changeset 44880:7dd63a8cb1ee

sslutil: eliminate `_canloaddefaultcerts` by constant-folding code using it
author Manuel Jacob <me@manueljacob.de>
date Sat, 30 May 2020 03:23:58 +0200
parents ab5348bbc55e
children 89f83e47e9c9
files mercurial/sslutil.py
diffstat 1 files changed, 1 insertions(+), 80 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Sat May 30 05:08:02 2020 +0200
+++ b/mercurial/sslutil.py	Sat May 30 03:23:58 2020 +0200
@@ -52,8 +52,6 @@
 if util.safehasattr(ssl, b'PROTOCOL_TLSv1_2'):
     supportedprotocols.add(b'tls1.2')
 
-_canloaddefaultcerts = True
-
 
 def _hostsettings(ui, hostname):
     """Obtain security settings for a hostname.
@@ -227,7 +225,7 @@
 
         # Require certificate validation if CA certs are being loaded and
         # verification hasn't been disabled above.
-        if cafile or (_canloaddefaultcerts and s[b'allowloaddefaultcerts']):
+        if cafile or s[b'allowloaddefaultcerts']:
             s[b'verifymode'] = ssl.CERT_REQUIRED
         else:
             # At this point we don't have a fingerprint, aren't being
@@ -721,14 +719,6 @@
     )
 
 
-_systemcacertpaths = [
-    # RHEL, CentOS, and Fedora
-    b'/etc/pki/tls/certs/ca-bundle.trust.crt',
-    # Debian, Ubuntu, Gentoo
-    b'/etc/ssl/certs/ca-certificates.crt',
-]
-
-
 def _defaultcacerts(ui):
     """return path to default CA certificates or None.
 
@@ -751,23 +741,6 @@
     except (ImportError, AttributeError):
         pass
 
-    # On Windows, only the modern ssl module is capable of loading the system
-    # CA certificates. If we're not capable of doing that, emit a warning
-    # because we'll get a certificate verification error later and the lack
-    # of loaded CA certificates will be the reason why.
-    # Assertion: this code is only called if certificates are being verified.
-    if pycompat.iswindows:
-        if not _canloaddefaultcerts:
-            ui.warn(
-                _(
-                    b'(unable to load Windows CA certificates; see '
-                    b'https://mercurial-scm.org/wiki/SecureConnections for '
-                    b'how to configure Mercurial to avoid this message)\n'
-                )
-            )
-
-        return None
-
     # Apple's OpenSSL has patches that allow a specially constructed certificate
     # to load the system CA store. If we're running on Apple Python, use this
     # trick.
@@ -778,58 +751,6 @@
         if os.path.exists(dummycert):
             return dummycert
 
-    # The Apple OpenSSL trick isn't available to us. If Python isn't able to
-    # load system certs, we're out of luck.
-    if pycompat.isdarwin:
-        # FUTURE Consider looking for Homebrew or MacPorts installed certs
-        # files. Also consider exporting the keychain certs to a file during
-        # Mercurial install.
-        if not _canloaddefaultcerts:
-            ui.warn(
-                _(
-                    b'(unable to load CA certificates; see '
-                    b'https://mercurial-scm.org/wiki/SecureConnections for '
-                    b'how to configure Mercurial to avoid this message)\n'
-                )
-            )
-        return None
-
-    # / is writable on Windows. Out of an abundance of caution make sure
-    # we're not on Windows because paths from _systemcacerts could be installed
-    # by non-admin users.
-    assert not pycompat.iswindows
-
-    # Try to find CA certificates in well-known locations. We print a warning
-    # when using a found file because we don't want too much silent magic
-    # for security settings. The expectation is that proper Mercurial
-    # installs will have the CA certs path defined at install time and the
-    # installer/packager will make an appropriate decision on the user's
-    # behalf. We only get here and perform this setting as a feature of
-    # last resort.
-    if not _canloaddefaultcerts:
-        for path in _systemcacertpaths:
-            if os.path.isfile(path):
-                ui.warn(
-                    _(
-                        b'(using CA certificates from %s; if you see this '
-                        b'message, your Mercurial install is not properly '
-                        b'configured; see '
-                        b'https://mercurial-scm.org/wiki/SecureConnections '
-                        b'for how to configure Mercurial to avoid this '
-                        b'message)\n'
-                    )
-                    % path
-                )
-                return path
-
-        ui.warn(
-            _(
-                b'(unable to load CA certificates; see '
-                b'https://mercurial-scm.org/wiki/SecureConnections for '
-                b'how to configure Mercurial to avoid this message)\n'
-            )
-        )
-
     return None