Don't use settings like HTTP proxy from env vars during installation

The PKIConnection class uses python-requests for HTTPS. The library
picks up several settings from environment variables, e.g. HTTP proxy
server, certificate bundle with trust anchors and authentication. A
proxy can interfere with the Dogtag installer and cause some operations
to fail.

With session.trust_env = False python-requests no longer inspects the
environment and Dogtag has full controll over its connection settings.
For backward compatibility reasons trust_env is only disabled during
installation and removal of Dogtag.

https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env

https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555

1 files changed, 4 insertions, 2 deletions

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 2b4479118..77a1cdf2d 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -478,7 +478,8 @@ class PKIConfigParser:
             protocol='https',
             hostname=self.mdict['pki_security_domain_hostname'],
             port=self.mdict['pki_security_domain_https_port'],
-            subsystem='ca')
+            subsystem='ca',
+            trust_env=False)
 
     def sd_get_info(self):
         sd = pki.system.SecurityDomainClient(self.sd_connection)
@@ -545,7 +546,8 @@ class PKIConfigParser:
             protocol=parse.scheme,
             hostname=parse.hostname,
             port=str(parse.port),
-            subsystem=system_type)
+            subsystem=system_type,
+            trust_env=False)
         client = pki.system.SystemStatusClient(conn)
         response = client.get_status()
         root = ET.fromstring(response)