From 9b910084faf3db6fa2071af604620e7d45d12a6c Mon Sep 17 00:00:00 2001
From: Brett Smith
Date: Thu, 25 Jun 2015 19:36:52 -0400
Subject: [PATCH] 6432: Python SDK can find and use CA certs on Red Hat.
---
 sdk/python/arvados/api.py | 6 +-----
 sdk/python/arvados/events.py | 6 +-----
 sdk/python/arvados/util.py | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/sdk/python/arvados/api.py b/sdk/python/arvados/api.py
index 8294df33f5..086487aa09 100644
--- a/sdk/python/arvados/api.py
+++ b/sdk/python/arvados/api.py
@@ -158,11 +158,7 @@ def api(version=None, cache=True, host=None, token=None, insecure=False, **kwarg
 'https://%s/discovery/v1/apis/{api}/{apiVersion}/rest' % (host,))
 if 'http' not in kwargs:
- http_kwargs = {}
- # Prefer system's CA certificates (if available) over httplib2's.
- certs_path = '/etc/ssl/certs/ca-certificates.crt'
- if os.path.exists(certs_path):
- http_kwargs['ca_certs'] = certs_path
+ http_kwargs = {'ca_certs': util.ca_certs_path()}
 if cache:
 http_kwargs['cache'] = http_cache('discovery')
 if insecure:
diff --git a/sdk/python/arvados/events.py b/sdk/python/arvados/events.py
index 09f2a871a9..3036a25fe0 100644
--- a/sdk/python/arvados/events.py
+++ b/sdk/python/arvados/events.py
@@ -15,11 +15,7 @@ _logger = logging.getLogger('arvados.events')
 class EventClient(WebSocketClient):
 def __init__(self, url, filters, on_event):
- # Prefer system's CA certificates (if available)
- ssl_options = {}
- certs_path = '/etc/ssl/certs/ca-certificates.crt'
- if os.path.exists(certs_path):
- ssl_options['ca_certs'] = certs_path
+ ssl_options = {'ca_certs': arvados.util.ca_certs_path()}
 if config.flag_is_true('ARVADOS_API_HOST_INSECURE'):
 ssl_options['cert_reqs'] = ssl.CERT_NONE
 else:
diff --git a/sdk/python/arvados/util.py b/sdk/python/arvados/util.py
index 1316f2287f..aaf2094559 100644
--- a/sdk/python/arvados/util.py
+++ b/sdk/python/arvados/util.py
@@ -1,5 +1,6 @@
 import fcntl
 import hashlib
+import httplib2
 import os
 import re
 import subprocess
@@ -371,3 +372,20 @@ def list_all(fn, num_retries=0, **kwargs):
 items_available = c['items_available']
 offset = c['offset'] + len(c['items'])
 return items
+
+def ca_certs_path(fallback=httplib2.CA_CERTS):
+ """Return the path of the best available CA certs source.
+
+ This function searches for various distribution sources of CA
+ certificates, and returns the first it finds. If it doesn't find any,
+ it returns the value of `fallback` (httplib2's CA certs by default).
+ """
+ for ca_certs_path in [
+ # Debian:
+ '/etc/ssl/certs/ca-certificates.crt',
+ # Red Hat:
+ '/etc/pki/tls/certs/ca-bundle.crt',
+ ]:
+ if os.path.exists(ca_certs_path):
+ return ca_certs_path
+ return fallback
--
2.30.2
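Review bot: `os.path.exists()` in the new `ca_certs_path()` also returns true for a directory or for a file the process cannot read, and the two call sites in this patch (`api.py` and `events.py`) pass the result on as `ca_certs` without further checks, so such a path would likely surface as a certificate-loading or connection error instead of falling through to the next candidate or to `fallback`. A stricter test such as `if os.path.isfile(candidate) and os.access(candidate, os.R_OK):` keeps the fallback reachable in that case. The loop variable is named `ca_certs_path`, which shadows the function inside its own body; `for candidate in [` with `return candidate` reads more clearly. The docstring could also say that the default `fallback` is the bundle shipped with the installed httplib2, which may be older than the distribution's trust store.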