Patchwork [02,of,11] sslutil: further refactor sslkwargs

Submitter Gregory Szorc
Date May 5, 2016, 7:53 a.m.
Message ID <c681048bf0680635752b.1462434799@ubuntu-vm-main>
Permalink /patch/14894/
State Accepted

Comments

Gregory Szorc - May 5, 2016, 7:53 a.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1462428109 25200
#      Wed May 04 23:01:49 2016 -0700
# Node ID c681048bf0680635752b51e34c6be45e19e9192b
# Parent  03b9752157bd4098b2fd9d7b35c969b5c7dc22c6
sslutil: further refactor sslkwargs

The logic here, and what happens with web.cacerts, is mind-numbing.
Make the code even more explicit.

Patch

diff --git a/mercurial/sslutil.py b/mercurial/sslutil.py
--- a/mercurial/sslutil.py
+++ b/mercurial/sslutil.py
@@ -244,27 +244,32 @@  def sslkwargs(ui, host):
     if hostfingerprint:
         return kws
 
     # dispatch sets web.cacerts=! when --insecure is used.
     cacerts = ui.config('web', 'cacerts')
     if cacerts == '!':
         return kws
 
+    # If a value is set in the config, validate against a path and load
+    # and require those certs.
     if cacerts:
         cacerts = util.expandpath(cacerts)
         if not os.path.exists(cacerts):
             raise error.Abort(_('could not find web.cacerts: %s') % cacerts)
-    else:
-        # CA certs aren't explicitly listed in the config. See if we can load
-        # defaults.
-        cacerts = _defaultcacerts()
-        if cacerts and cacerts != '!':
-            ui.debug('using %s to enable OS X system CA\n' % cacerts)
-        ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
+
+        kws.update({'ca_certs': cacerts,
+                    'cert_reqs': ssl.CERT_REQUIRED})
+        return kws
+
+    # No CAs in config. See if we can load defaults.
+    cacerts = _defaultcacerts()
+    if cacerts and cacerts != '!':
+        ui.debug('using %s to enable OS X system CA\n' % cacerts)
+    ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')
 
     if cacerts != '!':
         kws.update({'ca_certs': cacerts,
                     'cert_reqs': ssl.CERT_REQUIRED,
                     })
     return kws
 
 class validator(object):
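Review bot: The fall-through path after `cacerts = _defaultcacerts()` can still return `kws` without `cert_reqs`, and nothing in the hunk says what that means for the connection. When the default lookup yields `'!'`, the final `if cacerts != '!':` is skipped, so the ssl layer is not asked to verify the peer. The same value is also written back through `ui.setconfig('web', 'cacerts', cacerts, 'defaultcacerts')`, which makes "no default CA store found" look the same as the `--insecure` case handled earlier to any later reader of `web.cacerts`. I would add a comment above the final check such as `# '!' means no usable default CAs: kws carries no cert_reqs, so the peer cert is NOT verified here`, and confirm that a caller warns the user in that case (not visible in this hunk). Separately, the two `kws.update({'ca_certs': ..., 'cert_reqs': ssl.CERT_REQUIRED})` calls are now duplicated and could drift apart. `sslkwargs` begins before the hunk, so the earlier fingerprint handling is only partly visible.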