Trying to use SSL with SNI ext on older python 2.x (webrtc#407)

Ensuring certificate verification for old python 2.x versions in order to download Google App Engine during our build with TravisCI.

Gruntfile.js

@@ -45,8 +45,11 @@ module.exports = function(grunt) {
     },
 
     shell: {
-      getPythonTestDeps: {
-        command: 'python build/get_python_test_deps.py'
+      pipInstall : {
+        command: 'pip install --user --requirement requirements.txt'
+      },
+      ensureGoogleAppEngineIsInstalled: {
+        command: 'python build/ensure_google_app_engine_is_installed.py'
       },
       runPythonTests: {
         command: ['python', 'build/run_python_tests.py',
@@ -171,7 +174,8 @@ module.exports = function(grunt) {
   grunt.registerTask('default', ['runLinting', 'runPythonTests', 'build',
                                  'runUnitTests']);
   grunt.registerTask('runLinting', ['csslint', 'htmlhint', 'eslint']);
-  grunt.registerTask('runPythonTests', ['shell:getPythonTestDeps',
+  grunt.registerTask('runPythonTests', ['shell:pipInstall',
+                                        'shell:ensureGoogleAppEngineIsInstalled',
                                         'shell:buildAppEnginePackageWithTests',
                                         'shell:runPythonTests',
                                         'shell:removePythonTestsFromOutAppEngineDir']);

build/get_python_test_deps.py → build/ensure_google_app_engine_is_installed.py

@@ -1,11 +1,11 @@
 #!/usr/bin/python
 
 import os
-import pip
-import re
 import sys
-import urllib2
 import zipfile
+import urllib3
+import urllib3.contrib.pyopenssl
+import certifi
 
 
 GAE_DOWNLOAD_URL = 'https://storage.googleapis.com/appengine-sdks/featured/'
@@ -23,9 +23,17 @@ def _GetLatestAppEngineSdkVersion():
 
 def _Download(url, to):
   print 'Downloading %s to %s...' % (url, to)
-  response = urllib2.urlopen(url)
+  # Using certifi.old_where() because old versions of OpenSSL sometimes fails
+  # to validate certificate chains that use the strong roots [certifi.where()].
+  http = urllib3.PoolManager(
+      cert_reqs='CERT_REQUIRED',
+      ca_certs=certifi.old_where()
+  )
+  response = http.request('GET', url, preload_content=False)
   with open(to, 'w') as to_file:
-    to_file.write(response.read())
+    for chunk in response.stream(1024):
+      to_file.write(chunk)
+  response.release_conn()
 
 
 def _Unzip(path, dir):
@@ -34,15 +42,6 @@ def _Unzip(path, dir):
   with zipfile.ZipFile(path) as zip_file:
     zip_file.extractall(dir)
 
-
-def Install(package):
-  try:
-    print 'Installing python package using pip: ' + package
-    pip.main(['install', '--user' , package])
-  except OSError as e:
-    print 'Could not install %s due to : %s' % (package, e)
-
-
 def DownloadAppEngineSdkIfNecessary():
   gae_sdk_version = _GetLatestAppEngineSdkVersion()
   gae_sdk_file = 'google_appengine_%s.zip' % gae_sdk_version
@@ -58,10 +57,11 @@ def DownloadAppEngineSdkIfNecessary():
 
 
 def main():
-  Install('requests')
-  Install('WebTest')
   DownloadAppEngineSdkIfNecessary()
 
 
 if __name__ == '__main__':
+  # Workaround for using SSL with SNI extensions on older python 2.x versions.
+  # Must do this due to the python version used on Google AppEngine.
+  urllib3.contrib.pyopenssl.inject_into_urllib3()
   sys.exit(main())

requirements.txt

@@ -0,0 +1,3 @@
+urllib3[secure]==1.19.1
+requests==2.12.4
+webtest==2.0.24