Allow specifying the path to CA certificate bundle

The certificates are checked both by Gertty itself (for API calls) and
by the launched git processes. In theory, the server could be set up to
redirect to another HTTP server for Git calls (and in fact, KDE's
Gerrit instance is set up to do just that). In that case, the CA bundle
file should contain the PEM certificate chain of all the CAs for both Gerrit
and the webserver hosting the git repositories.

Change-Id: Id6af61c3710e4809c84b1edd054ab9b1959a60c3
Jan Kundrát 2014-10-22 22:18:56 +02:00
parent 9285a97f4a
commit 9e83aeb315
2 changed files with 14 additions and 2 deletions


@ -35,8 +35,12 @@ servers:
# The location of Gertty's sqlite database. If you have more than one
# server, you should specify a dburi for any additional servers.
# dburi: ~/.gertty.db
# If your Gerrit server has a self-signed cert (eg, a test server),
# you can set this value to false to turn of certificate validation.
# If your Gerrit server uses a non-standard certificate chain (e.g. on a test
# server), you can pass a full path to a bundle of CA certificates here:
# ssl-ca-path: ~/.pki/ca-chain.pem
# In case you do not care about security and want to use a sledgehammer
# approach to SSL, you can set this value to false to turn off certificate
# validation.
# verify-ssl: true
# By default Gertty logs errors to a file and truncates that file each
# time it starts (so that it does not grow without bound). If you
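Review bot: the new `ssl-ca-path` comment does not tell the user that the bundle is also handed to git, so when Gerrit redirects git operations to a different host (the case the commit message describes) the file must contain the chain for that host as well; suggest adding a line such as `# The bundle is used for both Gerrit API calls and git operations.` above the `ssl-ca-path` example. It would also help to state that `ssl-ca-path` is the option to reach for with a private or self-signed CA, and that `verify-ssl: false` below is only for the case where no bundle can be obtained.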


@ -42,6 +42,7 @@ class ConfigSchema(object):
v.Required('username'): str,
'password': str,
'verify-ssl': bool,
'ssl-ca-path': str,
'dburi': str,
v.Required('git-root'): str,
'log-file': str,
@ -142,6 +143,13 @@ class Config(object):
self.verify_ssl = server.get('verify-ssl', True)
if not self.verify_ssl:
os.environ['GIT_SSL_NO_VERIFY']='true'
self.ssl_ca_path = server.get('ssl-ca-path', None)
if self.ssl_ca_path is not None:
self.ssl_ca_path = os.path.expanduser(self.ssl_ca_path)
# Gertty itself uses the Requests library
os.environ['REQUESTS_CA_BUNDLE'] = self.ssl_ca_path
# And this is to allow Git callouts
os.environ['GIT_SSL_CAINFO'] = self.ssl_ca_path
self.git_root = os.path.expanduser(server['git-root'])
self.dburi = server.get('dburi',
'sqlite:///' + os.path.expanduser('~/.gertty.db'))
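Review bot: the new block exports `ssl-ca-path` without checking that the file exists or is readable, so a typo in the path only surfaces later as an opaque TLS failure from requests or git; suggest an `os.path.isfile` check right after the `expanduser` call that raises a clear configuration error naming the path. Also, when `verify-ssl` is false the code sets `GIT_SSL_NO_VERIFY` and then still sets `GIT_SSL_CAINFO` and `REQUESTS_CA_BUNDLE`; harmless, but skipping the bundle in that case would make the disabled state unambiguous. Worth a comment that both are process-wide environment variables, so they also apply to any other requests-based code or git subprocess Gertty starts, not just calls to this server.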