.gitignore

@@ -1 +1 @@
-SOURCES/requests-v2.32.3.tar.gz
+SOURCES/requests-v2.25.1.tar.gz

.python-requests.metadata

@@ -1 +1 @@
-412ecbc13900d9cbba88681eb29d66da9c6cae80 SOURCES/requests-v2.32.3.tar.gz
+804fdbaf3dbc57f49a66cef920e9d4a5ce3460eb SOURCES/requests-v2.25.1.tar.gz

SOURCES/CVE-2023-32681.patch

@@ -0,0 +1,59 @@
+From 88313c734876b90c266d183d07d26338a14bc54c Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 22 May 2023 08:08:57 -0700
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+---
+ requests/sessions.py   |  4 +++-
+ tests/test_requests.py | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 45ab8a5..db9c594 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
+         except KeyError:
+             username, password = None, None
+ 
+-        if username and password:
++        # urllib3 handles proxy authorization for us in the standard adapter.
++        # Avoid appending this to TLS tunneled requests where it may be leaked.
++        if not scheme.startswith('https') and username and password:
+             headers['Proxy-Authorization'] = _basic_auth_str(username, password)
+ 
+         return new_proxies
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index 5e721cb..c70706f 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -551,6 +551,26 @@ class TestRequests:
+         with pytest.raises(InvalidProxyURL):
+             requests.get(httpbin(), proxies={'http': 'http:///example.com:8080'})
+ 
++
++    @pytest.mark.parametrize(
++        "url,has_proxy_auth",
++        (
++            ('http://example.com', True),
++            ('https://example.com', False),
++        ),
++    )
++    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
++        session = requests.Session()
++        proxies = {
++            'http': 'http://test:pass@localhost:8080',
++            'https': 'http://test:pass@localhost:8090',
++        }
++        req = requests.Request('GET', url)
++        prep = req.prepare()
++        session.rebuild_proxies(prep, proxies)
++
++        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
++
+     def test_basicauth_with_netrc(self, httpbin):
+         auth = ('user', 'pass')
+         wrong_auth = ('wronguser', 'wrongpass')
+-- 
+2.40.1
+

SOURCES/Empty-security-extras.patch

@@ -0,0 +1,13 @@
+diff --git a/setup.py b/setup.py
+index 065eb22..043ae42 100755
+--- a/setup.py
++++ b/setup.py
+@@ -100,7 +100,7 @@ setup(
+     cmdclass={'test': PyTest},
+     tests_require=test_requirements,
+     extras_require={
+-        'security': ['pyOpenSSL >= 0.14', 'cryptography>=1.3.4'],
++        'security': [],
+         'socks': ['PySocks>=1.5.6, !=1.5.7'],
+         'socks:sys_platform == "win32" and python_version == "2.7"': ['win_inet_pton'],
+     },

SOURCES/Remove-tests-that-use-the-tarpit.patch

@@ -0,0 +1,55 @@
+From bb1c91432c5e9a1f402692db5c80c65136656afb Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jeremy@jcline.org>
+Date: Tue, 13 Jun 2017 09:08:09 -0400
+Subject: [PATCH] Remove tests that use the tarpit
+
+The latest version of Mock has started using systemd containers. The
+systemd-nspawn command is being run with --private-network, which
+immediately kills connections to something other than localhost. These
+tests depend on the connection not being killed immediately and that
+they are never responded to.
+
+Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+---
+ tests/test_requests.py | 25 -------------------------
+ 1 file changed, 25 deletions(-)
+
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index 7d4a4eb5..8d1c55fc 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -2186,31 +2186,6 @@ class TestTimeout:
+         except ReadTimeout:
+             pass
+ 
+-    @pytest.mark.parametrize(
+-        'timeout', (
+-            (0.1, None),
+-            Urllib3Timeout(connect=0.1, read=None)
+-        ))
+-    def test_connect_timeout(self, timeout):
+-        try:
+-            requests.get(TARPIT, timeout=timeout)
+-            pytest.fail('The connect() request should time out.')
+-        except ConnectTimeout as e:
+-            assert isinstance(e, ConnectionError)
+-            assert isinstance(e, Timeout)
+-
+-    @pytest.mark.parametrize(
+-        'timeout', (
+-            (0.1, 0.1),
+-            Urllib3Timeout(connect=0.1, read=0.1)
+-        ))
+-    def test_total_timeout_connect(self, timeout):
+-        try:
+-            requests.get(TARPIT, timeout=timeout)
+-            pytest.fail('The connect() request should time out.')
+-        except ConnectTimeout:
+-            pass
+-
+     def test_encoded_methods(self, httpbin):
+         """See: https://github.com/psf/requests/issues/2316"""
+         r = requests.request(b'GET', httpbin('get'))
+-- 
+2.24.1
+

