Exclude pycache and .py[cod]

.azure-pipelines/INSTALL.md

@@ -69,12 +69,12 @@ Access can be defined for all or only selected repositories, which is nice.
 ```
 
 - Redirected to Azure DevOps, select the account created in _Having an Azure DevOps account_ section.
-- Select the organization, and click "Create a new project" (let's name it the same than the targeted github repo)
+- Select the organization, and click "Create a new project" (let's name it the same than the targetted github repo)
 - The Visibility is public, to profit from 10 parallel jobs
 
 ```
 !!! ACCESS !!!
-Azure Pipelines needs access to the GitHub account (in term of being able to check it is valid), and the Resources shared between the GitHub account and Azure Pipelines.
+Azure Pipelines needs access to the GitHub account (in term of beeing able to check it is valid), and the Resources shared between the GitHub account and Azure Pipelines.
 ```
 
 _Done. We can move to pipelines configuration._

.azure-pipelines/advanced-test.yml

@@ -1,14 +0,0 @@
-# Advanced pipeline for running our full test suite on demand.
-trigger:
-  # When changing these triggers, please ensure the documentation under
-  # "Running tests in CI" is still correct.
-  - test-*
-pr: none
-
-variables:
-  # We don't publish our Docker images in this pipeline, but when building them
-  # for testing, let's use the nightly tag.
-  dockerTag: nightly
-
-stages:
-  - template: templates/stages/test-and-package-stage.yml

.azure-pipelines/advanced.yml

@@ -0,0 +1,20 @@
+# Advanced pipeline for isolated checks and release purpose
+trigger:
+  - test-*
+  - '*.x'
+pr:
+  - test-*
+# This pipeline is also nightly run on master
+schedules:
+  - cron: "0 4 * * *"
+    displayName: Nightly build
+    branches:
+      include:
+      - master
+    always: true
+
+jobs:
+  # Any addition here should be reflected in the release pipeline.
+  # It is advised to declare all jobs here as templates to improve maintainability.
+  - template: templates/tests-suite.yml
+  - template: templates/installer-tests.yml

.azure-pipelines/main.yml

@@ -1,8 +1,12 @@
-trigger: none
+trigger:
+  # apache-parser-v2 is a temporary branch for doing work related to
+  # rewriting the parser in the Apache plugin.
+  - apache-parser-v2
+  - master
 pr:
+  - apache-parser-v2
   - master
   - '*.x'
 
 jobs:
-  - template: templates/jobs/standard-tests-jobs.yml
-
+  - template: templates/tests-suite.yml

.azure-pipelines/nightly.yml

@@ -1,18 +0,0 @@
-# Nightly pipeline running each day for master.
-trigger: none
-pr: none
-schedules:
-  - cron: "30 4 * * *"
-    displayName: Nightly build
-    branches:
-      include:
-      - master
-    always: true
-
-variables:
-  dockerTag: nightly
-
-stages:
-  - template: templates/stages/test-and-package-stage.yml
-  - template: templates/stages/deploy-stage.yml
-  - template: templates/stages/notify-failure-stage.yml

.azure-pipelines/release.yml

@@ -1,18 +1,13 @@
-# Release pipeline to run our full test suite, build artifacts, and deploy them
-# for GitHub release tags.
+# Release pipeline to build and deploy Certbot for Windows for GitHub release tags
 trigger:
   tags:
     include:
       - v*
 pr: none
 
-variables:
-  dockerTag: ${{variables['Build.SourceBranchName']}}
-
-stages:
-  - template: templates/stages/test-and-package-stage.yml
-  - template: templates/stages/changelog-stage.yml
-  - template: templates/stages/deploy-stage.yml
-    parameters:
-      snapReleaseChannel: beta
-  - template: templates/stages/notify-failure-stage.yml
+jobs:
+  # Any addition here should be reflected in the advanced pipeline.
+  # It is advised to declare all jobs here as templates to improve maintainability.
+  - template: templates/tests-suite.yml
+  - template: templates/installer-tests.yml
+  - template: templates/changelog.yml

.azure-pipelines/templates/changelog.yml

@@ -0,0 +1,14 @@
+jobs:
+  - job: changelog
+    pool:
+      vmImage: vs2017-win2016
+    steps:
+      - bash: |
+          CERTBOT_VERSION="$(cd certbot && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
+          "${BUILD_REPOSITORY_LOCALPATH}\tools\extract_changelog.py" "${CERTBOT_VERSION}" >> "${BUILD_ARTIFACTSTAGINGDIRECTORY}/release_notes.md"
+        displayName: Prepare changelog
+      - task: PublishPipelineArtifact@1
+        inputs:
+          path: $(Build.ArtifactStagingDirectory)
+          artifact: changelog
+        displayName: Publish changelog

.azure-pipelines/templates/installer-tests.yml

@@ -0,0 +1,32 @@
+jobs:
+  - job: installer
+    pool:
+      vmImage: vs2017-win2016
+    steps:
+      - task: UsePythonVersion@0
+        inputs:
+          versionSpec: 3.7
+          architecture: x86
+          addToPath: true
+      - script: python windows-installer/construct.py
+        displayName: Build Certbot installer
+      - task: CopyFiles@2
+        inputs:
+          sourceFolder: $(System.DefaultWorkingDirectory)/windows-installer/build/nsis
+          contents: '*.exe'
+          targetFolder: $(Build.ArtifactStagingDirectory)
+      - task: PublishPipelineArtifact@1
+        inputs:
+          path: $(Build.ArtifactStagingDirectory)
+          artifact: windows-installer
+        displayName: Publish Windows installer
+      - script: $(Build.ArtifactStagingDirectory)\certbot-beta-installer-win32.exe /S
+        displayName: Install Certbot
+      - script: |
+          python -m venv venv
+          venv\Scripts\python tools\pip_install.py -e certbot-ci
+        displayName: Prepare Certbot-CI
+      - script: |
+          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
+          venv\Scripts\python -m pytest certbot-ci\certbot_integration_tests\certbot_tests -n 4
+        displayName: Run integration tests

.azure-pipelines/templates/jobs/extended-tests-jobs.yml

@@ -1,94 +0,0 @@
-jobs:
-  - job: extended_test
-    variables:
-      - name: IMAGE_NAME
-        value: ubuntu-18.04
-      - name: PYTHON_VERSION
-        value: 3.9
-      - group: certbot-common
-    strategy:
-      matrix:
-        linux-py36:
-          PYTHON_VERSION: 3.6
-          TOXENV: py36
-        linux-py37:
-          PYTHON_VERSION: 3.7
-          TOXENV: py37
-        linux-py38:
-          PYTHON_VERSION: 3.8
-          TOXENV: py38
-        linux-py37-nopin:
-          PYTHON_VERSION: 3.7
-          TOXENV: py37
-          CERTBOT_NO_PIN: 1
-        linux-external-mock:
-          TOXENV: external-mock
-        linux-boulder-v1-integration-certbot-oldest:
-          PYTHON_VERSION: 3.6
-          TOXENV: integration-certbot-oldest
-          ACME_SERVER: boulder-v1
-        linux-boulder-v2-integration-certbot-oldest:
-          PYTHON_VERSION: 3.6
-          TOXENV: integration-certbot-oldest
-          ACME_SERVER: boulder-v2
-        linux-boulder-v1-integration-nginx-oldest:
-          PYTHON_VERSION: 3.6
-          TOXENV: integration-nginx-oldest
-          ACME_SERVER: boulder-v1
-        linux-boulder-v2-integration-nginx-oldest:
-          PYTHON_VERSION: 3.6
-          TOXENV: integration-nginx-oldest
-          ACME_SERVER: boulder-v2
-        linux-boulder-v1-py36-integration:
-          PYTHON_VERSION: 3.6
-          TOXENV: integration
-          ACME_SERVER: boulder-v1
-        linux-boulder-v2-py36-integration:
-          PYTHON_VERSION: 3.6
-          TOXENV: integration
-          ACME_SERVER: boulder-v2
-        linux-boulder-v1-py37-integration:
-          PYTHON_VERSION: 3.7
-          TOXENV: integration
-          ACME_SERVER: boulder-v1
-        linux-boulder-v2-py37-integration:
-          PYTHON_VERSION: 3.7
-          TOXENV: integration
-          ACME_SERVER: boulder-v2
-        linux-boulder-v1-py38-integration:
-          PYTHON_VERSION: 3.8
-          TOXENV: integration
-          ACME_SERVER: boulder-v1
-        linux-boulder-v2-py38-integration:
-          PYTHON_VERSION: 3.8
-          TOXENV: integration
-          ACME_SERVER: boulder-v2
-        linux-boulder-v1-py39-integration:
-          PYTHON_VERSION: 3.9
-          TOXENV: integration
-          ACME_SERVER: boulder-v1
-        linux-boulder-v2-py39-integration:
-          PYTHON_VERSION: 3.9
-          TOXENV: integration
-          ACME_SERVER: boulder-v2
-        nginx-compat:
-          TOXENV: nginx_compat
-        linux-integration-rfc2136:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.8
-          TOXENV: integration-dns-rfc2136
-        docker-dev:
-          TOXENV: docker_dev
-        macos-farmtest-apache2:
-          # We run one of these test farm tests on macOS to help ensure the
-          # tests continue to work on the platform.
-          IMAGE_NAME: macOS-10.15
-          PYTHON_VERSION: 3.8
-          TOXENV: test-farm-apache2
-        farmtest-sdists:
-          PYTHON_VERSION: 3.7
-          TOXENV: test-farm-sdists
-    pool:
-      vmImage: $(IMAGE_NAME)
-    steps:
-      - template: ../steps/tox-steps.yml

.azure-pipelines/templates/jobs/packaging-jobs.yml

@@ -1,230 +0,0 @@
-jobs:
-  - job: docker_build
-    pool:
-      vmImage: ubuntu-18.04
-    strategy:
-      matrix:
-        amd64:
-          DOCKER_ARCH: amd64
-        # Do not run the heavy non-amd64 builds for test branches
-        ${{ if not(startsWith(variables['Build.SourceBranchName'], 'test-')) }}:
-          arm32v6:
-            DOCKER_ARCH: arm32v6
-          arm64v8:
-            DOCKER_ARCH: arm64v8
-    # The default timeout of 60 minutes is a little low for compiling
-    # cryptography on ARM architectures.
-    timeoutInMinutes: 180
-    steps:
-      - bash: set -e && tools/docker/build.sh $(dockerTag) $DOCKER_ARCH
-        displayName: Build the Docker images
-      # We don't filter for the Docker Hub organization to continue to allow
-      # easy testing of these scripts on forks.
