Use bundled cacert file on Windows and macOS

9 months ago · 5da742394e
parent 962c5eed8e
commit 5da742394e
3 changed files with 45 additions and 13 deletions
--- a/gns3server/controller/appliance_manager.py
+++ b/gns3server/controller/appliance_manager.py
@ -15,13 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-import sys
 import os
 import json
 import uuid
 import asyncio
 import aiohttp
 import shutil
+import ssl

 try:
    import importlib_resources
@ -32,6 +32,7 @@ except ImportError:
 from .appliance import Appliance
 from ..config import Config
 from ..utils.asyncio import locking
+from ..utils.cacert import get_cacert

 import logging
 log = logging.getLogger(__name__)
@ -46,6 +47,7 @@ class ApplianceManager:

        self._appliances = {}
        self._appliances_etag = None
+        self._sslcontext = ssl.create_default_context(cafile=get_cacert())

    @property
    def appliances_etag(self):
@ -174,7 +176,7 @@ class ApplianceManager:

        symbol_url = "https://raw.githubusercontent.com/GNS3/gns3-registry/master/symbols/{}".format(symbol)
        async with aiohttp.ClientSession() as session:
-            async with session.get(symbol_url) as response:
+            async with session.get(symbol_url, ssl=self._sslcontext) as response:
                if response.status != 200:
                    log.warning("Could not retrieve appliance symbol {} from GitHub due to HTTP error code {}".format(symbol, response.status))
                else:
@ -200,7 +202,11 @@ class ApplianceManager:
                log.info("Checking if appliances are up-to-date (ETag {})".format(self._appliances_etag))
                headers["If-None-Match"] = self._appliances_etag
            async with aiohttp.ClientSession() as session:
-                async with session.get('https://api.github.com/repos/GNS3/gns3-registry/contents/appliances', headers=headers) as response:
+                async with session.get(
+                        'https://api.github.com/repos/GNS3/gns3-registry/contents/appliances',
+                        ssl=self._sslcontext,
+                        headers=headers
+                ) as response:
                    if response.status == 304:
                        log.info("Appliances are already up-to-date (ETag {})".format(self._appliances_etag))
                        return
--- a/gns3server/crash_report.py
+++ b/gns3server/crash_report.py
@ -32,7 +32,7 @@ import distro

 from .version import __version__, __version_info__
 from .config import Config
-from .utils.get_resource import get_resource
+from .utils.cacert import get_cacert

 import logging
 log = logging.getLogger(__name__)
@ -71,21 +71,13 @@ class CrashReport:
        sentry_uncaught.disabled = True

        if SENTRY_SDK_AVAILABLE:
-            cacert = None
-            if hasattr(sys, "frozen"):
-                cacert_resource = get_resource("cacert.pem")
-                if cacert_resource is not None and os.path.isfile(cacert_resource):
-                    cacert = cacert_resource
-                else:
-                    log.error("The SSL certificate bundle file '{}' could not be found".format(cacert_resource))
-
            # Don't send log records as events.
            sentry_logging = LoggingIntegration(level=logging.INFO, event_level=None)

            try:
                sentry_sdk.init(dsn=CrashReport.DSN,
                                release=__version__,
-                                ca_certs=cacert,
+                                ca_certs=get_cacert(),
                                default_integrations=False,
                                integrations=[sentry_logging])
            except Exception as e:
--- a/gns3server/utils/cacert.py
+++ b/gns3server/utils/cacert.py
@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2023 GNS3 Technologies Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+
+from .get_resource import get_resource
+
+import logging
+log = logging.getLogger(__name__)
+
+
+def get_cacert():
+    if hasattr(sys, "frozen"):
+        cacert_resource = get_resource("cacert.pem")
+        if cacert_resource is not None and os.path.isfile(cacert_resource):
+            return cacert_resource
+        else:
+            log.error("The SSL certificate bundle file '{}' could not be found".format(cacert_resource))
+    return None  # this means we use the system's CA bundle