PYTHON-2140 Test PyOpenSSL on macOS

ShaneHarvey · ShaneHarvey · commit 043c8e822bb4 · 2020-03-03T10:27:54.000-08:00
Handle the case where the peer omits the self-signed issuer cert and
OCSP is not requested by delaying issuer check.
Properly set PYMONGO_MUST_CONNECT in PyOpenSSL tests.
Properly set PYTHON_BINARY in OCSP test.
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -347,6 +347,9 @@ functions:
          script: |
            set -o xtrace
            ${PREPARE_SHELL}
+           if [ -n "${MONGODB_STARTED}" ]; then
+             export PYMONGO_MUST_CONNECT=1
+           fi
            PYTHON_BINARY=${PYTHON_BINARY} sh ${PROJECT_DIRECTORY}/.evergreen/run-pyopenssl-tests.sh
 
   "run doctests":
@@ -662,6 +665,7 @@ functions:
         working_dir: "src"
         script: |
           ${PREPARE_SHELL}
+          PYTHON_BINARY=${PYTHON_BINARY} \
           CA_FILE="$DRIVERS_TOOLS/.evergreen/ocsp/rsa/ca.pem" \
           OCSP_TLS_SHOULD_SUCCEED="${OCSP_TLS_SHOULD_SUCCEED}" \
           sh ${PROJECT_DIRECTORY}/.evergreen/run-ocsp-tests.sh
@@ -1740,6 +1744,15 @@ buildvariants:
   tasks:
     - "pyopenssl"
 
+- matrix_name: "tests-pyopenssl-macOS"
+  matrix_spec:
+    platform: macos-1014
+    auth: "*"
+    ssl: "ssl"
+  display_name: "PyOpenSSL ${platform} ${auth}"
+  tasks:
+    - "pyopenssl"
+
 - matrix_name: "tests-python-version-rhel62-test-encryption"
   matrix_spec:
     platform: rhel62
diff --git a/.evergreen/run-ocsp-tests.sh b/.evergreen/run-ocsp-tests.sh
@@ -13,9 +13,15 @@ if [ -z "$PYTHON_BINARY" ]; then
 fi
 
 $PYTHON_BINARY -m virtualenv --never-download --no-wheel ocsptest
-    . ocsptest/bin/activate
-    trap "deactivate; rm -rf ocsptest" EXIT HUP
-    pip install pyopenssl requests service_identity
-    PYTHON=python
+. ocsptest/bin/activate
+trap "deactivate; rm -rf ocsptest" EXIT HUP
 
-OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED} CA_FILE=${CA_FILE} $PYTHON test/ocsp/test_ocsp.py
+IS_PYTHON_2=$(python -c "import sys; sys.stdout.write('1' if sys.version_info < (3,) else '0')")
+if [ $IS_PYTHON_2 = "1" ]; then
+    echo "Using a Python 2"
+    pip install --upgrade 'setuptools<45'
+fi
+
+pip install pyopenssl requests service_identity
+
+OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED} CA_FILE=${CA_FILE} python test/ocsp/test_ocsp.py
diff --git a/.evergreen/run-pyopenssl-tests.sh b/.evergreen/run-pyopenssl-tests.sh
@@ -19,9 +19,15 @@ else
 fi
 
 $PYTHON -m virtualenv pyopenssltest
-trap "deactivate; rm -rf pyopenssltest" EXIT HUP
 . pyopenssltest/bin/activate
-pip install pyopenssl>=17.2.0 "requests<3.0.0" service_identity>=18.1.0
-pip list
+trap "deactivate; rm -rf pyopenssltest" EXIT HUP
+
+IS_PYTHON_2=$(python -c "import sys; sys.stdout.write('1' if sys.version_info < (3,) else '0')")
+if [ $IS_PYTHON_2 = "1" ]; then
+    echo "Using a Python 2"
+    pip install --upgrade 'setuptools<45'
+fi
+
+pip install pyopenssl requests service_identity
 python -c 'import sys; print(sys.version)'
 python setup.py test
diff --git a/pymongo/ocsp_support.py b/pymongo/ocsp_support.py
@@ -237,9 +237,6 @@ def ocsp_callback(conn, ocsp_bytes, user_data):
     cert = conn.get_peer_certificate().to_cryptography()
     chain = [cer.to_cryptography() for cer in conn.get_peer_cert_chain()]
     issuer = _get_issuer_cert(cert, chain)
-    if issuer is None:
-        _LOGGER.debug("No issuer cert?")
-        return 0
     must_staple = False
     # https://tools.ietf.org/html/rfc7633#section-4.2.3.1
     ext = _get_extension(cert, _TLSFeature)
@@ -268,6 +265,9 @@ def ocsp_callback(conn, ocsp_bytes, user_data):
             _LOGGER.debug("No OCSP URI, soft fail")
             # No responder URI, soft fail.
             return 1
+        if issuer is None:
+            _LOGGER.debug("No issuer cert?")
+            return 0
         _LOGGER.debug("Requesting OCSP data")
         # When requesting data from an OCSP endpoint we only fail on
         # successful, valid responses with a certificate status of REVOKED.
@@ -291,6 +291,9 @@ def ocsp_callback(conn, ocsp_bytes, user_data):
         return 1
 
     _LOGGER.debug("Peer stapled an OCSP response")
+    if issuer is None:
+        _LOGGER.debug("No issuer cert?")
+        return 0
     response = _load_der_ocsp_response(ocsp_bytes)
     _LOGGER.debug(
         "OCSP response status: %r", response.response_status)
diff --git a/test/test_ssl.py b/test/test_ssl.py
@@ -442,7 +442,7 @@ def test_validation_with_system_ca_certs(self):
             raise SkipTest("Can't load system CA certificates.")
 
         if (ssl.OPENSSL_VERSION.lower().startswith('libressl') and
-                sys.platform == 'darwin'):
+                sys.platform == 'darwin' and not _ssl.IS_PYOPENSSL):
             raise SkipTest(
                 "LibreSSL on OSX doesn't support setting CA certificates "
                 "using SSL_CERT_FILE environment variable.")