SOURCES/patch-requests-certs.py-to-use-the-system-CA-bundle.patch

@@ -0,0 +1,29 @@
+diff --color -Nur requests-2.25.1.orig/requests/certs.py requests-2.25.1/requests/certs.py
+--- requests-2.25.1.orig/requests/certs.py	2021-01-10 16:27:05.027059634 -0800
++++ requests-2.25.1/requests/certs.py	2021-01-10 16:29:06.973238179 -0800
+@@ -10,8 +10,13 @@
+ If you are packaging Requests, e.g., for a Linux distribution or a managed
+ environment, you can change the definition of where() to return a separately
+ packaged CA bundle.
++
++This Fedora-patched package returns "/etc/pki/tls/certs/ca-bundle.crt" provided
++by the ca-certificates RPM package.
+ """
+-from certifi import where
++def where():
++    """Return the absolute path to the system CA bundle."""
++    return '/etc/pki/tls/certs/ca-bundle.crt'
+ 
+ if __name__ == '__main__':
+     print(where())
+diff --color -Nur requests-2.25.1.orig/setup.py requests-2.25.1/setup.py
+--- requests-2.25.1.orig/setup.py	2020-12-16 11:34:26.000000000 -0800
++++ requests-2.25.1/setup.py	2021-01-10 16:29:21.570259552 -0800
+@@ -45,7 +45,6 @@
+     'chardet>=3.0.2,<5',
+     'idna>=2.5,<3',
+     'urllib3>=1.21.1,<1.27',
+-    'certifi>=2017.4.17'
+ 
+ ]
+ test_requirements = [

SOURCES/requests-2.12.4-tests_nonet.patch

@@ -0,0 +1,11 @@
+--- requests-2.12.4/tests/testserver/server.py	2016-12-21 11:31:56.000000000 -0800
++++ requests-2.12.4/tests/testserver/server.py.new	2016-12-30 10:40:06.085995065 -0800
+@@ -27,7 +27,7 @@
+     """Dummy server using for unit testing"""
+     WAIT_EVENT_TIMEOUT = 5
+ 
+-    def __init__(self, handler=None, host='localhost', port=0, requests_to_handle=1, wait_to_close_event=None):
++    def __init__(self, handler=None, host='127.0.0.1', port=0, requests_to_handle=1, wait_to_close_event=None):
+         super(Server, self).__init__()
+ 
+         self.handler = handler or consume_socket_content

