13547: Avoid leaking insecure flag between different configs.

Even if the default configuration file/environment indicates a local
cluster that doesn't need verification, a program like arv-copy can
also connect to a remote cluster using a settings/config file that has
verification enabled. In this case, TLS verification should be
enabled.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg@veritasgenetics.com>

diff --git a/sdk/python/arvados/keep.py b/sdk/python/arvados/keep.py
index dab4d271a3d8d131569b3c6e0028d3ec80bb79af..71e101cf4c5073d40e78f73c0bf46a9ff231f937 100644 (file)
--- a/sdk/python/arvados/keep.py
+++ b/sdk/python/arvados/keep.py
@@ -768,14 +768,10 @@ class KeepClient(object):
         if local_store is None:
             local_store = os.environ.get('KEEP_LOCAL_STORE')
 
-        if config.flag_is_true('ARVADOS_API_HOST_INSECURE'):
-            self.insecure = True
+        if api_client is None:
+            self.insecure = config.flag_is_true('ARVADOS_API_HOST_INSECURE')
         else:
-            self.insecure = False
-
-        if api_client is not None:
-            if not self.insecure and api_client.insecure:
-                self.insecure = True
+            self.insecure = api_client.insecure
 
         self.block_cache = block_cache if block_cache else KeepBlockCache()
         self.timeout = timeout

diff --git a/sdk/python/tests/test_keep_client.py b/sdk/python/tests/test_keep_client.py
index 872c93bae25b5480de1cbf91400f716543415700..7c9ff735a5eeadc5624aec92f733985afb97eef9 100644 (file)
--- a/sdk/python/tests/test_keep_client.py
+++ b/sdk/python/tests/test_keep_client.py
@@ -1257,6 +1257,8 @@ class KeepClientAPIErrorTest(unittest.TestCase):
             def __getattr__(self, r):
                 if r == "api_token":
                     return "abc"
+                elif r == "insecure":
+                    return False
                 else:
                     raise arvados.errors.KeepReadError()
         keep_client = arvados.KeepClient(api_client=ApiMock(),