diff --git a/scripts/lib/install b/scripts/lib/install index 63aa72383b..36fb3b13e2 100755 --- a/scripts/lib/install +++ b/scripts/lib/install @@ -11,6 +11,7 @@ Other options: --certbot --self-signed-cert --no-init-db + --cacert The --hostname and --email options are required, unless --no-init-db is set and --certbot is not. @@ -21,12 +22,13 @@ EOF # Shell option parsing. Over time, we'll want to move some of the # environment variables below into this self-documenting system. -args="$(getopt -o '' --long help,no-init-db,self-signed-cert,certbot,hostname:,email: -n "$0" -- "$@")" +args="$(getopt -o '' --long help,no-init-db,self-signed-cert,certbot,hostname:,email:,cacert: -n "$0" -- "$@")" eval "set -- $args" while true; do case "$1" in --help) usage;; --self-signed-cert) SELF_SIGNED_CERT=1; shift;; + --cacert) export CUSTOM_CA_CERTIFICATES="$2"; shift; shift;; --certbot) USE_CERTBOT=1; shift;; --hostname) EXTERNAL_HOST="$2"; shift; shift;; --email) ZULIP_ADMINISTRATOR="$2"; shift; shift;; diff --git a/scripts/lib/install-node b/scripts/lib/install-node index 5d16440db9..5bf177e103 100755 --- a/scripts/lib/install-node +++ b/scripts/lib/install-node @@ -28,7 +28,11 @@ fi if [ "$current_node_version" != "v$node_version" ] || ! [ -L "$node_wrapper_path" ]; then export NVM_DIR=/usr/local/nvm if ! [ -e "$NVM_DIR/nvm.sh" ]; then - wget -nv -O- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash + wget_opts=(-nv) + if [ -n "${CUSTOM_CA_CERTIFICATES:-}" ]; then + wget_opts+=(--ca-certificate "${CUSTOM_CA_CERTIFICATES}") + fi + wget "${wget_opts[@]}" -O- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash fi # shellcheck source=/dev/null diff --git a/scripts/lib/node_cache.py b/scripts/lib/node_cache.py index 97f057368f..ace71918f9 100644 --- a/scripts/lib/node_cache.py +++ b/scripts/lib/node_cache.py 
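Review bot: The `--cacert` branch in the option loop exports `$2` unchecked, so a missing, unreadable or relative path is only discovered later, when wget, yarn or pip fail, or is written as-is into their persistent configuration. A relative path is the more fragile case because later steps run from other directories (the yarn install in node_cache.py goes through `cd_exec`), so the same string may resolve to a different file. I would canonicalise and test it here, e.g. `--cacert) CUSTOM_CA_CERTIFICATES="$(readlink -f -- "$2")"; [ -r "$CUSTOM_CA_CERTIFICATES" ] || usage; export CUSTOM_CA_CERTIFICATES; shift; shift;;`. The usage text in the first hunk should also show that the option takes an argument, e.g. `--cacert /path/to/ca.pem`.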
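Review bot: The nvm installer is still piped straight from `wget` into `bash`, and with `--ca-certificate` added the only protection on that script is the TLS chain to whatever CA the operator supplied. If that CA belongs to an intercepting proxy, anything able to sign with it can change what runs here (presumably with the installer's privileges, since it writes under /usr/local/nvm), and nothing in the hunk checks the download. Since the URL is pinned to v0.33.8, the script can be saved to a file and compared with a pinned SHA-256 before it is executed. The enclosing `if` starts and ends outside the hunk.

```shell
        # … unchanged: wget_opts construction …
        nvm_installer="$(mktemp)"
        wget "${wget_opts[@]}" -O "$nvm_installer" https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh
        # Placeholder: replace with the reviewed SHA-256 of the v0.33.8 install.sh.
        nvm_installer_sha256="<PINNED_SHA256_OF_INSTALL_SH>"
        if ! echo "$nvm_installer_sha256  $nvm_installer" | sha256sum -c --status -; then
            echo "nvm installer checksum mismatch; refusing to run it" >&2
            exit 1
        fi
        bash "$nvm_installer"
        rm -f "$nvm_installer"
```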
@@ -90,6 +90,8 @@ def do_yarn_install(target_path, yarn_args, success_stamp, stdout=None, stderr=N
 if os.path.exists("node_modules"):
 cmds.append(["cp", "-R", "node_modules/", cached_node_modules])
 cd_exec = os.path.join(ZULIP_PATH, "scripts/lib/cd_exec")
+ if os.environ.get('CUSTOM_CA_CERTIFICATES'):
+ cmds.append([YARN_BIN, "config", "set", "cafile", os.environ['CUSTOM_CA_CERTIFICATES']])
 cmds.append([cd_exec, target_path, YARN_BIN, "install", "--non-interactive"] + yarn_args)
 cmds.append(['touch', success_stamp])
diff --git a/scripts/lib/setup_venv.py b/scripts/lib/setup_venv.py
index aac00be1ad..a366264610 100644
--- a/scripts/lib/setup_venv.py
+++ b/scripts/lib/setup_venv.py
@@ -252,6 +252,13 @@ def setup_virtualenv(target_venv_path, requirements_file, virtualenv_args=None,
 exec(open(activate_this).read(), {}, dict(__file__=activate_this))
 return cached_venv_path
+def add_cert_to_pipconf():
+ # type: () -> None
+ conffile = os.path.expanduser("~/.pip/pip.conf")
+ confdir = os.path.expanduser("~/.pip/")
+ os.makedirs(confdir, exist_ok=True)
+ run(["crudini", "--set", conffile, "global", "cert", os.environ["CUSTOM_CA_CERTIFICATES"]])
+
 def do_setup_virtualenv(venv_path, requirements_file, virtualenv_args):
 # type: (str, str, List[str]) -> None
@@ -272,6 +279,11 @@ def do_setup_virtualenv(venv_path, requirements_file, virtualenv_args):
 activate_this = os.path.join(venv_path, "bin", "activate_this.py")
 exec(open(activate_this).read(), {}, dict(__file__=activate_this))
+ # use custom certificate if needed
+ if os.environ.get('CUSTOM_CA_CERTIFICATES'):
+ print("Configuring pip to use custom CA certificates...")
+ add_cert_to_pipconf()
+
 try:
 install_venv_deps(requirements_file)
 except subprocess.CalledProcessError:
diff --git a/tools/update-authors-json b/tools/update-authors-json
index b90b78a4b0..f775bb2e1c 100755
--- a/tools/update-authors-json
+++ b/tools/update-authors-json
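Review bot: `yarn config set cafile` writes the CA path into the invoking user's persistent yarn configuration rather than applying it to this one install, so the trust setting outlives the run and stays in place after `CUSTOM_CA_CERTIFICATES` is unset or the file is replaced. That is worth a comment above the new `if`, for example `# NOTE: persists in the user's yarn config; every later yarn run for this user trusts this CA file.`, and ideally a log line so the change is visible in the install output. The variable is also read twice; binding it once, `ca_file = os.environ.get('CUSTOM_CA_CERTIFICATES')`, keeps the test and the use in step. do_yarn_install starts and ends outside the hunk.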
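Review bot: `add_cert_to_pipconf()` rewrites `~/.pip/pip.conf` through an external `crudini` binary, which leaves the CA setting behind for every later pip run by that user and fails if crudini is not installed; nothing in this diff shows it being added as a dependency. pip also reads its options from the environment, so if `install_venv_deps` runs pip as a child process that inherits the environment (not visible here), `os.environ.setdefault("PIP_CERT", os.environ["CUSTOM_CA_CERTIFICATES"])` would scope the setting to this run with no file write. If the file write is kept, the function needs a docstring stating that it requires `CUSTOM_CA_CERTIFICATES` to be set (it raises KeyError otherwise) and that it modifies the user's pip configuration; `confdir` can be `os.path.dirname(conffile)`. The call site in the `@@ -272,6 +279,11 @@` hunk is affected the same way.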
@@ -49,7 +49,7 @@ ContributorsJSON = TypedDict('ContributorsJSON', {
 def fetch_contributors(repo_link: str) -> Optional[List[Dict[str, Dict[str, Any]]]]:
- r = requests.get(repo_link) # type: requests.Response
+ r = requests.get(repo_link, verify=os.environ.get('CUSTOM_CA_CERTIFICATES')) # type: requests.Response
 return r.json() if r.status_code == 200 else None
 def write_to_disk(json_data: ContributorsJSON, out_file: str) -> None:
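Review bot: `verify=os.environ.get('CUSTOM_CA_CERTIFICATES')` passes the raw value through, unlike the other call sites in this commit, which guard on truthiness. An unset variable gives `None`, which requests treats as the default, but a variable that is set and empty gives `''`, and as far as I can tell requests treats a falsy `verify` as certificate verification switched off. `verify=os.environ.get('CUSTOM_CA_CERTIFICATES') or True` keeps checking on in that case. The hunk does not show whether `os` is imported in this file.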