From 19dabc0eda6ea5445abb93238e58c8e7880a40fc Mon Sep 17 00:00:00 2001
From: Ken Dreyer
Date: Fri, 7 Feb 2020 13:51:09 -0700
Subject: [PATCH] client: use default CA store during client auth if serverca is unset
Prior to this change, if the following conditions were true:
1) A Koji client uses SSL authentication,
2) The user does not set the "serverca" option for their profile,
3) The user does not have a "~/.koji/serverca.crt" file present,
Then Koji did not use the default CA store to validate the hub's CA. read_defaults() was setting the "serverca" value to an empty string "" in these cases. This led to an AuthError in ssl_login() for the empty string:
raise AuthError("Server CA %s doesn't exist or is not accessible" % serverca)
Update ssl_login() to ignore empty strings in this case, treating them the same as None. The code in _sendOneCall() already checks this value in a similar way, with "if verify:", so we're matching that behavior here. With this change, Koji clients will fall back to using the default CA store.
---
 koji/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/koji/__init__.py b/koji/__init__.py
index 4a4335f1..717f462a 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -2583,7 +2583,7 @@ class ClientSession(object):
 raise AuthError('No certification provided')
 if not os.access(cert, os.R_OK):
 raise AuthError("Certificate %s doesn't exist or is not accessible" % cert)
- if serverca is not None and not os.access(serverca, os.R_OK):
+ if serverca and not os.access(serverca, os.R_OK):
 raise AuthError("Server CA %s doesn't exist or is not accessible" % serverca)
 # FIXME: ca is not useful here and therefore ignored, can be removed
 # when API is changed
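Review bot: The truthiness test on `serverca` in ssl_login() now lets every falsy value skip the readability check, not only `None` and `""`, and nothing at the check says that a falsy value means "validate the hub against the default CA store". A short comment there would keep a later cleanup from restoring the `is not None` form, for example `# empty/None serverca: fall back to the default CA store (read_defaults() yields "")`. Because this fallback decides which CAs the client trusts for the hub, it is worth confirming that the code after this hunk hands the same falsy value to the transport in a way that keeps verification enabled; the commit message says _sendOneCall() tests `if verify:`, but that code is not visible here. ssl_login() begins and ends outside the hunk.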