From e9d1a9c94e9b78aa9b3a1e4e3a44dce13164e2f1 Mon Sep 17 00:00:00 2001
From: Mike Graves
Date: Tue, 18 Sep 2018 14:29:57 -0400
Subject: [PATCH] Add missing Symplectic FTP cert
Symplectic's FTP server has a broken cert chain. After trying to get them to fix this it seems unlikely we'll have a solution in a timely manner. Packaging the missing cert and adding it to the verify chain seems like the least invasive, still reasonably secure way to fix it.
---
 build.sh | 1 +
 carbon/app.py | 12 ++++++++----
 comodo.pem | 35 +++++++++++++++++++++++++++++++++++
 lambda.py | 8 +++++++-
 4 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 comodo.pem
diff --git a/build.sh b/build.sh
index 75ec5b3..49e2445 100755
--- a/build.sh
+++ b/build.sh
@@ -19,6 +19,7 @@ aws s3 cp s3://$S3_BUCKET/$LIBAIO_SO $BUILD_DIR/lib/$LIBAIO_SO && \
 ln -rs $BUILD_DIR/lib/libaio.so.1 $BUILD_DIR/lib/libaio.so
 cp -r carbon $BUILD_DIR
 cp lambda.py $BUILD_DIR
+cp comodo.pem $BUILD_DIR
 pipenv lock -r > $BUILD_DIR/requirements.txt
 pipenv run pip install -r $BUILD_DIR/requirements.txt -t $BUILD_DIR
 cd $BUILD_DIR && zip --symlinks -r ../$DIST_DIR/$PACKAGE *
diff --git a/carbon/app.py b/carbon/app.py
index 4cc98d0..182578e 100644
--- a/carbon/app.py
+++ b/carbon/app.py
@@ -197,17 +197,19 @@ def pipe(self, reader):
 class FTPReader:
- def __init__(self, fp, user, passwd, path, host='localhost', port=21):
+ def __init__(self, fp, user, passwd, path, host='localhost', port=21,
+ ctx=None):
 self.fp = fp
 self.user = user
 self.passwd = passwd
 self.path = path
 self.host = host
 self.port = port
+ self.ctx = ctx
 def __call__(self):
 """Transfer a file using FTP over TLS."""
- ftps = ftplib.FTP_TLS()
+ ftps = ftplib.FTP_TLS(context=self.ctx)
 ftps.connect(self.host, self.port)
 ftps.login(self.user, self.passwd)
 ftps.prot_p()
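Review bot: The `ctx=None` default on the new FTPReader signature keeps the previous, unverified behaviour for every caller that does not pass a context: when `context` is None, CPython's `ftplib.FTP_TLS` (at least through 3.11) builds an unverified context with no certificate or hostname checking, so only the lambda.py path that now passes `ssl.create_default_context()` actually validates the server. The same silent default is repeated by `ssl_ctx=None` on FTPFeeder in the next hunk. This is worth either documenting, e.g. a docstring line `ctx: ssl.SSLContext used for the control and data connections; None falls back to ftplib's default, which does not verify the server certificate.`, or closing by defaulting to a verifying context with `ctx = ctx if ctx is not None else ssl.create_default_context()` (carbon/app.py would then need `import ssl`, which is outside this hunk). FTPReader.__call__ continues past the end of the hunk.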
@@ -310,10 +312,11 @@ def from_env(cls):
 class FTPFeeder:
- def __init__(self, event, context, config):
+ def __init__(self, event, context, config, ssl_ctx=None):
 self.event = event
 self.context = context
 self.config = config
+ self.ssl_ctx = ssl_ctx
 def run(self):
 r, w = os.pipe()
@@ -324,5 +327,6 @@ def run(self):
 self.config['FTP_PASS'],
 self.config['FTP_PATH'],
 self.config['FTP_HOST'],
- self.config['FTP_PORT'])
+ int(self.config['FTP_PORT']),
+ self.ssl_ctx)
 PipeWriter(out=fp_w).pipe(ftp_rdr).write(feed_type)
diff --git a/comodo.pem b/comodo.pem
new file mode 100644
index 0000000..d81d72a
--- /dev/null
+++ b/comodo.pem
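Review bot: `int(self.config['FTP_PORT'])` is a separate fix folded into the context change and not mentioned in the commit message: the port presumably arrives as a string from the environment or event, and `ftplib.FTP.connect` compares `port > 0`, which raises TypeError on a str in Python 3; a non-numeric value now raises ValueError from `run()` instead. A one-line comment keeps that intent from being lost, e.g. `# FTP_PORT arrives as a string; ftplib compares it with 0, so coerce it`. The new `self.ssl_ctx` is passed positionally and so depends on the argument order added to FTPReader in the previous hunk; `FTPReader(..., ctx=self.ssl_ctx)` reads more safely. `run()` starts before this hunk.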
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
+hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
+BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
+MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
+EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
+Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
+bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
+bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
+Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
+ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
+UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
+c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
+MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
+30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
+BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
+bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
+AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
+T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
+ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
+mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
+e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
+P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
+dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
+2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
+V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
+HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
+j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
+0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
+lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
++AZxAeKCINT+b72x
+-----END CERTIFICATE-----
diff --git a/lambda.py b/lambda.py
index e9acb84..b973a6b 100644
--- a/lambda.py
+++ b/lambda.py
@@ -1,5 +1,6 @@
 import json
 import os
+import ssl
 import boto3
@@ -15,4 +16,9 @@ def handler(event, context):
 cfg.update({k: event[k] for k in ENV_VARS if k in event})
 cfg.update(secret_env)
 engine.configure(cfg['CARBON_DB'])
- FTPFeeder(event, context, cfg).run()
+ c_dir = os.path.dirname(os.path.realpath(__file__))
+ cert = os.path.join(c_dir, 'comodo.pem')
+ ctx = ssl.create_default_context()
+ # Load the missing cert from Symplectic's cert chain
+ ctx.load_verify_locations(cafile=cert)
+ FTPFeeder(event, context, cfg, ctx).run()
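Review bot: The vendored certificate carries no provenance: nothing in the file records which CA certificate this is, where it was obtained, or when it expires, and build.sh copies it into the package as-is. OpenSSL's PEM reader ignores text outside the BEGIN/END markers, so a short plain-text header above the first line would fix this without affecting `load_verify_locations`, e.g. `Subject: <output of openssl x509 -noout -subject>`, `Not After: <output of openssl x509 -noout -enddate>` and `Source: <URL the certificate was downloaded from>`. Decoding the validity field that spans the fourth and fifth base64 lines (`...MTQwMjEyMDAwMDAwWhcNMjkwMjExMjM1OTU5Wj...`) suggests a not-after date in February 2029, and the subject appears to be COMODO's RSA Domain Validation Secure Server CA intermediate; confirm both with openssl before relying on them. Once that date passes, every FTP transfer through the verifying context will fail until this file is refreshed, so the expiry should be tracked somewhere operators will see it.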
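Review bot: The comment `# Load the missing cert from Symplectic's cert chain` says what is loaded but not why a verifying context needs it: `load_verify_locations` puts the vendored COMODO intermediate into the trust store so OpenSSL can complete the path from the server's leaf, which the server sends without its intermediate, up to the root in the system bundle that `create_default_context()` already loads. Suggest `# Symplectic's server omits the COMODO intermediate from its chain; add it to the trust store so the default (verifying) context can build a path to the system root` plus a second line noting that comodo.pem has a not-after date and must be refreshed before it lapses. This is also the first point at which the FTP session is actually verified, since `FTPReader` without a context falls back to ftplib's unverified default, so the commit message's "still reasonably secure" undersells the change. A comodo.pem missing from the deploy package (build.sh not re-run) surfaces only as a FileNotFoundError from `load_verify_locations` at invocation time, which is acceptable but worth knowing. `handler()` starts before this hunk.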