-      - bash: |
-          set -e
-          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}')
-          docker save --output images.tar $DOCKER_IMAGES
-        displayName: Save the Docker images
-      # If the name of the tar file or artifact changes, the deploy stage will
-      # also need to be updated.
-      - bash: set -e && mv images.tar $(Build.ArtifactStagingDirectory)
-        displayName: Prepare Docker artifact
-      - task: PublishPipelineArtifact@1
-        inputs:
-          path: $(Build.ArtifactStagingDirectory)
-          artifact: docker_$(DOCKER_ARCH)
-        displayName: Store Docker artifact
-  - job: docker_run
-    dependsOn: docker_build
-    pool:
-      vmImage: ubuntu-18.04
-    steps:
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: docker_amd64
-          path: $(Build.SourcesDirectory)
-        displayName: Retrieve Docker images
-      - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
-        displayName: Load Docker images
-      - bash: |
-          set -ex
-          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}:{{.Tag}}')
-          for DOCKER_IMAGE in ${DOCKER_IMAGES}
-            do docker run --rm "${DOCKER_IMAGE}" plugins --prepare
-          done
-        displayName: Run integration tests for Docker images
-  - job: installer_build
-    pool:
-      vmImage: vs2017-win2016
-    steps:
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          architecture: x86
-          addToPath: true
-      - script: |
-          python -m venv venv
-          venv\Scripts\python tools\pipstrap.py
-          venv\Scripts\python tools\pip_install.py -e windows-installer
-        displayName: Prepare Windows installer build environment
-      - script: |
-          venv\Scripts\construct-windows-installer
-        displayName: Build Certbot installer
-      - task: CopyFiles@2
-        inputs:
-          sourceFolder: $(System.DefaultWorkingDirectory)/windows-installer/build/nsis
-          contents: '*.exe'
-          targetFolder: $(Build.ArtifactStagingDirectory)
-      - task: PublishPipelineArtifact@1
-        inputs:
-          path: $(Build.ArtifactStagingDirectory)
-          # If we change the artifact's name, it should also be changed in tools/create_github_release.py
-          artifact: windows-installer
-        displayName: Publish Windows installer
-  - job: installer_run
-    dependsOn: installer_build
-    strategy:
-      matrix:
-        win2019:
-          imageName: windows-2019
-        win2016:
-          imageName: vs2017-win2016
-    pool:
-      vmImage: $(imageName)
-    steps:
-      - powershell: |
-          if ($PSVersionTable.PSVersion.Major -ne 5) {
-              throw "Powershell version is not 5.x"
-          }
-        condition: eq(variables['imageName'], 'vs2017-win2016')
-        displayName: Check Powershell 5.x is used in vs2017-win2016
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          addToPath: true
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: windows-installer
-          path: $(Build.SourcesDirectory)/bin
-        displayName: Retrieve Windows installer
-      - script: |
-          python -m venv venv
-          venv\Scripts\python tools\pipstrap.py
-          venv\Scripts\python tools\pip_install.py -e certbot-ci
-        env:
-          PIP_NO_BUILD_ISOLATION: no
-        displayName: Prepare Certbot-CI
-      - script: |
-          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
-          venv\Scripts\python -m pytest certbot-ci\windows_installer_integration_tests --allow-persistent-changes --installer-path $(Build.SourcesDirectory)\bin\certbot-beta-installer-win32.exe
-        displayName: Run windows installer integration tests
-      - script: |
-          set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
-          venv\Scripts\python -m pytest certbot-ci\certbot_integration_tests\certbot_tests -n 4
-        displayName: Run certbot integration tests
-  - job: snaps_build
-    pool:
-      vmImage: ubuntu-18.04
-    strategy:
-      matrix:
-        amd64:
-          SNAP_ARCH: amd64
-        # Do not run the heavy non-amd64 builds for test branches
-        ${{ if not(startsWith(variables['Build.SourceBranchName'], 'test-')) }}:
-          armhf:
-            SNAP_ARCH: armhf
-          arm64:
-            SNAP_ARCH: arm64
-    timeoutInMinutes: 0
-    steps:
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends snapd
-          sudo snap install --classic snapcraft
-        displayName: Install dependencies
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          addToPath: true
-      - task: DownloadSecureFile@1
-        name: credentials
-        inputs:
-          secureFile: launchpad-credentials
-      - script: |
-          set -e
-          git config --global user.email "$(Build.RequestedForEmail)"
-          git config --global user.name "$(Build.RequestedFor)"
-          mkdir -p ~/.local/share/snapcraft/provider/launchpad
-          cp $(credentials.secureFilePath) ~/.local/share/snapcraft/provider/launchpad/credentials
-          python3 tools/snap/build_remote.py ALL --archs ${SNAP_ARCH} --timeout 19800
-        displayName: Build snaps
-      - script: |
-          set -e
-          mv *.snap $(Build.ArtifactStagingDirectory)
-          mv certbot-dns-*/*.snap $(Build.ArtifactStagingDirectory)
-        displayName: Prepare artifacts
-      - task: PublishPipelineArtifact@1
-        inputs:
-          path: $(Build.ArtifactStagingDirectory)
-          artifact: snaps_$(SNAP_ARCH)
-        displayName: Store snaps artifacts
-  - job: snap_run
-    dependsOn: snaps_build
-    pool:
-      vmImage: ubuntu-18.04
-    steps:
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          addToPath: true
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends nginx-light snapd
-          python3 -m venv venv
-          venv/bin/python tools/pipstrap.py
-          venv/bin/python tools/pip_install.py -U tox
-        displayName: Install dependencies
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: snaps_amd64
-          path: $(Build.SourcesDirectory)/snap
-        displayName: Retrieve Certbot snaps
-      - script: |
-          set -e
-          sudo snap install --dangerous --classic snap/certbot_*.snap
-        displayName: Install Certbot snap
-      - script: |
-          set -e
-          venv/bin/python -m tox -e integration-external,apacheconftest-external-with-pebble
-        displayName: Run tox
-  - job: snap_dns_run
-    dependsOn: snaps_build
-    pool:
-      vmImage: ubuntu-18.04
-    steps:
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends snapd
-        displayName: Install dependencies
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          addToPath: true
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: snaps_amd64
-          path: $(Build.SourcesDirectory)/snap
-        displayName: Retrieve Certbot snaps
-      - script: |
-          set -e
-          python3 -m venv venv
-          venv/bin/python tools/pipstrap.py
-          venv/bin/python tools/pip_install.py -e certbot-ci
-        displayName: Prepare Certbot-CI
-      - script: |
-          set -e
-          sudo -E venv/bin/pytest certbot-ci/snap_integration_tests/dns_tests --allow-persistent-changes --snap-folder $(Build.SourcesDirectory)/snap --snap-arch amd64
-        displayName: Test DNS plugins snaps

.azure-pipelines/templates/jobs/standard-tests-jobs.yml

@@ -1,80 +0,0 @@
-jobs:
-  - job: test
-    variables:
-      PYTHON_VERSION: 3.9
-    strategy:
-      matrix:
-        macos-py36:
-          IMAGE_NAME: macOS-10.15
-          PYTHON_VERSION: 3.6
-          TOXENV: py36
-        macos-py39:
-          IMAGE_NAME: macOS-10.15
-          PYTHON_VERSION: 3.9
-          TOXENV: py39
-        windows-py36:
-          IMAGE_NAME: vs2017-win2016
-          PYTHON_VERSION: 3.6
-          TOXENV: py36
-        windows-py38-cover:
-          IMAGE_NAME: vs2017-win2016
-          PYTHON_VERSION: 3.8
-          TOXENV: py38-cover
-        windows-integration-certbot:
-          IMAGE_NAME: vs2017-win2016
-          PYTHON_VERSION: 3.8
-          TOXENV: integration-certbot
-        linux-oldest-tests-1:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
-          TOXENV: '{acme,apache,apache-v2,certbot}-oldest'
-        linux-oldest-tests-2:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
-          TOXENV: '{dns,nginx}-oldest'
-        linux-py36:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
-          TOXENV: py36
-        linux-py39-cover:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.9
-          TOXENV: py39-cover
-        linux-py39-lint:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.9
-          TOXENV: lint
-        linux-py39-mypy:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.9
-          TOXENV: mypy
-        linux-integration:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.8
-          TOXENV: integration
-          ACME_SERVER: pebble
-        apache-compat:
-          IMAGE_NAME: ubuntu-18.04
-          TOXENV: apache_compat
-        # le-modification can be moved to the extended test suite once
-        # https://github.com/certbot/certbot/issues/8742 is resolved.
-        le-modification:
-          IMAGE_NAME: ubuntu-18.04
-          TOXENV: modification
-        apacheconftest:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
-          TOXENV: apacheconftest-with-pebble
-        nginxroundtrip:
-          IMAGE_NAME: ubuntu-18.04
-          PYTHON_VERSION: 3.6
-          TOXENV: nginxroundtrip
-    pool:
-      vmImage: $(IMAGE_NAME)
-    steps:
-      - template: ../steps/tox-steps.yml
-  - job: test_sphinx_builds
-    pool:
-      vmImage: ubuntu-20.04
-    steps:
-      - template: ../steps/sphinx-steps.yml

.azure-pipelines/templates/stages/changelog-stage.yml

@@ -1,19 +0,0 @@
-stages:
-  - stage: Changelog
-    jobs:
-      - job: prepare
-        pool:
-          vmImage: vs2017-win2016
-        steps:
-          # If we change the output filename from `release_notes.md`, it should also be changed in tools/create_github_release.py
-          - bash: |
-              set -e
-              CERTBOT_VERSION="$(cd certbot && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
-              "${BUILD_REPOSITORY_LOCALPATH}\tools\extract_changelog.py" "${CERTBOT_VERSION}" >> "${BUILD_ARTIFACTSTAGINGDIRECTORY}/release_notes.md"
-            displayName: Prepare changelog
-          - task: PublishPipelineArtifact@1
-            inputs:
-              path: $(Build.ArtifactStagingDirectory)
-              # If we change the artifact's name, it should also be changed in tools/create_github_release.py
-              artifact: changelog
-            displayName: Publish changelog

.azure-pipelines/templates/stages/deploy-stage.yml

@@ -1,106 +0,0 @@
-parameters:
-- name: snapReleaseChannel
-  type: string
-  default: edge
-  values:
-  - edge
-  - beta
-
-stages:
-  - stage: Deploy
-    jobs:
-      # This job relies on credentials used to publish the Certbot snaps. This
-      # credential file was created by running:
-      #
-      #   snapcraft logout
-      #   snapcraft login (provide the shared snapcraft credentials when prompted)
-      #   snapcraft export-login --channels=beta,edge snapcraft.cfg
-      #
-      # Then the file was added as a secure file in Azure pipelines
-      # with the name snapcraft.cfg by following the instructions at
-      # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops
-      # including authorizing the file in all pipelines as described at
-      # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops#how-do-i-authorize-a-secure-file-for-use-in-all-pipelines.
