* check_untyped_defs in mypy with clean output for acme
* test entire acme module
* Add typing as a dependency because it's only in the stdlib for 3.5+
* Add str_utils, modified for python2.7 compatibility
* make mypy happy in acme
* typing is needed in prod
* we actually only need typing in acme so far
* add tests and more docs for str_utils
* pragma no cover
* add magic_typing
* s/from typing/from magic_typing/g
* move typing to dev_extras
* correctly set up imports
* remove str_utils
* only type: ignore for OpenSSL.SSL, not crypto
* Since we only run mypy with python3 anyway and we're fine importing it when it's not actually there, there's no actual need for typing to be present as a dependency
* comment magic_typing.py
* disable wildcard-import im magic_typing
* disable pylint errors
* add magic_typing_test
* make magic_typing tests work alongside other tests
* make sure temp_typing is set
* add typing as a dev dependency for python3.4
* run mypy with python3.4 on travis to get a little more testing with different environments
* don't stick typing into sys.modules
* reorder imports
* Allow revoke to pass in a url
* Add revocation support to ACMEv2.
* Provide regr for account based revocation.
* Add revoke wrapper to BackwardsCompat client
* Add post wrapper to automatically add acme_version
* Add uri to authzr.
* Only add kid when account is set.
* Add content_type when downloading certificate.
* Only save new_authz URL when it exists.
* Handle combinations in ACMEv1 and ACMEv2.
* Add tests for ACMEv2 "combinations".
* update order object with returned authorizations
* major structure of finalize_order shim refactor
* util methods and imports for finalize_order shim refactor
* update certbot.tests.client_test.py
* extraneous client_test imports
* remove correct import
* update renewal call
* add test for acme.dump_pyopenssl_chain
* Add test for certbot.crypto_util.cert_and_chain_from_fullchain
* add tests for acme.client and change to fetch chain failure to TimeoutError
* s/rytpe/rtype
* remove ClientV1 passthrough
* dump the wrapped cert
* remove dead code
* remove the correct dead code
* support earlier mock
* Drop support for EOL Python 2.6
* Use more helpful assertIn/NotIn instead of assertTrue/False
* Drop support for EOL Python 3.3
* Remove redundant Python 3.3 code
* Restore code for RHEL 6 and virtualenv for Py2.7
* Revert pipstrap.py to upstream
* Merge py26_packages and non_py26_packages into all_packages
* Revert changes to *-auto in root
* Update by calling letsencrypt-auto-source/build.py
* Revert permissions for pipstrap.py
* switch new_order to use crypto_util._pyopenssl_cert_or_req_san
* move certbot.crypto_util._get_names_from_loaded_cert_or_req functionality to acme.crypto_util._pyopenssl_cert_or_req_all_names
* delint
* refactor client tests
* Add test for new order and fix identifiers parsing.
* Add poll_and_finalize test
* Test and fix poll_authorizations timeout
* Add test_failed_authorizations
* Add test_poll_authorizations_success
* Test and fix finalize_order success
* add test_finalize_order_timeout
* add test_finalize_order_error
* test sleep code
This adds two new classes in messages: Order and OrderResource. It also adds methods to ClientV2 to create orders, and poll orders then request issuance.
The CSR is stored on the OrderResource so it can be carried along and submitted when it's time to finalize the order.
Detects acme version by checking for newNonce field in the directory, since it's mandatory. Also updates ClientNetwork.account on register and update_registration.
* add mechanism to detect acme version
* update ClientNetwork.account comment
* switch to MultiVersionClient object in acme
* add shim methods
* add returns
* use backwards-compatible format and implement register
* update to actual representation of tos v2
* add tos fields and pass through to v1 for partial updates
* update tests
* pass more tests
* allow instance variable pass-through and lint
* update certbot and tests to use new_account_and_tos method
* remove --agree-tos test from main_test for now because we moved the callback into acme
* add docstrings
* use hasattr
* all most review comments
* use terms_of_service for both v1 and v2
* add tests for acme/client.py
* tests for acme/messages.py
* Implement ACMEv2 signing of POST bodies.
* Add account, and make acme_version explicit.
* Remove separate NewAccount.
* Rename to add v2.
* Add terms_of_service_agreed.
* Split out wrap_in_jws_v2 test.
* Re-add too-many-public-methods.
* Split Client into ClientBase / Client / ClientV2
* Use camelCase for newAccount.
* Make acme_version optional parameter on .post().
This allows us to instantiate a ClientNetwork before knowing the version.
* Add kid unconditionally.
* Use pipstrap to install a good version of pip
* Use pytest in cb-auto tests
* Remove nose usage in auto_test.py
* remove nose dev dep
* use pytest in test_tests
* Use pytest in tox
* Update dev dependency pinnings
* remove nose multiprocess lines
* Use pytest for coverage
* Use older py and pytest for old python versions
* Add test for Error.__str__
* pin pytest in oldest test
* Fix tests for DNS-DO plugin on py26
* Work around bug for Python 3.3
* Clarify dockerfile comments
Fixes#4535
Extracts the relevant fields using a regex. We considered catching
specific exception types, and referencing their fields, but the types
raised by `requests` are not well documented and may not be long
term stable. If the regex fails to match, for instance due to a change
in the exception message, the new exception message will just be
passed through.
* Hide exceptions that occur during session.close()
This fixes#4840. Exceptions that are raised out of __del__ methods are caught
and printed to stderr. By catching any exceptions that occur, we now prevent
this from happening.
Alternative solutions to this would have been either not calling
session.close() at all or adding a close() method to acme.client.ClientNetwork,
acme.client.Client, and certbot.client.Client and using certbot.client.Client
in a context manager to ensure close() is called. The former means that users
of the ACME library never properly close their connections until their program
exits and the latter adds a lot of complexity and nesting of client code for
little benefit.
* Only catch Exceptions
* Pin oldest version of packaged python deps
* Install security extras in oldest tests
* Revert "bump requests requirement to >=2.10 (#4248)"
This reverts commit 402ad8b353.
* Use create=True when patching open on module
* add TLSSNI01DualNetworkedServers
* use DualNetworkedServers in certbot/plugins/standalone.py
also, make both servers run on the same port.
* make probe_sni connect on ipv6 and ipv4 using None
* mimic BSD-like conditions to get test coverage
* test ServerManager taking into account BSD systems
* pass tests even if python is compiled without ipv6 support
* Add an account deactivate utility script.
This is handy if you created an account with a tool other than Certbot, and want
to deactivate the account.
* Move deactivate.py to tools.
* Add test for ConflictError.
* Fix lint error.
* Document how to set server.
* Move 'jwk' and 'alg' fields to protected header.
Previously, these were in the unprotected JWS header, which Boulder currently
allows. However, the next version of the spec doesn't allow anything in the
unprotected header. Moving these fields now allows server implementers who are
implementing the Certbot/Boulder version of ACME
(https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md) to
use JOSE libraries that don't support unprotected headers.
Fixes#4417.
* Only protect existing headers.
* Mention python 3 support in setup.py
* Build universal (py2 and py3 compatible) wheels
* Mention Python 3.3+ support in docs
* we work on python 3.6 too
* Add url and kid to jws.
This will be required in order to implement the latest ACME spec, which uses
these protected header fields.
* Add comments and fix lint.
* Enforce mutual exclusivity of jwk and kid.
If the updated datetime collides, the comparator of heapq will move
onto the AuthorizationResource value and throws an "unorderable type"
error.
This adds an index value to the element tuple to ensure that they are
always strictly ordered.
It's relatively finicky to make a CSR appropriate to pass to poll_and_request_issuance. I think most users want to be able to give a list of domains and a private key, and get back a CSR. This branch adds that functionality to crypto_util.
Note that the two new functions take arguments, and return values, as PEM-encoded buffers. This is a departure from some existing ACME interfaces that take PyOpenSSL types. I've discussed with the Certbot team, and we agree that this is broadly the direction the ACME API should take, so that users of the module don't need to import PyOpenSSL themselves, or use its primitives.
* Add make_csr.
* accept privkey
* Tweak API.
* Remove make_csr from certbot package.
* Skip test in older Pythons.
* Move get_Extensions call under protection.
* Remove assertIn because not backwards-compatible.
* Fix encoding, and use PEM.
* Fix test
* Fix tests on py35.
* Fix error in test.
* Make import_csr_file always return PEM.
Also delete get_sans_from_csr (unused) and get_names_from_csr (newly unused).
* Fix function doc.
* Fix indent
* Fix call of obtain_certificate_from_Csr
* lint
* Handle review feedback.
* Fix test.
* Initial configuration of mypy in box, correction of base mypy errors.
