From 387d09045fb37b71bc0f1980f16ca70bc071996c Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 14 Jan 2016 13:22:33 +0100
Subject: Don't use settings like HTTP proxy from env vars during installation
The PKIConnection class uses python-requests for HTTPS. The library picks up several settings from environment variables, e.g. HTTP proxy server, certificate bundle with trust anchors and authentication. A proxy can interfere with the Dogtag installer and cause some operations to fail. With session.trust_env = False python-requests no longer inspects the environment and Dogtag has full controll over its connection settings. For backward compatibility reasons trust_env is only disabled during installation and removal of Dogtag.
https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555
---
 base/server/python/pki/server/deployment/pkihelper.py | 9 ++++++---
 base/server/python/pki/server/deployment/pkiparser.py | 6 ++++--
 2 files changed, 10 insertions(+), 5 deletions(-)
(limited to 'base/server/python')
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 43a404625..1db235826 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1082,7 +1082,8 @@ class Instance:
 hostname=self.mdict['pki_hostname'],
 port=self.mdict['pki_https_port'],
 subsystem=self.mdict['pki_subsystem_type'],
- accept='application/xml')
+ accept='application/xml',
+ trust_env=False)
 # catching all exceptions because we do not want to break if underlying
 # requests or urllib3 use a different exception.
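Review bot: Passing `trust_env=False` here, and at the four other `PKIConnection(...)` calls in the `KRAConnector`, `ConfigClient` and `PKIConfigParser` hunks, turns off more than proxy lookup: python-requests then also ignores `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` and `.netrc` credentials, and none of the keyword arguments visible in these hunks supplies a CA bundle or verify setting of its own. It is worth confirming that `PKIConnection` configures certificate verification for the security-domain and subsystem hosts explicitly, because an operator can no longer provide trust anchors through the environment during installation. A short comment above the keyword would keep it from being dropped later, e.g. `# trust_env=False: ignore proxy, CA bundle and netrc settings from the environment while installing`. Each call opens outside its hunk, and the `PKIConnection` side of the change is not part of this path-limited view, so its default cannot be checked from here.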
@@ -3025,7 +3026,8 @@ class KRAConnector:
 protocol='https',
 hostname=sechost,
 port=secport,
- subsystem='ca')
+ subsystem='ca',
+ trust_env=False)
 sd = pki.system.SecurityDomainClient(sd_connection)
 try:
 info = sd.get_security_domain_info()
@@ -3791,7 +3793,8 @@ class ConfigClient:
 protocol='https',
 hostname=self.mdict['pki_hostname'],
 port=self.mdict['pki_https_port'],
- subsystem=self.mdict['pki_subsystem_type'])
+ subsystem=self.mdict['pki_subsystem_type'],
+ trust_env=False)
 try:
 client = pki.system.SystemConfigClient(connection)
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 2b4479118..77a1cdf2d 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -478,7 +478,8 @@ class PKIConfigParser:
 protocol='https',
 hostname=self.mdict['pki_security_domain_hostname'],
 port=self.mdict['pki_security_domain_https_port'],
- subsystem='ca')
+ subsystem='ca',
+ trust_env=False)
 def sd_get_info(self):
 sd = pki.system.SecurityDomainClient(self.sd_connection)
@@ -545,7 +546,8 @@ class PKIConfigParser:
 protocol=parse.scheme,
 hostname=parse.hostname,
 port=str(parse.port),
- subsystem=system_type)
+ subsystem=system_type,
+ trust_env=False)
 client = pki.system.SystemStatusClient(conn)
 response = client.get_status()
 root = ET.fromstring(response)
-- cgit