-      #
-      # This file has a maximum lifetime of one year and the current
-      # file will expire on 2021-07-28 which is also tracked by
-      # https://github.com/certbot/certbot/issues/7931. The file will
-      # need to be updated before then to prevent automated deploys
-      # from breaking.
-      #
-      # Revoking these credentials can be done by changing the password of the
-      # account used to generate the credentials. See
-      # https://forum.snapcraft.io/t/revoking-exported-credentials/19031 for
-      # more info.
-      - job: publish_snap
-        pool:
-          vmImage: ubuntu-18.04
-        variables:
-          - group: certbot-common
-        strategy:
-          matrix:
-            amd64:
-              SNAP_ARCH: amd64
-            arm32v6:
-              SNAP_ARCH: armhf
-            arm64v8:
-              SNAP_ARCH: arm64
-        steps:
-          - bash: |
-              set -e
-              sudo apt-get update
-              sudo apt-get install -y --no-install-recommends snapd
-              sudo snap install --classic snapcraft
-            displayName: Install dependencies
-          - task: DownloadPipelineArtifact@2
-            inputs:
-              artifact: snaps_$(SNAP_ARCH)
-              path: $(Build.SourcesDirectory)/snap
-            displayName: Retrieve Certbot snaps
-          - task: DownloadSecureFile@1
-            name: snapcraftCfg
-            inputs:
-              secureFile: snapcraft.cfg
-          - bash: |
-              set -e
-              snapcraft login --with $(snapcraftCfg.secureFilePath)
-              for SNAP_FILE in snap/*.snap; do
-                tools/retry.sh eval snapcraft upload --release=${{ parameters.snapReleaseChannel }} "${SNAP_FILE}"
-              done
-            displayName: Publish to Snap store
-      - job: publish_docker
-        pool:
-          vmImage: ubuntu-18.04
-        strategy:
-          matrix:
-            amd64:
-              DOCKER_ARCH: amd64
-            arm32v6:
-              DOCKER_ARCH: arm32v6
-            arm64v8:
-              DOCKER_ARCH: arm64v8
-        steps:
-          - task: DownloadPipelineArtifact@2
-            inputs:
-              artifact: docker_$(DOCKER_ARCH)
-              path: $(Build.SourcesDirectory)
-            displayName: Retrieve Docker images
-          - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
-            displayName: Load Docker images
-          - task: Docker@2
-            inputs:
-              command: login
-              # The credentials used here are for the shared certbotbot account
-              # on Docker Hub. The credentials are stored in a service account
-              # which was created by following the instructions at
-              # https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#sep-docreg.
-              # The name given to this service account must match the value
-              # given to containerRegistry below. "Grant access to all
-              # pipelines" should also be checked.  To revoke these
-              # credentials, we can change the password on the certbotbot
-              # Docker Hub account or remove the account from the
-              # Certbot organization on Docker Hub.
-              containerRegistry: docker-hub
-            displayName: Login to Docker Hub
-          - bash: set -e && tools/docker/deploy.sh $(dockerTag) $DOCKER_ARCH
-            displayName: Deploy the Docker images

.azure-pipelines/templates/stages/notify-failure-stage.yml

@@ -1,19 +0,0 @@
-stages:
-  - stage: On_Failure
-    jobs:
-      - job: notify_mattermost
-        variables:
-          - group: certbot-common
-        pool:
-          vmImage: ubuntu-20.04
-        steps:
-          - bash: |
-              set -e
-              MESSAGE="\
-              ---\n\
-              ##### Azure Pipeline
-              *Repo* $(Build.Repository.ID) - *Pipeline* $(Build.DefinitionName) #$(Build.BuildNumber) - *Branch/PR* $(Build.SourceBranchName)\n\
-              :warning: __Pipeline has failed__: [Link to the build](https://dev.azure.com/$(Build.Repository.ID)/_build/results?buildId=$(Build.BuildId)&view=results)\n\n\
-              ---"
-              curl -i -X POST --data-urlencode "payload={\"text\":\"${MESSAGE}\"}" "$(MATTERMOST_URL)"
-    condition: failed()

.azure-pipelines/templates/stages/test-and-package-stage.yml

@@ -1,6 +0,0 @@
-stages:
-  - stage: TestAndPackage
-    jobs:
-      - template: ../jobs/standard-tests-jobs.yml
-      - template: ../jobs/extended-tests-jobs.yml
-      - template: ../jobs/packaging-jobs.yml

.azure-pipelines/templates/steps/sphinx-steps.yml

@@ -1,21 +0,0 @@
-steps:
-  - bash: |
-      FINAL_STATUS=0
-      declare -a FAILED_BUILDS
-      tools/venv.py
-      source venv/bin/activate
-      for doc_path in */docs
-      do
-        echo ""
-        echo "##[group]Building $doc_path"
-        if ! sphinx-build -W --keep-going -b html $doc_path $doc_path/_build/html; then
-          FINAL_STATUS=1
-          FAILED_BUILDS[${#FAILED_BUILDS[@]}]="${doc_path%/docs}"
-        fi
-        echo "##[endgroup]"
-      done
-      if [[ $FINAL_STATUS -ne 0 ]]; then
-        echo "##[error]The following builds failed: ${FAILED_BUILDS[*]}"
-        exit 1
-      fi
-    displayName: Build Sphinx Documentation

.azure-pipelines/templates/steps/tox-steps.yml

@@ -1,57 +0,0 @@
-steps:
-  # We run brew update because we've seen attempts to install an older version
-  # of a package fail. See
-  # https://github.com/actions/virtual-environments/issues/3165.
-  - bash: |
-      set -e
-      brew update
-      brew install augeas
-    condition: startswith(variables['IMAGE_NAME'], 'macOS')
-    displayName: Install MacOS dependencies
-  - bash: |
-      set -e
-      sudo apt-get update
-      sudo apt-get install -y --no-install-recommends \
-        python-dev \
-        gcc \
-        libaugeas0 \
-        libssl-dev \
-        libffi-dev \
-        ca-certificates \
-        nginx-light \
-        openssl
-      sudo systemctl stop nginx
-    condition: startswith(variables['IMAGE_NAME'], 'ubuntu')
-    displayName: Install Linux dependencies
-  - task: UsePythonVersion@0
-    inputs:
-      versionSpec: $(PYTHON_VERSION)
-      addToPath: true
-    # tools/pip_install.py is used to pin packages to a known working version
-    # except in tests where the environment variable CERTBOT_NO_PIN is set.
-    # virtualenv is listed here explicitly to make sure it is upgraded when
-    # CERTBOT_NO_PIN is set to work around failures we've seen when using an older
-    # version of virtualenv. The option "-I" is set so when CERTBOT_NO_PIN is also
-    # set, pip updates dependencies it thinks are already satisfied to avoid some
-    # problems with its lack of real dependency resolution.
-  - bash: |
-      set -e
-      python tools/pipstrap.py
-      python tools/pip_install.py -I tox virtualenv
-    displayName: Install runtime dependencies
-  - task: DownloadSecureFile@1
-    name: testFarmPem
-    inputs:
-      secureFile: azure-test-farm.pem
-    condition: contains(variables['TOXENV'], 'test-farm')
-  - bash: |
-      set -e
-      export TARGET_BRANCH="`echo "${BUILD_SOURCEBRANCH}" | sed -E 's!refs/(heads|tags)/!!g'`"
-      [ -z "${SYSTEM_PULLREQUEST_TARGETBRANCH}" ] || export TARGET_BRANCH="${SYSTEM_PULLREQUEST_TARGETBRANCH}"
-      env
-      python -m tox
-    env:
-      AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
-      AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
-      AWS_EC2_PEM_FILE: $(testFarmPem.secureFilePath)
-    displayName: Run tox

.azure-pipelines/templates/tests-suite.yml

@@ -0,0 +1,38 @@
+jobs:
+  - job: test
+    pool:
+      vmImage: vs2017-win2016
+    strategy:
+      matrix:
+        py35:
+          PYTHON_VERSION: 3.5
+          TOXENV: py35
+        py37-cover:
+          PYTHON_VERSION: 3.7
+          TOXENV: py37-cover
+        integration-certbot:
+          PYTHON_VERSION: 3.7
+          TOXENV: integration-certbot
+          PYTEST_ADDOPTS: --numprocesses 4
+    variables:
+    - group: certbot-common
+    steps:
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: $(PYTHON_VERSION)
+        addToPath: true
+    - script: python tools/pip_install.py -U tox coverage
+      displayName: Install dependencies
+    - script: python -m tox
+      displayName: Run tox
+    # We do not require codecov report upload to succeed. So to avoid to break the pipeline if
+    # something goes wrong, each command is suffixed with a command that hides any non zero exit
+    # codes and echoes an informative message instead.
+    - bash: |
+        curl -s https://codecov.io/bash -o codecov-bash || echo "Failed to download codecov-bash"
+        chmod +x codecov-bash || echo "Failed to apply execute permissions on codecov-bash"
+        ./codecov-bash -F windows  || echo "Codecov did not collect coverage reports"
+      condition: in(variables['TOXENV'], 'py37-cover', 'integration-certbot')
+      env:
+        CODECOV_TOKEN: $(codecov_token)
+      displayName: Publish coverage

.codecov.yml

@@ -0,0 +1,18 @@
+coverage:
+  status:
+    project:
+      default: off
+      linux:
+        flags: linux
+        # Fixed target instead of auto set by #7173, can
+        # be removed when flags in Codecov are added back.
+        target: 97.4
+        threshold: 0.1
+        base: auto
+      windows:
+        flags: windows
+        # Fixed target instead of auto set by #7173, can
+        # be removed when flags in Codecov are added back.
+        target: 97.4
+        threshold: 0.1
+        base: auto

.dockerignore

@@ -8,4 +8,5 @@
 .git
 .tox
 venv
+venv3
 docs

.editorconfig

@@ -1,18 +0,0 @@
-# https://editorconfig.org/
-
-root = true
-
-[*]
-insert_final_newline = true
-trim_trailing_whitespace = true
-end_of_line = lf
-
-[*.py]
-indent_style = space
-indent_size = 4
-charset = utf-8
-max_line_length = 100
-
-[*.yaml]
-indent_style = space
-indent_size = 2

.envrc

@@ -1,12 +0,0 @@
-# This file is just a nicety for developers who use direnv. When you cd under
-# the Certbot repo, Certbot's virtual environment will be automatically
-# activated and then deactivated when you cd elsewhere. Developers have to have
-# direnv set up and run `direnv allow` to allow this file to execute on their
-# system. You can find more information at https://direnv.net/.
