From 9e83aeb3151dce706b3770261f88a8c9d51b87d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Kundr=C3=A1t?=
Date: Wed, 22 Oct 2014 22:18:56 +0200
Subject: [PATCH] Allow specifying the path to CA certificate bundle

The certificates are checked both by Gertty itself (for API calls) and by the launched git processes. In theory, the server could be set up to redirect to another HTTP server for Git calls (and in fact, the KDE's Gerrit instance is set up to do just that). In that case, the CA bundle file should contain PEM certificate chain of all the CAs for both Gerrit and the webserver hosting the git repositories.

Change-Id: Id6af61c3710e4809c84b1edd054ab9b1959a60c3
---
 examples/reference-gertty.yaml | 8 ++++++--
 gertty/config.py | 8 ++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/examples/reference-gertty.yaml b/examples/reference-gertty.yaml
index e049793..6c4a2e6 100644
--- a/examples/reference-gertty.yaml
+++ b/examples/reference-gertty.yaml
@@ -35,8 +35,12 @@ servers:
 # The location of Gertty's sqlite database. If you have more than one
 # server, you should specify a dburi for any additional servers.
 # dburi: ~/.gertty.db
-# If your Gerrit server has a self-signed cert (eg, a test server),
-# you can set this value to false to turn of certificate validation.
+# If your Gerrit server uses a non-standard certificate chain (e.g. on a test
+# server), you can pass a full path to a bundle of CA certificates here:
+# ssl-ca-path: ~/.pki/ca-chain.pem
+# In case you do not care about security and want to use a sledgehammer
+# approach to SSL, you can set this value to false to turn off certificate
+# validation.
 # verify-ssl: true
 # By default Gertty logs errors to a file and truncates that file each
 # time it starts (so that it does not grow without bound). If you
diff --git a/gertty/config.py b/gertty/config.py
index e6a3338..4f51b71 100644
--- a/gertty/config.py
+++ b/gertty/config.py
@@ -42,6 +42,7 @@ class ConfigSchema(object):
         v.Required('username'): str,
         'password': str,
         'verify-ssl': bool,
+        'ssl-ca-path': str,
         'dburi': str,
         v.Required('git-root'): str,
         'log-file': str,
@@ -142,6 +143,13 @@ class Config(object):
         self.verify_ssl = server.get('verify-ssl', True)
         if not self.verify_ssl:
             os.environ['GIT_SSL_NO_VERIFY']='true'
+        self.ssl_ca_path = server.get('ssl-ca-path', None)
+        if self.ssl_ca_path is not None:
+            self.ssl_ca_path = os.path.expanduser(self.ssl_ca_path)
+            # Gertty itself uses the Requests library
+            os.environ['REQUESTS_CA_BUNDLE'] = self.ssl_ca_path
+            # And this is to allow Git callouts
+            os.environ['GIT_SSL_CAINFO'] = self.ssl_ca_path
         self.git_root = os.path.expanduser(server['git-root'])
         self.dburi = server.get('dburi', 'sqlite:///' + os.path.expanduser('~/.gertty.db'))
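Review bot: The new `ssl_ca_path` block exports whatever path the config supplies into `REQUESTS_CA_BUNDLE` and `GIT_SSL_CAINFO` without checking that the file exists, so a typo in `ssl-ca-path` only surfaces later as an opaque bundle-not-found error from Requests or from a git subprocess instead of at config load; right after the `os.path.expanduser` line I would add `if not os.path.isfile(self.ssl_ca_path): raise Exception('ssl-ca-path %r is not a readable file' % self.ssl_ca_path)`, using whichever configuration-error type this module already raises. Note also that when `verify-ssl` is false the `GIT_SSL_NO_VERIFY` export two lines above still disables git's certificate checking regardless of `GIT_SSL_CAINFO`, and whether Requests honours `REQUESTS_CA_BUNDLE` in that case depends on how `verify_ssl` is passed to its calls, which is outside this hunk; a one-line comment such as `# Has no effect for git (and presumably Requests) when verify-ssl is false` would stop readers assuming the bundle re-enables verification. The enclosing `Config` method starts and ends outside the hunk.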