Story #6432
closed
[SDKs] PySDK supports Red Hat system CA certs
100%
Description
Right now the Python SDK knows how to find and use the Debian system CA certs file (/etc/ssl/certs/ca-certificates.crt) in places where libraries try to use old certs. This path doesn't exist on Red Hat, so the SDK can't verify the certs of Curoverse clusters. In all the places where we use the Debian CA certs, search for the Red Hat CA certs, and use them if available.
Updated by Brett Smith over 9 years ago
6432-pysdk-more-ca-certs-wip is up for review.
I thought about whether it made any sense to write a test, and ultimately decided against it. The point of the function is to introspect and report on the current state of the system. The only way to ensure that the results are wholly correct is to do the same introspection and assert that the function returned the expected result.
I thought about writing a test like, "Check if we're on Debian or Red Hat, or one of its derivatives. If so, assert that the result does not equal httplib2.CA_CERTS. Otherwise, assert that it does equal httplib2.CA_CERTS." However, this seemed only marginally better than the above approach.
What we really care about is that we can verify the cert of the API server we're connecting to, like Curoverse Cloud clusters. That's ultimately a system deployment question rather than a code question, so QA needs to be handled at that level, I think.
Updated by Ward Vandewege over 9 years ago
reviewing 6432-pysdk-more-ca-certs-wip at 798218c8505a784877251e2424d39c8204895e20
Code looks good, tests pass, LGTM.
Updated by Brett Smith over 9 years ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|commit:416a99c2039e879cefc67dd0764b8544ef6c2d53.