SOURCES/support_IPv6_CIDR_in_no_proxy.patch

@@ -1,277 +0,0 @@
-From 91526670ad66e83e799459cb23b031b88bb680b4 Mon Sep 17 00:00:00 2001
-From: Derek Higgins <derekh@redhat.com>
-Date: Thu, 30 May 2024 11:15:18 +0200
-Subject: [PATCH 2/2] Add ipv6 support to should_bypass_proxies
-
-Add support to should_bypass_proxies to support
-IPv6 ipaddresses and CIDRs in no_proxy. Includes
-adding IPv6 support to various other helper functions.
-
-Co-authored-by: Lumir Balhar <lbalhar@redhat.com>
----
- src/requests/utils.py | 83 ++++++++++++++++++++++++++++++++++++-------
- tests/test_utils.py   | 66 +++++++++++++++++++++++++++++++---
- 2 files changed, 132 insertions(+), 17 deletions(-)
-
-diff --git a/src/requests/utils.py b/src/requests/utils.py
-index ae6c42f..0363698 100644
---- a/src/requests/utils.py
-+++ b/src/requests/utils.py
-@@ -679,18 +679,46 @@ def requote_uri(uri):
-         return quote(uri, safe=safe_without_percent)
- 
- 
-+def _get_mask_bits(mask, totalbits=32):
-+    """Converts a mask from /xx format to a int
-+    to be used as a mask for IP's in int format
-+
-+    Example: if mask is 24 function returns 0xFFFFFF00
-+             if mask is 24 and totalbits=128 function
-+                returns 0xFFFFFF00000000000000000000000000
-+
-+    :rtype: int
-+    """
-+    bits = ((1 << mask) - 1) << (totalbits - mask)
-+    return bits
-+
-+
- def address_in_network(ip, net):
-     """This function allows you to check if an IP belongs to a network subnet
- 
-     Example: returns True if ip = 192.168.1.1 and net = 192.168.1.0/24
-              returns False if ip = 192.168.1.1 and net = 192.168.100.0/24
-+             returns True if ip = 1:2:3:4::1 and net = 1:2:3:4::/64
- 
-     :rtype: bool
-     """
--    ipaddr = struct.unpack("=L", socket.inet_aton(ip))[0]
-     netaddr, bits = net.split("/")
--    netmask = struct.unpack("=L", socket.inet_aton(dotted_netmask(int(bits))))[0]
--    network = struct.unpack("=L", socket.inet_aton(netaddr))[0] & netmask
-+    if is_ipv4_address(ip) and is_ipv4_address(netaddr):
-+        ipaddr = struct.unpack(">L", socket.inet_aton(ip))[0]
-+        netmask = _get_mask_bits(int(bits))
-+        network = struct.unpack(">L", socket.inet_aton(netaddr))[0]
-+    elif is_ipv6_address(ip) and is_ipv6_address(netaddr):
-+        ipaddr_msb, ipaddr_lsb = struct.unpack(
-+            ">QQ", socket.inet_pton(socket.AF_INET6, ip)
-+        )
-+        ipaddr = (ipaddr_msb << 64) ^ ipaddr_lsb
-+        netmask = _get_mask_bits(int(bits), 128)
-+        network_msb, network_lsb = struct.unpack(
-+            ">QQ", socket.inet_pton(socket.AF_INET6, netaddr)
-+        )
-+        network = (network_msb << 64) ^ network_lsb
-+    else:
-+        return False
-     return (ipaddr & netmask) == (network & netmask)
- 
- 
-@@ -710,12 +738,39 @@ def is_ipv4_address(string_ip):
-     :rtype: bool
-     """
-     try:
--        socket.inet_aton(string_ip)
-+        socket.inet_pton(socket.AF_INET, string_ip)
-+    except OSError:
-+        return False
-+    return True
-+
-+
-+def is_ipv6_address(string_ip):
-+    """
-+    :rtype: bool
-+    """
-+    try:
-+        socket.inet_pton(socket.AF_INET6, string_ip)
-     except OSError:
-         return False
-     return True
- 
- 
-+def compare_ips(a, b):
-+    """
-+    Compare 2 IP's, uses socket.inet_pton to normalize IPv6 IPs
-+
-+    :rtype: bool
-+    """
-+    if a == b:
-+        return True
-+    try:
-+        return socket.inet_pton(socket.AF_INET6, a) == socket.inet_pton(
-+            socket.AF_INET6, b
-+        )
-+    except OSError:
-+        return False
-+
-+
- def is_valid_cidr(string_network):
-     """
-     Very simple check of the cidr format in no_proxy variable.
-@@ -723,17 +778,19 @@ def is_valid_cidr(string_network):
-     :rtype: bool
-     """
-     if string_network.count("/") == 1:
-+        address, mask = string_network.split("/")
-         try:
--            mask = int(string_network.split("/")[1])
-+            mask = int(mask)
-         except ValueError:
-             return False
- 
--        if mask < 1 or mask > 32:
--            return False
--
--        try:
--            socket.inet_aton(string_network.split("/")[0])
--        except OSError:
-+        if is_ipv4_address(address):
-+            if mask < 1 or mask > 32:
-+                return False
-+        elif is_ipv6_address(address):
-+            if mask < 1 or mask > 128:
-+                return False
-+        else:
-             return False
-     else:
-         return False
-@@ -790,12 +847,12 @@ def should_bypass_proxies(url, no_proxy):
-         # the end of the hostname, both with and without the port.
-         no_proxy = (host for host in no_proxy.replace(" ", "").split(",") if host)
- 
