1303156 – pki.client.PKIConnection should ignore env vars such as http_proxy

Bug 1303156 - pki.client.PKIConnection should ignore env vars such as http_proxy

Summary: pki.client.PKIConnection should ignore env vars such as http_proxy

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	7.3
Assignee:	Christian Heimes
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-29 17:33 UTC by Matthew Harmsen
Modified:	2020-10-04 21:04 UTC (History)
CC List:	2 users (show)
Fixed In Version:	pki-core-10.3.1-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 05:22:45 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2291	0	None	None	None	2020-10-04 21:04:48 UTC
Red Hat Product Errata	RHBA-2016:2396	0	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2016-11-03 13:55:03 UTC

Description Matthew Harmsen 2016-01-29 17:33:13 UTC

PKIConnection uses python-requests to handle HTTP connections to the server. requests inspects env vars such as http_proxy and https_proxy for HTTP proxy server location, REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE to override the trust store location as well as ~/.netrc for authentication. This can cause hard to debug issues such as installation failures. See https://fedorahosted.org/freeipa/ticket/5555 for background.

The feature can be disabled easily: https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env

I propose to have it disabled by default. It's a one line fix (two with comment, three if we want a flag in PKIConnection.__init__()).

Comment 1 Matthew Harmsen 2016-01-29 17:34:21 UTC

This issue has been fixed in PKI TRAC Ticket #1733.

Comment 2 Mike McCune 2016-03-28 22:25:24 UTC

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 4 Sumedh Sidhaye 2016-08-10 10:46:21 UTC

Tested it by setting HTTP_PROXY / HTTPS_PROXY variable before running pkispawn.

pkispawn succeeds with no errors. Hence marking it as verified.

Tested with the following build:

pki-base.noarch          10.3.3-5.el7                                     
pki-base-java.noarch     10.3.3-5.el7                                     
pki-ca.noarch            10.3.3-5.el7                                     
pki-console.noarch       10.3.3-1.el7pki                                  
pki-core-debuginfo.x86_6410.3.3-5.el7pki                                  
pki-javadoc.noarch       10.3.3-5.el7                                     
pki-kra.noarch           10.3.3-5.el7                                     
pki-ocsp.noarch          10.3.3-5.el7pki                                  
pki-server.noarch        10.3.3-5.el7                                     
pki-symkey.x86_64        10.3.3-5.el7                                     
pki-tks.noarch           10.3.3-5.el7pki                                  
pki-tools.x86_64         10.3.3-5.el7                                     
pki-tps.x86_64           10.3.3-5.el7pki

Comment 6 errata-xmlrpc 2016-11-04 05:22:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

Note You need to log in before you can comment on or make changes to this bug.