mirror of
https://github.com/certbot/certbot.git
synced 2025-08-09 15:02:48 +03:00
713b91495b
Fixes #8093. This PR modifies and audits all uses of `subprocess` and `Popen` outside of tests, `certbot-ci/`, `certbot-compatibility-test/`, `letsencrypt-auto-source/`, `tools/`, and `windows-installer/`. Calls to outside programs have their `env` modified to remove the `SNAP` components of paths, if they exist. This includes any calls made from hooks, calls to `apachectl` and `nginx`, and to `openssl` from `ocsp.py`. For testing manually, rsync flags will look something like: ``` rsync -avzhe ssh root@focal.domain:/home/certbot/certbot/certbot_*_amd64.snap . rsync -avzhe ssh certbot_*_amd64.snap root@centos7.domain:/root/certbot/ ``` With these modifications, `certbot plugins --prepare` now passes on Centos 7. If I'm wrong and we package the `openssl` binary, the modifications should be removed from `ocsp.py`, and `env` should be passed into `run_script` rather than set internally in its calls from nginx and apache. One caveat with this approach is the disconnect between why it's a problem (packaging) and where it's solved (internal to Certbot). I considered a wrapping approach, but we'd still have to audit specific calls. I think the best way to address this is robust testing; specifically, running the snap on other systems. For hooks, all calls will remove the snap paths if they exist. This is probably fine, because even if the hook intends to call back into certbot, it can do that, it'll just create a new snap. I'm not sure if we need these modifications for the Mac OS X/ Darwin calls, but they can't hurt. * Add method to plugins util to get env without snap paths * Use modified environment in Nginx plugin * Pass through env to certbot.util.run_script * Use modified environment in Apache plugin * move env_no_snap_for_external_calls to certbot.util * Set env internally to run_script, since we use that only to call out * Add env to mac subprocess calls in certbot.util * Add env to openssl call in ocsp.py * Add env for hooks calls in certbot.compat.misc. * Pass env into execute_command to avoid circular dependency * Update hook test to assert called with env * Fix mypy type hint to account for new param * Change signature to include Optional * go back to using CERTBOT_PLUGIN_PATH * no need to modify PYTHONPATH in env * robustly detect when we're in a snap * Improve env util fxn docstring * Update changelog * Add unit tests for env_no_snap_for_external_calls * Import compat.os
90 lines
2.9 KiB
Python
90 lines
2.9 KiB
Python
from distutils.version import LooseVersion
|
|
import sys
|
|
|
|
from setuptools import __version__ as setuptools_version
|
|
from setuptools import find_packages
|
|
from setuptools import setup
|
|
from setuptools.command.test import test as TestCommand
|
|
|
|
version = '1.6.0.dev0'
|
|
|
|
# Remember to update local-oldest-requirements.txt when changing the minimum
|
|
# acme/certbot version.
|
|
install_requires = [
|
|
'acme>=1.4.0',
|
|
'certbot>=1.6.0.dev0',
|
|
'PyOpenSSL',
|
|
'pyparsing>=1.5.5', # Python3 support
|
|
'setuptools',
|
|
'zope.interface',
|
|
]
|
|
|
|
setuptools_known_environment_markers = (LooseVersion(setuptools_version) >= LooseVersion('36.2'))
|
|
if setuptools_known_environment_markers:
|
|
install_requires.append('mock ; python_version < "3.3"')
|
|
elif 'bdist_wheel' in sys.argv[1:]:
|
|
raise RuntimeError('Error, you are trying to build certbot wheels using an old version '
|
|
'of setuptools. Version 36.2+ of setuptools is required.')
|
|
elif sys.version_info < (3,3):
|
|
install_requires.append('mock')
|
|
|
|
|
|
class PyTest(TestCommand):
|
|
user_options = []
|
|
|
|
def initialize_options(self):
|
|
TestCommand.initialize_options(self)
|
|
self.pytest_args = ''
|
|
|
|
def run_tests(self):
|
|
import shlex
|
|
# import here, cause outside the eggs aren't loaded
|
|
import pytest
|
|
errno = pytest.main(shlex.split(self.pytest_args))
|
|
sys.exit(errno)
|
|
|
|
|
|
setup(
|
|
name='certbot-nginx',
|
|
version=version,
|
|
description="Nginx plugin for Certbot",
|
|
url='https://github.com/letsencrypt/letsencrypt',
|
|
author="Certbot Project",
|
|
author_email='client-dev@letsencrypt.org',
|
|
license='Apache License 2.0',
|
|
python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*',
|
|
classifiers=[
|
|
'Development Status :: 5 - Production/Stable',
|
|
'Environment :: Plugins',
|
|
'Intended Audience :: System Administrators',
|
|
'License :: OSI Approved :: Apache Software License',
|
|
'Operating System :: POSIX :: Linux',
|
|
'Programming Language :: Python',
|
|
'Programming Language :: Python :: 2',
|
|
'Programming Language :: Python :: 2.7',
|
|
'Programming Language :: Python :: 3',
|
|
'Programming Language :: Python :: 3.5',
|
|
'Programming Language :: Python :: 3.6',
|
|
'Programming Language :: Python :: 3.7',
|
|
'Programming Language :: Python :: 3.8',
|
|
'Topic :: Internet :: WWW/HTTP',
|
|
'Topic :: Security',
|
|
'Topic :: System :: Installation/Setup',
|
|
'Topic :: System :: Networking',
|
|
'Topic :: System :: Systems Administration',
|
|
'Topic :: Utilities',
|
|
],
|
|
|
|
packages=find_packages(),
|
|
include_package_data=True,
|
|
install_requires=install_requires,
|
|
entry_points={
|
|
'certbot.plugins': [
|
|
'nginx = certbot_nginx._internal.configurator:NginxConfigurator',
|
|
],
|
|
},
|
|
test_suite='certbot_nginx',
|
|
tests_require=["pytest"],
|
|
cmdclass={"test": PyTest},
|
|
)
|