--        if is_ipv4_address(parsed.hostname):
-+        if is_ipv4_address(parsed.hostname) or is_ipv6_address(parsed.hostname):
-             for proxy_ip in no_proxy:
-                 if is_valid_cidr(proxy_ip):
-                     if address_in_network(parsed.hostname, proxy_ip):
-                         return True
--                elif parsed.hostname == proxy_ip:
-+                elif compare_ips(parsed.hostname, proxy_ip):
-                     # If no_proxy ip was defined in plain IP notation instead of cidr notation &
-                     # matches the IP of the index
-                     return True
-diff --git a/tests/test_utils.py b/tests/test_utils.py
-index 5e9b56e..befbb46 100644
---- a/tests/test_utils.py
-+++ b/tests/test_utils.py
-@@ -14,9 +14,11 @@ from requests._internal_utils import unicode_is_ascii
- from requests.cookies import RequestsCookieJar
- from requests.structures import CaseInsensitiveDict
- from requests.utils import (
-+    _get_mask_bits,
-     _parse_content_type_header,
-     add_dict_to_cookiejar,
-     address_in_network,
-+    compare_ips,
-     dotted_netmask,
-     extract_zipped_paths,
-     get_auth_from_url,
-@@ -263,8 +265,15 @@ class TestIsIPv4Address:
- 
- 
- class TestIsValidCIDR:
--    def test_valid(self):
--        assert is_valid_cidr("192.168.1.0/24")
-+    @pytest.mark.parametrize(
-+        "value",
-+        (
-+            "192.168.1.0/24",
-+            "1:2:3:4::/64",
-+        ),
-+    )
-+    def test_valid(self, value):
-+        assert is_valid_cidr(value)
- 
-     @pytest.mark.parametrize(
-         "value",
-@@ -274,6 +283,11 @@ class TestIsValidCIDR:
-             "192.168.1.0/128",
-             "192.168.1.0/-1",
-             "192.168.1.999/24",
-+            "1:2:3:4::1",
-+            "1:2:3:4::/a",
-+            "1:2:3:4::0/321",
-+            "1:2:3:4::/-1",
-+            "1:2:3:4::12211/64",
-         ),
-     )
-     def test_invalid(self, value):
-@@ -287,6 +301,12 @@ class TestAddressInNetwork:
-     def test_invalid(self):
-         assert not address_in_network("172.16.0.1", "192.168.1.0/24")
- 
-+    def test_valid_v6(self):
-+        assert address_in_network("1:2:3:4::1111", "1:2:3:4::/64")
-+
-+    def test_invalid_v6(self):
-+        assert not address_in_network("1:2:3:4:1111", "1:2:3:4::/124")
-+
- 
- class TestGuessFilename:
-     @pytest.mark.parametrize(
-@@ -722,6 +742,11 @@ def test_urldefragauth(url, expected):
-         ("http://172.16.1.12:5000/", False),
-         ("http://google.com:5000/v1.0/", False),
-         ("file:///some/path/on/disk", True),
-+        ("http://[1:2:3:4:5:6:7:8]:5000/", True),
-+        ("http://[1:2:3:4::1]/", True),
-+        ("http://[1:2:3:9::1]/", True),
-+        ("http://[1:2:3:9:0:0:0:1]/", True),
-+        ("http://[1:2:3:9::2]/", False),
-     ),
- )
- def test_should_bypass_proxies(url, expected, monkeypatch):
-@@ -730,11 +755,11 @@ def test_should_bypass_proxies(url, expected, monkeypatch):
-     """
-     monkeypatch.setenv(
-         "no_proxy",
--        "192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1, google.com:6000",
-+        "192.168.0.0/24,127.0.0.1,localhost.localdomain,1:2:3:4::/64,1:2:3:9::1,172.16.1.1, google.com:6000",
-     )
-     monkeypatch.setenv(
-         "NO_PROXY",
--        "192.168.0.0/24,127.0.0.1,localhost.localdomain,172.16.1.1, google.com:6000",
-+        "192.168.0.0/24,127.0.0.1,localhost.localdomain,1:2:3:4::/64,1:2:3:9::1,172.16.1.1, google.com:6000",
-     )
-     assert should_bypass_proxies(url, no_proxy=None) == expected
- 
-@@ -956,3 +981,36 @@ def test_should_bypass_proxies_win_registry_ProxyOverride_value(monkeypatch):
-     monkeypatch.setattr(winreg, "OpenKey", OpenKey)
-     monkeypatch.setattr(winreg, "QueryValueEx", QueryValueEx)
-     assert should_bypass_proxies("http://example.com/", None) is False
-+
-+
-+@pytest.mark.parametrize(
-+    "mask, totalbits, maskbits",
-+    (
-+        (24, None, 0xFFFFFF00),
-+        (31, None, 0xFFFFFFFE),
-+        (0, None, 0x0),
-+        (4, 4, 0xF),
-+        (24, 128, 0xFFFFFF00000000000000000000000000),
-+    ),
-+)
-+def test__get_mask_bits(mask, totalbits, maskbits):
-+    args = {"mask": mask}
-+    if totalbits:
-+        args["totalbits"] = totalbits
-+    assert _get_mask_bits(**args) == maskbits
-+
-+
-+@pytest.mark.parametrize(
-+    "a, b, expected",
-+    (
-+        ("1.2.3.4", "1.2.3.4", True),
-+        ("1.2.3.4", "2.2.3.4", False),
-+        ("1::4", "1.2.3.4", False),
-+        ("1::4", "1::4", True),
-+        ("1::4", "1:0:0:0:0:0:0:4", True),
-+        ("1::4", "1:0:0:0:0:0::4", True),
-+        ("1::4", "1:0:0:0:0:0:1:4", False),
-+    ),
-+)
-+def test_compare_ips(a, b, expected):
-+    assert compare_ips(a, b) == expected
--- 
-2.45.1
-

