[PATCH 03 of 11] sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts

Gregory Szorc gregory.szorc at gmail.com
Thu May 5 03:53:20 EDT 2016


# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1462430314 25200
#      Wed May 04 23:38:34 2016 -0700
# Node ID 2864851cadedd9fb960368d408ce6fce039c78a8
# Parent  c681048bf0680635752b51e34c6be45e19e9192b
sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts

Before, the return of _defaultcacerts() was 1 of 3 types. This was
difficult to read. Make it return a path or None.

We had to update hghave.py in the same patch because it was also
looking at this internal function. I wasted dozens of minutes
trying to figure out why tests were failing until I found the
code in hghave.py...

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -217,24 +217,23 @@ def _plainapplepython():
     """
     if sys.platform != 'darwin' or util.mainfrozen() or not sys.executable:
         return False
     exe = os.path.realpath(sys.executable).lower()
     return (exe.startswith('/usr/bin/python') or
             exe.startswith('/system/library/frameworks/python.framework/'))
 
 def _defaultcacerts():
-    """return path to CA certificates; None for system's store; ! to disable"""
+    """return path to default CA certificates or None."""
     if _plainapplepython():
         dummycert = os.path.join(os.path.dirname(__file__), 'dummycert.pem')
         if os.path.exists(dummycert):
             return dummycert
-    if _canloaddefaultcerts:
-        return None
-    return '!'
+
+    return None
 
 def sslkwargs(ui, host):
     """Determine arguments to pass to wrapsocket().
 
     ``host`` is the hostname being connected to.
     """
     kws = {'ui': ui}
 
@@ -257,18 +256,22 @@ def sslkwargs(ui, host):
             raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
 
         kws.update({'ca_certs': cacerts,
                     'cert_reqs': ssl.CERT_REQUIRED})
         return kws
 
     # No CAs in config. See if we can load defaults.
     cacerts = _defaultcacerts()
-    if cacerts and cacerts != '!':
+    if cacerts:
         ui.debug('using %s to enable OS X system CA\n' % cacerts)
+    else:
+        if not _canloaddefaultcerts:
+            cacerts = '!'
+
     ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
 
     if cacerts != '!':
         kws.update({'ca_certs': cacerts,
                     'cert_reqs': ssl.CERT_REQUIRED,
                     })
     return kws
 
diff --git a/tests/hghave.py b/tests/hghave.py
--- a/tests/hghave.py
+++ b/tests/hghave.py
@@ -411,17 +411,17 @@ def has_sslcontext():
         ssl.SSLContext
         return True
     except (ImportError, AttributeError):
         return False
 
 @check("defaultcacerts", "can verify SSL certs by system's CA certs store")
 def has_defaultcacerts():
     from mercurial import sslutil
-    return sslutil._defaultcacerts() != '!'
+    return sslutil._defaultcacerts() or sslutil._canloaddefaultcerts
 
 @check("windows", "Windows")
 def has_windows():
     return os.name == 'nt'
 
 @check("system-sh", "system() uses sh")
 def has_system_sh():
     return os.name != 'nt'


More information about the Mercurial-devel mailing list