Add option to not verify certificate when calling the real estate WMS

[jwkaltz]

Add option to not verify certificate when calling the real estate WMS. Useful for example if the WMS has a self-signed certificate.

In addition to the CI, this PR was tested locally with
http://localhost:6543/oereb/extract/json?EGRID=CH113928077734&WITHIMAGES=true

with both settings (verify_certificate True and False)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.51%. Comparing base (3a31466) to head (fab63e2).
Report is 12 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2005   +/-   ##
=======================================
  Coverage   85.51%   85.51%           
=======================================
  Files         120      120           
  Lines        5275     5276    +1     
=======================================
+ Hits         4511     4512    +1     
  Misses        764      764           

Flag	Coverage Δ
unittests	85.51% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[michmuel]

Thanks @jwkaltz. I added some comments.

It seems to me that it is a bit a partial solution to a very specific problem of a particular oereb server instance. And not a general use case. If an extract with geometry is requested, the wms for a topic could have as well a self-signed certificate. But this is not possible so for with the standard source. In addition, neglecting the certificates is not advised. Do we really need this MR?

[jwkaltz]

Thanks @jwkaltz. I added some comments.

It seems to me that it is a bit a partial solution to a very specific problem of a particular oereb server instance. And not a general use case. If an extract with geometry is requested, the wms for a topic could have as well a self-signed certificate. But this is not possible so for with the standard source. In addition, neglecting the certificates is not advised. Do we really need this MR?

Hi @michmuel , thanks for the review, I will look at your proposed changes!

Regarding the general context:
In fact the requirement does not come from within the oereb instance itself, but from the oereb server which calls a service with a self-signed certificate. I know of at least 2 cantons which use self-signed certificated for their services, because they believe it saves money to use self-signed certificates. I did advise them to not use self-signed certificates, but this is currently not an option.
We did have a similar situation with the oereb_client, which is why this possibility was added there (openoereb/oereb_client@be16b59).

As far as I could tell, adding this option to the requests.get call in view_service.py is in fact a full solution for this issue. There is also the swisstopo/address.py, but swisstopo has proper certificates so this not an issue there.

[svamaa]

I agree with @michmuel, it's not ideal to open pyramid_oereb to use self-signed certificates. Wouldn't it be possible to add a self-signed certificate to the docker image of pyramid_oereb?
However, the changes don't affect the security of users, that use proper certificates.
Though, I would strongly advice in pyramid_oereb.yml.mako not to use verify_certificate: False with a comment.

[svamaa]

Looks good to me. Thank you for adding the comment.

[michmuel]

The branch works fine in our test environment. However, I spotted a few things.