From 14bf8bbbd571b7ae78f6cd396f2bad0de0d51fa5 Mon Sep 17 00:00:00 2001 From: William Artero Date: Fri, 25 Mar 2022 12:43:40 +0100 Subject: [PATCH] [Bicep] fix: Use requests environment variables for CA bundle Azure CLI relies on the requests python package, which allows users to set custom CA bundle paths through two environment variables: CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE. This is useful for cases where the host is behind a MITM proxy that re-signs all SSL traffic for DPI, or due to a corporate policy that defines which CA roots are to be trusted. Enforcing a hard-coded bundle, like the one provided by the certifi package, only forces users under similar use cases to modify the Python site packages files, which is meant to be controlled only by the package manager and thus it is not a good practice to configure the tool.
---
 .../azure/cli/command_modules/resource/_bicep.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/azure-cli/azure/cli/command_modules/resource/_bicep.py b/src/azure-cli/azure/cli/command_modules/resource/_bicep.py
index ca6872f8eb7..55c139b8b56 100644
--- a/src/azure-cli/azure/cli/command_modules/resource/_bicep.py
+++ b/src/azure-cli/azure/cli/command_modules/resource/_bicep.py
@@ -109,8 +109,8 @@ def ensure_bicep_installation(release_tag=None, target_platform=None, stdout=Tru
 print(f"Installing Bicep CLI {release_tag}...")
 else:
 print("Installing Bicep CLI...")
- ca_file = certifi.where()
- request = urlopen(_get_bicep_download_url(system, release_tag, target_platform=target_platform), cafile=ca_file)
+ os.environ.setdefault("CURL_CA_BUNDLE", certifi.where())
+ request = urlopen(_get_bicep_download_url(system, release_tag, target_platform=target_platform))
 with open(installation_path, "wb") as f:
 f.write(request.read()) 
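Review bot: The new `urlopen(...)` call no longer passes a CA bundle, and if `urlopen` here is `urllib.request.urlopen` (the import is outside the hunk) it does not read `CURL_CA_BUNDLE` or `REQUESTS_CA_BUNDLE`; only `requests` does. The request whose body is written to `installation_path` would then be verified against the interpreter's default OpenSSL trust store rather than the user's bundle or certifi, which can fail on Python builds without a usable system store and leaves the commit's stated goal unmet for this download. Resolve the path explicitly and keep passing it: `ca_file = os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("CURL_CA_BUNDLE") or certifi.where()` followed by `request = urlopen(_get_bicep_download_url(system, release_tag, target_platform=target_platform), cafile=ca_file)`. `ensure_bicep_installation` starts before and continues after the hunk.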
@@ -143,8 +143,8 @@ def is_bicep_file(file_path):
 def get_bicep_available_release_tags():
 try:
- ca_file = certifi.where()
- response = requests.get("https://aka.ms/BicepReleases", verify=ca_file)
+ os.environ.setdefault("CURL_CA_BUNDLE", certifi.where())
+ response = requests.get("https://aka.ms/BicepReleases")
 return [release["tag_name"] for release in response.json()]
 except IOError as err:
 raise ClientRequestError(f"Error while attempting to retrieve available Bicep versions: {err}.")
@@ -152,8 +152,8 @@ def get_bicep_available_release_tags():
 def get_bicep_latest_release_tag():
 try:
- ca_file = certifi.where()
- response = requests.get("https://aka.ms/BicepLatestRelease", verify=ca_file)
+ os.environ.setdefault("CURL_CA_BUNDLE", certifi.where())
+ response = requests.get("https://aka.ms/BicepLatestRelease")
 response.raise_for_status()
 return response.json()["tag_name"]
 except IOError as err:
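Review bot: `os.environ.setdefault("CURL_CA_BUNDLE", certifi.where())` in `get_bicep_available_release_tags` mutates the environment of the whole process as a side effect of a read-only lookup, and the same line is repeated in `get_bicep_latest_release_tag` and `ensure_bicep_installation`. After the first call, every later `requests` call in this process, and any child process that inherits the environment, sees the certifi path as if the user had configured it. The line also looks unnecessary: with `verify` left at its default, `requests` already reads `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` and otherwise falls back to its certifi bundle, so it can be dropped and `response = requests.get("https://aka.ms/BicepReleases")` kept as is.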