PYTHON-2140 Test PyOpenSSL on macOS

Handle the case where the peer omits the self-signed issuer cert and OCSP is not requested by delaying issuer check. Properly set PYMONGO_MUST_CONNECT in PyOpenSSL tests. Properly set PYTHON_BINARY in OCSP test.
2020-02-27 13:36:16 -08:00 · 2020-02-27 13:36:16 -08:00 · 043c8e822b
commit 043c8e822b
parent e26dc96e31
5 changed files with 40 additions and 12 deletions
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@ -347,6 +347,9 @@ functions:
         script: |
           set -o xtrace
           ${PREPARE_SHELL}
+           if [ -n "${MONGODB_STARTED}" ]; then
+             export PYMONGO_MUST_CONNECT=1
+           fi
           PYTHON_BINARY=${PYTHON_BINARY} sh ${PROJECT_DIRECTORY}/.evergreen/run-pyopenssl-tests.sh

  "run doctests":
@ -662,6 +665,7 @@ functions:
        working_dir: "src"
        script: |
          ${PREPARE_SHELL}
+          PYTHON_BINARY=${PYTHON_BINARY} \
          CA_FILE="$DRIVERS_TOOLS/.evergreen/ocsp/rsa/ca.pem" \
          OCSP_TLS_SHOULD_SUCCEED="${OCSP_TLS_SHOULD_SUCCEED}" \
          sh ${PROJECT_DIRECTORY}/.evergreen/run-ocsp-tests.sh
@ -1740,6 +1744,15 @@ buildvariants:
  tasks:
    - "pyopenssl"

+- matrix_name: "tests-pyopenssl-macOS"
+  matrix_spec:
+    platform: macos-1014
+    auth: "*"
+    ssl: "ssl"
+  display_name: "PyOpenSSL ${platform} ${auth}"
+  tasks:
+    - "pyopenssl"
+
 - matrix_name: "tests-python-version-rhel62-test-encryption"
  matrix_spec:
    platform: rhel62
--- a/.evergreen/run-ocsp-tests.sh
+++ b/.evergreen/run-ocsp-tests.sh
@ -13,9 +13,15 @@ if [ -z "$PYTHON_BINARY" ]; then
 fi

 $PYTHON_BINARY -m virtualenv --never-download --no-wheel ocsptest
-    . ocsptest/bin/activate
-    trap "deactivate; rm -rf ocsptest" EXIT HUP
-    pip install pyopenssl requests service_identity
-    PYTHON=python
+. ocsptest/bin/activate
+trap "deactivate; rm -rf ocsptest" EXIT HUP

-OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED} CA_FILE=${CA_FILE} $PYTHON test/ocsp/test_ocsp.py
+IS_PYTHON_2=$(python -c "import sys; sys.stdout.write('1' if sys.version_info < (3,) else '0')")
+if [ $IS_PYTHON_2 = "1" ]; then
+    echo "Using a Python 2"
+    pip install --upgrade 'setuptools<45'
+fi
+
+pip install pyopenssl requests service_identity
+
+OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED} CA_FILE=${CA_FILE} python test/ocsp/test_ocsp.py
--- a/.evergreen/run-pyopenssl-tests.sh
+++ b/.evergreen/run-pyopenssl-tests.sh
@ -19,9 +19,15 @@ else
 fi

 $PYTHON -m virtualenv pyopenssltest
-trap "deactivate; rm -rf pyopenssltest" EXIT HUP
 . pyopenssltest/bin/activate
-pip install pyopenssl>=17.2.0 "requests<3.0.0" service_identity>=18.1.0
-pip list
+trap "deactivate; rm -rf pyopenssltest" EXIT HUP
+
+IS_PYTHON_2=$(python -c "import sys; sys.stdout.write('1' if sys.version_info < (3,) else '0')")
+if [ $IS_PYTHON_2 = "1" ]; then
+    echo "Using a Python 2"
+    pip install --upgrade 'setuptools<45'
+fi
+
+pip install pyopenssl requests service_identity
 python -c 'import sys; print(sys.version)'
 python setup.py test
--- a/pymongo/ocsp_support.py
+++ b/pymongo/ocsp_support.py
@ -237,9 +237,6 @@ def ocsp_callback(conn, ocsp_bytes, user_data):
    cert = conn.get_peer_certificate().to_cryptography()
    chain = [cer.to_cryptography() for cer in conn.get_peer_cert_chain()]
    issuer = _get_issuer_cert(cert, chain)
-    if issuer is None:
-        _LOGGER.debug("No issuer cert?")
-        return 0
    must_staple = False
    # https://tools.ietf.org/html/rfc7633#section-4.2.3.1
    ext = _get_extension(cert, _TLSFeature)
@ -268,6 +265,9 @@ def ocsp_callback(conn, ocsp_bytes, user_data):
            _LOGGER.debug("No OCSP URI, soft fail")
            # No responder URI, soft fail.
            return 1
+        if issuer is None:
+            _LOGGER.debug("No issuer cert?")
+            return 0
        _LOGGER.debug("Requesting OCSP data")
        # When requesting data from an OCSP endpoint we only fail on
        # successful, valid responses with a certificate status of REVOKED.
@ -291,6 +291,9 @@ def ocsp_callback(conn, ocsp_bytes, user_data):
        return 1

    _LOGGER.debug("Peer stapled an OCSP response")
+    if issuer is None:
+        _LOGGER.debug("No issuer cert?")
+        return 0
    response = _load_der_ocsp_response(ocsp_bytes)
    _LOGGER.debug(
        "OCSP response status: %r", response.response_status)
--- a/test/test_ssl.py
+++ b/test/test_ssl.py
@ -442,7 +442,7 @@ class TestSSL(IntegrationTest):
            raise SkipTest("Can't load system CA certificates.")

        if (ssl.OPENSSL_VERSION.lower().startswith('libressl') and
-                sys.platform == 'darwin'):
+                sys.platform == 'darwin' and not _ssl.IS_PYOPENSSL):
            raise SkipTest(
                "LibreSSL on OSX doesn't support setting CA certificates "
                "using SSL_CERT_FILE environment variable.")