Add support for providing custom Certificate Authority bundle file #670

Open
wants to merge 3 commits into
base: master

thomasleveil commented Jun 11, 2019

Motivation

In its current state, Cabot HTTP checks with SSL validation rely on the Python requests module to handle the SSL validation part.

When it comes to validating the server certificate chain, the requests module must know the CA certificate used to sign the presented server certificate. When one wants to use Cabot to check an HTTPS server presenting a server certificate signed by a self-signed CA certificate, we need a means to provide Cabot (and its requests module) with a CA bundle file containing our own certificate.

The Python requests module does not use the OS CA certificates store; instead it uses its own bundle provided by the Python Certifi module.

Changes

This PR introduces a new optional environment variable: CABOT_HTTP_CHECK_CA_BUNDLE which can be used to specify the path of a custom CA cert bundle file.

CABOT_HTTP_CHECK_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Thomas LEVEIL added 3 commits June 7, 2019 15:03
their own root certificate bundle file

By default the requests module uses the bundle provided by the Certifi
module https://certifi.io/en/latest/

codecov bot commented Jun 11, 2019

Codecov Report

❗ No coverage uploaded for pull request base (master@56cfed4).
The diff coverage is 44.44%.

@@            Coverage Diff            @@
##             master     #670   +/-   ##
=========================================
  Coverage          ?   80.79%           
=========================================
  Files             ?       46           
  Lines             ?     2963           
  Branches          ?      181           
=========================================
  Hits              ?     2394           
  Misses            ?      509           
  Partials          ?       60

| Impacted Files | Coverage Δ |
|---|---|
| cabot/settings.py | 68.42% <ø> (ø) |
| cabot/cabotapp/views.py | 70.89% <ø> (ø) |
| cabot/cabot_config.py | 100% <100%> (ø) |
| cabot/cabotapp/tasks.py | 61.66% <100%> (ø) |
| cabot/cabotapp/models/base.py | 78.87% <28.57%> (ø) |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 56cfed4...7c88832.

JeanFred (Contributor)

https://2.python-requests.org/en/master/api/

> verify – (optional) Either a boolean, in which case it controls whether we verify the server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. Defaults to True.
Never knew this could be a boolean or a string… Learnt smth today :)

JeanFred left a comment

LGTM, thanks!
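
An added example, not part of this PR or of Cabot's code: one way to map `CABOT_HTTP_CHECK_CA_BUNDLE` onto the boolean-or-path `verify` argument quoted above, failing closed when the configured bundle cannot be loaded. `resolve_verify`, `CABundleError` and the `verify_enabled` flag are hypothetical names, and treating an empty variable as unset is an assumption.

```python
import os
import ssl

ENV_VAR = "CABOT_HTTP_CHECK_CA_BUNDLE"  # variable name introduced by this PR


class CABundleError(ValueError):
    """Hypothetical error: the configured CA bundle cannot be used."""


def resolve_verify(verify_enabled, environ=None):
    """Return the value to pass as requests' ``verify=`` argument.

    False -> the check has certificate validation switched off
    str   -> path taken from CABOT_HTTP_CHECK_CA_BUNDLE; requests then trusts
             only the CAs in that file, it does not add them to certifi's
    True  -> variable unset: requests uses the certifi bundle
    """
    environ = os.environ if environ is None else environ
    if not verify_enabled:
        return False
    path = environ.get(ENV_VAR, "").strip()
    if not path:  # assumption: an empty value means "not configured"
        return True
    # Fail closed: a missing or unparsable bundle raises here instead of
    # surfacing later as a failed check or tempting a switch to verify=False.
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError and FileNotFoundError are OSErrors
        raise CABundleError(
            "%s=%r is not a usable CA bundle: %s" % (ENV_VAR, path, exc)
        ) from exc
    return path


# Typical call site (requests is not imported here so the block runs offline):
#   requests.get(url, verify=resolve_verify(check_wants_tls_validation))
```
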
