Remove driver config option trust (#1177)

Remove deprecated driver configuration option `trust`. 
Use `trusted_certificates` instead.

Remove the associated constants `neo4j.TRUST_ALL_CERTIFICATES` and 
`neo4j.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES`.

Author: robsdedude

CHANGELOG.md

@@ -56,6 +56,9 @@ See also https://github.com/neo4j/neo4j-python-driver/wiki for a full changelog.
   If you were calling it directly, please use `Record.__getitem__(slice(...))` or simply `record[...]` instead.
 - Remove deprecated class `neo4j.Bookmark` in favor of `neo4j.Bookmarks`.
 - Remove deprecated class `session.last_bookmark()` in favor of `last_bookmarks()`.
+- Remove deprecated driver configuration option `trust`.  
+  Use `trusted_certificates` instead.
+  - Remove the associated constants `neo4j.TRUST_ALL_CERTIFICATES` and `neo4j.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES`.
 - Make undocumented classes `ResolvedAddress`, `ResolvedIPv4Address`, and `ResolvedIPv6Address` private.
 - Rework `PreviewWarning`.
   - Remove `ExperimentalWarning` and turn the few left instances of it into `PreviewWarning`.

docs/source/api.rst

@@ -401,7 +401,6 @@ Additional configuration can be provided via the :class:`neo4j.Driver` construct
 + :ref:`max-connection-pool-size-ref`
 + :ref:`max-transaction-retry-time-ref`
 + :ref:`resolver-ref`
-+ :ref:`trust-ref`
 + :ref:`ssl-context-ref`
 + :ref:`trusted-certificates-ref`
 + :ref:`client-certificate-ref`
@@ -568,39 +567,6 @@ For example:
 :Default: :data:`None`
 
 
-.. _trust-ref:
-
-``trust``
----------
-Specify how to determine the authenticity of encryption certificates provided by the Neo4j instance on connection.
-
-This setting is only available for URI schemes ``bolt://`` and ``neo4j://`` (:ref:`uri-ref`).
-
-This setting does not have any effect if ``encrypted`` is set to ``False`` or a
-custom ``ssl_context`` is configured.
-
-:Type: ``neo4j.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES``, ``neo4j.TRUST_ALL_CERTIFICATES``
-
-.. py:attribute:: neo4j.TRUST_ALL_CERTIFICATES
-
-   Trust any server certificate (default). This ensures that communication
-   is encrypted but does not verify the server certificate against a
-   certificate authority. This option is primarily intended for use with
-   the default auto-generated server certificate.
-
-.. py:attribute:: neo4j.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES
-
-   Trust server certificates that can be verified against the system
-   certificate authority. This option is primarily intended for use with
-   full certificates.
-
-:Default: ``neo4j.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES``.
-
-.. deprecated:: 5.0
-    This configuration option is deprecated and will be removed in a future
-    release. Please use :ref:`trusted-certificates-ref` instead.
-
-
 .. _ssl-context-ref:
 
 ``ssl_context``

src/neo4j/__init__.py

@@ -103,8 +103,6 @@
     READ_ACCESS,
     ServerInfo,
     SYSTEM_DATABASE,
-    TRUST_ALL_CERTIFICATES,
-    TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
     WRITE_ACCESS,
 )
 
@@ -113,8 +111,6 @@
     "DEFAULT_DATABASE",
     "READ_ACCESS",
     "SYSTEM_DATABASE",
-    "TRUST_ALL_CERTIFICATES",
-    "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES",
     "WRITE_ACCESS",
     "Address",
     "AsyncBoltDriver",

src/neo4j/_async/config.py

@@ -20,9 +20,7 @@
 
 from .._async_compat.concurrency import AsyncLock
 from .._conf import (
-    _trust_to_trusted_certificates,
     Config,
-    DeprecatedAlternative,
     TrustAll,
     TrustCustomCAs,
     TrustSystemCAs,
@@ -57,13 +55,6 @@ class AsyncPoolConfig(Config):
     # The maximum amount of time to wait for a TCP connection to be
     # established.
 
-    #: Trust
-    trust = DeprecatedAlternative(
-        "trusted_certificates", _trust_to_trusted_certificates
-    )
-    # Specify how to determine the authenticity of encryption certificates
-    # provided by the Neo4j instance on connection.
-
     #: Custom Resolver
     resolver = None
     # Custom resolver function, returning list of resolved addresses.

src/neo4j/_async/driver.py

@@ -68,8 +68,6 @@
     parse_routing_context,
     READ_ACCESS,
     ServerInfo,
-    TRUST_ALL_CERTIFICATES,
-    TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
     URI_SCHEME_BOLT,
     URI_SCHEME_BOLT_SECURE,
     URI_SCHEME_BOLT_SELF_SIGNED_CERTIFICATE,
@@ -134,10 +132,6 @@ def driver(
             liveness_check_timeout: float | None = ...,
             max_connection_pool_size: int = ...,
             connection_timeout: float = ...,
-            trust: (
-                te.Literal["TRUST_ALL_CERTIFICATES"]
-                | te.Literal["TRUST_SYSTEM_CA_SIGNED_CERTIFICATES"]
-            ) = ...,
             resolver: (
                 t.Callable[[Address], t.Iterable[Address]]
                 | t.Callable[[Address], t.Awaitable[t.Iterable[Address]]]
@@ -213,20 +207,6 @@ def driver(
                     _AsyncStaticClientCertificateProvider(client_certificate)
                 )
 
