fix for python3-requests 2.32.2

[eaglegai]

Fix for requests 2.32.2+:
Add get_connection_with_tls_context() for requests 2.32.2 as suggests: psf/requests#6710

[a-dubs]

Thank you for this contribution! Would you mind adding your GitHub username to the tools/.github-cla-signers file and committing that change to this PR?

Additionally, you need to sign the Canonical contributor licence agreement. This grants us your permission to use your contributions in the project.

Thanks in advance!

[a-dubs]

Oh also, would you mind editing your PR description so that it matches the desired pull request template as such:

Proposed Commit Message

fix: Add get_connection_with_tls_context() for requests 2.32.2+

get_connection() is deprecated in requests 2.32.2+ so this will
allow for the LXDSocketAdapter to avoid using a deprecated api.

Fixes GH-5434

Additional Context

Fixes: #5434

Test Steps

Checklist

• My code follows the process laid out in the documentation
• I have updated or added any unit tests accordingly
• I have updated or added any documentation accordingly

Merge type

• Squash merge using "Proposed Commit Message"
• Rebase and merge unique commits. Requires commit messages per-commit each referencing the pull request number (#<PR_NUM>)

[eaglegai]

Thank you for this contribution! Would you mind adding your GitHub username to the tools/.github-cla-signers file and committing that change to this PR?

Additionally, you need to sign the Canonical contributor licence agreement. This grants us your permission to use your contributions in the project.

Thanks in advance!

I'm trying.

[eaglegai]

@a-dubs hello, I have finished the CLA, and changed the commit message.

[blackboxsw]

@eaglegai @a-dubs I just saw the "Check ruff" job failed because we didn't run tox -e do_format on this branch to sort line-length automatically. I just performed that step locally, squash merged into the original commit and git --force pushed the branch to sort the formatting complaint. Thanks again! When we see the CLA signing show up on our internal docs I think we are probably good here.

[a-dubs]

Thank you @blackboxsw !

[holmanb]

Thanks for proposing this @eaglegai!

To quote the description in psf/requests#6710, the proposed solution (which matches the example code) should be backwards compatible between versions of Requests.

Addressing the CVE in requests and its impact on cloud-init:

From the description of CVE-2024-34195:

When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool.

The proposes remediations are:

Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.

• Upgrade to requests>=2.32.0.
• For requests<2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.
• For requests<2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

In cloud-init, this code is used only to communicate over a local unix socket to a trusted service, the LXD IMDS. It does not use verify=False for any requests.

While requiring a dependency on 2.32.0 is ultimately a downstream choice to make, from an upstream perspective we already have a recommended remediation in place.

[holmanb]

I've requested Canonical's security team take a look at this, but I feel comfortable with merging this since cloud-init already remediates the issue and the change in this PR is simply implementing the recommended way to work with the api changes in 2.32.2 and greater that resulted from this CVE.

[mdeslaur]

ACK from the Security Team, change looks reasonable, and is backwards compatible.