-. venv/bin/activate
-# direnv doesn't support modifying PS1 so we unset it to squelch the error
-# it'll otherwise print about this being done in the activate script. See
-# https://github.com/direnv/direnv/wiki/PS1. If you would like your shell
-# prompt to change like it normally does, see
-# https://github.com/direnv/direnv/wiki/Python#restoring-the-ps1.
-unset PS1

.github/FUNDING.yml

@@ -1 +0,0 @@
-custom: https://supporters.eff.org/donate/support-work-on-certbot

.gitignore

@@ -4,12 +4,13 @@
 build/
 dist*/
 /venv*/
+/kgs/
 /.tox/
 /releases*/
 /log*
 letsencrypt.log
 certbot.log
-poetry.lock
+letsencrypt-auto-source/letsencrypt-auto.sig.lzma.base64
 
 # coverage
 .coverage
@@ -25,11 +26,15 @@ tags
 \#*#
 .idea
 .ropeproject
-.vscode
 
 # auth --cert-path --chain-path
 /*.pem
 
+# letstest
+tests/letstest/letest-*/
+tests/letstest/*.pem
+tests/letstest/venv/
+
 .venv
 
 # pytest cache
@@ -44,17 +49,3 @@ tags
 .certbot_test_workspace
 **/assets/pebble*
 **/assets/challtestsrv*
-
-# snap files
-.snapcraft
-parts
-prime
-stage
-*.snap
-snap-constraints.txt
-qemu-*
-certbot-dns*/certbot-dns*_amd64*.txt
-certbot-dns*/certbot-dns*_arm*.txt
-/certbot_amd64*.txt
-/certbot_arm*.txt
-certbot-dns*/snap

.isort.cfg

@@ -1,6 +0,0 @@
-[settings]
-skip_glob=venv*
-force_sort_within_sections=True
-force_single_line=True
-order_by_type=False
-line_length=400

.pylintrc

@@ -8,10 +8,7 @@ jobs=0
 
 # Python code to execute, usually for sys.path manipulation such as
 # pygtk.require().
-# CERTBOT COMMENT
-# This is needed for pylint to import linter_plugin.py since
-# https://github.com/PyCQA/pylint/pull/3396.
-init-hook="import pylint.config, os, sys; sys.path.append(os.path.dirname(pylint.config.PYLINTRC))"
+#init-hook=
 
 # Profiled execution.
 profile=no
@@ -27,11 +24,6 @@ persistent=yes
 # usually to register additional checkers.
 load-plugins=linter_plugin
 
-# A comma-separated list of package or module names from where C extensions may
-# be loaded. Extensions are loading into the active Python interpreter and may
-# run arbitrary code.
-extension-pkg-whitelist=pywintypes,win32api,win32file,win32security
-
 
 [MESSAGES CONTROL]
 
@@ -49,25 +41,10 @@ extension-pkg-whitelist=pywintypes,win32api,win32file,win32security
 # --enable=similarities". If you want to run only the classes checker, but have
 # no Warning level messages displayed, use"--disable=all --enable=classes
 # --disable=W"
-# CERTBOT COMMENT
-# 1) Once certbot codebase is claimed to be compatible exclusively with Python 3,
-#    the useless-object-inheritance check can be enabled again, and code fixed accordingly.
-# 2) Check unsubscriptable-object tends to create a lot of false positives. Let's disable it.
-#    See https://github.com/PyCQA/pylint/issues/1498.
-# 3) Same as point 2 for no-value-for-parameter.
-#    See https://github.com/PyCQA/pylint/issues/2820.
-# 4) raise-missing-from makes it an error to raise an exception from except
-#    block without using explicit exception chaining. While explicit exception
-#    chaining results in a slightly more informative traceback, I don't think
-#    it's beneficial enough for us to change all of our current instances and
-#    give Certbot developers errors about this when they're working on new code
-#    in the future. You can read more about exception chaining and this pylint
-#    check at
-#    https://blog.ram.rachum.com/post/621791438475296768/improving-python-exception-chaining-with.
-# 5) wrong-import-order generates false positives and a pylint developer
-#    suggests that people using isort should disable this check at
-#    https://github.com/PyCQA/pylint/issues/3817#issuecomment-687892090.
-disable=fixme,locally-disabled,locally-enabled,bad-continuation,no-self-use,invalid-name,cyclic-import,duplicate-code,design,import-outside-toplevel,useless-object-inheritance,unsubscriptable-object,no-value-for-parameter,no-else-return,no-else-raise,no-else-break,no-else-continue,raise-missing-from,wrong-import-order
+disable=fixme,locally-disabled,locally-enabled,abstract-class-not-used,abstract-class-little-used,bad-continuation,no-self-use,invalid-name,cyclic-import,duplicate-code,design
+# abstract-class-not-used cannot be disabled locally (at least in
+# pylint 1.4.1), same for abstract-class-little-used
+
 
 [REPORTS]
 
@@ -268,7 +245,7 @@ ignore-mixin-members=yes
 # List of module names for which member attributes should not be checked
 # (useful for modules/projects where namespaces are manipulated during runtime
 # and thus existing member attributes cannot be deduced by static analysis
-ignored-modules=pkg_resources,confargparse,argparse
+ignored-modules=pkg_resources,confargparse,argparse,six.moves,six.moves.urllib
 # import errors ignored only in 1.4.4
 # https://bitbucket.org/logilab/pylint/commits/cd000904c9e2
 

.travis.yml

@@ -0,0 +1,312 @@
+language: python
+dist: xenial
+
+cache:
+    directories:
+        - $HOME/.cache/pip
+
+before_script:
+  - 'if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then ulimit -n 1024 ; fi'
+  # On Travis, the fastest parallelization for integration tests has proved to be 4.
+  - 'if [[ "$TOXENV" == *"integration"* ]]; then export PYTEST_ADDOPTS="--numprocesses 4"; fi'
+  # Use Travis retry feature for farm tests since they are flaky
+  - 'if [[ "$TOXENV" == "travis-test-farm"* ]]; then export TRAVIS_RETRY=travis_retry; fi'
+  - export TOX_TESTENV_PASSENV=TRAVIS
+
+# Only build pushes to the master branch, PRs, and branches beginning with
+# `test-` or of the form `digit(s).digit(s).x`. This reduces the number of
+# simultaneous Travis runs, which speeds turnaround time on review since there
+# is a cap of on the number of simultaneous runs.
+branches:
+  only:
+    # apache-parser-v2 is a temporary branch for doing work related to
+    # rewriting the parser in the Apache plugin.
+    - apache-parser-v2
+    - master
+    - /^\d+\.\d+\.x$/
+    - /^test-.*$/
+
+# Jobs for the main test suite are always executed (including on PRs) except for pushes on master.
+not-on-master: &not-on-master
+  if: NOT (type = push AND branch = master)
+
+# Jobs for the extended test suite are executed for cron jobs and pushes to
+# non-development branches. See the explanation for apache-parser-v2 above.
+extended-test-suite: &extended-test-suite
+  if: type = cron OR (type = push AND branch NOT IN (apache-parser-v2, master))
+
+matrix:
+  include:
+    # Main test suite
+    - python: "2.7"
+      env: ACME_SERVER=pebble TOXENV=integration
+      <<: *not-on-master
+
+    # This job is always executed, including on master
+    - python: "2.7"
+      env: TOXENV=py27-cover FYI="py27 tests + code coverage"
+
+    - python: "2.7"
+      env: TOXENV=lint
+      <<: *not-on-master
+    - python: "3.4"
+      env: TOXENV=mypy
+      <<: *not-on-master
+    - python: "3.5"
+      env: TOXENV=mypy
+      <<: *not-on-master
+    - python: "2.7"
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      env: TOXENV='py27-{acme,apache,certbot,dns,nginx}-oldest'
+      <<: *not-on-master
+    - python: "3.4"
+      env: TOXENV=py34
+      <<: *not-on-master
+    - python: "3.7"
+      env: TOXENV=py37
+      <<: *not-on-master
+    - python: "3.8"
+      env: TOXENV=py38
+      <<: *not-on-master
+    - sudo: required
+      env: TOXENV=apache_compat
+      services: docker
+      before_install:
+      addons:
+      <<: *not-on-master
+    - sudo: required
+      env: TOXENV=le_auto_xenial
+      services: docker
+      <<: *not-on-master
+    - python: "2.7"
+      env: TOXENV=apacheconftest-with-pebble
+      <<: *not-on-master
+    - python: "2.7"
+      env: TOXENV=nginxroundtrip
+      <<: *not-on-master
+
+    # Extended test suite on cron jobs and pushes to tested branches other than master
+    - sudo: required
+      env: TOXENV=nginx_compat
+      services: docker
+      before_install:
+      addons:
+      <<: *extended-test-suite
+    - python: "2.7"
+      env:
+        - TOXENV=travis-test-farm-apache2
+        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
+      <<: *extended-test-suite
+    - python: "2.7"
+      env:
+        - TOXENV=travis-test-farm-leauto-upgrades
+        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
+      git:
+        depth: false  # This is needed to have the history to checkout old versions of certbot-auto.
+      <<: *extended-test-suite
+    - python: "2.7"
+      env:
+        - TOXENV=travis-test-farm-certonly-standalone
+        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
+      <<: *extended-test-suite
+    - python: "2.7"
+      env:
+        - TOXENV=travis-test-farm-sdists
+        - secure: "f+j/Lj9s1lcuKo5sEFrlRd1kIAMnIJI4z0MTI7QF8jl9Fkmbx7KECGzw31TNgzrOSzxSapHbcueFYvNCLKST+kE/8ogMZBbwqXfEDuKpyF6BY3uYoJn+wPVE5pIb8Hhe08xPte8TTDSMIyHI3EyTfcAKrIreauoArePvh/cRvSw="
+      <<: *extended-test-suite
+    - python: "3.7"
+      env: TOXENV=py37 CERTBOT_NO_PIN=1
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration-certbot-oldest
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration-certbot-oldest
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration-nginx-oldest
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "2.7"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration-nginx-oldest
+      # Ubuntu Trusty or older must be used because the oldest version of
+      # cryptography we support cannot be compiled against the version of
+      # OpenSSL in Xenial or newer.