-            # TODO: 6.0 - remove "trust" config option
-            if "trust" in config and config["trust"] not in {
-                TRUST_ALL_CERTIFICATES,
-                TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
-            }:
-                raise ConfigurationError(
-                    "The config setting `trust` values are {!r}".format(
-                        [
-                            TRUST_ALL_CERTIFICATES,
-                            TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
-                        ]
-                    )
-                )
-
             if "trusted_certificates" in config and not isinstance(
                 config["trusted_certificates"], TrustStore
             ):
@@ -243,16 +223,14 @@ def driver(
                 SECURITY_TYPE_SECURE,
             } and (
                 "encrypted" in config
-                or "trust" in config
                 or "trusted_certificates" in config
                 or "ssl_context" in config
             ):
-                # TODO: 6.0 - remove "trust" from error message
                 raise ConfigurationError(
-                    'The config settings "encrypted", "trust", '
-                    '"trusted_certificates", and "ssl_context" can only be '
-                    "used with the URI schemes {!r}. Use the other URI "
-                    "schemes {!r} for setting encryption settings.".format(
+                    'The config settings "encrypted", "trusted_certificates", '
+                    'and "ssl_context" can only be used with the URI schemes '
+                    "{!r}. Use the other URI schemes {!r} for setting "
+                    "encryption settings.".format(
                         [
                             URI_SCHEME_BOLT,
                             URI_SCHEME_NEO4J,

src/neo4j/_conf.py

@@ -25,8 +25,6 @@
 )
 from .api import (
     DEFAULT_DATABASE,
-    TRUST_ALL_CERTIFICATES,
-    TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
     WRITE_ACCESS,
 )
 from .exceptions import ConfigurationError
@@ -344,13 +342,6 @@ def __iter__(self):
         return iter(self.keys())
 
 
-def _trust_to_trusted_certificates(pool_config, trust):
-    if trust == TRUST_SYSTEM_CA_SIGNED_CERTIFICATES:
-        pool_config.trusted_certificates = TrustSystemCAs()
-    elif trust == TRUST_ALL_CERTIFICATES:
-        pool_config.trusted_certificates = TrustAll()
-
-
 class WorkspaceConfig(Config):
     """WorkSpace configuration."""
 

src/neo4j/_sync/config.py

@@ -47,8 +47,6 @@
     "DEFAULT_DATABASE",
     "READ_ACCESS",
     "SYSTEM_DATABASE",
-    "TRUST_ALL_CERTIFICATES",
-    "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES",
     "URI_SCHEME_BOLT",
     "URI_SCHEME_BOLT_ROUTING",
     "URI_SCHEME_BOLT_SECURE",
@@ -86,12 +84,6 @@
 
 URI_SCHEME_BOLT_ROUTING: te.Final[str] = "bolt+routing"
 
-# TODO: 6.0 - remove TRUST constants
-TRUST_SYSTEM_CA_SIGNED_CERTIFICATES: te.Final[str] = (
-    "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES"  # Default
-)
-TRUST_ALL_CERTIFICATES: te.Final[str] = "TRUST_ALL_CERTIFICATES"
-
 SYSTEM_DATABASE: te.Final[str] = "system"
 DEFAULT_DATABASE: te.Final[None] = None  # Must be a non string hashable value
 

src/neo4j/_sync/driver.py

@@ -28,10 +28,6 @@
     Config,
     SessionConfig,
 )
-from neo4j.api import (
-    TRUST_ALL_CERTIFICATES,
-    TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
-)
 from neo4j.auth_management import (
     AsyncClientCertificateProviders,
     ClientCertificate,
@@ -146,52 +142,6 @@ def test_pool_config_consume_and_then_consume_again():
     assert consumed_pool_config.encrypted == "test"
 
 
-@pytest.mark.parametrize(
-    ("value_trust", "expected_trusted_certificates_cls"),
-    (
-        (TRUST_ALL_CERTIFICATES, TrustAll),
-        (TRUST_SYSTEM_CA_SIGNED_CERTIFICATES, TrustSystemCAs),
-    ),
-)
-def test_pool_config_deprecated_trust_config(
-    value_trust, expected_trusted_certificates_cls
-):
-    with pytest.warns(DeprecationWarning, match="trust.*trusted_certificates"):
-        consumed_pool_config = AsyncPoolConfig.consume({"trust": value_trust})
-    assert isinstance(
-        consumed_pool_config.trusted_certificates,
-        expected_trusted_certificates_cls,
-    )
-    assert not hasattr(consumed_pool_config, "trust")
-
-
-@pytest.mark.parametrize(
-    "value_trust",
-    (TRUST_ALL_CERTIFICATES, TRUST_SYSTEM_CA_SIGNED_CERTIFICATES),
-)
-@pytest.mark.parametrize(
-    "trusted_certificates",
-    (
-        TrustSystemCAs(),
-        TrustAll(),
-        TrustCustomCAs("foo"),
-        TrustCustomCAs("foo", "bar"),
-    ),
-)
-def test_pool_config_deprecated_and_new_trust_config(
-    value_trust, trusted_certificates
-):
-    with pytest.raises(
-        ConfigurationError, match="trusted_certificates.*trust"
-    ):
-        AsyncPoolConfig.consume(
-            {
-                "trust": value_trust,
-                "trusted_certificates": trusted_certificates,
-            }
-        )
-
-
 def test_config_consume_chain():
     test_config = {}