Install SUSE certs and enable SSL warnings

SUSE · Aug 14, 2023 · f595ac9 · f595ac9
1 parent 55e1285
commit f595ac9
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,7 +10,8 @@ COPY requirements.txt /pcw/
 # * Install system requirements
 # * Install pip requirements
 # * Empty system cache to conserve some space
-RUN zypper -n in gcc libffi-devel && pip install --no-cache-dir -r /pcw/requirements.txt && zypper clean && rm -rf /var/cache
+RUN source /etc/os-release && zypper addrepo -G -cf "https://download.opensuse.org/repositories/SUSE:/CA/$VERSION_ID/SUSE:CA.repo" && \
+    zypper -n in ca-certificates-suse gcc libffi-devel && pip install --no-cache-dir -r /pcw/requirements.txt && zypper clean && rm -rf /var/cache
 
 # Copy program files only
 COPY ocw  /pcw/ocw/
@@ -28,5 +29,7 @@ VOLUME /pcw/db
 
 EXPOSE 8000/tcp
 
+ENV REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.pem
+
 # Once we are certain that this runs nicely, replace this with ENTRYPOINT.
 ENTRYPOINT ["/pcw/container-startup", "run"]
diff --git a/ocw/lib/openqa.py b/ocw/lib/openqa.py
@@ -1,4 +1,3 @@
-import os
 from urllib.parse import urlparse
 from cachetools import cached
 from requests.exceptions import RequestException
@@ -7,11 +6,9 @@
 from openqa_client.exceptions import OpenQAClientError
 
 
-if not bool(os.environ.get('REQUESTS_CA_BUNDLE')):
-    # Disable urllib3 warnings for InsecureRequestWarning only on openqa_client.client
-    openqa_client.client.requests.packages.urllib3.disable_warnings(
-        openqa_client.client.requests.packages.urllib3.exceptions.InsecureRequestWarning
-    )
+# We don't verify TLS server certificates because we
+# may encounter self-signed or expired certificates
+DEFAULT_VERIFY = False
 
 
 @cached(cache={})
@@ -26,7 +23,7 @@ def get_url(server):
             got = openqa_client.client.requests.head(
                 url,
                 timeout=5,
-                verify=bool(os.environ.get('REQUESTS_CA_BUNDLE')),
+                verify=DEFAULT_VERIFY,
             )
             got.raise_for_status()
             return url
@@ -48,7 +45,7 @@ def __new__(cls, **kwargs):
     def __init__(self, **kwargs):
         kwargs.pop("server")
         self.__client = openqa_client.client.OpenQA_Client(server=self.server, **kwargs)
-        self.__client.session.verify = bool(os.environ.get('REQUESTS_CA_BUNDLE'))
+        self.__client.session.verify = DEFAULT_VERIFY
 
     def is_cancelled(self, job_id: str) -> bool:
         if not job_id.isdigit():