+      dist: trusty
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.4"
+      env: TOXENV=py34
+      <<: *extended-test-suite
+    - python: "3.5"
+      env: TOXENV=py35
+      <<: *extended-test-suite
+    - python: "3.6"
+      env: TOXENV=py36
+      <<: *extended-test-suite
+    - python: "3.7"
+      env: TOXENV=py37
+      <<: *extended-test-suite
+    - python: "3.8-dev"
+      env: TOXENV=py38
+      <<: *extended-test-suite
+    - python: "3.4"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.4"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.5"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.5"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.6"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.6"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.7"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.7"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      sudo: required
+      services: docker
+      <<: *extended-test-suite
+    - python: "3.8-dev"
+      env: ACME_SERVER=boulder-v1 TOXENV=integration
+      <<: *extended-test-suite
+    - python: "3.8-dev"
+      env: ACME_SERVER=boulder-v2 TOXENV=integration
+      <<: *extended-test-suite
+    - sudo: required
+      env: TOXENV=le_auto_jessie
+      services: docker
+      <<: *extended-test-suite
+    - sudo: required
+      env: TOXENV=le_auto_centos6
+      services: docker
+      <<: *extended-test-suite
+    - sudo: required
+      env: TOXENV=docker_dev
+      services: docker
+      addons:
+        apt:
+          packages:  # don't install nginx and apache
+            - libaugeas0
+      <<: *extended-test-suite
+    - language: generic
+      env: TOXENV=py27
+      os: osx
+      # Using this osx_image is a workaround for
+      # https://travis-ci.community/t/xcode-8-3-homebrew-outdated-error/3798.
+      osx_image: xcode10.2
+      addons:
+        homebrew:
+          packages:
+            - augeas
+            - python2
+      <<: *extended-test-suite
+    - language: generic
+      env: TOXENV=py3
+      os: osx
+      # Using this osx_image is a workaround for
+      # https://travis-ci.community/t/xcode-8-3-homebrew-outdated-error/3798.
+      osx_image: xcode10.2
+      addons:
+        homebrew:
+          packages:
+            - augeas
+            - python3
+      <<: *extended-test-suite
+
+# container-based infrastructure
+sudo: false
+
+addons:
+  apt:
+    packages:  # Keep in sync with letsencrypt-auto-source/pieces/bootstrappers/deb_common.sh and Boulder.
+    - python-dev
+    - gcc
+    - libaugeas0
+    - libssl-dev
+    - libffi-dev
+    - ca-certificates
+    # For certbot-nginx integration testing
+    - nginx-light
+    - openssl
+
+# tools/pip_install.py is used to pin packages to a known working version
+# except in tests where the environment variable CERTBOT_NO_PIN is set.
+# virtualenv is listed here explicitly to make sure it is upgraded when
+# CERTBOT_NO_PIN is set to work around failures we've seen when using an older
+# version of virtualenv.
+install: 'tools/pip_install.py -U codecov tox virtualenv'
+# Most of the time TRAVIS_RETRY is an empty string, and has no effect on the
+# script command. It is set only to `travis_retry` during farm tests, in
+# order to trigger the Travis retry feature, and compensate the inherent
+# flakiness of these specific tests.
+script: '$TRAVIS_RETRY tox'
+
+after_success: '[ "$TOXENV" == "py27-cover" ] && codecov -F linux'
+
+notifications:
+  email: false
+  irc:
+    channels:
+      # This is set to a secure variable to prevent forks from sending
+      # notifications. This value was created by installing
+      # https://github.com/travis-ci/travis.rb and running
+      # `travis encrypt "chat.freenode.net#certbot-devel"`.
+      - secure: "EWW66E2+KVPZyIPR8ViENZwfcup4Gx3/dlimmAZE0WuLwxDCshBBOd3O8Rf6pBokEoZlXM5eDT6XdyJj8n0DLslgjO62pExdunXpbcMwdY7l1ELxX2/UbnDTE6UnPYa09qVBHNG7156Z6yE0x2lH4M9Ykvp0G0cubjPQHylAwo0="
+    on_cancel: never
+    on_success: never
+    on_failure: always

AUTHORS.md

@@ -1,7 +1,6 @@
 Authors
 =======
 
-* [Aaron Gable](https://github.com/aarongable)
 * [Aaron Zirbes](https://github.com/aaronzirbes)
 * Aaron Zuehlke
 * Ada Lovelace
@@ -22,7 +21,6 @@ Authors
 * [Andrzej Górski](https://github.com/andrzej3393)
 * [Anselm Levskaya](https://github.com/levskaya)
 * [Antoine Jacoutot](https://github.com/ajacoutot)
-* [April King](https://github.com/april)
 * [asaph](https://github.com/asaph)
 * [Axel Beckert](https://github.com/xtaran)
 * [Bas](https://github.com/Mechazawa)
@@ -37,9 +35,7 @@ Authors
 * [Blake Griffith](https://github.com/cowlicks)
 * [Brad Warren](https://github.com/bmw)
 * [Brandon Kraft](https://github.com/kraftbj)
-* [Brandon Kreisel](https://github.com/BKreisel)
-* [Brian Heim](https://github.com/brianlheim)
-* [Cameron Steel](https://github.com/Tugzrida)
+* [Brandon Kreisel](https://github.com/kraftbj)
 * [Ceesjan Luiten](https://github.com/quinox)
 * [Chad Whitacre](https://github.com/whit537)
 * [Chhatoi Pritam Baral](https://github.com/pritambaral)
@@ -61,9 +57,7 @@ Authors
 * [DanCld](https://github.com/DanCld)
 * [Daniel Albers](https://github.com/AID)
 * [Daniel Aleksandersen](https://github.com/da2x)
-* [Daniel Almasi](https://github.com/almasen)
 * [Daniel Convissor](https://github.com/convissor)
-* [Daniel "Drex" Drexler](https://github.com/aeturnum)
 * [Daniel Huang](https://github.com/dhuang)
 * [Dave Guarino](https://github.com/daguar)
 * [David cz](https://github.com/dave-cz)
@@ -88,7 +82,6 @@ Authors
 * [Felix Schwarz](https://github.com/FelixSchwarz)
 * [Felix Yan](https://github.com/felixonmars)
 * [Filip Ochnik](https://github.com/filipochnik)
-* [Florian Klink](https://github.com/flokli)
 * [Francois Marier](https://github.com/fmarier)
 * [Frank](https://github.com/Frankkkkk)
 * [Frederic BLANC](https://github.com/fblanc)
@@ -107,9 +100,7 @@ Authors
 * [Harlan Lieberman-Berg](https://github.com/hlieberman)
 * [Henri Salo](https://github.com/fgeek)
 * [Henry Chen](https://github.com/henrychen95)
-* [Hugo van Kemenade](https://github.com/hugovk)
 * [Ingolf Becker](https://github.com/watercrossing)
-* [Ivan Nejgebauer](https://github.com/inejge)
 * [Jaap Eldering](https://github.com/eldering)
 * [Jacob Hoffman-Andrews](https://github.com/jsha)
 * [Jacob Sachs](https://github.com/jsachs)
@@ -133,7 +124,6 @@ Authors
 * [Jonathan Herlin](https://github.com/Jonher937)
 * [Jon Walsh](https://github.com/code-tree)
 * [Joona Hoikkala](https://github.com/joohoi)
-* [Josh McCullough](https://github.com/JoshMcCullough)
 * [Josh Soref](https://github.com/jsoref)
 * [Joubin Jabbari](https://github.com/joubin)
 * [Juho Juopperi](https://github.com/jkjuopperi)
@@ -151,13 +141,11 @@ Authors
 * [Lior Sabag](https://github.com/liorsbg)
 * [Lipis](https://github.com/lipis)
 * [lord63](https://github.com/lord63)
-* [Lorenzo Fundaró](https://github.com/lfundaro)
 * [Luca Beltrame](https://github.com/lbeltrame)
 * [Luca Ebach](https://github.com/lucebac)
 * [Luca Olivetti](https://github.com/olivluca)
 * [Luke Rogers](https://github.com/lukeroge)
 * [Maarten](https://github.com/mrtndwrd)
-* [Mads Jensen](https://github.com/atombrella)
 * [Maikel Martens](https://github.com/krukas)
 * [Malte Janduda](https://github.com/MalteJ)
 * [Mantas Mikulėnas](https://github.com/grawity)
@@ -209,7 +197,6 @@ Authors
 * [Pierre Jaury](https://github.com/kaiyou)
 * [Piotr Kasprzyk](https://github.com/kwadrat)
 * [Prayag Verma](https://github.com/pra85)
-* [Rasesh Patel](https://github.com/raspat1)
 * [Reinaldo de Souza Jr](https://github.com/juniorz)
 * [Remi Rampin](https://github.com/remram44)
 * [Rémy HUBSCHER](https://github.com/Natim)
@@ -217,7 +204,6 @@ Authors
 * [Richard Barnes](https://github.com/r-barnes)
 * [Richard Panek](https://github.com/kernelpanek)
 * [Robert Buchholz](https://github.com/rbu)
-* [Robert Dailey](https://github.com/pahrohfit)
 * [Robert Habermann](https://github.com/frennkie)
 * [Robert Xiao](https://github.com/nneonneo)
 * [Roland Shoemaker](https://github.com/rolandshoemaker)
@@ -243,11 +229,9 @@ Authors
 * [Spencer Bliven](https://github.com/sbliven)
 * [Stacey Sheldon](https://github.com/solidgoldbomb)
 * [Stavros Korokithakis](https://github.com/skorokithakis)
-* [Ștefan Talpalaru](https://github.com/stefantalpalaru)
 * [Stefan Weil](https://github.com/stweil)
 * [Steve Desmond](https://github.com/stevedesmond-ca)
 * [sydneyli](https://github.com/sydneyli)
-* [taixx046](https://github.com/taixx046)
 * [Tan Jay Jun](https://github.com/jayjun)
 * [Tapple Gao](https://github.com/tapple)
 * [Telepenin Nikolay](https://github.com/telepenin)
@@ -279,6 +263,5 @@ Authors
 * [Yomna](https://github.com/ynasser)
 * [Yoni Jah](https://github.com/yonjah)
 * [YourDaddyIsHere](https://github.com/YourDaddyIsHere)
-* [Yuseong Cho](https://github.com/g6123)
 * [Zach Shepherd](https://github.com/zjs)
 * [陈三](https://github.com/chenxsan)

CONTRIBUTING.md

@@ -11,7 +11,7 @@ to the Sphinx generated docs is provided below.