* Move mypy install to toe
* Add pylint comments for typing imports.
* Remove typing module for Python 2.6 compatibility.
An early version of the spec indicated that clients should process issuance
sequentially, following Link rel=next from an account URL to an authz URL, to a
new-cert URL. However, the spec has long since moved to putting these URLs in
the directory.
Certbot nominally supports either; This change consolidates on always using the
directory, simplifying things and making the transition to the latest ACME spec
easier.
* Revert "Revert "Remove Link rel=next for authzs and new-certs." (#4277)"
This reverts commit 11ec1eb911.
* Save new_authzr_uri with account for older clients.
* Add test that new_authzr_uri exists in regr.
* Restore backwards compatibility for new_authzr_uri.
* Fix account_test.
* Add test for deprecated URI argument to request_challenges.
* Review feedback.
* Fix test
* Add omitempty to new_cert_uri.
* stop conditionally pinning mock version in acme
* stop conditionally pinning mock version in certbot
* stop conditionally pinning mock version in apache
* stop conditionally pinning mock version in nginx
* stop conditionally pinning mock version in letshelp
* stop conditionally pinning mock version in compatibility-test
The primary motivation is to avoid a branch, giving bugs one fewer place to hide. But, as a bonus, more people get a more bugfixed version of argparse. (To use the example from the argparse docs, people stuck on Python 3.2.3 can get bugfixes that made it into the stdlib only in 3.2.4.)
* Remove UnexpectedUpdate exceptions.
These exceptions trigger when the server sends the client back an object with a
field that doesn't exactly match what the client previously sent.
This causes unnecessary breakage in various cases, doesn't prevent any problems,
and isn't required by spec.
* Back out all UnexpectedUpdate removals except registration update.
An early version of the spec indicated that clients should process issuance
sequentially, following Link rel=next from an account URL to an authz URL, to a
new-cert URL. However, the spec has long since moved to putting these URLs in
the directory.
Certbot nominally supports either; This change consolidates on always using the
directory, simplifying things and making the transition to the latest ACME spec
easier.
This includes two new tests in the integration test script to check that
boulder gets the correct code. The encoding is specified in RFC5280
5.3.1. The codes that boulder will accept are a subset of that,
specified in `boulder.revocation.reasons.go`.
* Parallalelise nosetests from tox
* Parallelise even more things, break even more things
* Now unbreak all the tests that aren't ready for ||ism
* Try to pass tests!
- Remove non-working hack in reporter_test
- also be selective about ||ism in the cover environment
* Try again
* certbot-apache tests also work, given enough time
* Nginx may need more time in Travis's cloud
* Unbreak reporter_test under ||ism
* More timeout
* Working again?
* This goes way faster
* Another big win
* Split a couple more large test suites
* A last improvement
* More ||ism!
* ||ise lint too
* Allow nosetests to figure out how many cores to use
* simplify merge
* Mark the new CLI tests as ||izable
* Simplify reporter_test changes
* Rationalise ||ism flags
* Re-up coverage
* Clean up reporter tests
* Stop modifying testdata during tests
* remove unused os
* Ensure tests pass with openssl 1.1
A bunch of the acme.standalone and acme.crypto_util tests were using
weak crypto that is now prohibited :/
* lint
* lintlint
* Fix symlink
* pin requests version in py26-oldest
* Determine requests security deps dynamically
Starting with requests 2.12, pyasn1 and ndg-httpsclient are no longer
needed to inject pyopenssl into urllib3. This change allows us to
determine whether or not these dependencies are required at install
time. If an older version of requests is used, these packages are
still installed. If a new version of requests is used, they are not
reducing the number of dependencies we have.
* Bump requests version in certbot-auto
* Use pkg_resources in activate test
Due to pip's lack of dependency resolution, the change to use
requests[extras] causes errors in acme.util_test because pkg_resources
accurately detects the "missing" dependency.
There isn't a real problem here. The problem comes from a brand new
requests and ancient pyopenssl as well as a unit test for
functionality we plan to remove in our next release. I modified
the unit test to fix the problem for now.
* Use six instead of pkg_resources for test
* Require requests<=2.11.1 in py27-oldest test
If we don't do this, we get test failures for the certbot package
which is actually a good thing! pkg_resources is catching the
unlikely but possible problem I describe in #3803 and erroring out
saying it is missing the necessary dependencies to run certbot.
Good job package resources.
