Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
|
|
the rationale here is that, in debian, certifi will always return a
working platform trust, since the package points to the system
certificates. in osx and windows, certifi will load an usable trustRoot
that is kept up to date.
another detail we didn't like about the heuristic is that the bundled
certificate for testing will eventually expire, so that introduces the
duty of keeping it up-to-date.
|
|
With the merge of platformTrust in twisted, the situation for cert chain
verification in linux improved a lot.
This patch implements fallbacks to do the following:
- Try to use whatever trust sources are found in the system. This means
that if ca-certificates is installed, pyopenssl will have a valid set of
root certificates and verification will likely work (twisted uses
platformTrust for this).
- If that fails, try to use certifi. We could/should depend on that from
now on, *but* it's not packaged before stretch.
- So, I'm not deprecating its usage right now, but this one should be
the last cacert.pem bundle that we ship with leap.common.
- If the cacert.pem from leap.common fails to be found, well, there's
nothing you can do. Your TOFU attempt with a cert coming from the
CArtel will fail.
Most of this MR should be sent as a patch upstream, see https://twistedmatrix.com/trac/ticket/6934
Also related: https://twistedmatrix.com/trac/ticket/9209
I think proper testing will depend on merging https://github.com/pyca/pyopenssl/pull/473
- Resolves: #8958
- Release: 0.6.0
|
|
|
|
|
|
|
|
This commit is required for `soledad` tests re-collection.
Signed-off-by: Ruben Pollan <meskio@sindominio.net>
|
|
|
|
This commit removes the dep introduced in 5e12233 by just importing some tiny
bit of dirspec code.
The previous change was introduced because:
* pyxdg did not account for Mac OS specifics, i.e. using ~/Library/
directory structure instead of .config (see:
https://leap.se/code/issues/3574).
* dirspec does the correct thing for xdg on Mac OS.
* u1db depends on dirspec anyway.
The problem is that dirspec is not maintained and published on pypi, what
forces us to download it from an URL and add exceptions to be able to pip
install it.
As we are removing dependence on u1db on other modules, we can also remove it
here. To workaround the Mac OS problem, we just add some code from dirspec to
ensure we get the correct directory on Mac OS.
|
|
|
|
|
|
|
|
|
|
otherwise the context.term() does not return
|
|
ad-hoc register/trigger mechanism used for service composition.
to be used in bitmask.core and bitmask.bonafide in the first place.
|
|
|
|
|
|
We don't really need a thread to make use of the ZAP authenticator.
Document bug fix after authenticator thread is gone
|
|
1. refactor the zmq_connect/bind methods to use the txzmq addEndpoints
mechanism, which cleans up the code a bit. it uses the underlying
bindOrConnect method.
2. wrap the addEndpoints call in a helper function that ensures that
doRead is called afterward.
I'm not fully comfortable with us still using the AuthenticatorThread, I
believe we could go witha txzmq-based authenticator for curve.
|
|
|
|
Always use tcp channels and disable curve encryption on the zmq
connections.
- Closes: #7899, #7239
- Related: #7919
|
|
Reorder blocks of events, and comment about which user-specific info
it's being emitted with them.
|
|
|
|
|
|
- See https://leap.se/code/issues/7536
- Actual root cause not identified yet
|
|
|
|
-Resolves: #7524
|
|
Since we need to write a file we have to consider whether we are
running in 'standalone' mode or not to use the right path prefix.
- Related: #7512
|
|
|
|
- Breaks tests in dependent repos like soledad otherwise,
because server.key could not be found
|
|
to make simpler the import of the tx client
- Related: #7274
|
|
|
|
|
|
In case the http client loses connection, it has to clear
it's timeout or the reactor will be left in a dirty state
Fixing this solves a problem with some of the tests in Soledad
that were trying to run on a dirty reactor
|
|
Since register and unregister cant be used without full zmq initialization,
it should make sense to also check flag for them.
|
|
Checking was done inside of emit method. Doing on emit function at
a module level makes it cleaner with less lines inside of check.
|
|
Test client will only start with flag set to True.
Change EventsGenericClientTestCase to set the flag on the
first line of setUp.
|
|
Change EventsClientThread behavior so it won't start anymore if
the events flag is set to False
|
|
|
|
|
|
|
|
The events tests check for register and emit signals,
but because the flag set_events_enabled was False by
default in the tests, no signals were being emitted.
I added the flag to the setUp and tearDown of the tests,
they are still very slow but at least they are passing now
|
|
Two test cases were broken and were implemented here:
The first was that HTTPClient should share the connection between
clients if a pool was not passed explicitly. If you initialize an
HTTPClient without a pool, it will reuse a pool created on the class.
The second was that you should be able to pass to the HTTPCLient a pool
on initialization. Added that possibility and fixed the tests accordingly
|
|
|
|
|
|
The events ioloop client is not completelly thread safe, so we have to use
reactor.callFromThread whenever we need it to be thread-safe. Examples of this
behaviour are the events ioloop client tests that depend on the firing of
deferreds, which are not thread safe. This commit fixes tese tests.
|