 
 
 [1] https://github.com/blog/1184-contributing-guidelines
-[2] https://docutils.sourceforge.io/docs/user/rst/quickref.html#hyperlink-targets
+[2] http://docutils.sourceforge.net/docs/user/rst/quickref.html#hyperlink-targets
 
 -->
 

Dockerfile-dev

@@ -1,21 +1,21 @@
 # This Dockerfile builds an image for development.
-FROM ubuntu:focal
+FROM debian:buster
 
 # Note: this only exposes the port to other docker containers.
 EXPOSE 80 443
 
 WORKDIR /opt/certbot/src
 
+# TODO: Install Apache/Nginx for plugin development.
 COPY . .
 RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install apache2 git python3-dev \
-        python3-venv gcc libaugeas0 libssl-dev libffi-dev ca-certificates \
-        openssl nginx-light -y --no-install-recommends && \
+    apt-get install apache2 git nginx-light -y && \
+    letsencrypt-auto-source/letsencrypt-auto --os-packages-only && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* \
            /tmp/* \
            /var/tmp/*
 
-RUN VENV_NAME="../venv" python3 tools/venv.py
+RUN VENV_NAME="../venv" python tools/venv.py
 
 ENV PATH /opt/certbot/venv/bin:$PATH

ISSUE_TEMPLATE.md

@@ -7,7 +7,7 @@ questions.
 ## My operating system is (include version):
 
 
-## I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):
+## I installed Certbot with (certbot-auto, OS package manager, pip, etc):
 
 
 ## I ran this command and it produced this output:

acme/MANIFEST.in

@@ -3,6 +3,4 @@ include README.rst
 include pytest.ini
 recursive-include docs *
 recursive-include examples *
-recursive-include tests *
-global-exclude __pycache__
-global-exclude *.py[cod]
+recursive-include acme/testdata *

acme/acme/__init__.py

@@ -6,12 +6,14 @@ This module is an implementation of the `ACME protocol`_.
 
 """
 import sys
+import warnings
 
 # This code exists to keep backwards compatibility with people using acme.jose
 # before it became the standalone josepy package.
 #
 # It is based on
 # https://github.com/requests/requests/blob/1278ecdf71a312dc2268f3bfc0aabfab3c006dcf/requests/packages.py
+
 import josepy as jose
 
 for mod in list(sys.modules):

acme/acme/challenges.py

@@ -1,23 +1,15 @@
 """ACME Identifier Validation Challenges."""
 import abc
-import codecs
 import functools
 import hashlib
 import logging
-import socket
-from typing import Type
 
 from cryptography.hazmat.primitives import hashes  # type: ignore
 import josepy as jose
-from OpenSSL import crypto
-from OpenSSL import SSL  # type: ignore # https://github.com/python/typeshed/issues/2052
 import requests
+import six
 
-from acme import crypto_util
-from acme import errors
 from acme import fields
-from acme.mixins import ResourceMixin
-from acme.mixins import TypeMixin
 
 logger = logging.getLogger(__name__)
 
@@ -25,21 +17,21 @@ logger = logging.getLogger(__name__)
 class Challenge(jose.TypedJSONObjectWithFields):
     # _fields_to_partial_json
     """ACME challenge."""
-    TYPES: dict = {}
+    TYPES = {}  # type: dict
 
     @classmethod
     def from_json(cls, jobj):
         try:
-            return super().from_json(jobj)
+            return super(Challenge, cls).from_json(jobj)
         except jose.UnrecognizedTypeError as error:
             logger.debug(error)
             return UnrecognizedChallenge.from_json(jobj)
 
 
-class ChallengeResponse(ResourceMixin, TypeMixin, jose.TypedJSONObjectWithFields):
+class ChallengeResponse(jose.TypedJSONObjectWithFields):
     # _fields_to_partial_json
     """ACME challenge response."""
-    TYPES: dict = {}
+    TYPES = {}  # type: dict
     resource_type = 'challenge'
     resource = fields.Resource(resource_type)
 
@@ -58,11 +50,12 @@ class UnrecognizedChallenge(Challenge):
     """
 
     def __init__(self, jobj):
-        super().__init__()
+        super(UnrecognizedChallenge, self).__init__()
         object.__setattr__(self, "jobj", jobj)
 
     def to_partial_json(self):
-        return self.jobj  # pylint: disable=no-member
+        # pylint: disable=no-member
+        return self.jobj
 
     @classmethod
     def from_json(cls, jobj):
@@ -120,7 +113,7 @@ class KeyAuthorizationChallengeResponse(ChallengeResponse):
         :rtype: bool
 
         """
-        parts = self.key_authorization.split('.')
+        parts = self.key_authorization.split('.')  # pylint: disable=no-member
         if len(parts) != 2:
             logger.debug("Key authorization (%r) is not well formed",
                          self.key_authorization)
@@ -141,20 +134,21 @@ class KeyAuthorizationChallengeResponse(ChallengeResponse):
         return True
 
     def to_partial_json(self):
-        jobj = super().to_partial_json()
+        jobj = super(KeyAuthorizationChallengeResponse, self).to_partial_json()
         jobj.pop('keyAuthorization', None)
         return jobj
 
 
-class KeyAuthorizationChallenge(_TokenChallenge, metaclass=abc.ABCMeta):
+@six.add_metaclass(abc.ABCMeta)
+class KeyAuthorizationChallenge(_TokenChallenge):
     """Challenge based on Key Authorization.
 
     :param response_cls: Subclass of `KeyAuthorizationChallengeResponse`
-        that will be used to generate ``response``.
+        that will be used to generate `response`.
     :param str typ: type of the challenge
     """
-    typ: str = NotImplemented
-    response_cls: Type[KeyAuthorizationChallengeResponse] = NotImplemented
+    typ = NotImplemented
+    response_cls = NotImplemented
     thumbprint_hash_function = (
         KeyAuthorizationChallengeResponse.thumbprint_hash_function)
 
@@ -310,7 +304,7 @@ class HTTP01Response(KeyAuthorizationChallengeResponse):
         uri = chall.uri(domain)
         logger.debug("Verifying %s at %s...", chall.typ, uri)
         try:
-            http_response = requests.get(uri, verify=False)
+            http_response = requests.get(uri)
         except requests.exceptions.RequestException as error:
             logger.error("Unable to reach %s: %s", uri, error)
             return False
@@ -369,163 +363,29 @@ class HTTP01(KeyAuthorizationChallenge):
 
 @ChallengeResponse.register
 class TLSALPN01Response(KeyAuthorizationChallengeResponse):
-    """ACME tls-alpn-01 challenge response."""
+    """ACME TLS-ALPN-01 challenge response.
+
+    This class only allows initiating a TLS-ALPN-01 challenge returned from the
+    CA. Full support for responding to TLS-ALPN-01 challenges by generating and
+    serving the expected response certificate is not currently provided.
+    """
     typ = "tls-alpn-01"
 
-    PORT = 443
-    """Verification port as defined by the protocol.
 
-    You can override it (e.g. for testing) by passing ``port`` to
-    `simple_verify`.
+@Challenge.register
+class TLSALPN01(KeyAuthorizationChallenge):
+    """ACME tls-alpn-01 challenge.
+
+    This class simply allows parsing the TLS-ALPN-01 challenge returned from
+    the CA. Full TLS-ALPN-01 support is not currently provided.
 
     """
-
-    ID_PE_ACME_IDENTIFIER_V1 = b"1.3.6.1.5.5.7.1.30.1"
-    ACME_TLS_1_PROTOCOL = "acme-tls/1"
-
-    @property
-    def h(self):
-        """Hash value stored in challenge certificate"""
-        return hashlib.sha256(self.key_authorization.encode('utf-8')).digest()
-
-    def gen_cert(self, domain, key=None, bits=2048):
-        """Generate tls-alpn-01 certificate.
-
-        :param unicode domain: Domain verified by the challenge.
-        :param OpenSSL.crypto.PKey key: Optional private key used in
-            certificate generation. If not provided (``None``), then
-            fresh key will be generated.
-        :param int bits: Number of bits for newly generated key.
-
-        :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
-
-        """
-        if key is None:
-            key = crypto.PKey()
-            key.generate_key(crypto.TYPE_RSA, bits)
-
-
-        der_value = b"DER:" + codecs.encode(self.h, 'hex')
-        acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1,
-                critical=True, value=der_value)
-
-        return crypto_util.gen_ss_cert(key, [domain], force_san=True,
-                extensions=[acme_extension]), key
-
-    def probe_cert(self, domain, host=None, port=None):
-        """Probe tls-alpn-01 challenge certificate.
-
-        :param unicode domain: domain being validated, required.
-        :param string host: IP address used to probe the certificate.
-        :param int port: Port used to probe the certificate.
-
-        """
-        if host is None:
-            host = socket.gethostbyname(domain)
-            logger.debug('%s resolved to %s', domain, host)
-        if port is None:
-            port = self.PORT
-
-        return crypto_util.probe_sni(host=host, port=port, name=domain,
-                alpn_protocols=[self.ACME_TLS_1_PROTOCOL])
-
-    def verify_cert(self, domain, cert):
-        """Verify tls-alpn-01 challenge certificate.
-
-        :param unicode domain: Domain name being validated.
-        :param OpensSSL.crypto.X509 cert: Challenge certificate.
-
-        :returns: Whether the certificate was successfully verified.
-        :rtype: bool
-
-        """
-        # pylint: disable=protected-access
-        names = crypto_util._pyopenssl_cert_or_req_all_names(cert)
-        logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), names)
-        if len(names) != 1 or names[0].lower() != domain.lower():
-            return False
-
-        for i in range(cert.get_extension_count()):
-            ext = cert.get_extension(i)
-            # FIXME: assume this is the ACME extension. Currently there is no
-            # way to get full OID of an unknown extension from pyopenssl.
-            if ext.get_short_name() == b'UNDEF':
-                data = ext.get_data()
-                return data == self.h
-
-        return False
-
-    # pylint: disable=too-many-arguments
-    def simple_verify(self, chall, domain, account_public_key,
-                      cert=None, host=None, port=None):
-        """Simple verify.
-
-        Verify ``validation`` using ``account_public_key``, optionally
-        probe tls-alpn-01 certificate and check using `verify_cert`.
-
-        :param .challenges.TLSALPN01 chall: Corresponding challenge.
-        :param str domain: Domain name being validated.
-        :param JWK account_public_key:
-        :param OpenSSL.crypto.X509 cert: Optional certificate. If not
-            provided (``None``) certificate will be retrieved using
-            `probe_cert`.
-        :param string host: IP address used to probe the certificate.
-        :param int port: Port used to probe the certificate.
-
-
-        :returns: ``True`` if and only if client's control of the domain has been verified.