SOURCES/system-certs.patch

@@ -1,59 +0,0 @@
-From bb733473e91e71b812ada46bc110f607630f9327 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar@redhat.com>
-Date: Thu, 30 May 2024 11:10:29 +0200
-Subject: [PATCH 1/2] system certs
-
-Co-authored-by: Lumir Balhar <lbalhar@redhat.com>
----
- setup.cfg             | 1 -
- setup.py              | 1 -
- src/requests/certs.py | 8 +++++++-
- 3 files changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/setup.cfg b/setup.cfg
-index 8d44e0e..fa10a53 100644
---- a/setup.cfg
-+++ b/setup.cfg
-@@ -4,7 +4,6 @@ provides-extra =
-     socks
-     use_chardet_on_py3
- requires-dist =
--    certifi>=2017.4.17
-     charset_normalizer>=2,<4
-     idna>=2.5,<4
-     urllib3>=1.21.1,<3
-diff --git a/setup.py b/setup.py
-index 1b0eb37..03d19b0 100755
---- a/setup.py
-+++ b/setup.py
-@@ -62,7 +62,6 @@ requires = [
-     "charset_normalizer>=2,<4",
-     "idna>=2.5,<4",
-     "urllib3>=1.21.1,<3",
--    "certifi>=2017.4.17",
- ]
- test_requirements = [
-     "pytest-httpbin==2.0.0",
-diff --git a/src/requests/certs.py b/src/requests/certs.py
-index be422c3..9aee713 100644
---- a/src/requests/certs.py
-+++ b/src/requests/certs.py
-@@ -10,8 +10,14 @@ only one — the one from the certifi package.
- If you are packaging Requests, e.g., for a Linux distribution or a managed
- environment, you can change the definition of where() to return a separately
- packaged CA bundle.
-+
-+This Fedora-patched package returns "/etc/pki/tls/certs/ca-bundle.crt" provided
-+by the ca-certificates RPM package.
- """
--from certifi import where
-+
-+def where():
-+    """Return the absolute path to the system CA bundle."""
-+    return '/etc/pki/tls/certs/ca-bundle.crt'
- 
- if __name__ == "__main__":
-     print(where())
--- 
-2.45.1
-

SPECS/python-requests.spec

@@ -1,37 +1,51 @@
-# When bootstrapping Python, we cannot test this yet
-# RHEL does not include the test dependencies
-%bcond tests    %{undefined rhel}
-# The extras are disabled on RHEL to avoid pysocks and deprecated requests[security]
-%bcond extras   %{undefined rhel}
+# Disable tests on RHEL9 as to not pull in the test dependencies
+# Specify --with tests to run the tests e.g. on EPEL
+%bcond_with tests
+
 
 Name:           python-requests
-Version:        2.32.3
-Release:        1%{?dist}
+Version:        2.25.1
+Release:        7%{?dist}
 Summary:        HTTP library, written in Python, for human beings
 
