launchpad-reviewers team mailing list archive

[Merge] lp:~cjwatson/launchpad/unverified-salesforce-proxy into lp:launchpad

 

Colin Watson has proposed merging lp:~cjwatson/launchpad/unverified-salesforce-proxy into lp:launchpad.

Commit message:
Disable TLS certificate verification for the Salesforce proxy.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #1688361 in Launchpad itself: "Salesforce voucher checks fail after upgrade to xenial"
  https://bugs.launchpad.net/launchpad/+bug/1688361

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/unverified-salesforce-proxy/+merge/323661

The proxy is currently running off a self-signed certificate, so xenial's Python dislikes it by default.  We should probably sort out the certificate situation at some point, but there are better things to do than to try to tidy up canonical-sfi.

Automatic testing is awkward, but I've tested this manually by SSH-forwarding to niobium.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/unverified-salesforce-proxy into lp:launchpad.
=== modified file 'lib/lp/services/salesforce/proxy.py'
--- lib/lp/services/salesforce/proxy.py	2015-10-14 15:22:01 +0000
+++ lib/lp/services/salesforce/proxy.py	2017-05-05 12:20:17 +0000
@@ -1,4 +1,4 @@
-# Copyright 2009-2010 Canonical Ltd.  This software is licensed under the
+# Copyright 2009-2017 Canonical Ltd.  This software is licensed under the
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
 """Utilities for accessing the external Salesforce proxy."""
@@ -11,7 +11,7 @@
     'Voucher',
     ]
 
-
+import ssl
 from xmlrpclib import (
     Fault,
     ServerProxy,
@@ -91,8 +91,17 @@
 class SalesforceVoucherProxy:
 
     def __init__(self):
+        # XXX cjwatson 2017-05-05: The proxy currently only has a
+        # self-signed certificate.  Until that's fixed, don't bother
+        # checking it.  This can be simplified once everything is on Python
+        # >= 2.7.9 so that ssl.SSLContext is always available.
+        kwargs = {}
+        if hasattr(ssl, "SSLContext"):
+            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
+            kwargs["context"] = context
         self.xmlrpc_transport = SafeTransportWithTimeout(
-            config.commercial.voucher_proxy_timeout / 1000.0)
+            timeout=config.commercial.voucher_proxy_timeout / 1000.0, **kwargs)
 
     @cachedproperty
     def url(self):
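Review bot: In `__init__`, `ssl.SSLContext(ssl.PROTOCOL_SSLv23)` turns verification off only implicitly, because a directly constructed context defaults to `verify_mode = ssl.CERT_NONE` with `check_hostname` off; nothing in the code states that, and the only hint is the XXX comment. Please set `context.verify_mode = ssl.CERT_NONE` and `context.check_hostname = False` explicitly so the intent is visible and does not change silently if this is later rewritten around `ssl.create_default_context()`. Since the proxy's certificate is self-signed but known, an alternative that keeps the channel authenticated is to load that certificate with `context.load_verify_locations(...)` and set `verify_mode = ssl.CERT_REQUIRED`; as written, the voucher connection accepts any certificate from whoever answers at that address. The bypass is also unconditional, so consider gating it behind a config key alongside `voucher_proxy_timeout`, and reference Bug #1688361 in the XXX comment so the workaround can be found and removed once the certificate is fixed.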

=== modified file 'lib/lp/services/timeout.py'
--- lib/lp/services/timeout.py	2016-12-22 16:32:38 +0000
+++ lib/lp/services/timeout.py	2017-05-05 12:20:17 +0000
@@ -1,4 +1,4 @@
-# Copyright 2009-2016 Canonical Ltd.  This software is licensed under the
+# Copyright 2009-2017 Canonical Ltd.  This software is licensed under the
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
 """Helpers to time out external operations."""
@@ -343,9 +343,9 @@
 
     timeout = None
 
-    def __init__(self, timeout=None):
+    def __init__(self, timeout=None, **kwargs):
         # Old style class call to super required.
-        SafeTransport.__init__(self)
+        SafeTransport.__init__(self, **kwargs)
         self.timeout = timeout
 
     def make_connection(self, host):
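Review bot: `**kwargs` in `SafeTransportWithTimeout.__init__` is forwarded to `SafeTransport.__init__` unfiltered and undocumented, so the constructor now accepts whatever the base class does and a misspelled keyword fails inside the base class rather than here. The only caller in this patch passes `context`, so an explicit `context=None` parameter (forwarded only when it is not None, to keep older Pythons working) plus a one-line comment would make the security-relevant option visible in the signature.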