-        :rtype: bool
-
-        """
-        if not self.verify(chall, account_public_key):
-            logger.debug("Verification of key authorization in response failed")
-            return False
-
-        if cert is None:
-            try:
-                cert = self.probe_cert(domain=domain, host=host, port=port)
-            except errors.Error as error:
-                logger.debug(str(error), exc_info=True)
-                return False
-
-        return self.verify_cert(domain, cert)
-
-
-@Challenge.register  # pylint: disable=too-many-ancestors
-class TLSALPN01(KeyAuthorizationChallenge):
-    """ACME tls-alpn-01 challenge."""
+    typ = "tls-alpn-01"
     response_cls = TLSALPN01Response
-    typ = response_cls.typ
 
     def validation(self, account_key, **kwargs):
-        """Generate validation.
-
-        :param JWK account_key:
-        :param unicode domain: Domain verified by the challenge.
-        :param OpenSSL.crypto.PKey cert_key: Optional private key used
-            in certificate generation. If not provided (``None``), then
-            fresh key will be generated.
-
-        :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
-
-        """
-        return self.response(account_key).gen_cert(
-            key=kwargs.get('cert_key'),
-            domain=kwargs.get('domain'))
-
-    @staticmethod
-    def is_supported():
-        """
-        Check if TLS-ALPN-01 challenge is supported on this machine.
-        This implies that a recent version of OpenSSL is installed (>= 1.0.2),
-        or a recent cryptography version shipped with the OpenSSL library is installed.
-
-        :returns: ``True`` if TLS-ALPN-01 is supported on this machine, ``False`` otherwise.
-        :rtype: bool
-
-        """
-        return (hasattr(SSL.Connection, "set_alpn_protos")
-                and hasattr(SSL.Context, "set_alpn_select_callback"))
+        """Generate validation for the challenge."""
+        raise NotImplementedError()
 
 
 @Challenge.register

acme/acme/challenges_test.py

@@ -1,15 +1,13 @@
 """Tests for acme.challenges."""
-import urllib.parse as urllib_parse
 import unittest
-from unittest import mock
 
 import josepy as jose
-import OpenSSL
+import mock
 import requests
 
-from acme import errors
+from six.moves.urllib import parse as urllib_parse  # pylint: disable=relative-import
 
-import test_util
+from acme import test_util
 
 CERT = test_util.load_comparable_cert('cert.pem')
 KEY = jose.JWKRSA(key=test_util.load_rsa_private_key('rsa512_key.pem'))
@@ -21,6 +19,7 @@ class ChallengeTest(unittest.TestCase):
         from acme.challenges import Challenge
         from acme.challenges import UnrecognizedChallenge
         chall = UnrecognizedChallenge({"type": "foo"})
+        # pylint: disable=no-member
         self.assertEqual(chall, Challenge.from_json(chall.jobj))
 
 
@@ -184,7 +183,7 @@ class HTTP01ResponseTest(unittest.TestCase):
         mock_get.return_value = mock.MagicMock(text=validation)
         self.assertTrue(self.response.simple_verify(
             self.chall, "local", KEY.public_key()))
-        mock_get.assert_called_once_with(self.chall.uri("local"), verify=False)
+        mock_get.assert_called_once_with(self.chall.uri("local"))
 
     @mock.patch("acme.challenges.requests.get")
     def test_simple_verify_bad_validation(self, mock_get):
@@ -200,7 +199,7 @@ class HTTP01ResponseTest(unittest.TestCase):
                   HTTP01Response.WHITESPACE_CUTSET))
         self.assertTrue(self.response.simple_verify(
             self.chall, "local", KEY.public_key()))
-        mock_get.assert_called_once_with(self.chall.uri("local"), verify=False)
+        mock_get.assert_called_once_with(self.chall.uri("local"))
 
     @mock.patch("acme.challenges.requests.get")
     def test_simple_verify_connection_error(self, mock_get):
@@ -259,87 +258,30 @@ class HTTP01Test(unittest.TestCase):
 class TLSALPN01ResponseTest(unittest.TestCase):
 
     def setUp(self):
-        from acme.challenges import TLSALPN01
-        self.chall = TLSALPN01(
-            token=jose.b64decode(b'a82d5ff8ef740d12881f6d3c2277ab2e'))
-        self.domain = u'example.com'
-        self.domain2 = u'example2.com'
-
-        self.response = self.chall.response(KEY)
+        from acme.challenges import TLSALPN01Response
+        self.msg = TLSALPN01Response(key_authorization=u'foo')
         self.jmsg = {
             'resource': 'challenge',
             'type': 'tls-alpn-01',
-            'keyAuthorization': self.response.key_authorization,
+            'keyAuthorization': u'foo',
         }
 
+        from acme.challenges import TLSALPN01
+        self.chall = TLSALPN01(token=(b'x' * 16))
+        self.response = self.chall.response(KEY)
+
     def test_to_partial_json(self):
         self.assertEqual({k: v for k, v in self.jmsg.items() if k != 'keyAuthorization'},
-                         self.response.to_partial_json())
+                         self.msg.to_partial_json())
 
     def test_from_json(self):
         from acme.challenges import TLSALPN01Response
-        self.assertEqual(self.response, TLSALPN01Response.from_json(self.jmsg))
+        self.assertEqual(self.msg, TLSALPN01Response.from_json(self.jmsg))
 
     def test_from_json_hashable(self):
         from acme.challenges import TLSALPN01Response
         hash(TLSALPN01Response.from_json(self.jmsg))
 
-    def test_gen_verify_cert(self):
-        key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
-        cert, key2 = self.response.gen_cert(self.domain, key1)
-        self.assertEqual(key1, key2)
-        self.assertTrue(self.response.verify_cert(self.domain, cert))
-
-    def test_gen_verify_cert_gen_key(self):
-        cert, key = self.response.gen_cert(self.domain)
-        self.assertIsInstance(key, OpenSSL.crypto.PKey)
-        self.assertTrue(self.response.verify_cert(self.domain, cert))
-
-    def test_verify_bad_cert(self):
-        self.assertFalse(self.response.verify_cert(self.domain,
-            test_util.load_cert('cert.pem')))
-
-    def test_verify_bad_domain(self):
-        key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem')
-        cert, key2 = self.response.gen_cert(self.domain, key1)
-        self.assertEqual(key1, key2)
-        self.assertFalse(self.response.verify_cert(self.domain2, cert))
-
-    def test_simple_verify_bad_key_authorization(self):
-        key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem'))
-        self.response.simple_verify(self.chall, "local", key2.public_key())
-
-    @mock.patch('acme.challenges.TLSALPN01Response.verify_cert', autospec=True)
-    def test_simple_verify(self, mock_verify_cert):
-        mock_verify_cert.return_value = mock.sentinel.verification
-        self.assertEqual(
-            mock.sentinel.verification, self.response.simple_verify(
-                self.chall, self.domain, KEY.public_key(),
-                cert=mock.sentinel.cert))
-        mock_verify_cert.assert_called_once_with(
-            self.response, self.domain, mock.sentinel.cert)
-
-    @mock.patch('acme.challenges.socket.gethostbyname')
-    @mock.patch('acme.challenges.crypto_util.probe_sni')
-    def test_probe_cert(self, mock_probe_sni, mock_gethostbyname):
-        mock_gethostbyname.return_value = '127.0.0.1'
-        self.response.probe_cert('foo.com')
-        mock_gethostbyname.assert_called_once_with('foo.com')
-        mock_probe_sni.assert_called_once_with(
-            host='127.0.0.1', port=self.response.PORT, name='foo.com',
-            alpn_protocols=['acme-tls/1'])
-
-        self.response.probe_cert('foo.com', host='8.8.8.8')
-        mock_probe_sni.assert_called_with(
-            host='8.8.8.8', port=mock.ANY, name='foo.com',
-            alpn_protocols=['acme-tls/1'])
-
-    @mock.patch('acme.challenges.TLSALPN01Response.probe_cert')
-    def test_simple_verify_false_on_probe_error(self, mock_probe_cert):
-        mock_probe_cert.side_effect = errors.Error
-        self.assertFalse(self.response.simple_verify(
-            self.chall, self.domain, KEY.public_key()))
-
 
 class TLSALPN01Test(unittest.TestCase):
 
@@ -369,13 +311,8 @@ class TLSALPN01Test(unittest.TestCase):
         self.assertRaises(
             jose.DeserializationError, TLSALPN01.from_json, self.jmsg)
 
-    @mock.patch('acme.challenges.TLSALPN01Response.gen_cert')
-    def test_validation(self, mock_gen_cert):
-        mock_gen_cert.return_value = ('cert', 'key')
-        self.assertEqual(('cert', 'key'), self.msg.validation(
-            KEY, cert_key=mock.sentinel.cert_key, domain=mock.sentinel.domain))
-        mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key,
-                                              domain=mock.sentinel.domain)
+    def test_validation(self):
+        self.assertRaises(NotImplementedError, self.msg.validation, KEY)
 
 
 class DNSTest(unittest.TestCase):
@@ -431,7 +368,7 @@ class DNSTest(unittest.TestCase):
             mock_gen.return_value = mock.sentinel.validation
             response = self.msg.gen_response(KEY)
         from acme.challenges import DNSResponse
-        self.assertIsInstance(response, DNSResponse)
+        self.assertTrue(isinstance(response, DNSResponse))
         self.assertEqual(response.validation, mock.sentinel.validation)
 
     def test_validation_domain_name(self):
@@ -478,18 +415,5 @@ class DNSResponseTest(unittest.TestCase):
             self.msg.check_validation(self.chall, KEY.public_key()))
 
 
-class JWSPayloadRFC8555Compliant(unittest.TestCase):
-    """Test for RFC8555 compliance of JWS generated from resources/challenges"""
-    def test_challenge_payload(self):
-        from acme.challenges import HTTP01Response
-
-        challenge_body = HTTP01Response()
-        challenge_body.le_acme_version = 2
-
-        jobj = challenge_body.json_dumps(indent=2).encode()
-        # RFC8555 states that challenge responses must have an empty payload.
-        self.assertEqual(jobj, b'{}')
-
-
 if __name__ == '__main__':
     unittest.main()  # pragma: no cover

acme/acme/client.py

@@ -4,38 +4,47 @@ import collections
 import datetime
 from email.utils import parsedate_tz
 import heapq
-import http.client as http_client
 import logging
-import re
 import time
-from typing import cast
-from typing import Dict
-from typing import List
-from typing import Set
-from typing import Text
-from typing import Union
+import re
+import sys
 
+import six
+from six.moves import http_client  # pylint: disable=import-error
 import josepy as jose
 import OpenSSL
 import requests
 from requests.adapters import HTTPAdapter
-from requests.utils import parse_header_links
 from requests_toolbelt.adapters.source import SourceAddressAdapter
 
 from acme import crypto_util
 from acme import errors
 from acme import jws
 from acme import messages
-from acme.mixins import VersionedLEACMEMixin
+# pylint: disable=unused-import, no-name-in-module
+from acme.magic_typing import Dict, List, Set, Text
+
 
 logger = logging.getLogger(__name__)
 
+# Prior to Python 2.7.9 the stdlib SSL module did not allow a user to configure
+# many important security related options. On these platforms we use PyOpenSSL
+# for SSL, which does allow these options to be configured.