-License:        Apache-2.0
+License:        ASL 2.0
 URL:            https://pypi.io/project/requests
-Source:         https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz
-
+Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz
 # Explicitly use the system certificates in ca-certificates.
 # https://bugzilla.redhat.com/show_bug.cgi?id=904614
-Patch:          system-certs.patch
-
-# Add support for IPv6 CIDR in no_proxy setting
-# This functionality is needed in Openshift and it has been
-# proposed for upstream in 2021 but the PR unfortunately stalled.
-# Upstream PR: https://github.com/psf/requests/pull/5953
-# This change is backported also into RHEL 9.4 (via CS)
-Patch:          support_IPv6_CIDR_in_no_proxy.patch
+Patch0:         patch-requests-certs.py-to-use-the-system-CA-bundle.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1450608
+Patch2:         Remove-tests-that-use-the-tarpit.patch
+
+# Use 127.0.0.1 not localhost for socket.bind() in the Server test
+# class, to fix tests in Koji's no-network environment
+# This probably isn't really upstreamable, because I guess localhost
+# could technically be IPv6 or something, and our no-network env is
+# a pretty odd one so this is a niche requirement.
+Patch3:         requests-2.12.4-tests_nonet.patch
+
+# The [security] extra as present in upstream 2.25.1 is not possible,
+# because the PyOpenSSL package is not part of RHEL 9.
+# We backport a pre-2.26.0 commit that makes request[security] a no-op:
+#   https://github.com/psf/requests/pull/5867
+# """
+# We initially removed default support for PyOpenSSL in Requests 2.24.0
+# as it is now considered less secure. Deprecation of the extras_require was
+# announced in Requests 2.25.0 and we're officially removing the extras_require
+# functionality in Requests 2.26.0.
+# Projects currently using requests[security] after this change will continue
+# to operate as if performing a standard requests installation (secure by default).
+# """
+Patch4:         Empty-security-extras.patch
+
+# Security fix for CVE-2023-32681
+# Unintended leak of Proxy-Authorization header
+# Resolved upstream: https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2209469
+Patch5:         CVE-2023-32681.patch
 
 BuildArch:      noarch
-BuildRequires:  python%{python3_pkgversion}-devel
-%if %{with tests}
-BuildRequires:  python3dist(pytest)
-BuildRequires:  python3dist(pytest-httpbin)
-BuildRequires:  python3dist(pytest-mock)
-BuildRequires:  python3dist(trustme)
-%endif
 
 %description
 Most existing Python modules for sending HTTP requests are extremely verbose and
@@ -39,9 +53,20 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 
-
 %package -n python%{python3_pkgversion}-requests
-Summary:        %{summary}
+Summary: HTTP library, written in Python, for human beings
+
+%{?python_provide:%python_provide python%{python3_pkgversion}-requests}
+
+BuildRequires:  python%{python3_pkgversion}-devel
+BuildRequires:  pyproject-rpm-macros
+
+%if %{with tests}
+BuildRequires:  python3dist(pytest)
+BuildRequires:  python3dist(pytest-httpbin)
+BuildRequires:  python3dist(pytest-mock)
+%endif
+
 
 %description -n python%{python3_pkgversion}-requests
 Most existing Python modules for sending HTTP requests are extremely verbose and
@@ -49,27 +74,29 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 
-
-%if %{with extras}
 %pyproject_extras_subpkg -n python%{python3_pkgversion}-requests security socks
-%endif
-
 
 %generate_buildrequires
-%pyproject_buildrequires %{?with_extras:-x security,socks}
+%if %{with tests}
+%pyproject_buildrequires -r
+%else
+%pyproject_buildrequires
+%endif
 
 
 %prep
 %autosetup -p1 -n requests-%{version}
 
+# Unbundle the certificate bundle from mozilla.
+rm -rf requests/cacert.pem
+
 # env shebang in nonexecutable file
-sed -i '/#!\/usr\/.*python/d' src/requests/certs.py
+sed -i '/#!\/usr\/.*python/d' requests/certs.py
 
 # Some doctests use the internet and fail to pass in Koji. Since doctests don't have names, I don't
 # know a way to skip them. We also don't want to patch them out, because patching them out will
 # change the docs. Thus, we set pytest not to run doctests at all.
-sed -i 's/ --doctest-modules//' pyproject.toml
-
+sed -i 's/ --doctest-modules//' pytest.ini
 
 %build
 %pyproject_wheel
@@ -80,12 +107,10 @@ sed -i 's/ --doctest-modules//' pyproject.toml
 %pyproject_save_files requests
 
