From 3a4a8bef19d2bd35447fa2508fb6f025024b9625 Mon Sep 17 00:00:00 2001
From: "sahil.wikhe"
Date: Wed, 3 Jun 2026 15:42:16 -0700
Subject: [PATCH] security: Add verify=False runtime warning and flip examples to trust-bundle default
VC-53768
---
 examples/get_cert.py | 9 +++++----
 examples/ssh_certificates/get_cert_ssh.py | 12 +++++++-----
 examples/ssh_certificates/get_cert_ssh_service.py | 12 +++++++-----
 examples/tpp/get_cert_tpp_token.py | 12 +++++++-----
 vcert/connection_cloud.py | 6 ++++++
 vcert/connection_tpp.py | 6 ++++++
 vcert/connection_tpp_token.py | 6 ++++++
 7 files changed, 44 insertions(+), 19 deletions(-)
diff --git a/examples/get_cert.py b/examples/get_cert.py
index 883ab28..c4ffc00 100644
--- a/examples/get_cert.py
+++ b/examples/get_cert.py
@@ -42,12 +42,13 @@ def main():
 # Connection will be chosen automatically based on which arguments are passed.
 # If token is passed CyberArk Certificate Manager, SaaS connection will be used.
 # If user, password, and URL CyberArk Certificate Manager, Self-Hosted will be used.
+ # If your CyberArk Certificate Manager, Self-Hosted server certificate is signed with your own CA,
+ # or available only via proxy, specify the CA trust bundle path:
 conn = Connection(url=url, token=token, user=user, password=password,
- http_request_kwargs={'verify': False})
- # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy, you can specify
- # a trust bundle using requests vars:
+ http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # Lab/testing only — DO NOT use in production:
 # conn = Connection(url=url, token=token, user=user, password=password,
- # http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # http_request_kwargs={'verify': False})
 request = CertificateRequest(common_name=f"{randomword(10)}.venafi.example.com")
 request.san_dns = ["www.client.venafi.example.com", "ww1.client.venafi.example.com"]
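Review bot: The live `Connection(...)` call in get_cert.py now passes the placeholder `"/path-to/bundle.pem"` as `verify`, so the example fails as shipped — requests rejects a `verify` path that does not exist before any request is sent — and the same applies to the new live calls in get_cert_ssh.py, get_cert_ssh_service.py and get_cert_tpp_token.py. A default that both runs and stays secure is requests' own: omit `verify` or pass `http_request_kwargs={"verify": True})` (system/certifi trust store), and keep the custom-CA form as the commented alternative, `# http_request_kwargs={"verify": "/path-to/bundle.pem"})  # private CA or proxy`. If the bundle path is kept live, the comment above it should say the placeholder must be replaced, since as written it reads like a real path. main() continues outside the hunk.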
diff --git a/examples/ssh_certificates/get_cert_ssh.py b/examples/ssh_certificates/get_cert_ssh.py
index f9840c5..4d19129 100644
--- a/examples/ssh_certificates/get_cert_ssh.py
+++ b/examples/ssh_certificates/get_cert_ssh.py
@@ -31,11 +31,13 @@ def main():
 user = environ.get('TPP_USER')
 password = environ.get('TPP_PASSWORD')
- connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
- # If your CyberArk Certificate Manager, Self-Hosted server certificate is signed with your own CA, or available only via proxy,
- # you can specify a trust bundle using requests vars:
- # connector = venafi_connection(url=url, api_key=api_key, access_token=access_token,
- # http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # If your CyberArk Certificate Manager, Self-Hosted server certificate is signed with your own CA,
+ # or available only via proxy, specify the CA trust bundle path:
+ connector = venafi_connection(url=url, user=user, password=password,
+ http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # Lab/testing only — DO NOT use in production:
+ # connector = venafi_connection(url=url, user=user, password=password,
+ # http_request_kwargs={'verify': False})
 # Create an Authentication object to request a token with the proper scope to manage SSH certificates
 auth = Authentication(user=user, password=password, scope=SCOPE_SSH)
diff --git a/examples/ssh_certificates/get_cert_ssh_service.py b/examples/ssh_certificates/get_cert_ssh_service.py
index 178afd0..3bffec4 100644
--- a/examples/ssh_certificates/get_cert_ssh_service.py
+++ b/examples/ssh_certificates/get_cert_ssh_service.py
@@ -31,11 +31,13 @@ def main():
 user = environ.get('TPP_USER')
 password = environ.get('TPP_PASSWORD')
- connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
- # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy,
- # you can specify a trust bundle using requests vars:
- # connector = venafi_connection(url=url, api_key=api_key, access_token=access_token,
- # http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # If your CyberArk Certificate Manager, Self-Hosted server certificate is signed with your own CA,
+ # or available only via proxy, specify the CA trust bundle path:
+ connector = venafi_connection(url=url, user=user, password=password,
+ http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # Lab/testing only — DO NOT use in production:
+ # connector = venafi_connection(url=url, user=user, password=password,
+ # http_request_kwargs={'verify': False})
 # Create an Authentication object to request a token with the proper scope to manage SSH certificates
 auth = Authentication(user=user, password=password, scope=SCOPE_SSH)
diff --git a/examples/tpp/get_cert_tpp_token.py b/examples/tpp/get_cert_tpp_token.py
index 775eb37..e178dc9 100644
--- a/examples/tpp/get_cert_tpp_token.py
+++ b/examples/tpp/get_cert_tpp_token.py
@@ -41,11 +41,13 @@ def main():
 # If user and password are passed, you can get a new token from them.
 # If access_token and refresh_token are passed, there is no need for the username and password.
 # If only access_token is passed, the Connection will fail when token expires, as there is no way to refresh it.
- conn = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
- # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy, you can specify
- # a trust bundle using requests vars:
- # conn = token_connection(url=url, user=user, password=password,
- # http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # If your CyberArk Certificate Manager, Self-Hosted server certificate is signed with your own CA,
+ # or available only via proxy, specify the CA trust bundle path:
+ conn = venafi_connection(url=url, user=user, password=password,
+ http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # Lab/testing only — DO NOT use in production:
+ # conn = venafi_connection(url=url, user=user, password=password,
+ # http_request_kwargs={'verify': False})
 request = CertificateRequest(common_name=f"{random_word(10)}.venafi.example.com")
 request.san_dns = ["www.client.venafi.example.com", "ww1.client.venafi.example.com"]
diff --git a/vcert/connection_cloud.py b/vcert/connection_cloud.py
index 6dc9267..8aed054 100644
--- a/vcert/connection_cloud.py
+++ b/vcert/connection_cloud.py
@@ -153,6 +153,12 @@ def __init__(self, token, url=None, http_request_kwargs=None):
 http_request_kwargs = {'timeout': 180}
 elif 'timeout' not in http_request_kwargs:
 http_request_kwargs['timeout'] = 180
+ if http_request_kwargs.get('verify') is False:
+ log.warning(
+ "TLS certificate verification is DISABLED (verify=False). "
+ "This allows interception of credentials and private-key material. "
+ "Use a CA trust-bundle path (verify='/path/to/bundle.pem') in production."
+ )
 self._http_request_kwargs = http_request_kwargs
 def __str__(self):
diff --git a/vcert/connection_tpp.py b/vcert/connection_tpp.py
index 43c8061..ba2c732 100644
--- a/vcert/connection_tpp.py
+++ b/vcert/connection_tpp.py
@@ -44,6 +44,12 @@ def __init__(self, user, password, url, http_request_kwargs=None):
 http_request_kwargs = {'timeout': 180}
 elif 'timeout' not in http_request_kwargs:
 http_request_kwargs['timeout'] = 180
+ if http_request_kwargs.get('verify') is False:
+ log.warning(
+ "TLS certificate verification is DISABLED (verify=False). "
+ "This allows interception of credentials and private-key material. "
+ "Use a CA trust-bundle path (verify='/path/to/bundle.pem') in production."
+ )
 self._http_request_kwargs = http_request_kwargs or {}
 def __setattr__(self, key, value):
diff --git a/vcert/connection_tpp_token.py b/vcert/connection_tpp_token.py
index 80a7be2..247b05d 100644
--- a/vcert/connection_tpp_token.py
+++ b/vcert/connection_tpp_token.py
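Review bot: The new guard `if http_request_kwargs.get('verify') is False:` in connection_cloud.py only fires for the literal `False`, while requests disables verification for any falsy `verify` value (`0`, `''`), so those configurations get no warning; the identical check in connection_tpp.py (this hunk) and connection_tpp_token.py has the same gap. A tighter test is `verify = http_request_kwargs.get('verify', True)` followed by `if verify is not None and not verify:`, which still stays silent for `None` (requests treats that as "use the session default", i.e. verification on). `log` is not defined inside the hunk; presumably it is the module-level logger, worth confirming it exists in all three modules. Since the check and its message are now copied three times, a single shared helper would keep them from drifting. The enclosing __init__ begins outside the hunk.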
@@ -50,6 +50,12 @@ def __init__(self, url, user=None, password=None, access_token=None, refresh_tok
 http_request_kwargs = {'timeout': 180}
 elif 'timeout' not in http_request_kwargs:
 http_request_kwargs['timeout'] = 180
+ if http_request_kwargs.get('verify') is False:
+ log.warning(
+ "TLS certificate verification is DISABLED (verify=False). "
+ "This allows interception of credentials and private-key material. "
+ "Use a CA trust-bundle path (verify='/path/to/bundle.pem') in production."
+ )
 self._http_request_kwargs = http_request_kwargs or {}
 def __setattr__(self, key, value):