Allow an optional cert file to be specified that gets used by pip (#403)

civiform · Oct 21, 2024 · 65ff73b · 65ff73b
1 parent 0e70272
commit 65ff73b
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/cloud/shared/bin/python_env_setup b/cloud/shared/bin/python_env_setup
@@ -14,6 +14,7 @@ function initialize_python_env() {
   echo "initializing python env from script"
 
   local requirements_file_path=$1
+  local cert_file_path=$2
 
   # Check if there are any requirements to install
   if [[ ! -f "$requirements_file_path" ]]; then
@@ -30,6 +31,18 @@ function initialize_python_env() {
   # source the activate script (. is more portable between shells than source)
   . .venv/bin/activate
 
+  # If a certificate file is specified, perform checks then configure pip to use it
+  if [[ -n "$cert_file_path" ]]; then
+    # Check if the file exists and is readable
+    if [[ ! -f "$cert_file_path" || ! -r "$cert_file_path" ]]; then
+      echo "Error: Certificate file '$cert_file_path' does not exist or is not readable."
+      return 1
+    fi
+
+    echo "Setting pip global.cert to $cert_file_path"
+    pip config set global.cert "$cert_file_path"
+  fi
+
   #Check if the requirement file is already met.
   if [[ ! $(pip3 freeze | diff "$requirements_file_path" -) ]]; then
     echo ".venv directory found with necessary dependencies installed"

diff --git a/cloud/shared/bin/run b/cloud/shared/bin/run
@@ -17,17 +17,31 @@ set -o pipefail
 source cloud/shared/bin/python_env_setup
 
 # Get the arguments that we want to pass to run.py
-while getopts s:c:t:u:d: flag; do
+while getopts s:c:t:u:d:p: flag; do
   case "${flag}" in
     # The civiform_config file that contains the values to configure the deployment
     s) source_config=${OPTARG} ;;
     # The command that the run.py script should execute
     c) command=${OPTARG} ;;
     # The tag of the image that should be used for this deployment (e.g. "latest")
     t) tag=${OPTARG} ;;
+    # A custom trusted root CA file to set pip global config
+    p) cert_file_path=${OPTARG} ;;
   esac
 done
 
+# Validate the cert file, if provided
+if [[ -n "$cert_file_path" ]]; then
+  # Check if the cert file exists and is readable
+  if [[ -f "$cert_file_path" && -r "$cert_file_path" ]]; then
+    echo "Certificate file '$cert_file_path' exists and is readable."
+  else
+    echo "Certificate file '$cert_file_path' does not exist or is not readable."
+    exit 1
+  fi
+
+fi
+
 # if the tag is "latest", resolve it to the specific snapshot tag from Docker
 # Go templating is used to parse the snapshot tag from the json returned by docker inspect
 # https://docs.docker.com/engine/reference/commandline/inspect/#options
@@ -111,7 +125,7 @@ dependencies_file_path="cloud/shared/bin/env-var-docs-python-dependencies.txt"
 echo "env-var-docs @ git+https://github.com/civiform/civiform.git@${commit_sha}\
 #subdirectory=env-var-docs/parser-package" >>$dependencies_file_path
 
-initialize_python_env $dependencies_file_path
+initialize_python_env $dependencies_file_path "$cert_file_path"
 
 args=("--command" "${command}" "--tag" "${tag}" "--config" "${source_config}")