[Python][Client] Default to system CA instead of certifi

[rparini]

Resolves #6506

Gets the Python client to use the system Certificate Authority bundle by default for verifying ssl connections (like the Python standard library does, as described in PEP 476) instead of relying on the external certifi python package for the default. See #6506 for the reasons for this change.

For the urllib3 python client this is achieved by passing configuration.ssl_ca_cert directly to urllib3.PoolManager or urllib3.ProxyManager’s ca_certs argument. Then ca_certs be None by default and in this case urllib3 (from version 1.25.3) will load the system CA certificates, as described here.

I have done the same with the asyncio python client since the ssl.create_default_context will also use the system’s default CA certificates if cafile, capath and cadata are all None, as documented here.

I have additionally:

• Removed certifi as a dependency
• Required urllib3 >= 1.25.3

These changes would be breaking for anyone relying on the certifi certificates, although I imagine most people’s system default CA certificates are adequate and in this case the change would not be noticed. Any user still wanting to use the certifi certificates could continue to do so by setting configuration.ssl_ca_cert=certifi.where().

PR checklist

• Read the contribution guidelines.
• Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
• If contributing template-only or documentation-only changes which will change sample output, build the project beforehand.
• Run the shell script ./bin/generate-samples.shto update all Petstore samples related to your fix. This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master. These must match the expectations made by your contribution. You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*. For Windows users, please run the script in Git BASH.
• File the PR against the correct branch: master
• Copy the technical committee to review the pull request if your PR is targeting a particular programming language.

@taxpon @frol @mbohlool @cbornet @kenjones-cisco @tomplus @Jyhess @arun-nalla @spacether

[spacether]

@rparini this looks good. Fundamentally this code is swapping the ssl cert source from certifi to to urllib3.
I am a little concerned about the certifi breaking use case. How about adding a ssl_ca_cert input argument to Configuration.__init__ here to support their use case?

[rparini]

Yes I think that makes sense to better document the ssl_ca_cert config option. I have done this in the latest commit.

I have not touched the python-legacy client. Would it be appropriate to make these changes there?

I also notice that running ./bin/generate-samples.sh has not updated the python-asyncio petstore sample (https://github.com/rparini/openapi-generator/tree/python-default-ca/samples/client/petstore/python-asyncio) even though I have changed src/main/resources/python/asyncio/rest.mustache. Do I need to do something else to get it to apply these changes?

[spacether]

Thank you for adding that update. asyncio is still built from python-legacy. If you want to build this into python-legacy that's fine too. I have no preference either way. What do you prefer?

[rparini]

Sure, I will add to python-legacy. It looks like the changes should be the same.

[rparini]

I have added the same changes to python-legacy

Not sure if the CircleCI error is related to my changes. The error seems to be related to an unavailable dependency:

Dec 10, 2020 11:05:45 PM org.apache.maven.wagon.providers.http.httpclient.impl.execchain.RetryExec execute
INFO: Retrying request to {s}->https://repo.maven.apache.org:443
[ERROR] Plugin org.apache.maven.plugins:maven-javadoc-plugin:3.1.1 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-javadoc-plugin:jar:3.1.1: Could not transfer artifact org.apache.maven.plugins:maven-javadoc-plugin:pom:3.1.1 from/to central (https://repo.maven.apache.org/maven2): Connection reset -> [Help 1]

[spacether]

Thank you for you PR and adding the new __init__ argument! This looks great!