Remove ability to use cheap certs for test hosts

da247e04 · Tanner Prestegard · ae941b7d · da247e04
Commit da247e04 authored Nov 07, 2018 by Tanner Prestegard
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 19 deletions

ligo/gracedb/rest.py ligo/gracedb/rest.py +9 -19

No files found.
--- a/ligo/gracedb/rest.py
+++ b/ligo/gracedb/rest.py
@@ -35,7 +35,6 @@ from .utils import event_or_superevent, handle_str_or_list_arg, safe_netrc, \
    cleanListInput, get_dt_from_openssl_output, is_expired

 DEFAULT_SERVICE_URL = "https://gracedb.ligo.org/api/"
-KNOWN_TEST_HOSTS = ['moe.phys.uwm.edu', 'embb-dev.ligo.caltech.edu', 'simdb.phys.uwm.edu',]

 #---------------------------------------------------------------------
 # This monkey patch forces TLSv1 if the python version is 2.6.6.
@@ -162,15 +161,11 @@ class GsiRest(object):
                msg += "Please run ligo-proxy-init or grid-proxy-init again "
                msg += "or make sure your robot certificate is readable.\n\n"
                self.output_and_die(msg)
-            # Generally speaking, test boxes use cheap/free certs from the LIGO CA.
-            # These cannot be verified by the client.
-            if host in KNOWN_TEST_HOSTS:
-                ssl_context.verify_mode = ssl.CERT_NONE
-            else:
-                ssl_context.verify_mode = ssl.CERT_REQUIRED
-                ssl_context.check_hostname = True
-                # Find the various CA cert bundles stored on the system
-                ssl_context.load_default_certs()
+            # Load and verify certificates
+            ssl_context.verify_mode = ssl.CERT_REQUIRED
+            ssl_context.check_hostname = True
+            # Find the various CA cert bundles stored on the system
+            ssl_context.load_default_certs()

            if proxy_host:
                self.connector = lambda: ProxyHTTPSConnection(proxy_host, proxy_port, context=ssl_context)
@@ -2033,15 +2028,10 @@ class GraceDbBasic(GraceDb):
            # Use the new method with SSL Context
            # Prepare SSL context
            ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-            # Generally speaking, test boxes use cheap/free certs from the LIGO CA.
-            # These cannot be verified by the client.
-            if host in KNOWN_TEST_HOSTS:
-                ssl_context.verify_mode = ssl.CERT_NONE
-            else:
-                ssl_context.verify_mode = ssl.CERT_REQUIRED
-                ssl_context.check_hostname = True
-                # Find the various CA cert bundles stored on the system
-                ssl_context.load_default_certs()
+            ssl_context.verify_mode = ssl.CERT_REQUIRED
+            ssl_context.check_hostname = True
+            # Find the various CA cert bundles stored on the system
+            ssl_context.load_default_certs()

            if proxy_host:
                self.connector = lambda: ProxyHTTPSConnection(proxy_host, proxy_port, context=ssl_context)