Merge "Allow specifying the path to CA certificate bundle"

examples/reference-gertty.yaml

@@ -35,8 +35,12 @@ servers:
 # The location of Gertty's sqlite database.  If you have more than one
 # server, you should specify a dburi for any additional servers.
 #    dburi: ~/.gertty.db
-# If your Gerrit server has a self-signed cert (eg, a test server),
-# you can set this value to false to turn of certificate validation.
+# If your Gerrit server uses a non-standard certificate chain (e.g. on a test
+# server), you can pass a full path to a bundle of CA certificates here:
+#    ssl-ca-path: ~/.pki/ca-chain.pem
+# In case you do not care about security and want to use a sledgehammer
+# approach to SSL, you can set this value to false to turn off certificate
+# validation.
 #    verify-ssl: true
 # By default Gertty logs errors to a file and truncates that file each
 # time it starts (so that it does not grow without bound).  If you

gertty/config.py

@@ -42,6 +42,7 @@ class ConfigSchema(object):
               v.Required('username'): str,
               'password': str,
               'verify-ssl': bool,
+              'ssl-ca-path': str,
               'dburi': str,
               v.Required('git-root'): str,
               'log-file': str,
@@ -142,6 +143,13 @@ class Config(object):
         self.verify_ssl = server.get('verify-ssl', True)
         if not self.verify_ssl:
             os.environ['GIT_SSL_NO_VERIFY']='true'
+        self.ssl_ca_path = server.get('ssl-ca-path', None)
+        if self.ssl_ca_path is not None:
+            self.ssl_ca_path = os.path.expanduser(self.ssl_ca_path)
+            # Gertty itself uses the Requests library
+            os.environ['REQUESTS_CA_BUNDLE'] = self.ssl_ca_path
+            # And this is to allow Git callouts
+            os.environ['GIT_SSL_CAINFO'] = self.ssl_ca_path
         self.git_root = os.path.expanduser(server['git-root'])
         self.dburi = server.get('dburi',
                                 'sqlite:///' + os.path.expanduser('~/.gertty.db'))