 
-%check
-%pyproject_check_import
 %if %{with tests}
-# test_unicode_header_name - reported: https://github.com/psf/requests/issues/6734
-# test_use_proxy_from_environment needs pysocks
-%pytest -v tests -k "not test_unicode_header_name %{!?with_extras:and not test_use_proxy_from_environment}"
+%check
+# test_https_warnings: https://github.com/psf/requests/issues/5530
+%pytest -v -k "not test_https_warnings"
 %endif
 
 
@@ -95,93 +120,27 @@ sed -i 's/ --doctest-modules//' pyproject.toml
 
 
 %changelog
-* Wed Jun 26 2024 Lumír Balhar <lbalhar@redhat.com> - 2.32.3-1
-- Update to 2.32.3
-- Fix for CVE-2024-35195
-Resolves: RHEL-37604
-- Add support for IPv6 CIDR in no_proxy setting
-Resolves: RHEL-32523
-
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.31.0-4
-- Bump release for June 2024 mass rebuild
-
-* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.31.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.31.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Mon Oct 16 2023 Tomáš Hrnčiar <thrnciar@redhat.com> - 2.31.0-1
-- Update to 2.31.0
-- Fixes: rhbz#2189970
-
-* Tue Oct 10 2023 Miro Hrončok <mhroncok@redhat.com> - 2.28.2-7
-- Do not package requests[security] and requests[socks] on RHEL
-- Make the package build even when urllib3 won't pull in pysocks
-
-* Tue Aug 08 2023 Karolina Surma <ksurma@redhat.com> - 2.28.2-6
-- Declare the license as an SPDX expression
-
-* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.28.2-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Sat Jul 01 2023 Python Maint <python-maint@redhat.com> - 2.28.2-4
-- Rebuilt for Python 3.12
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 2.28.2-3
-- Bootstrap for Python 3.12
-
-* Tue May 23 2023 Miro Hrončok <mhroncok@redhat.com> - 2.28.2-2
+* Fri Jun 16 2023 Charalampos Stratakis <cstratak@redhat.com> - 2.25.1-7
 - Security fix for CVE-2023-32681
-- https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q
-
-* Wed Feb 01 2023 Lumír Balhar <lbalhar@redhat.com> - 2.28.2-1
-- Update to 2.28.2 (rhbz#2160527)
-
-* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.28.1-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Tue Sep 13 2022 Kevin Fenzi <kevin@scrye.com> - 2.28.1-3
-- Enable all tests and drop no longer needed test patch.
-
-* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.28.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Tue Jul 12 2022 Adam Williamson <awilliam@redhat.com> - 2.28.1-1
-- Update to 2.28.1, rediff patches
-
-* Mon Jun 20 2022 Lumír Balhar <lbalhar@redhat.com> - 2.27.1-5
-- Allow charset_normalizer 2.1.0 and newer up to 3.0.0
-
-* Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 2.27.1-4
-- Rebuilt for Python 3.11
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 2.27.1-3
-- Bootstrap for Python 3.11
-
-* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.27.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Sat Jan 08 2022 Kevin Fenzi <kevin@scrye.com> - 2.27.1-1
-- Update to 2.27.1. Fixes rhbz#2037431
+Resolves: rhbz#2209469
 
-* Tue Jan 04 2022 Adam Williamson <awilliam@redhat.com> - 2.27.0-1
-- Update to 2.27.0
-- Re-enable test_https_warnings as it works with pytest-httpbin 1.0.0 now
-- Re-enable test_pyopenssl_redirect, it seems to work too
+* Tue Feb 08 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 2.25.1-6
+- Add automatically generated Obsoletes tag with the python39- prefix
+  for smoother upgrade from RHEL8
+- Related: rhbz#1990421
 
-* Sun Jul 25 2021 Lumír Balhar <lbalhar@redhat.com> - 2.26.0-1
-- Update to 2.26.0
-Resolves: rhbz#1981856
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.25.1-5
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.25.1-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+* Thu Jul 15 2021 Miro Hrončok <mhroncok@redhat.com> - 2.25.1-4
+- Make requests[security] extras a no-op (backported from future 2.26.0)
 
-* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 2.25.1-3
-- Rebuilt for Python 3.10
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.25.1-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 2.25.1-2
-- Bootstrap for Python 3.10
+* Mon Mar 08 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.25.1-2
+- Disable tests on RHEL9 to avoid pulling in the test dependencies
 
 * Tue Feb 02 2021 Kevin Fenzi <kevin@scrye.com> - 2.25.1-1
 - Update 2.25.1. Fix is rhbz#1908487