Fix the disable_ssl_certificate_validation option

Bug #1906720 reported by Jorge Niedbalski
This bug affects 1 person
Affects                   Status        Importance  Assigned to    Milestone
python-httplib2 (Ubuntu)  Fix Released  Undecided   Unassigned
  Bionic                  Fix Released  Medium      Heather Lemon
  Focal                   Fix Released  Undecided   Unassigned
  Groovy                  Fix Released  Undecided   Unassigned
  Hirsute                 Fix Released  Undecided   Unassigned

Bug Description

[Impact]

 * On Bionic, MAAS CLI fails to work with apis over https with self-signed
   certificates due to broken disable_ssl_certificate_validation option
   with python 3.5 and later.

[Steps to Reproduce]

 1. prepare a maas server (it doesn't have to be HA to reproduce)
 2. prepare a set of certificate, key and ca-bundle
 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
    restart nginx`
 4. add the ca certificates to the host
    sudo mkdir /usr/share/ca-certificates/extra
    sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
    dpkg-reconfigure ca-certificates
 5. login with a new profile over https url
 6. if the certificate is not trusted by the root store, it fails to login
 7. adding the '--insecure' flag should disable the certificate check

[Where Problems Could Occur]

 * Potential issues could happen if we disable certificate validation for
   all TLS interactions, any connection https related.

 * Should not break existing python3 versions.

 * Should not affect previously working python2 versions.

[Other Info]

This change should fix the issue with python3, and you should be able
to connect with python2 as before.

python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
*both are built from the same source package

helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey

[Test Case]

# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720

# get source code from repo
pull-lp-source python-httplib2 bionic

# install maas-cli
apt-get install maas-cli

# install maas server
apt-get install maas

# init maas
sudo maas init

# answer questions

# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key

# add certs
sudo cp -v localhost.crt /usr/share/ca-certificates/extra/

# add new cert to list
sudo dpkg-reconfigure ca-certificates
[1]

# select yes with spacebar
# save and it will reload with 1 new certificate

# create api key files
touch api_key
touch api-key-file

# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2

# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin

# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file

# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/sites-available/maas-https-default
# contents of maas-https-default
server {
    listen 443 ssl http2;

    server_name _;
    ssl_certificate /home/ubuntu/localhost.crt;
    ssl_certificate_key /home/ubuntu/localhost.key;

    location / {
        proxy_pass http://localhost:5240;
        include /etc/nginx/proxy_params;
    }

    location /MAAS/ws {
        proxy_pass http://127.0.0.1:5240/MAAS/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

sudo service nginx restart

# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
----
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240

MAAS_URL=http://$API_SERVER/MAAS

maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
----

sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
----
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1

MAAS_URL=https://$API_SERVER/MAAS

maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
----

# try to login
./maas-login.sh

cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
    listen 443 ssl http2;

    server_name _;
    ssl_certificate /home/ubuntu/localhost.crt;
    ssl_certificate_key /home/ubuntu/localhost.key;

    location / {
        proxy_pass http://localhost:5240;
        include /etc/nginx/proxy_params;
    }

    location /MAAS/ws {
        proxy_pass http://127.0.0.1:5240/MAAS/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled

# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
*i didn't see any 404's though

2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))

[Other]

HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',))
( reboot nginx if you see this message )

[1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/

[VERIFICATION DONE]
# purge python-httplib2
dpkg -l python-httplib2 | cat
sudo apt-get remove python-httplib2
# maas version used
2.4.2
# enable proposed pocket via update manager
apt-get install python-httplib2
package version installed: 0.9.2+dfsg-1ubuntu0.3

# Follow test case steps
I have followed the outline in the test steps.

Saw that the issue was resolved with the fix.
I was able to login to maas-cli via https
No errors were thrown in the logs when accessing https via maas-cli located here:
/var/log/nginx/error.log. (The gui also worked)

Jorge Niedbalski (niedbalski) wrote :
Changed in python-httplib2 (Ubuntu Hirsute):
status: New → Fix Released
Changed in python-httplib2 (Ubuntu Groovy):
status: New → Fix Released
Changed in python-httplib2 (Ubuntu Focal):
status: New → Fix Released
Changed in python-httplib2 (Ubuntu Bionic):
status: New → Confirmed
Changed in python-httplib2 (Ubuntu Bionic):
assignee: nobody → Heather Lemon (hypothetical-lemon)
Changed in python-httplib2 (Ubuntu Groovy):
assignee: nobody → Heather Lemon (hypothetical-lemon)
Changed in python-httplib2 (Ubuntu Hirsute):
assignee: nobody → Heather Lemon (hypothetical-lemon)
Changed in python-httplib2 (Ubuntu Focal):
assignee: nobody → Heather Lemon (hypothetical-lemon)
Changed in python-httplib2 (Ubuntu Bionic):
status: Confirmed → In Progress
description: updated
Heather Lemon (hypothetical-lemon) wrote :

bionic python-httplib2 debdiff

Changed in python-httplib2 (Ubuntu Bionic):
importance: Undecided → Medium
Eric Desrochers (slashd) wrote :

[sts-sponsors]

Would this fix be backward compatible with < py3.5 ? or that would require py35 onward to work ?

Bionic has both py2 and py3 and this package is built for both.

Eric Desrochers (slashd) wrote :

# d/control:

Package: python-httplib2
Architecture: all
Depends: ${python:Depends},
...
Description: comprehensive HTTP client library written for Python
 httplib2.py supports many features left out of other HTTP libraries.

 This package provides module for python2 series.

Package: python3-httplib2
Architecture: all
Depends: ${python3:Depends},
...
 This package provides module for python3 series.

description: updated
description: updated
description: updated
Heather Lemon (hypothetical-lemon) wrote :

I've tested with Python 2.7.17 (latest for bionic), as well as
Python 3.6.9 (latest) and did not have any issues compiling or running.

Yes, I believe this is backwards compatible with < Python3.5.
I will omit any further mention of Python2, since I believe your question was directed towards Python3 compatibility.

In the debian/control there is this statement:

Build-Depends: debhelper (>= 9),
               dh-python,
               python-all (>= 2.6.6-3~),
               python3-all (>= 3.1.2-10)

"Build-Depends" which comes from here:

https://www.debian.org/doc/debian-policy/ch-relationships.html#relationships-between-source-and-binary-packages-build-depends-build-depends-indep-build-depends-arch-build-conflicts-build-conflicts-indep-build-conflicts-arch
- "The dependencies and conflicts they define must be satisfied (as defined earlier for binary packages) in order to invoke the targets in debian/rules".

Heather Lemon (hypothetical-lemon) wrote :

reattached updated debdiff

Dan Streetman (ddstreet)
tags: added: sts sts-sponsor-ddstreet
Dan Streetman (ddstreet) wrote :

attached updated debdiff with just minor adjustments:

- added tag "LP: #1906720" to changelog entry
- ran 'quilt refresh' on patch to fix offsets
- added DEP3 fields to patch (https://dep-team.pages.debian.net/deps/dep3/)
  (in general, at least Origin: and Bug-Ubuntu: fields should be added)
- renamed patch to remove leading '0002-' (just personal preference for patch naming)

Dan Streetman (ddstreet) wrote :

uploaded to bionic, thanks @hypothetical-lemon

Heather Lemon (hypothetical-lemon) wrote : Re: [Bug 1906720] Re: Fix the disable_ssl_certificate_validation option

Did you also remove the 0002 from the d/p/ at the top of the changelog?

+ * d/p/0002-lp1906720-Make-disable_ssl_certificate_validation-work-wit.patch

On Tue, Jan 19, 2021 at 3:31 PM Dan Streetman <email address hidden>
wrote:

> uploaded to bionic, thanks @hypothetical-lemon
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1906720
>
> Title:
> Fix the disable_ssl_certificate_validation option
>
> Status in python-httplib2 package in Ubuntu:
> Fix Released
> Status in python-httplib2 source package in Bionic:
> In Progress
> Status in python-httplib2 source package in Focal:
> Fix Released
> Status in python-httplib2 source package in Groovy:
> Fix Released
> Status in python-httplib2 source package in Hirsute:
> Fix Released
>
> Bug description:
> [Environment]
>
> Bionic
> python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
>
> [Description]
>
> maas cli fails to work with apis over https with self-signed
> certificates due to the lack
> of disable_ssl_certificate_validation option with python 3.5.
>
> [Distribution/Release, Package versions, Platform]
> cat /etc/lsb-release; dpkg -l | grep maas
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=18.04
> DISTRIB_CODENAME=bionic
> DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
> ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service"
> is a physical cloud and IPAM
> ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and
> command-line interface
> ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server
> common files
> ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
> ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching
> Proxy
> ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack
> Controller for MAAS
> ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
> controller API service for MAAS
> ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all
> Region Controller for MAAS
> ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
> server Django web framework (Python 3)
> ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
> python API client (Python 3)
> ii python3-maas-provisioningserver
> 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning
> libraries (Python 3)
>
> [Steps to Reproduce]
>
> - prepare a maas server(installed by packages for me and the customer).
> it doesn't have to be HA to reproduce
> - prepare a set of certificate, key and ca-bundle
> - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl
> restart nginx`
> - add the ca certificates to the host
> sudo mkdir /usr/share/ca-certificates/extra
> sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
> dpkg-reconfigure ca-certificates
> - login with a new profile over https url
> - when not added the ca-bundle to the trusted ca cert store, it fails to
> login and '--insecure' flag also doesn't work[3]
>
> [Known Workarounds]
> None
>
> [Test]
> # Note even though this change only affects ...


Heather Lemon (hypothetical-lemon) wrote :

Did you also remove the 0002 from the changelog?

+ * d/p/0002-lp1906720-Make-disable_ssl_certificate_validation-work-wit.patch

Robie Basak (racb) wrote :

Please add a regression analysis as required by https://wiki.ubuntu.com/StableReleaseUpdates#Procedure.

In particular, please take some steps here to make sure that we don't accidentally disable certificate validation across the board - since that would have severe consequences, we're messing with "should we check the certificate" code, and the problem wouldn't be detected just by checking this bug is fixed.

That's the most obvious possible issue to me, but please consider and add anything else relevant.

Changed in python-httplib2 (Ubuntu Bionic):
status: In Progress → Incomplete
description: updated
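
The regression raised in the comment above can be checked directly: a client that did not opt out must still reject a self-signed certificate, and only a client that explicitly disabled validation may accept it. This is an added example, not code from the bug report or from httplib2; it uses Python's standard `ssl` module and the `openssl` command from the test case, and all function names are hypothetical.

```python
import os
import ssl
import subprocess
import tempfile


def make_self_signed(dirpath):
    """Create a throwaway self-signed cert/key (test-case openssl call, smaller key)."""
    crt = os.path.join(dirpath, "localhost.crt")
    key = os.path.join(dirpath, "localhost.key")
    subprocess.run(
        ["openssl", "req", "-newkey", "rsa:2048", "-x509", "-sha256",
         "-days", "1", "-nodes", "-subj", "/CN=localhost",
         "-out", crt, "-keyout", key],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def client_context(disable_validation=False):
    """Hypothetical stand-in for a client option like disable_ssl_certificate_validation."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if disable_validation:
        # check_hostname has to be cleared first, or setting CERT_NONE raises ValueError
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _pump(src, dst):
    """Move pending TLS records from one in-memory BIO to the other."""
    data = src.read()
    if data:
        dst.write(data)


def handshake_succeeds(client_ctx, crt, key):
    """Run a TLS handshake fully in memory (no sockets) against a server using crt/key."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(crt, key)
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(20):
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLCertVerificationError:
                return False  # the client refused the server certificate
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(c_out, s_in)
        _pump(s_out, c_in)
        if client_done and server_done:
            return True
    raise RuntimeError("handshake did not complete")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_self_signed(tmp)
        print("default client accepts self-signed cert:",
              handshake_succeeds(client_context(), crt, key))
        print("opt-out client accepts self-signed cert:",
              handshake_succeeds(client_context(True), crt, key))
```

A fix that made the first result come out `True` would be the across-the-board failure the regression analysis is meant to rule out.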
Heather Lemon (hypothetical-lemon) wrote :

heathers new v2 debdiff, corrected the d/p/lp# in the changelog

Eric Desrochers (slashd) wrote :

[sts-sponsor]

The patch name in d/change was inconsistent with what is found in d/p and d/p/series.
I fixed d/changelog accordingly, and re-uploaded.

For SRU team, please consider the most recent upload and reject the oldest one.

- Eric

Eric Desrochers (slashd) wrote :

[sts-sponsor]

I re-uploaded, because it was already, but I agree that before changing back Bionic's status to 'in progress' we need [where problem could occurs] section.

- Eric

description: updated
description: updated
Heather Lemon (hypothetical-lemon) wrote :

original problem: maas cli fails to work with apis over https with self-signed certificates due to the lack
of disable_ssl_certificate_validation option with python 3.5. [0] attachment
MAAS version (2.8.2)
Python version (3.5 or less)

Based on Robie's comment.

there are 2 options
1. we continue to sru this patch
2. we ask for a monkey patch to MAAS

One recent previously monkey patched by MAAS https://bugs.launchpad.net/maas/+bug/1741913

Heather Lemon (hypothetical-lemon) wrote :
description: updated
Mathew Hodson (mhodson)
no longer affects: maas (Ubuntu)
no longer affects: maas (Ubuntu Bionic)
no longer affects: maas (Ubuntu Focal)
no longer affects: maas (Ubuntu Groovy)
no longer affects: maas (Ubuntu Hirsute)
Mathew Hodson (mhodson)
description: updated
Changed in python-httplib2 (Ubuntu Bionic):
status: Incomplete → In Progress
description: updated
Heather Lemon (hypothetical-lemon) wrote :

maas gui https

Heather Lemon (hypothetical-lemon) wrote :

maas cli https via maas-cli

Heather Lemon (hypothetical-lemon) wrote :

MAAS insecure login script

Heather Lemon (hypothetical-lemon) wrote :

MAAS secure https login script

Dan Streetman (ddstreet)
tags: added: sts-sponsor-slashd
removed: sts-sponsor-ddstreet
description: updated
description: updated
description: updated
Heather Lemon (hypothetical-lemon) wrote :

resolved https maas-cli

description: updated
Eric Desrochers (slashd)
Changed in python-httplib2 (Ubuntu Focal):
assignee: Heather Lemon (hypothetical-lemon) → nobody
Changed in python-httplib2 (Ubuntu Groovy):
assignee: Heather Lemon (hypothetical-lemon) → nobody
Changed in python-httplib2 (Ubuntu Hirsute):
assignee: Heather Lemon (hypothetical-lemon) → nobody
tags: added: verification-done-bionic
Heather Lemon (hypothetical-lemon) wrote :

ready for sru review

Heather Lemon (hypothetical-lemon) wrote :

@slashd can we get this reviewed this week?

Thank you,
Heather Lemon

description: updated
Heather Lemon (hypothetical-lemon) wrote :

Re-tagged as verification-done.

Thanks,
Heather Lemon

description: updated
description: updated
Eric Desrochers (slashd)
tags: removed: sts-sponsor-slashd
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Jorge, or anyone else affected,

Accepted python-httplib2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-httplib2/0.9.2+dfsg-1ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: removed: verification-done-bionic
Changed in python-httplib2 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (python-httplib2/0.9.2+dfsg-1ubuntu0.3)

All autopkgtests for the newly accepted python-httplib2 (0.9.2+dfsg-1ubuntu0.3) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

python-oslo.vmware/2.26.0-0ubuntu1 (arm64, i386, s390x, armhf, amd64, ppc64el)
apport/2.20.9-0ubuntu7.23 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#python-httplib2

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Mauricio Faria de Oliveira (mfo) wrote :

Heather and I discussed the autopkgtests failures today.

She's taking a look at fixing python-oslo.vmware, which
seems to be a missing Build-Depends: on python module(s)
nowadays, because the last time it passed was 2019-03.
It was reproducible with autopkgtests-virt-lxd locally.

For apport, it seems an interesting one, as it fails on
other archs except i386 for a long time, including amd64
but it has recently passed on amd64; thus reported as a
regression; but previous errors on other archs sometimes
include the failing test. And it's been ~2 months since
it last passed, so maybe things changed.

Thus I'm rerunning it against python-httplib2 in -updates,
to hopefully confirm the failure is not a regression from
this upload.

Heather Lemon (hypothetical-lemon) wrote :

Thanks Mauricio!

Mauricio Faria de Oliveira (mfo) wrote :

and apport/amd64 played tricks on us, but it does pass now.

it passed on bionic-updates, which suggests a regression on bionic-proposed;
but another rerun with bionic-proposed now passed.. well. it's good now! :)

from [1]:

2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-10 23:43:24 UTC 0h 12m 27s mfo pass log   artifacts
2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.2 2021-02-10 23:01:31 UTC 0h 10m 15s mfo pass log   artifacts
2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-10 13:34:34 UTC 0h 13m 01s mfo fail log   artifacts
2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-09 22:41:05 UTC 0h 11m 19s - fail log   artifacts

[1] https://autopkgtest.ubuntu.com/packages/apport/bionic/amd64

Dan Streetman (ddstreet) wrote :

the python-oslo.vmware failures are almost certainly the same as bug 1912792

tags: added: verification-done-bionic
removed: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Thanks for looking into the failures, I'll hint it in.

Łukasz Zemczak (sil2100) wrote :

Ok, autopkgtest failures hinted. That being said: I see the verification tags switched but no verification information present. I'm quite sure proper verification has been performed, but we'd like to have a recording of what testing has been performed and on which package versions as documentation. Then I'd be happy to let it out. Thank you!

tags: added: verification-needed-bionic
removed: verification-done-bionic
description: updated
description: updated
Heather Lemon (hypothetical-lemon) wrote :

Hey, so I didn't know that the verification done needed to be a comment, as I changed it in the description instead.

Heather Lemon (hypothetical-lemon) wrote :

[VERIFICATION DONE]
-----
ubuntu series tested: bionic
MAAS name: ubuntu-bionic MAAS
MAAS version: 2.4.2 (7034-g2f5deb8b8-0ubuntu1)

sudo apt-get remove python-httplib2
dpkg -l PKGNAME | cat

sudo apt-get install python-httplib2
package version installed: 0.9.2+dfsg-1ubuntu0.3

sudo apt-get install maas

sudo maas init

-- fill out questions

# create 2 users secure & unsecure
maas createadmin
 username: testadmin
 username: secureadmin

sudo maas apikey --username=testadmin > api-key-testadmin
sudo maas apikey --username=testadmin > api-key-secureadmin

sudo apt-get update
sudo apt-get install nginx

touch /etc/nginx/sites-available/maas-https-default
# copy and paste from here:
server {
    listen 443 ssl http2;

    server_name _;
    ssl_certificate /home/ubuntu/localhost.crt;
    ssl_certificate_key /home/ubuntu/localhost.key;

    location / {
        proxy_pass http://localhost:5240;
        include /etc/nginx/proxy_params;
    }

    location /MAAS/ws {
        proxy_pass http://127.0.0.1:5240/MAAS/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

vim /etc/nginx/sites-available/maas-https-default
# restart nginx
sudo service nginx restart
# create maas login scripts
touch maas-login.sh
# contents of maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/root/api-key-testadmin
API_SERVER=127.0.0.1:5240

MAAS_URL=http://$API_SERVER/MAAS

touch https-maas-login.sh

# contents of https-maas-login.sh
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/root/api-key-secureadmin
API_SERVER=localhost

MAAS_URL=https://$API_SERVER/MAAS

maas login $PROFILE $MAAS_URL - < $API_KEY_FILE

sudo chmod +rwx maas-login.sh
sudo chmod +rwx https-maas-login.sh

cd /etc/nginx/sites-enabled
sudo touch maas-https-default
vim maas-https-default
sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled
# login to maas with unsecure & secure user
./maas-login.sh
./https-maas-login.sh

# console output
root@ubuntu-bionic:~# ./https-maas-login.sh

You are now logged in to the MAAS server at
https://localhost/MAAS/api/2.0/ with the profile name 'secureadmin'.

For help with the available commands, try:

  maas secureadmin --help

root@ubuntu-bionic:~# exit

# reverse sshuttle if needed to check gui login
sshuttle -r root@<container ip addr> 127.0.0.1/0

tags: added: verification-done-bionic
removed: verification-needed-bionic
Heather Lemon (hypothetical-lemon) wrote :

updated tag to verification-done

Łukasz Zemczak (sil2100) wrote :

Awesome!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-httplib2 - 0.9.2+dfsg-1ubuntu0.3

---------------
python-httplib2 (0.9.2+dfsg-1ubuntu0.3) bionic; urgency=medium

  * d/p/lp1906720-Make-disable_ssl_certificate_validation-work-wit.patch
  - Fix TLS authentication to MAAS with maas-cli (LP: #1906720)

 -- Heather Lemon <email address hidden> Tue, 15 Dec 2020 13:09:40 -0700

Changed in python-httplib2 (Ubuntu Bionic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for python-httplib2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