* Undo changes to acme.util_test
Print request and response bodies with newlines, rather than all on one line.
Remove "Omitted empty field" log, which gets logged meaninglessly for every JSON
serialization.
Remove duplicated logging of responses.
Log the base64 version of the nonce, rather than turning it into bytes and
logging the backslash-escaped version of those bytes.
Only pass -vv in tests.
* Add and test activate function to acme.
This function can be used to check if our optional dependencies are
available and they meet our version requirements.
* use activate in dns_resolver
* use activate in dns_available() in challenges_test
* Use activate in dns_resolver_test
* Use activate in certbot.plugins.util_test
* Use acme.util.activate for psutil
* Better testing and handling of missing deps
* Factored out *_available() code into a common function
* Delayed exception caused from using acme.dns_resolver without
dnspython until the function is called. This makes both
production and testing code simpler.
* Make a common subclass for already_listening tests
* Simplify mocking of USE_PSUTIL in tests
* move skipUnless to test_util
* add skip_unless to acme test_util
* Make dns_resolver_tests work with and without dnspython
* make acme.challenges_test pass when dns is unavailable
Right now the ACME client checks that the returned registration matches the
registation posted, but there's no guarantee this will always be the case, and
this only introduces unnecessary fragility.
Don't run pep8 for directories that we don't actually enforce pep8 on.
Install dependencies with -q.
Don't print reports, they make it hard to find the actual errors.
Remove deprecated fields from acme .pylintrc, they cause unnecessary messages
about deprecation.
The extra self will push along the arguments, resulting in the accurate but not very helpful error message: "AttributeError: 'JWKRSA' object has no attribute 'kty'"
When pip-installing any of these packages, pip hit our permissive, any-version "setuptools" dependency first and then ignored all subsequent, more constrained ones, like cryptography's "setuptools>=1.0". See https://github.com/pypa/pip/issues/988. It thus, on a box with setuptools 0.9.8, stuck with that version. Then, at runtime, letsencrypt crashed because pkg_resources couldn't satisfy cryptography's setuptools>=1.0 requirement.
This change lets us pip-install our packages and have it work. We'll need to make sure our direct requirements (all of them) satisfy the more constrained requirements of our dependencies. Yes, it is disgusting.
We're stepping off that infra briefly, to keep it the same as boulder's. When we retire the old le-auto, we'll step back on and change boulder to use it as well.
This should make the linter pass and allow us to merge the letsencrypt-auto-release branch when it's ready. IHNI why it passes on master without this disabled.
The motivation is to free us of a reliance on a rather modern version of setuptools, which caused le-auto failures for people on Wheezy and other older distros. (The alternative would have been to forcibly upgrade setuptools as the old le-auto did, but less is more.)
Mock is used only in tests, so we move it to tests_require. It will still be installed automatically when setup.py test is run. Give all packages a test_suite so this works.
The "testing" extra remains for optional packages not required for the nose tests but used in tox. However, the extra is much less useful now and is a candidate for deletion. We could roll the list of packages therein into the tox config so as not to favor any particular package.
Remove tests_require=install_requires, which I don't think does anything useful, since install requirements are implicitly installed when running setup.py test.
Fix tests to pass with mock removed. We had to stop them pulling down LE from PyPI, since the current version there (0.1.1) requires mock and explodes when `letsencrypt` is run.
In order to override the default (`acme-python`), clients (including
Let's Encrypt: #858, #1397) should create a custom
acme.clietn.ClientNetwork object and pass it to
acme.client.Client.__init__.
I'm not even sure why `serve_forever2` and `shutdown2` were introduced
in the first place... It probably follows from my misconception about
the SocketServer module. After having studied the module again, I come
to the conclusion that we can get rid of my crap, simultanously
reducing probability of #1085 (hopefully down to 0)!
`server_forever` is used throughout tests instead of `handle_request`,
because `shutdown`, following docs, "must be called while
serve_forever() is running in another thread, or it will deadlock",
and our `probe_sni` HTTP request is already enough to kill single
`handle_request`.
We don't need to use any busy waiting block or `sleep` between serve
and shutdown; studying CPython source code leads to the conclusion
that the following construction is non-blocking:
```python
import threading, SocketServer
s = SocketServer.TCPServer(("", 0), None)
t = threading.Thread(target=s.shutdown)
t.start()
s.serve_forever() # returns immediately
t.join() # returns immediately
```
