On 2016-01-14 13:34, Christian Heimes wrote: > The PKIConnection class uses python-requests for HTTPS. The library > picks up several settings from environment variables, e.g. HTTP proxy > server, certificate bundle with trust anchors and authentication. A > proxy can interfere with the Dogtag installer and cause some operations > to fail. > > With session.trust_env = False python-requests no longer inspects the > environment and Dogtag has full control over its connection settings. > > https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env > > https://fedorahosted.org/pki/ticket/1733 > https://fedorahosted.org/freeipa/ticket/5555
Endi suggested keeping the default and only disabling trust_env in the installer. Here is an updated patch. Christian
From f6e5698ea114c30bd25bf8244a3b22de598eb83b Mon Sep 17 00:00:00 2001
From: Christian Heimes <[email protected]>
Date: Thu, 14 Jan 2016 13:22:33 +0100
Subject: [PATCH] Don't use settings like HTTP proxy from env vars during installation

The PKIConnection class uses python-requests for HTTPS. The library picks up several settings from environment variables, e.g. HTTP proxy server, certificate bundle with trust anchors and authentication. A proxy can interfere with the Dogtag installer and cause some operations to fail. With session.trust_env = False python-requests no longer inspects the environment and Dogtag has full controll over its connection settings. For backward compatibility reasons trust_env is only disabled during installation and removal of Dogtag.
https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555
---
 base/common/python/pki/client.py | 7 ++++++-
 base/server/python/pki/server/deployment/pkihelper.py | 9 ++++++---
 base/server/python/pki/server/deployment/pkiparser.py | 6 ++++--
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
index 581f0b0ad1c42874ec4505eebb214071725f2c53..e0e71b5163af62b57792b662caff29c5da095e25 100644
--- a/base/common/python/pki/client.py
+++ b/base/common/python/pki/client.py
@@ -51,7 +51,8 @@ class PKIConnection:
 """
 def __init__(self, protocol='http', hostname='localhost', port='8080',
- subsystem='ca', accept='application/json'):
+ subsystem='ca', accept='application/json',
+ trust_env=None):
 """
 Set the parameters for a python-requests based connection to a Dogtag subsystem.
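Review bot: The `trust_env=None` default added to `__init__` here is stored unchanged on the session in the @@ -79 hunk (`self.session.trust_env = trust_env`), and requests only tests that attribute for truth, so `None` switches environment lookup off for every existing caller — the opposite of the `(default: yes)` documented in the @@ -66 hunk and of the backward-compatibility goal stated in the commit message. Either default to the library's own value, `trust_env=True`, or guard the assignment: `if trust_env is not None:` / `    self.session.trust_env = trust_env`. The docstring should then say which of the two applies, e.g. `:param trust_env: use environment variables for http proxy and other requests settings; None keeps the requests default (True)`. The body of `__init__` continues outside these hunks.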
@@ -66,6 +67,9 @@ class PKIConnection:
 :param accept: value of accept header. Supported values are usually 'application/json' or 'application/xml'
 :type accept: str
+ :param trust_env: use environment variables for http proxy and other
+ requests settings (default: yes)
+ :type trust_env: bool, None
 :return: PKIConnection object.
 """
@@ -79,6 +83,7 @@ class PKIConnection:
 self.subsystem
 self.session = requests.Session()
+ self.session.trust_env = trust_env
 if accept:
 self.session.headers.update({'Accept': accept})
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 7a1a8c7d145628313868b614123977165b9015bf..85c5e0ba069070e911271e7ac9450f17abd40a8d 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1084,7 +1084,8 @@ class Instance:
 hostname=self.mdict['pki_hostname'],
 port=self.mdict['pki_https_port'],
 subsystem=self.mdict['pki_subsystem_type'],
- accept='application/xml')
+ accept='application/xml',
+ trust_env=False)

 # catching all exceptions because we do not want to break if underlying
 # requests or urllib3 use a different exception.
@@ -3027,7 +3028,8 @@ class KRAConnector:
 protocol='https',
 hostname=sechost,
 port=secport,
- subsystem='ca')
+ subsystem='ca',
+ trust_env=False)
 sd = pki.system.SecurityDomainClient(sd_connection)
 try:
 info = sd.get_security_domain_info()
@@ -3793,7 +3795,8 @@ class ConfigClient:
 protocol='https',
 hostname=self.mdict['pki_hostname'],
 port=self.mdict['pki_https_port'],
- subsystem=self.mdict['pki_subsystem_type'])
+ subsystem=self.mdict['pki_subsystem_type'],
+ trust_env=False)

 try:
 client = pki.system.SystemConfigClient(connection)
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index d2b37d0622b4131a5737f77571adfb3e5fc7b94e..f533aee4648867250ac8c639deae051bd70516e9 100644
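Review bot: Each of these call sites passes `trust_env=False` with no comment on why, and the same edit recurs in the @@ -3027 and @@ -3793 hunks of this file and in the @@ -479 and @@ -546 hunks of pkiparser.py; a one-line comment at each site would stop the next maintainer from "fixing" it back, e.g. `# installer connections must not pick up proxy, CA-bundle or .netrc settings from the environment (pki ticket 1733)`. Note also that, as the commit message says, the environment settings now ignored include the certificate bundle, so if any of these https connections relies on REQUESTS_CA_BUNDLE for verification it will now need an explicit `verify=` argument, which the patched PKIConnection does not expose; worth confirming against how verification is configured for these connections. The enclosing methods start and end outside the hunks.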
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -479,7 +479,8 @@ class PKIConfigParser:
 protocol='https',
 hostname=self.mdict['pki_security_domain_hostname'],
 port=self.mdict['pki_security_domain_https_port'],
- subsystem='ca')
+ subsystem='ca',
+ trust_env=False)

 def sd_get_info(self):
 sd = pki.system.SecurityDomainClient(self.sd_connection)
@@ -546,7 +547,8 @@ class PKIConfigParser:
 protocol=parse.scheme,
 hostname=parse.hostname,
 port=str(parse.port),
- subsystem=system_type)
+ subsystem=system_type,
+ trust_env=False)
 client = pki.system.SystemStatusClient(conn)
 response = client.get_status()
 root = ET.fromstring(response)
--
2.5.0
