Merge branch 'master' of ssh://github.com/letsencrypt/lets-encrypt-preview into treat_duplicate_as_renewal

2026-01-21 19:01:07 +03:00 · 2015-09-08 21:02:06 -07:00
parent 3cc15c6193 d7b1af2a31
commit 2006c3a067
23 changed files with 110 additions and 30 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,8 +7,6 @@ services:
 # http://docs.travis-ci.com/user/ci-environment/#CI-environment-OS
 # gimme has to be kept in sync with Boulder's Go version setting in .travis.yml
 before_install:
-  - travis_retry sudo ./bootstrap/ubuntu.sh
-  - travis_retry sudo apt-get install --no-install-recommends nginx-light openssl
  - '[ "xxx$BOULDER_INTEGRATION" = "xxx" ] || eval "$(gimme 1.5)"'

 # using separate envs with different TOXENVs creates 4x1 Travis build
@@ -21,14 +19,34 @@ env:
  matrix:
    - TOXENV=py26 BOULDER_INTEGRATION=1
    - TOXENV=py27 BOULDER_INTEGRATION=1
+    - TOXENV=py33
+    - TOXENV=py34
    - TOXENV=lint
    - TOXENV=cover

-# make sure simplehttp simple verification works (custom /etc/hosts)
+sudo: false  # containers
 addons:
+  # make sure simplehttp simple verification works (custom /etc/hosts)
  hosts:
    - le.wtf
  mariadb: "10.0"
+  apt:
+    packages:  # keep in sync with bootstrap/ubuntu.sh and Boulder
+    - lsb-release
+    - python
+    - python-dev
+    - python-virtualenv
+    - gcc
+    - dialog
+    - libaugeas0
+    - libssl-dev
+    - libffi-dev
+    - ca-certificates
+    # For letsencrypt-nginx integration testing
+    - nginx-light
+    - openssl
+    # For Boulder integration testing
+    - rsyslog

 install: "travis_retry pip install tox coveralls"
 before_script: '[ "xxx$BOULDER_INTEGRATION" = "xxx" ] || ./tests/boulder-start.sh'
--- a/acme/acme/challenges_test.py
+++ b/acme/acme/challenges_test.py
@@ -144,7 +144,7 @@ class SimpleHTTPResponseTest(unittest.TestCase):
                account_public_key=account_key.public_key()))

    @mock.patch("acme.challenges.requests.get")
-    def test_simple_verify_good_token(self, mock_get):
+    def test_simple_verify_good_validation(self, mock_get):
        account_key = jose.JWKRSA.load(test_util.load_vector('rsa512_key.pem'))
        for resp in self.resp_http, self.resp_https:
            mock_get.reset_mock()
@@ -156,9 +156,9 @@ class SimpleHTTPResponseTest(unittest.TestCase):
                "local", self.chall), verify=False)

    @mock.patch("acme.challenges.requests.get")
-    def test_simple_verify_bad_token(self, mock_get):
+    def test_simple_verify_bad_validation(self, mock_get):
        mock_get.return_value = mock.MagicMock(
-            text=self.chall.token + "!", headers=self.good_headers)
+            text="!", headers=self.good_headers)
        self.assertFalse(self.resp_http.simple_verify(
            self.chall, "local", None))

--- a/acme/acme/client.py
+++ b/acme/acme/client.py
@@ -8,7 +8,7 @@ from six.moves import http_client  # pylint: disable=import-error

 import OpenSSL
 import requests
-import six
+import sys
 import werkzeug

 from acme import errors
@@ -19,8 +19,9 @@ from acme import messages

 logger = logging.getLogger(__name__)

+# Python does not validate certificates by default before version 2.7.9
 # https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
-if six.PY2:
+if sys.version_info < (2, 7, 9):  # pragma: no cover
    requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()


@@ -559,7 +560,7 @@ class ClientNetwork(object):
        """Send HEAD request without checking the response.

        Note, that `_check_response` is not called, as it is expected
-        that status code other than successfuly 2xx will be returned, or
+        that status code other than successfully 2xx will be returned, or
        messages2.Error will be raised by the server.

        """
--- a/acme/acme/crypto_util_test.py
+++ b/acme/acme/crypto_util_test.py
@@ -55,10 +55,11 @@ class ServeProbeSNITest(unittest.TestCase):
    def test_probe_not_recognized_name(self):
        self.assertRaises(errors.Error, self._probe, b'bar')

-    def test_probe_connection_error(self):
-        self._probe(b'foo')
-        time.sleep(1)  # TODO: avoid race conditions in other way
-        self.assertRaises(errors.Error, self._probe, b'bar')
+    # TODO: py33/py34 tox hangs forever on do_hendshake in second probe
+    #def probe_connection_error(self):
+    #    self._probe(b'foo')
+    #    #time.sleep(1)  # TODO: avoid race conditions in other way
+    #    self.assertRaises(errors.Error, self._probe, b'bar')


 class PyOpenSSLCertOrReqSANTest(unittest.TestCase):
--- a/acme/acme/jose/interfaces.py
+++ b/acme/acme/jose/interfaces.py
@@ -41,7 +41,7 @@ class JSONDeSerializable(object):
        be encoded into a JSON document. **Full serialization** produces
        a Python object composed of only basic types as required by the
        :ref:`conversion table <conversion-table>`. **Partial
-        serialization** (acomplished by :meth:`to_partial_json`)
+        serialization** (accomplished by :meth:`to_partial_json`)
        produces a Python object that might also be built from other
        :class:`JSONDeSerializable` objects.

