scripts: Allow configuring a custom CA bundle for build process.

For building Zulip in an environment where a custom CA certificate is
required to access the public Internet, one needs to be able to
specify that CA certificate for all network access done by the Zulip
installer/build process.  This change allows configuring that via the
environment.

scripts/lib/install

@@ -11,6 +11,7 @@ Other options:
   --certbot
   --self-signed-cert
   --no-init-db
+  --cacert
 
 The --hostname and --email options are required,
 unless --no-init-db is set and --certbot is not.
@@ -21,12 +22,13 @@ EOF
 
 # Shell option parsing.  Over time, we'll want to move some of the
 # environment variables below into this self-documenting system.
-args="$(getopt -o '' --long help,no-init-db,self-signed-cert,certbot,hostname:,email: -n "$0" -- "$@")"
+args="$(getopt -o '' --long help,no-init-db,self-signed-cert,certbot,hostname:,email:,cacert: -n "$0" -- "$@")"
 eval "set -- $args"
 while true; do
     case "$1" in
         --help) usage;;
         --self-signed-cert) SELF_SIGNED_CERT=1; shift;;
+        --cacert) export CUSTOM_CA_CERTIFICATES="$2"; shift; shift;;
         --certbot) USE_CERTBOT=1; shift;;
         --hostname) EXTERNAL_HOST="$2"; shift; shift;;
         --email) ZULIP_ADMINISTRATOR="$2"; shift; shift;;

scripts/lib/install-node

@@ -28,7 +28,11 @@ fi
 if [ "$current_node_version" != "v$node_version" ] || ! [ -L "$node_wrapper_path" ]; then
     export NVM_DIR=/usr/local/nvm
     if ! [ -e "$NVM_DIR/nvm.sh" ]; then
-        wget -nv -O- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
+        wget_opts=(-nv)
+        if [ -n "${CUSTOM_CA_CERTIFICATES:-}" ]; then
+            wget_opts+=(--ca-certificate "${CUSTOM_CA_CERTIFICATES}")
+        fi
+        wget "${wget_opts[@]}" -O- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
     fi
 
     # shellcheck source=/dev/null

scripts/lib/node_cache.py

@@ -90,6 +90,8 @@ def do_yarn_install(target_path, yarn_args, success_stamp, stdout=None, stderr=N
         if os.path.exists("node_modules"):
             cmds.append(["cp", "-R", "node_modules/", cached_node_modules])
         cd_exec = os.path.join(ZULIP_PATH, "scripts/lib/cd_exec")
+        if os.environ.get('CUSTOM_CA_CERTIFICATES'):
+            cmds.append([YARN_BIN, "config", "set", "cafile", os.environ['CUSTOM_CA_CERTIFICATES']])
         cmds.append([cd_exec, target_path, YARN_BIN, "install", "--non-interactive"] +
                     yarn_args)
     cmds.append(['touch', success_stamp])

scripts/lib/setup_venv.py

@@ -252,6 +252,13 @@ def setup_virtualenv(target_venv_path, requirements_file, virtualenv_args=None,
     exec(open(activate_this).read(), {}, dict(__file__=activate_this))
     return cached_venv_path
 
+def add_cert_to_pipconf():
+    # type: () -> None
+    conffile = os.path.expanduser("~/.pip/pip.conf")
+    confdir = os.path.expanduser("~/.pip/")
+    os.makedirs(confdir, exist_ok=True)
+    run(["crudini", "--set", conffile, "global", "cert", os.environ["CUSTOM_CA_CERTIFICATES"]])
+
 def do_setup_virtualenv(venv_path, requirements_file, virtualenv_args):
     # type: (str, str, List[str]) -> None
 
@@ -272,6 +279,11 @@ def do_setup_virtualenv(venv_path, requirements_file, virtualenv_args):
     activate_this = os.path.join(venv_path, "bin", "activate_this.py")
     exec(open(activate_this).read(), {}, dict(__file__=activate_this))
 
+    # use custom certificate if needed
+    if os.environ.get('CUSTOM_CA_CERTIFICATES'):
+        print("Configuring pip to use custom CA certificates...")
+        add_cert_to_pipconf()
+
     try:
         install_venv_deps(requirements_file)
     except subprocess.CalledProcessError:

tools/update-authors-json

@@ -49,7 +49,7 @@ ContributorsJSON = TypedDict('ContributorsJSON', {
 
 
 def fetch_contributors(repo_link: str) -> Optional[List[Dict[str, Dict[str, Any]]]]:
-    r = requests.get(repo_link)  # type: requests.Response
+    r = requests.get(repo_link, verify=os.environ.get('CUSTOM_CA_CERTIFICATES'))  # type: requests.Response
     return r.json() if r.status_code == 200 else None
 
 def write_to_disk(json_data: ContributorsJSON, out_file: str) -> None: