From 76a2c8a1eb1771b5255e8582b7e9823d072e8ef4 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Fri, 29 Jun 2018 15:40:22 -0400
Subject: [PATCH] 13547: Avoid leaking insecure flag between different configs.
Even if the default configuration file/environment indicates a local cluster that doesn't need verification, a program like arv-copy can also connect to a remote cluster using a settings/config file that has verification enabled. In this case, TLS verification should be enabled.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 sdk/python/arvados/keep.py | 10 +++-------
 sdk/python/tests/test_keep_client.py | 2 ++
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/sdk/python/arvados/keep.py b/sdk/python/arvados/keep.py
index dab4d271a3..71e101cf4c 100644
--- a/sdk/python/arvados/keep.py
+++ b/sdk/python/arvados/keep.py
@@ -768,14 +768,10 @@ class KeepClient(object):
 if local_store is None:
 local_store = os.environ.get('KEEP_LOCAL_STORE')
- if config.flag_is_true('ARVADOS_API_HOST_INSECURE'):
- self.insecure = True
+ if api_client is None:
+ self.insecure = config.flag_is_true('ARVADOS_API_HOST_INSECURE')
 else:
- self.insecure = False
-
- if api_client is not None:
- if not self.insecure and api_client.insecure:
- self.insecure = True
+ self.insecure = api_client.insecure
 self.block_cache = block_cache if block_cache else KeepBlockCache()
 self.timeout = timeout
diff --git a/sdk/python/tests/test_keep_client.py b/sdk/python/tests/test_keep_client.py
index 872c93bae2..7c9ff735a5 100644
--- a/sdk/python/tests/test_keep_client.py
+++ b/sdk/python/tests/test_keep_client.py
@@ -1257,6 +1257,8 @@ class KeepClientAPIErrorTest(unittest.TestCase):
 def __getattr__(self, r):
 if r == "api_token":
 return "abc"
+ elif r == "insecure":
+ return False
 else:
 raise arvados.errors.KeepReadError()
 keep_client = arvados.KeepClient(api_client=ApiMock(),
--
2.30.2
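Review bot: The new `else` branch in keep.py makes `api_client.insecure` the only source of the TLS-verification setting, but nothing at that line says the process-wide `ARVADOS_API_HOST_INSECURE` flag is skipped on purpose, and the removed code shows how easily the two get OR-ed together again. I would add a comment above `if api_client is None:`, for example `# An api_client carries the TLS setting of the cluster it was built for; the environment flag applies only when no client is given.` The value is also stored as-is, so every object passed as `api_client` must expose an `insecure` attribute; if that is not guaranteed for all callers, `bool(getattr(api_client, 'insecure', False))` would keep verification on by default. The enclosing method starts and ends outside the hunk.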
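Review bot: The two lines added to `ApiMock.__getattr__` only let the existing test get past the new `api_client.insecure` read; no test in this patch checks the behaviour the commit is about. A regression test would build a `KeepClient` with an `api_client` whose `insecure` is `False` while the default configuration has `ARVADOS_API_HOST_INSECURE` set to true, and assert that the resulting client's `insecure` is `False`, plus the mirror case with no `api_client`. Without such a test, a later edit that brings back the environment-flag fallback when a client is supplied could go unnoticed and leave certificate verification off for a remote cluster. The test method around the mock starts and ends outside the hunk.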