--- a/acme/acme/jose/jws.py
+++ b/acme/acme/jose/jws.py
@@ -53,7 +53,7 @@ class Header(json_util.JSONObjectWithFields):
    .. warning:: This class does not support any extensions through
        the "crit" (Critical) Header Parameter (4.1.11) and as a
        conforming implementation, :meth:`from_json` treats its
-        occurence as an error. Please subclass if you seek for
+        occurrence as an error. Please subclass if you seek for
        a different behaviour.

    :ivar x5tS256: "x5t#S256"
--- a/acme/acme/jose/util.py
+++ b/acme/acme/jose/util.py
@@ -107,8 +107,8 @@ class ComparableRSAKey(ComparableKey):  # pylint: disable=too-few-public-methods
    """Wrapper for `cryptography` RSA keys.

    Wraps around:
-    - `cryptography.hazmat.primitives.assymetric.RSAPrivateKey`
-    - `cryptography.hazmat.primitives.assymetric.RSAPublicKey`
+    - `cryptography.hazmat.primitives.asymmetric.RSAPrivateKey`
+    - `cryptography.hazmat.primitives.asymmetric.RSAPublicKey`

    """

--- a/acme/acme/other.py
+++ b/acme/acme/other.py
@@ -36,7 +36,7 @@ class Signature(jose.JSONObjectWithFields):
        :param bytes msg: Message to be signed.

        :param key: Key used for signing.
-        :type key: `cryptography.hazmat.primitives.assymetric.rsa.RSAPrivateKey`
+        :type key: `cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
            (optionally wrapped in `.ComparableRSAKey`).

        :param bytes nonce: Nonce to be used. If None, nonce of
--- a/acme/acme/test_util.py
+++ b/acme/acme/test_util.py
@@ -1,4 +1,4 @@
-# Symlinked in letsencrypt/tests/test_util.py, casues duplicate-code
+# Symlinked in letsencrypt/tests/test_util.py, causes duplicate-code
 # warning that cannot be disabled locally.
 """Test utilities.

--- a/acme/setup.py
+++ b/acme/setup.py
@@ -5,16 +5,15 @@ from setuptools import find_packages


 install_requires = [
-    'argparse',
    # load_pem_private/public_key (>=0.6)
    # rsa_recover_prime_factors (>=0.8)
    'cryptography>=0.8',
    'mock<1.1.0',  # py26
-    'pyrfc3339',
    'ndg-httpsclient',  # urllib3 InsecurePlatformWarning (#304)
    'pyasn1',  # urllib3 InsecurePlatformWarning (#304)
    # Connection.set_tlsext_host_name (>=0.13), X509Req.get_extensions (>=0.15)
    'PyOpenSSL>=0.15',
+    'pyrfc3339',
    'pytz',
    'requests',
    'six',
--- a/bootstrap/_rpm_common.sh
+++ b/bootstrap/_rpm_common.sh
@@ -4,8 +4,19 @@
 #   - Fedora 22 (x64)
 #   - Centos 7 (x64: on AWS EC2 t2.micro, DigitalOcean droplet)

+if type yum 2>/dev/null
+then
+  tool=yum
+elif type dnf 2>/dev/null
+then
+  tool=dnf
+else
+  echo "Neither yum nor dnf found. Aborting bootstrap!"
+  exit 1
+fi
+
 # "git-core" seems to be an alias for "git" in CentOS 7 (yum search fails)
-yum install -y \
+$tool install -y \
  git-core \
  python \
  python-devel \
--- a/bootstrap/freebsd.sh
+++ b/bootstrap/freebsd.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -xe
+
+pkg install -Ay \
+  git \
+  python \
+  py27-virtualenv \
+  augeas \
+  libffi \
--- a/docs/using.rst
+++ b/docs/using.rst
@@ -102,6 +102,21 @@ Centos 7
   sudo ./bootstrap/centos.sh


+FreeBSD
+-------
+
+.. code-block:: shell
+
+   sudo ./bootstrap/freebsd.sh
+
+Bootstrap script for FreeBSD uses ``pkg`` for package installation,
+i.e. it does not use ports.
+
+FreeBSD by default uses ``tcsh``. In order to activate virtulenv (see
+below), you will need a compatbile shell, e.g. ``pkg install bash &&
+bash``.
+
+
 Installation
 ============

--- a/letsencrypt-compatibility-test/letsencrypt_compatibility_test/interfaces.py
+++ b/letsencrypt-compatibility-test/letsencrypt_compatibility_test/interfaces.py
@@ -23,7 +23,7 @@ class IPluginProxy(zope.interface.Interface):
    def cleanup_from_tests():
        """Performs any necessary cleanup from running plugin tests.

