arachnys · thomasleveil · Jun 6, 2019 · Apr 24, 2019 · Jun 7, 2019
diff --git a/cabot/cabot_config.py b/cabot/cabot_config.py
@@ -19,6 +19,7 @@
 WWW_SCHEME = os.environ.get('WWW_SCHEME', "https")
 
 HTTP_USER_AGENT = os.environ.get('HTTP_USER_AGENT', 'Cabot')
+CABOT_HTTP_CHECK_CA_BUNDLE = os.environ.get('CABOT_HTTP_CHECK_CA_BUNDLE')
 
 # How often should alerts be sent for important failures?
 ALERT_INTERVAL = int(os.environ.get('ALERT_INTERVAL', 10))

diff --git a/cabot/cabotapp/models/base.py b/cabot/cabotapp/models/base.py
@@ -1,5 +1,6 @@
 import itertools
 import json
+import os
 import re
 import subprocess
 import time
@@ -763,11 +764,20 @@ def _run(self):
             auth = (self.username if self.username is not None else '',
                     self.password if self.password is not None else '')
 
+        ssl_verify = self.verify_ssl_certificate
+        if self.verify_ssl_certificate and settings.CABOT_HTTP_CHECK_CA_BUNDLE:
+            if os.path.isfile(settings.CABOT_HTTP_CHECK_CA_BUNDLE):
+                ssl_verify = settings.CABOT_HTTP_CHECK_CA_BUNDLE
+            else:
+                logger.error('Cannot find CA bundle file %r. Check the value of CABOT_HTTP_CHECK_CA_BUNDLE' %
+                             settings.CABOT_HTTP_CHECK_CA_BUNDLE)
+                ssl_verify = True  # Fallback on default CA bundle provided by the Certifi python module
+
         try:
             resp = requests.get(
                 self.endpoint,
                 timeout=self.timeout,
-                verify=self.verify_ssl_certificate,
+                verify=ssl_verify,
                 auth=auth,
                 headers={
                     "User-Agent": settings.HTTP_USER_AGENT,

diff --git a/cabot/cabotapp/tasks.py b/cabot/cabotapp/tasks.py
@@ -99,11 +99,7 @@ def clean_db(days_to_retain=7, batch_size=10000):
     InstanceStatusSnapshot.objects.filter(id__in=instance_snapshot_ids).delete()
 
     # If we reached the batch size on either we need to re-queue to continue cleaning up.
-    if (
-            result_count == batch_size or
-            service_snapshot_count == batch_size or
-            instance_snapshot_count == batch_size
-    ):
+    if result_count == batch_size or service_snapshot_count == batch_size or instance_snapshot_count == batch_size:
         clean_db.apply_async(kwargs={
             'days_to_retain': days_to_retain,
             'batch_size': batch_size},

diff --git a/cabot/cabotapp/views.py b/cabot/cabotapp/views.py
@@ -264,7 +264,7 @@ class Meta:
             }),
             'text_match': forms.TextInput(attrs={
                 'style': 'width: 100%',
-                'placeholder': '[Aa]rachnys\s+[Rr]ules',
+                'placeholder': r'[Aa]rachnys\s+[Rr]ules',
             }),
             'status_code': forms.TextInput(attrs={
                 'style': 'width: 20%',

diff --git a/cabot/settings.py b/cabot/settings.py
@@ -164,7 +164,7 @@
 COMPRESS_PRECOMPILERS = (
     ('text/coffeescript', 'coffee --compile --stdio'),
     ('text/eco',
-     'eco -i TEMPLATES {infile} && cat "$(echo "{infile}" | sed -e "s/\.eco$/.js/g")"'),
+     r'eco -i TEMPLATES {infile} && cat "$(echo "{infile}" | sed -e "s/\.eco$/.js/g")"'),
     ('text/less', 'lessc {infile} > {outfile}'),
 )
 

diff --git a/conf/default.env b/conf/default.env
@@ -28,6 +28,9 @@ CELERY_BROKER_URL=redis://redis:6379/1
 # User-Agent string used for HTTP checks
 HTTP_USER_AGENT=Cabot
 
+# CA bundle to use when verifying SSL certificate in HTTP checks. By default the bundle is provided by the Certifi python module
+# CABOT_HTTP_CHECK_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+
 # Used for pointing links back in alerts etc.
 WWW_HTTP_HOST=localhost
 WWW_SCHEME=http

diff --git a/conf/development.env.example b/conf/development.env.example
@@ -38,6 +38,9 @@ GRAPHITE_PASS=password
 # User-Agent string used for HTTP checks
 HTTP_USER_AGENT=Cabot
 
+# CA bundle to use when verifying SSL certificate in HTTP checks. By default the bundle is provided by the Certifi python module
+# CABOT_HTTP_CHECK_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+
 # Hipchat integration
 HIPCHAT_ALERT_ROOM=room_name_or_id
 HIPCHAT_API_KEY=your_hipchat_api_key

diff --git a/conf/production.env.example b/conf/production.env.example
@@ -39,6 +39,9 @@ GRAPHITE_PASS=password
 ## User-Agent string used for Cabot HTTP checks
 HTTP_USER_AGENT=Cabot
 
+# CA bundle to use when verifying SSL certificate in HTTP checks. By default the bundle is provided by the Certifi python module
+# CABOT_HTTP_CHECK_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+
 ## Email plugin integration
 EMAIL_HOST=smtp.example.com
 # SMTP authentication settings. To disable SMTP authentication, comment out

diff --git a/setup.py b/setup.py
@@ -4,7 +4,10 @@
 from os import environ as env
 import subprocess
 
-from pip.req import parse_requirements
+try: # for pip >= 10
+    from pip._internal.req import parse_requirements
+except ImportError: # for pip <= 9.0.3
+    from pip.req import parse_requirements
 
 requirements = [str(req.req) for req in parse_requirements('requirements.txt', session=False)]
 requirements_plugins = [str(req.req) for req in parse_requirements('requirements-plugins.txt', session=False)]