client: use default CA store during client auth if serverca is unset

Prior to this change, if the following conditions were true:

1) A Koji client uses SSL authentication,
2) The user does not set the "serverca" option for their profile,
3) The user does not have a "~/.koji/serverca.crt" file present,

Then Koji did not use the default CA store to validate the hub's CA.
read_defaults() was setting the "serverca" value to an empty string ""
in these cases. This led to an AuthError in ssl_login() for the empty
string:

  raise AuthError("Server CA %s doesn't exist or is not accessible" % serverca)

Update ssl_login() to ignore empty strings in this case, treating them
the same as None.

The code in _sendOneCall() already checks this value in a similar way,
with "if verify:", so we're matching that behavior here.

With this change, Koji clients will fall back to using the default CA
store.
This commit is contained in:
Ken Dreyer 2020-02-07 13:51:09 -07:00 committed by Tomas Kopecek
parent 714d2b25cd
commit 19dabc0eda

@ -2583,7 +2583,7 @@ class ClientSession(object):
raise AuthError('No certification provided')
if not os.access(cert, os.R_OK):
raise AuthError("Certificate %s doesn't exist or is not accessible" % cert)
if serverca is not None and not os.access(serverca, os.R_OK):
if serverca and not os.access(serverca, os.R_OK):
raise AuthError("Server CA %s doesn't exist or is not accessible" % serverca)
# FIXME: ca is not useful here and therefore ignored, can be removed
# when API is changed
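
Review bot: The changed condition `if serverca and not os.access(serverca, os.R_OK):` now lets every falsy value skip the existence check, and nothing next to the line says that this is intentional. The commit message explains that read_defaults() produces "" when the option is unset, so a one-line comment above the check, stating that "" and None both mean "fall back to the default CA store", would stop a later cleanup from restoring the `is not None` test. Because the fallback widens the set of trusted CAs from one configured file to the whole default store, a debug log line when serverca is empty would help an operator who expected a private CA to be enforced. A unit test that calls ssl_login() with serverca="" and with serverca=None and asserts that no AuthError is raised would pin the behaviour. Separately, the context line `raise AuthError('No certification provided')` probably means "certificate"; that can be fixed in a follow-up.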