[Pulp-list] Custom list of CA certificates for pulp-cli

Konstantin M. Khankin khankin.konstantin at gmail.com
Fri Nov 26 20:04:34 UTC 2021 

Yes, it works. Thank you!

пт, 26 нояб. 2021 г. в 20:59, Matthias Dellweg <mdellweg at redhat.com>:

> Can you please verify that this change solves your problem:
> https://github.com/pulp/pulp-cli/pull/434
>
> Thank you!
>
> On Fri, Nov 26, 2021 at 6:09 PM Konstantin M. Khankin
> <khankin.konstantin at gmail.com> wrote:
> >
> > Hello!
> >
> > Today I got unpleasantly surprised about the inability to change the
> list of CA certificates pulp-cli uses to verify SSL connections. Pulp-cli
> uses the requests library, so I expected to be able to just specify
> REQUESTS_CA_BUNDLE envvar and be happy. However, this did not work. So I
> added some print_tb() here and there and saw this:
> >
> > ...
> >   File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/python/content.py",
> line 88, in upload
> >     artifact_href = PulpArtifactContext(pulp_ctx).upload(file,
> chunk_size)
> >   File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/core/context.py", line
> 43, in upload
> >     result = self.list(limit=1, offset=0, parameters={"sha256":
> sha256_digest})
> >   File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py",
> line 436, in list
> >     result: Dict[str, Any] = self.pulp_ctx.call(self.LIST_ID,
> parameters=payload)
> >   File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py",
> line 134, in call
> >     result = self.api.call(operation_id, *args, **kwargs)
> >   File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/openapi.py",
> line 263, in call
> >     response: requests.Response = self._session.send(request)
> >   File "/usr/local/lib/python3.6/site-packages/requests/sessions.py",
> line 657, in send
> >     r = adapter.send(request, **kwargs)
> >   File "/usr/local/lib/python3.6/site-packages/requests/adapters.py",
> line 420, in send
> >     self.cert_verify(conn, request.url, verify, cert)
> > ...
> >
> > pulpcore/cli/common/openapi.py calls requests.Session.send(). This
> works, but it means merge_environment_settings is not called, because it is
> in request() (which later calls send()). This means envvar is not applied.
> >
> > I tried to abuse Python's dynamic typing and change the value of the
> verify_ssl flag to what I'd put into the envvar, but click is smart enough
> to catch this :(
> >
> > I found the FR to support custom CA certificates. It may be that this FR
> is as easy as changing send() to request(), allowing users to use an
> already existing mechanism from the requests library.
> >
> > Is there something which I missed?
> >
> > Thanks!
> >
> > --
> > Konstantin Khankin
> > _______________________________________________
> > Pulp-list mailing list
> > Pulp-list at redhat.com
> > https://listman.redhat.com/mailman/listinfo/pulp-list
>
>

-- 
Ханкин Константин
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pulp-list/attachments/20211126/12464294/attachment.htm>

More information about the Pulp-list mailing list