Skip to content

Generate client certs dynamically#1725

Merged
sethmlarson merged 7 commits intourllib3:masterfrom
pquentin:dynamic-trustme-certs
Nov 4, 2019
Merged

Generate client certs dynamically#1725
sethmlarson merged 7 commits intourllib3:masterfrom
pquentin:dynamic-trustme-certs

Conversation

@pquentin
Copy link
Member

@pquentin pquentin commented Oct 31, 2019

Opening this pull request to get a review of the last commit: pquentin@22da6fd

I'll rebase it if/when the other pull requests get merged.

sethmlarson
sethmlarson requested changes Oct 31, 2019
View reviewed changes
Copy link
Member

@sethmlarson sethmlarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty good, a couple questions for you

test/conftest.py Outdated
Copy link
Member

@sethmlarson sethmlarson Oct 31, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hate to be nit-picky about names but can we call this certs_dir or something shorter? :)

Copy link
Member Author

@pquentin pquentin Oct 31, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't worry, I love nitpicks! You're right, certs_dir would be better.

Copy link
Member Author

@pquentin pquentin Nov 3, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, thanks.

test/with_dummyserver/test_https.py Outdated
Copy link
Member

@sethmlarson sethmlarson Oct 31, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be changed once we move to generating server certs as well?

Copy link
Member Author

@pquentin pquentin Oct 31, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it will change. I'm not sure yet how that will look. Ideally I'll be able to get the hash programmatically, maybe via trustme. It's also possible that it will stay static because it depends only on the name which could stay static. Not sure, really. I've spend quite some time trying to figure this out but don't have a satisfying answer here yet. :(

@codecov-io
Copy link

codecov-io commented Nov 3, 2019
edited
Loading

Codecov Report

Merging #1725 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #1725   +/-   ##
=======================================
  Coverage   99.65%   99.65%           
=======================================
  Files          22       22           
  Lines        2006     2006           
=======================================
  Hits         1999     1999           
  Misses          7        7

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f4b36ad...1c8bc1e. Read the comment docs.

@pquentin
Use six.wraps in test decorators to allow pytest fixtures
bcb3ae1 
pytest-dev/pytest#2782
@pquentin
Use decorators to mark tests as xfail in PyPy2
ac3cbad 
This was not possibly until now because of functool.wraps for older
Pythons.
@pquentin
Generate certificate directory at runtime
81134d7 
Instead of storing it in git.
@pquentin
Use pytest tmpdir support
44c6940
@pquentin
test_ca_dir_verified: cast Pathes back to strings
2774c45 
In order to support older Python versions.
@pquentin
Generate client certs dynamically
66b15a0 
We keep the existing client_intermediate.pem because it's used in the
password tests.

And we still rely on the existing root CA to generate the client
certificate because it's still used for the server certificate. Since
the CA uses a 1024-bit key, those client_intermediate tests still don't
work on macOS 10.15, but this commit still is a step forward.
@pquentin
Use shorter name for generated certs dir
1c8bc1e
@pquentin pquentin force-pushed the dynamic-trustme-certs branch from 9cf5fae to 1c8bc1e Compare November 3, 2019 06:28
sethmlarson
sethmlarson approved these changes Nov 4, 2019
View reviewed changes
Copy link
Member

@sethmlarson sethmlarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@sethmlarson sethmlarson merged commit efe8230 into urllib3:master Nov 4, 2019
This was referenced Nov 4, 2019
Closed
Merged
@pquentin pquentin deleted the dynamic-trustme-certs branch November 30, 2019 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sethmlarson sethmlarson sethmlarson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pquentin @codecov-io @sethmlarson