Replaced boto certificate

third_party/gsutil/oauth2_plugin/oauth2_client.py

 # Copyright 2010 Google Inc. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 47 matching lines @@
     from django.utils import simplejson as json
   except ImportError:
     # Try for simplejson
     import simplejson as json
 
 LOG = logging.getLogger('oauth2_client')
 # Lock used for checking/exchanging refresh token, so multithreaded
 # operation doesn't attempt concurrent refreshes.
 token_exchange_lock = threading.Lock()
 
-# SHA1 sum of the CA certificates file imported from boto.
-CACERTS_FILE_SHA1SUM = 'ed024a78d9327f8669b3b117d9eac9e3c9460e9b'

[ghost stip (do not use), 2014/03/28 21:17:03]

instead of removing, shouldn't we just switch it to the modified sha?

[Ryan Tseng, 2014/03/28 21:32:35]

In theory - yes.
But I'm not sure why we should even bother checking if the CA cert is correct.
From a security standpoint, anyone who has access to the cert file can also
change this sha1 sum, so we don't really gain anything.

[pgervais, 2014/03/28 22:10:18]

Plus replacing the certificates for developers should be as easy as possible. I
was very surprised by the very existence of this check. It sort of makes sense
for the upstream project, but not here.

-
 class Error(Exception):
   """Base exception for the OAuth2 module."""
   pass
 
 
 class AccessTokenRefreshError(Error):
   """Error trying to exchange a refresh token into an access token."""
   pass
 
 
@@ skipping 210 matching lines @@
     # constructor for unit testing purposes.
     self.datetime_strategy = datetime_strategy
     self._proxy = proxy
 
     self.access_token_cache = access_token_cache or InMemoryTokenCache()
 
     self.ca_certs_file = os.path.join(
         os.path.dirname(os.path.abspath(cacerts.__file__)), 'cacerts.txt')
 
     if url_opener is None:
-      # Check that the cert file distributed with boto has not been tampered
-      # with.
-      h = sha1()
-      h.update(file(self.ca_certs_file).read())
-      actual_sha1 = h.hexdigest()
-      if actual_sha1 != CACERTS_FILE_SHA1SUM:
-        raise Error(
-            'CA certificates file does not have expected SHA1 sum; '
-            'expected: %s, actual: %s' % (CACERTS_FILE_SHA1SUM, actual_sha1))
       # TODO(Google): set user agent?
       url_opener = urllib2.build_opener(
           fancy_urllib.FancyProxyHandler(),
           fancy_urllib.FancyRedirectHandler(),
           fancy_urllib.FancyHTTPSHandler())
     self.url_opener = url_opener
 
   def _TokenRequest(self, request):
     """Make a requst to this client's provider's token endpoint.
 
@@ skipping 313 matching lines @@
     return h.hexdigest()
 
   def GetAuthorizationHeader(self):
     """Gets the access token HTTP authorication header value.
 
     Returns:
       The value of an Authorization HTTP header that authenticates
       requests with an OAuth2 access token based on this refresh token.
     """
     return 'Bearer %s' % self.oauth2_client.GetAccessToken(self).token