[Pulp-list] Custom list of CA certificates for pulp-cli

Konstantin M. Khankin khankin.konstantin at gmail.com
Fri Nov 26 17:07:13 UTC 2021


Hello!

Today I got unpleasantly surprised about the inability to change the list
of CA certificates pulp-cli uses to verify SSL connections. Pulp-cli uses
the requests library, so I expected to be able to just
specify the REQUESTS_CA_BUNDLE envvar and be happy. However, this did not work.
So I added some print_tb() here and there and saw this:

...
  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/python/content.py", line 88, in upload
    artifact_href = PulpArtifactContext(pulp_ctx).upload(file, chunk_size)
  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/core/context.py", line 43, in upload
    result = self.list(limit=1, offset=0, parameters={"sha256": sha256_digest})
  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py", line 436, in list
    result: Dict[str, Any] = self.pulp_ctx.call(self.LIST_ID, parameters=payload)
  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py", line 134, in call
    result = self.api.call(operation_id, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/openapi.py", line 263, in call
    response: requests.Response = self._session.send(request)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 657, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 420, in send
    self.cert_verify(conn, request.url, verify, cert)
...

pulpcore/cli/common/openapi.py
<https://github.com/pulp/pulp-cli/blob/main/pulpcore/cli/common/openapi.py#L265>
calls requests.Session.send()
<https://github.com/psf/requests/blob/99b3b492418d0751ca960178d274f89805095e4c/requests/sessions.py#L613>.
This works, but it means merge_environment_settings
<https://github.com/psf/requests/blob/99b3b492418d0751ca960178d274f89805095e4c/requests/sessions.py#L519>
is not called, because it is in request() (which later calls send()). This
means the envvar is not applied.

I tried to abuse Python's dynamic typing and change the value of the
verify_ssl flag to what I'd put into the envvar, but click is smart enough
to catch this :(

I found the FR <https://github.com/pulp/pulp-cli/issues/95> to support
custom CA certificates. It may be that this FR is as easy as changing
send() to request(), allowing users to use an already existing mechanism
from the requests library.

Is there something which I missed?

Thanks!

-- 
Konstantin Khankin