/_internal/network/session.py
@@ -235,6 +235,7 @@ def __init__(self, *args, **kwargs):
         retries = kwargs.pop("retries", 0)
         cache = kwargs.pop("cache", None)
         trusted_hosts = kwargs.pop("trusted_hosts", [])  # type: List[str]
+        cache_trusted_hosts = kwargs.pop("cache_trusted_hosts", False)
         index_urls = kwargs.pop("index_urls", None)
 
         super(PipSession, self).__init__(*args, **kwargs)
@@ -278,16 +279,25 @@ def __init__(self, *args, **kwargs):
                 cache=SafeFileCache(cache),
                 max_retries=retries,
             )
+            if cache_trusted_hosts:
+                # If the user wants to cache trusted-hosts anyway, we let him do so
+                # This adapter disables HTTPS validation, as well as caching the response
+                self._trusted_host_adapter = InsecureCacheControlAdapter(
+                    cache=SafeFileCache(cache),
+                    max_retries=retries,
+                )
         else:
             secure_adapter = HTTPAdapter(max_retries=retries)
 
         # Our Insecure HTTPAdapter disables HTTPS validation. It does not
-        # support caching (see above) so we'll use it for all http:// URLs as
-        # well as any https:// host that we've marked as ignoring TLS errors
-        # for.
+        # support caching (see above) so we'll use it for all http:// URLs.
+        # If cache-trusted-host was not specified, we will also use it for
+        # https:// hosts that we've marked as ignoring TLS errors for (trusted-hosts).
         insecure_adapter = InsecureHTTPAdapter(max_retries=retries)
-        # Save this for later use in add_trusted_host().
-        self._trusted_host_adapter = insecure_adapter
+
+        if not hasattr(self, "_trusted_host_adapter"):
+            # User chosen to not cache trusted hosts or cache is disabled
+            self._trusted_host_adapter = insecure_adapter
 
         self.mount("https://", secure_adapter)
         self.mount("http://", insecure_adapter)