-        This is guarenteed to be called before the program exits.
+        This is guaranteed to be called before the program exits.

        """

--- a/letsencrypt-nginx/setup.py
+++ b/letsencrypt-nginx/setup.py
@@ -5,8 +5,9 @@ from setuptools import find_packages
 install_requires = [
    'acme',
    'letsencrypt',
-    'pyparsing>=1.5.5',  # Python3 support; perhaps unnecessary?
    'mock<1.1.0',  # py26
+    'PyOpenSSL',
+    'pyparsing>=1.5.5',  # Python3 support; perhaps unnecessary?
    'zope.interface',
 ]

--- a/letsencrypt/account.py
+++ b/letsencrypt/account.py
@@ -62,7 +62,7 @@ class Account(object):  # pylint: disable=too-few-public-methods
        # Implementation note: Email? Multiple accounts can have the
        # same email address. Registration URI? Assigned by the
        # server, not guaranteed to be stable over time, nor
-        # cannonical URI can be generated. ACME protocol doesn't allow
+        # canonical URI can be generated. ACME protocol doesn't allow
        # account key (and thus its fingerprint) to be updated...

    @property
--- a/letsencrypt/cli.py
+++ b/letsencrypt/cli.py
@@ -723,7 +723,7 @@ def _plugins_parsing(helpful, plugins):
        "plugins", description="Let's Encrypt client supports an "
        "extensible plugins architecture. See '%(prog)s plugins' for a "
        "list of all available plugins and their names. You can force "
-        "a particular plugin by setting options provided below. Futher "
+        "a particular plugin by setting options provided below. Further "
        "down this help message you will find plugin-specific options "
        "(prefixed by --{plugin_name}).")
    helpful.add(
--- a/letsencrypt/display/ops.py
+++ b/letsencrypt/display/ops.py
@@ -16,7 +16,7 @@ util = zope.component.getUtility  # pylint: disable=invalid-name


 def choose_plugin(prepared, question):
-    """Allow the user to choose ther plugin.
+    """Allow the user to choose their plugin.

    :param list prepared: List of `~.PluginEntryPoint`.
    :param str question: Question to be presented to the user.
--- a/letsencrypt/interfaces.py
+++ b/letsencrypt/interfaces.py
@@ -142,7 +142,7 @@ class IAuthenticator(IPlugin):

        :param str domain: Domain for which challenge preferences are sought.

-        :returns: List of challege types (subclasses of
+        :returns: List of challenge types (subclasses of
            :class:`acme.challenges.Challenge`) with the most
            preferred challenges first. If a type is not specified, it means the
            Authenticator cannot perform the challenge.
--- a/letsencrypt/storage.py
+++ b/letsencrypt/storage.py
@@ -645,7 +645,7 @@ class RenewableCert(object):  # pylint: disable=too-many-instance-attributes

        """
        # XXX: assumes official archive location rather than examining links
-        # XXX: consider using os.open for availablity of os.O_EXCL
+        # XXX: consider using os.open for availability of os.O_EXCL
        # XXX: ensure file permissions are correct; also create directories
        #      if needed (ensuring their permissions are correct)
        # Figure out what the new version is and hence where to save things
--- a/setup.py
+++ b/setup.py
@@ -41,6 +41,7 @@ install_requires = [
    'pyrfc3339',
    'python2-pythondialog>=3.2.2rc1',  # Debian squeeze support, cf. #280
    'pytz',
+    'requests',
    'zope.component',
    'zope.interface',
 ]
--- a/tools/deps.sh
+++ b/tools/deps.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# Find all Python imports.
+#
+#  ./deps.sh letsencrypt
+#  ./deps.sh acme
+#  ./deps.sh letsencrypt-apache
+#  ...
+#
+# Manually compare the output with deps in setup.py.
+
+git grep -h -E '^(import|from.*import)' $1/ | \
+    awk '{print $2}' | \
+    grep -vE "^$1" | \
+    sort -u
--- a/tox.ini
+++ b/tox.ini
@@ -6,7 +6,7 @@
 # acme and letsencrypt are not yet on pypi, so when Tox invokes
 # "install *.zip", it will not find deps
 skipsdist = true
-envlist = py26,py27,cover,lint
+envlist = py26,py27,py33,py34,cover,lint

 [testenv]
 commands =
@@ -23,6 +23,16 @@ setenv =
    PYTHONHASHSEED = 0
 # https://testrun.org/tox/latest/example/basic.html#special-handling-of-pythonhas

+[testenv:py33]
+commands =
+    pip install -e acme[testing]
+    nosetests acme
+
+[testenv:py34]
+commands =
+    pip install -e acme[testing]
+    nosetests acme
+
 [testenv:cover]
 basepython = python2.7
 commands =