Rev 6260: Create a specific test permutation for urllib https so we can inject our test ca certs. The wiring in _urllib2_wrappers is a bit hackish and it will need to use auth instead so different certs can be used for proxies and real servers but this could wait until authentication.conf is migrated to the config stacks. With this change in place, all https tests pass without the need to create a dedicated GlobalStore. in file:///home/vila/src/bzr/reviews/urllib-verifies-ssl-certs/
Vincent Ladeuil
v.ladeuil+lp at free.fr
Fri Jan 20 09:19:14 UTC 2012
At file:///home/vila/src/bzr/reviews/urllib-verifies-ssl-certs/
------------------------------------------------------------
revno: 6260
revision-id: v.ladeuil+lp at free.fr-20120120091914-ewiyhwbs9on1fuvk
parent: v.ladeuil+lp at free.fr-20120119171427-xhxthhw3mtz35hpf
committer: Vincent Ladeuil <v.ladeuil+lp at free.fr>
branch nick: urllib-verifies-ssl-certs
timestamp: Fri 2012-01-20 10:19:14 +0100
message:
Create a specific test permutation for urllib https so we can inject our test ca certs. The wiring in _urllib2_wrappers is a bit hackish and it will need to use auth instead so different certs can be used for proxies and real servers but this could wait until authentication.conf is migrated to the config stacks. With this change in place, all https tests pass without the need to create a dedicated GlobalStore.
-------------- next part --------------
=== modified file 'bzrlib/transport/http/_urllib.py'
--- a/bzrlib/transport/http/_urllib.py 2011-12-18 15:28:38 +0000
+++ b/bzrlib/transport/http/_urllib.py 2012-01-20 09:19:14 +0000
@@ -38,14 +38,14 @@
_opener_class = Opener
- def __init__(self, base, _from_transport=None):
+ def __init__(self, base, _from_transport=None, ca_certs=None):
super(HttpTransport_urllib, self).__init__(
base, 'urllib', _from_transport=_from_transport)
if _from_transport is not None:
self._opener = _from_transport._opener
else:
self._opener = self._opener_class(
- report_activity=self._report_activity)
+ report_activity=self._report_activity, ca_certs=ca_certs)
def _perform(self, request):
"""Send the request to the server and handles common errors.
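Review bot: The new `ca_certs` argument to `__init__` is silently dropped whenever `_from_transport` is given, because that branch reuses `_from_transport._opener` and never looks at `ca_certs`. A caller who clones a transport and passes a different bundle gets the parent's trust anchors with no indication. That is probably intended for connection sharing, but it should be stated, for example with `# ca_certs only applies when a new opener is built; a cloned transport keeps its parent's opener and CA bundle.` above the `if _from_transport is not None:` line. The parameter is also not described in any docstring visible in this hunk.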
@@ -175,7 +175,18 @@
)
permutations = [(HttpTransport_urllib, http_server.HttpServer_urllib),]
if features.HTTPSServerFeature.available():
- from bzrlib.tests import https_server
- permutations.append((HttpTransport_urllib,
+ from bzrlib.tests import (
+ https_server,
+ ssl_certs,
+ )
+
+ class HTTPS_urllib_transport(HttpTransport_urllib):
+
+ def __init__(self, base, _from_transport=None):
+ super(HTTPS_urllib_transport, self).__init__(
+ base, _from_transport=_from_transport,
+ ca_certs=ssl_certs.build_path('ca.crt'))
+
+ permutations.append((HTTPS_urllib_transport,
https_server.HTTPSServer_urllib))
return permutations
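Review bot: `HTTPS_urllib_transport` has no docstring, and it is the one place where trust is pinned to the test suite's `ca.crt` via `ssl_certs.build_path('ca.crt')`. Because it lives in the production transport module rather than under `bzrlib.tests`, a reader should be told it is test-only. I would add `"""Test-only transport that trusts the CA shipped with bzrlib.tests; never register it for real use."""` under the class line. The enclosing function starts outside the hunk, so I cannot see whether anything else there already documents this.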
=== modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
--- a/bzrlib/transport/http/_urllib2_wrappers.py 2012-01-19 17:14:27 +0000
+++ b/bzrlib/transport/http/_urllib2_wrappers.py 2012-01-20 09:19:14 +0000
@@ -122,7 +122,7 @@
Whether to require a certificate from the remote side. (default:required)
Possible values:
- * none: certificates ignored
+ * none: Certificates ignored
* optional: Certificates not required, but validated if provided
* required: Certificates required, and validated
""")
@@ -356,11 +356,12 @@
# XXX: Needs refactoring at the caller level.
def __init__(self, host, port=None, proxied_host=None,
- report_activity=None):
+ report_activity=None, ca_certs=None):
AbstractHTTPConnection.__init__(self, report_activity=report_activity)
# Use strict=True since we don't support HTTP/0.9
httplib.HTTPConnection.__init__(self, host, port, strict=True)
self.proxied_host = proxied_host
+ # ca_certs is ignored, it's only relevant for https
def connect(self):
if 'http' in debug.debug_flags:
@@ -428,12 +429,13 @@
def __init__(self, host, port=None, key_file=None, cert_file=None,
proxied_host=None,
- report_activity=None):
+ report_activity=None, ca_certs=None):
AbstractHTTPConnection.__init__(self, report_activity=report_activity)
# Use strict=True since we don't support HTTP/0.9
httplib.HTTPSConnection.__init__(self, host, port,
key_file, cert_file, strict=True)
self.proxied_host = proxied_host
+ self.ca_certs = ca_certs
def connect(self):
if 'http' in debug.debug_flags:
@@ -446,7 +448,10 @@
def connect_to_origin(self):
# FIXME JRV 2011-12-18: Use location config here?
config_stack = config.GlobalStack()
- ca_certs = config_stack.get('ssl.ca_certs')
+ if self.ca_certs is None:
+ ca_certs = config_stack.get('ssl.ca_certs')
+ else:
+ ca_certs = self.ca_certs
cert_reqs = config_stack.get('ssl.cert_reqs')
if cert_reqs == ssl.CERT_NONE:
trace.warning("not checking SSL certificates for %s: %d",
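Review bot: In `connect_to_origin` a non-None `self.ca_certs` replaces the user's configured `ssl.ca_certs` without leaving any trace, while `cert_reqs` is still read from the config stack. Since `ca_certs` is reachable from the public `HttpTransport_urllib.__init__`, the precedence deserves a comment on the `else:` branch, such as `# An explicit ca_certs overrides the user's ssl.ca_certs trust store; only tests are expected to pass it.` It would also help diagnosis to log the override under the existing `'http'` debug flag, for example `trace.mutter('using caller-supplied ca_certs: %s', ca_certs)`. The function body continues past the end of this hunk, so how `ca_certs` is finally used is not visible here.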
@@ -580,8 +585,9 @@
handler_order = 1000 # after all pre-processings
- def __init__(self, report_activity=None):
+ def __init__(self, report_activity=None, ca_certs=None):
self._report_activity = report_activity
+ self.ca_certs = ca_certs
def create_connection(self, request, http_connection_class):
host = request.get_host()
@@ -595,7 +601,8 @@
try:
connection = http_connection_class(
host, proxied_host=request.proxied_host,
- report_activity=self._report_activity)
+ report_activity=self._report_activity,
+ ca_certs=self.ca_certs)
except httplib.InvalidURL, exception:
# There is only one occurrence of InvalidURL in httplib
raise errors.InvalidURL(request.get_full_url(),
@@ -1788,9 +1795,10 @@
connection=ConnectionHandler,
redirect=HTTPRedirectHandler,
error=HTTPErrorProcessor,
- report_activity=None):
+ report_activity=None,
+ ca_certs=None):
self._opener = urllib2.build_opener(
- connection(report_activity=report_activity),
+ connection(report_activity=report_activity, ca_certs=ca_certs),
redirect, error,
ProxyHandler(),
HTTPBasicAuthHandler(),