[PATCH 15/21] lookaside: Allow client-side and custom CA certificates
Mathieu Bridon
bochecha at fedoraproject.org
Wed May 6 11:53:11 UTC 2015
From: Mathieu Bridon <bochecha at daitauha.fr>
Some downstreams, most notably fedpkg, interact with a lookaside cache
which uses a self-signed certificate.
Some downstreams, still fedpkg, require an authentication for uploading
source files to the lookaside cache, based on a client-side certificate.
This commit makes it easier for these downstreams to reuse our
CGILookasideCache implementation.
All they need to do is define a cert_file and a ca_cert properties on
their pyrpkg.Commands subclass, and things are going to work
automatically.
And in fact, this is already what fedpkg does, so we're not breaking
anything.
---
src/pyrpkg/__init__.py | 26 +++++++++++++++++++++++++-
src/pyrpkg/lookaside.py | 12 +++++++++++-
2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/src/pyrpkg/__init__.py b/src/pyrpkg/__init__.py
index c98e3e6..6d818dd 100644
--- a/src/pyrpkg/__init__.py
+++ b/src/pyrpkg/__init__.py
@@ -179,7 +179,8 @@ class Commands(object):
helper object.
"""
return CGILookasideCache(
- self.lookasidehash, self.lookaside, self.lookaside_cgi)
+ self.lookasidehash, self.lookaside, self.lookaside_cgi,
+ client_cert=self.cert_file, ca_cert=self.ca_cert)
@property
def path(self):
@@ -748,6 +749,29 @@ class Commands(object):
def sources_filename(self):
return os.path.join(self.path, 'sources')
+ @property
+ def cert_file(self):
+ """A client-side certificate for SSL authentication
+
+ Downstream users of the pyrpkg API should override this property if
+ they actually need to use a client-side certificate.
+
+ This defaults to None, which means no client-side certificate is used.
+ """
+ return None
+
+ @property
+ def ca_cert(self):
+ """A CA certificate to authenticate the server in SSL connections
+
+ Downstream users of the pyrpkg API should override this property if
+ they actually need to use a CA certificate, usually because their
+ lookaside cache is using HTTPS with a self-signed certificate.
+
+ This defaults to None, which means the system CA bundle is used.
+ """
+ return None
+
# Define some helper functions, they start with _
def _create_curl(self):
"""
diff --git a/src/pyrpkg/lookaside.py b/src/pyrpkg/lookaside.py
index a1c17cb..e455c40 100644
--- a/src/pyrpkg/lookaside.py
+++ b/src/pyrpkg/lookaside.py
@@ -26,7 +26,8 @@ from .errors import DownloadError, InvalidHashType
class CGILookasideCache(object):
"""A class to interact with a CGI-based lookaside cache"""
- def __init__(self, hashtype, download_url, upload_url):
+ def __init__(self, hashtype, download_url, upload_url,
+ client_cert=None, ca_cert=None):
"""Constructor
Args:
@@ -34,10 +35,19 @@ class CGILookasideCache(object):
download_url (str): The URL used to download source files.
upload_url (str): The URL of the CGI script called when uploading
source files.
+ client_cert (str, optional): The full path to the client-side
+ certificate to use for HTTPS authentication. It defaults to
+ None, in which case no client-side certificate is used.
+ ca_cert (str, optional): The full path to the CA certificate to
+ use for HTTPS connexions. (e.g if the server certificate is
+ self-signed. It defaults to None, in which case the system CA
+ bundle is used.
"""
self.hashtype = hashtype
self.download_url = download_url
self.upload_url = upload_url
+ self.client_cert = client_cert
+ self.ca_cert = ca_cert
self.log = logging.getLogger(__name__)
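Review bot: The `ca_cert` entry in the new Args docstring has a typo and an unclosed parenthesis: "connexions" should read "connections", and `(e.g if the server certificate is self-signed.` is never closed. Suggested wording: `use for HTTPS connections (e.g. if the server certificate is self-signed). It defaults to None, in which case the system CA bundle is used.` The rest of the constructor body continues outside the hunk.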
--
2.1.0