Merge lp:~cjwatson/launchpad/system-ca-certificates into lp:launchpad

Proposed by Colin Watson
Status: Merged
Merged at revision: 18994
Proposed branch: lp:~cjwatson/launchpad/system-ca-certificates
Merge into: lp:launchpad
Diff against target: 71 lines (+28/-0)
4 files modified
configs/development/launchpad-lazr.conf (+1/-0)
lib/lp/services/config/schema-lazr.conf (+6/-0)
lib/lp/services/tests/test_timeout.py (+18/-0)
lib/lp/services/timeout.py (+3/-0)
To merge this branch: bzr merge lp:~cjwatson/launchpad/system-ca-certificates
Reviewer: William Grant (review type: code; status: Approve)
Review via email: mp+368993@code.launchpad.net

Commit message

Add configurable CA certificates bundle path for urlfetch.

Description of the change

Comparing https://launchpad.net/ubuntu/+source/ca-certificates with https://pypi.org/project/certifi/, I'm not actually convinced that the system package is a better way for Launchpad to get an up-to-date CA certificate package, particularly now that we can easily update certifi independently of requests; so in my opinion we probably shouldn't use this on production at the moment. Still, it's useful to have the option.

William Grant (wgrant) wrote :

The system package is definitely a better place to get it, as we are the OS vendor so if the system package is problematically out of date we should know about it.

review: Approve (code)

Preview Diff

1=== modified file 'configs/development/launchpad-lazr.conf'
2--- configs/development/launchpad-lazr.conf 2019-05-28 13:55:14 +0000
3+++ configs/development/launchpad-lazr.conf 2019-06-18 17:35:58 +0000
4@@ -98,6 +98,7 @@
5 enable_test_openid_provider: True
6 openid_canonical_root: https://testopenid.test/
7 openid_provider_root: https://testopenid.test/
8+ca_certificates_path: /etc/ssl/certs/ca-certificates.crt
9 code_domain: code.launchpad.test
10 default_batch_size: 5
11 max_attachment_size: 2097152
12
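Review bot: The added `ca_certificates_path: /etc/ssl/certs/ca-certificates.crt` line has no comment explaining why the development config departs from the schema default of `none`. The path is the Debian/Ubuntu system bundle, so a development machine without that file will behave differently from one using the certifi bundle; a one-line comment above the key saying that it selects the system ca-certificates bundle would make that explicit.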
13=== modified file 'lib/lp/services/config/schema-lazr.conf'
14--- lib/lp/services/config/schema-lazr.conf 2019-05-28 13:55:14 +0000
15+++ lib/lp/services/config/schema-lazr.conf 2019-06-18 17:35:58 +0000
16@@ -940,6 +940,12 @@
17 # datatype: string
18 http_proxy: none
19
20+# Path to CA certificate bundle, or "none" to use the one bundled with the
21+# certifi Python package.
22+#
23+# datatype: string
24+ca_certificates_path: none
25+
26 # Session cookies being sent to a subdomain of the parent
27 # domains listed here will be sent to the parent domain,
28 # allowing sessions to be shared between vhosts.
29
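Review bot: The comment above `ca_certificates_path: none` documents the "none" case but not what a real value must look like. Suggest saying whether the path must be a single PEM bundle file or may also be a certificate directory, and that a missing or unreadable path will only show up when an outbound request is made, since nothing in this patch validates it at configuration time.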
30=== modified file 'lib/lp/services/tests/test_timeout.py'
31--- lib/lp/services/tests/test_timeout.py 2019-06-07 21:12:13 +0000
32+++ lib/lp/services/tests/test_timeout.py 2019-06-18 17:35:58 +0000
33@@ -388,6 +388,24 @@
34 {scheme: proxy for scheme in ('http', 'https')},
35 fake_send.calls[0][1]['proxies'])
36
37+ def test_urlfetch_no_ca_certificates(self):
38+ """If ca_certificates_path is None, urlfetch uses bundled certs."""
39+ self.pushConfig('launchpad', ca_certificates_path='none')
40+ fake_send = FakeMethod(result=Response())
41+ self.useFixture(
42+ MonkeyPatch('requests.adapters.HTTPAdapter.send', fake_send))
43+ urlfetch('http://example.com/')
44+ self.assertIs(True, fake_send.calls[0][1]['verify'])
45+
46+ def test_urlfetch_ca_certificates_if_configured(self):
47+ """urlfetch uses the configured ca_certificates_path if it is set."""
48+ self.pushConfig('launchpad', ca_certificates_path='/path/to/certs')
49+ fake_send = FakeMethod(result=Response())
50+ self.useFixture(
51+ MonkeyPatch('requests.adapters.HTTPAdapter.send', fake_send))
52+ urlfetch('http://example.com/')
53+ self.assertEqual('/path/to/certs', fake_send.calls[0][1]['verify'])
54+
55 def test_urlfetch_does_not_support_ftp_urls_by_default(self):
56 """urlfetch() does not support ftp urls by default."""
57 url = 'ftp://localhost/'
58
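Review bot: Both new tests call `urlfetch('http://example.com/')`, a plain HTTP URL, so they only show that `verify` is forwarded to the patched `HTTPAdapter.send`; an `https://` URL would match what the option is for. The docstring of `test_urlfetch_no_ca_certificates` says "is None" while the test pushes the string 'none', so it is worth rewording to match. A third test that supplies its own `verify` in the request kwargs would pin down which value wins when both the caller and the config set one.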
59=== modified file 'lib/lp/services/timeout.py'
60--- lib/lp/services/timeout.py 2019-06-14 14:26:30 +0000
61+++ lib/lp/services/timeout.py 2019-06-18 17:35:58 +0000
62@@ -378,6 +378,9 @@
63 request_kwargs["proxies"]["ftp"] = config.launchpad.http_proxy
64 if output_file is not None:
65 request_kwargs["stream"] = True
66+ if config.launchpad.ca_certificates_path is not None:
67+ request_kwargs.setdefault(
68+ "verify", config.launchpad.ca_certificates_path)
69 response = self.session.request(url=url, **request_kwargs)
70 raise_for_status_redacted(response)
71 if output_file is None:
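Review bot: `request_kwargs.setdefault("verify", ...)` only fills in the configured bundle when the caller has not already passed `verify`, so a caller passing `verify=False` or its own path bypasses the configured trust store, and nothing in the hunk says this is intended. If the setting is meant as a default, add a short comment saying so; if it is meant to govern all outbound fetches, assign it explicitly rather than through `setdefault`. The `is not None` check also depends on the config layer converting the string `none` to `None`, which deserves a brief mention in that comment.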