
Add an option to disable CA certificate pinning#35

Merged: AaronAtDuo merged 1 commit into main from ztcapin-508 on Jun 26, 2026

Conversation

@mihir-pradhan (Contributor)

Description

  • Added disable_ca_pinning=False parameter to Client.__init__()
  • Added validation that raises DuoException if both disable_ca_pinning=True and custom duo_certs are provided
  • When disabled, sets verify=True on requests.post() calls (OS trust store) instead of verify=DEFAULT_CA_CERT_PATH (bundled CA bundle)

How Has This Been Tested?

  • TestDisableCaPinning — 7 tests verifying constructor behavior:
    • Default value is False and uses bundled CA certs
    • Can be set to True with default or None duo_certs
    • Can be set to True with explicit DEFAULT_CA_CERT_PATH duo_certs
    • Raises DuoException when combined with a custom duo_certs path
    • Raises DuoException when combined with duo_certs='DISABLE'
    • Explicit False preserves existing behavior
  • TestDisableCaPinningRequests — 4 tests verifying request behavior:
    • Health check with pinning disabled passes verify=True (system trust store)
    • Health check with pinning enabled passes verify=DEFAULT_CA_CERT_PATH (bundled)
    • Token exchange with pinning disabled passes verify=True (system trust store)
    • Token exchange with pinning enabled passes verify=DEFAULT_CA_CERT_PATH (bundled)
  • Full test suite passes (74 tests)

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Allows callers to opt out of CA certificate pinning while keeping TLS
verification active via the OS trust store. This is a safety valve for
customers who cannot upgrade when a cert chain change breaks pinning.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
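The three behaviours the description lists (a `disable_ca_pinning` flag, a `DuoException` when it is combined with custom `duo_certs`, and `verify=True` versus `verify=DEFAULT_CA_CERT_PATH` on the outgoing request) are modelled below as an added, stand-alone example. It is not the project's own code or the code in this PR: the names `Client`, `DuoException`, `DEFAULT_CA_CERT_PATH`, `duo_certs`, `disable_ca_pinning` and the `'DISABLE'` sentinel follow the PR description, while the constructor signature, the `_verify_argument` helper, the injectable `post` callable (so the example runs offline without `requests`) and the mapping of `duo_certs='DISABLE'` to `verify=False` are assumptions made for illustration.

```python
"""Model of a CA-pinning opt-out that keeps TLS verification on.

Added example, not the duo client's code. Identifiers follow the PR
description; the constructor signature, _verify_argument, the injectable
`post` callable and the 'DISABLE' -> verify=False mapping are assumptions.
"""
from typing import Callable, Dict, List, Optional, Tuple, Union

# Assumed location of the bundled CA bundle (the real path is not on the page).
DEFAULT_CA_CERT_PATH = "/opt/duo/ca_certs.pem"
# Sentinel named in the PR's tests; what it does to verification is assumed below.
DISABLE_TLS_VERIFY = "DISABLE"


class DuoException(Exception):
    """Configuration error (name taken from the PR description)."""


class Client:
    def __init__(
        self,
        api_host: str,
        duo_certs: Optional[str] = DEFAULT_CA_CERT_PATH,
        disable_ca_pinning: bool = False,
        post: Optional[Callable[..., dict]] = None,
    ) -> None:
        self.api_host = api_host
        self.disable_ca_pinning = disable_ca_pinning
        # The PR's tests treat duo_certs=None the same as the bundled bundle.
        self.duo_certs = DEFAULT_CA_CERT_PATH if duo_certs is None else duo_certs
        # Validation from the PR: opting out of pinning while also supplying a
        # custom bundle, or the 'DISABLE' sentinel, is contradictory; refuse it.
        if disable_ca_pinning and self.duo_certs != DEFAULT_CA_CERT_PATH:
            raise DuoException(
                "disable_ca_pinning=True cannot be combined with custom duo_certs"
            )
        self._post = post if post is not None else self._no_transport

    @staticmethod
    def _no_transport(url: str, **kwargs) -> dict:
        raise RuntimeError("no HTTP transport injected; example runs offline")

    def _verify_argument(self) -> Union[bool, str]:
        """Value handed to the HTTP layer as `verify=`.

        True  -> validate against the OS trust store (pinning disabled)
        path  -> validate against the bundled CA bundle (pinning enabled)
        False -> no verification at all; only reachable via the 'DISABLE'
                 sentinel (assumed mapping), never via disable_ca_pinning.
        """
        if self.disable_ca_pinning:
            return True
        if self.duo_certs == DISABLE_TLS_VERIFY:
            return False  # assumed meaning of the sentinel; not stated on the page
        return self.duo_certs

    def health_check(self) -> dict:
        url = f"https://{self.api_host}/oauth/v1/health_check"
        return self._post(url, verify=self._verify_argument())


def rejects(**kwargs) -> bool:
    """True if constructing a Client with these kwargs raises DuoException."""
    try:
        Client("api-host.example", **kwargs)
    except DuoException:
        return True
    return False


def recording_post() -> Tuple[Callable[..., dict], List[Tuple[str, Dict]]]:
    """Offline stand-in for requests.post that records (url, kwargs)."""
    calls: List[Tuple[str, Dict]] = []

    def post(url: str, **kwargs) -> dict:
        calls.append((url, kwargs))
        return {"stat": "OK"}  # constructed response, not from a real Duo host

    return post, calls


if __name__ == "__main__":
    post, calls = recording_post()
    Client("api-host.example", disable_ca_pinning=True, post=post).health_check()
    print("verify passed to post():", calls[0][1]["verify"])
```

The point to check when reviewing a change like this is the type of the `verify` argument: the opt-out must yield `True` (system trust store, certificate chain still validated, hostname still checked), never `False`. The constructor-time rejection of `disable_ca_pinning=True` together with a custom bundle or `'DISABLE'` is what stops a caller from silently combining two settings that each change what "verified" means.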
@AaronAtDuo AaronAtDuo merged commit 95fc8d9 into main Jun 26, 2026
4 checks passed
@AaronAtDuo AaronAtDuo deleted the ztcapin-508 branch June 26, 2026 18:35