+# https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
+if sys.version_info < (2, 7, 9):  # pragma: no cover
+    try:
+        # pylint: disable=no-member
+        requests.packages.urllib3.contrib.pyopenssl.inject_into_urllib3()  # type: ignore
+    except AttributeError:
+        import urllib3.contrib.pyopenssl  # pylint: disable=import-error
+        urllib3.contrib.pyopenssl.inject_into_urllib3()
+
 DEFAULT_NETWORK_TIMEOUT = 45
 
 DER_CONTENT_TYPE = 'application/pkix-cert'
 
 
-class ClientBase:
+class ClientBase(object):
     """ACME client base object.
 
     :ivar messages.Directory directory:
@@ -114,9 +123,8 @@ class ClientBase:
         """
         return self.update_registration(regr, update={'status': 'deactivated'})
 
-    def deactivate_authorization(self,
-                                 authzr: messages.AuthorizationResource
-                                 ) -> messages.AuthorizationResource:
+    def deactivate_authorization(self, authzr):
+        # type: (messages.AuthorizationResource) -> messages.AuthorizationResource
         """Deactivate authorization.
 
         :param messages.AuthorizationResource authzr: The Authorization resource
@@ -191,7 +199,7 @@ class ClientBase:
             when = parsedate_tz(retry_after)
             if when is not None:
                 try:
-                    tz_secs = datetime.timedelta(when[-1] if when[-1] is not None else 0)
+                    tz_secs = datetime.timedelta(when[-1] if when[-1] else 0)
                     return datetime.datetime(*when[:7]) - tz_secs
                 except (ValueError, OverflowError):
                     pass
@@ -250,10 +258,10 @@ class Client(ClientBase):
         if net is None:
             net = ClientNetwork(key, alg=alg, verify_ssl=verify_ssl)
 
-        if isinstance(directory, str):
+        if isinstance(directory, six.string_types):
             directory = messages.Directory.from_json(
                 net.get(directory).json())
-        super().__init__(directory=directory,
+        super(Client, self).__init__(directory=directory,
             net=net, acme_version=1)
 
     def register(self, new_reg=None):
@@ -271,6 +279,7 @@ class Client(ClientBase):
         assert response.status_code == http_client.CREATED
 
         # "Instance of 'Field' has no key/contact member" bug:
+        # pylint: disable=no-member
         return self._regr_from_response(response)
 
     def query_registration(self, regr):
@@ -426,7 +435,7 @@ class Client(ClientBase):
 
         """
         assert max_attempts > 0
-        attempts: Dict[messages.AuthorizationResource, int] = collections.defaultdict(int)
+        attempts = collections.defaultdict(int) # type: Dict[messages.AuthorizationResource, int]
         exhausted = set()
 
         # priority queue with datetime.datetime (based on Retry-After) as key,
@@ -438,7 +447,7 @@ class Client(ClientBase):
         heapq.heapify(waiting)
         # mapping between original Authorization Resource and the most
         # recently updated one
-        updated = {authzr: authzr for authzr in authzrs}
+        updated = dict((authzr, authzr) for authzr in authzrs)
 
         while waiting:
             # find the smallest Retry-After, and sleep if necessary
@@ -455,6 +464,7 @@ class Client(ClientBase):
             updated[authzr] = updated_authzr
 
             attempts[authzr] += 1
+            # pylint: disable=no-member
             if updated_authzr.body.status not in (
                     messages.STATUS_VALID, messages.STATUS_INVALID):
                 if attempts[authzr] < max_attempts:
@@ -465,7 +475,7 @@ class Client(ClientBase):
                     exhausted.add(authzr)
 
         if exhausted or any(authzr.body.status == messages.STATUS_INVALID
-                            for authzr in updated.values()):
+                            for authzr in six.itervalues(updated)):
             raise errors.PollError(exhausted, updated)
 
         updated_authzrs = tuple(updated[authzr] for authzr in authzrs)
@@ -539,7 +549,7 @@ class Client(ClientBase):
         :rtype: `list` of `OpenSSL.crypto.X509` wrapped in `.ComparableX509`
 
         """
-        chain: List[jose.ComparableX509] = []
+        chain = [] # type: List[jose.ComparableX509]
         uri = certr.cert_chain_uri
         while uri is not None and len(chain) < max_length:
             response, cert = self._get_cert(uri)
@@ -577,7 +587,7 @@ class ClientV2(ClientBase):
         :param .messages.Directory directory: Directory Resource
         :param .ClientNetwork net: Client network.
         """
-        super().__init__(directory=directory,
+        super(ClientV2, self).__init__(directory=directory,
             net=net, acme_version=2)
 
     def new_account(self, new_account):
@@ -595,6 +605,7 @@ class ClientV2(ClientBase):
         if response.status_code == 200 and 'Location' in response.headers:
             raise errors.ConflictError(response.headers.get('Location'))
         # "Instance of 'Field' has no key/contact member" bug:
+        # pylint: disable=no-member
         regr = self._regr_from_response(response)
         self.net.account = regr
         return regr
@@ -627,7 +638,7 @@ class ClientV2(ClientBase):
         """
         # https://github.com/certbot/certbot/issues/6155
         new_regr = self._get_v2_account(regr)
-        return super().update_registration(new_regr, update)
+        return super(ClientV2, self).update_registration(new_regr, update)
 
     def _get_v2_account(self, regr):
         self.net.account = None
@@ -658,7 +669,7 @@ class ClientV2(ClientBase):
         response = self._post(self.directory['newOrder'], order)
         body = messages.Order.from_json(response.json())
         authorizations = []
-        for url in body.authorizations:
+        for url in body.authorizations:  # pylint: disable=not-an-iterable
             authorizations.append(self._authzr_from_response(self._post_as_get(url), uri=url))
         return messages.OrderResource(
             body=body,
@@ -718,19 +729,17 @@ class ClientV2(ClientBase):
         for authzr in responses:
             if authzr.body.status != messages.STATUS_VALID:
                 for chall in authzr.body.challenges:
-                    if chall.error is not None:
+                    if chall.error != None:
                         failed.append(authzr)
         if failed:
             raise errors.ValidationError(failed)
         return orderr.update(authorizations=responses)
 
-    def finalize_order(self, orderr, deadline, fetch_alternative_chains=False):
+    def finalize_order(self, orderr, deadline):
         """Finalize an order and obtain a certificate.
 
         :param messages.OrderResource orderr: order to finalize
         :param datetime.datetime deadline: when to stop polling and timeout
-        :param bool fetch_alternative_chains: whether to also fetch alternative
-            certificate chains
 
         :returns: finalized order
         :rtype: messages.OrderResource
@@ -747,13 +756,8 @@ class ClientV2(ClientBase):
             if body.error is not None:
                 raise errors.IssuanceError(body.error)
             if body.certificate is not None:
-                certificate_response = self._post_as_get(body.certificate)
-                orderr = orderr.update(body=body, fullchain_pem=certificate_response.text)
-                if fetch_alternative_chains:
-                    alt_chains_urls = self._get_links(certificate_response, 'alternate')
-                    alt_chains = [self._post_as_get(url).text for url in alt_chains_urls]
-                    orderr = orderr.update(alternative_fullchains_pem=alt_chains)
-                return orderr
+                certificate_response = self._post_as_get(body.certificate).text
+                return orderr.update(body=body, fullchain_pem=certificate_response)
         raise errors.TimeoutError()
 
     def revoke(self, cert, rsn):
@@ -775,30 +779,32 @@ class ClientV2(ClientBase):
 
     def _post_as_get(self, *args, **kwargs):
         """
-        Send GET request using the POST-as-GET protocol.
+        Send GET request using the POST-as-GET protocol if needed.
+        The request will be first issued using POST-as-GET for ACME v2. If the ACME CA servers do
+        not support this yet and return an error, request will be retried using GET.
+        For ACME v1, only GET request will be tried, as POST-as-GET is not supported.
         :param args:
         :param kwargs:
         :return:
         """
-        new_args = args[:1] + (None,) + args[1:]
-        return self._post(*new_args, **kwargs)
+        if self.acme_version >= 2:
+            # We add an empty payload for POST-as-GET requests
+            new_args = args[:1] + (None,) + args[1:]
+            try:
+                return self._post(*new_args, **kwargs)
+            except messages.Error as error:
+                if error.code == 'malformed':
+                    logger.debug('Error during a POST-as-GET request, '
+                                 'your ACME CA server may not support it:\n%s', error)
+                    logger.debug('Retrying request with GET.')
+                else:  # pragma: no cover
+                    raise
 
-    def _get_links(self, response, relation_type):
-        """
-        Retrieves all Link URIs of relation_type from the response.
-        :param requests.Response response: The requests HTTP response.
-        :param str relation_type: The relation type to filter by.
-        """
-        # Can't use response.links directly because it drops multiple links
-        # of the same relation type, which is possible in RFC8555 responses.
-        if 'Link' not in response.headers:
-            return []
-        links = parse_header_links(response.headers['Link'])
-        return [l['url'] for l in links
-                if 'rel' in l and 'url' in l and l['rel'] == relation_type]
+        # If POST-as-GET is not supported yet, we use a GET instead.
+        return self.net.get(*args, **kwargs)
 
 
-class BackwardsCompatibleClientV2:
+class BackwardsCompatibleClientV2(object):
     """ACME client wrapper that tends towards V2-style calls, but
     supports V1 servers.
 
@@ -820,7 +826,6 @@ class BackwardsCompatibleClientV2:
     def __init__(self, net, key, server):
         directory = messages.Directory.from_json(net.get(server).json())
         self.acme_version = self._acme_version_from_directory(directory)
-        self.client: Union[Client, ClientV2]
         if self.acme_version == 1:
             self.client = Client(directory, key=key, net=net)
         else:
@@ -840,18 +845,16 @@ class BackwardsCompatibleClientV2:
             if check_tos_cb is not None:
                 check_tos_cb(tos)
         if self.acme_version == 1:
-            client_v1 = cast(Client, self.client)
-            regr = client_v1.register(regr)
+            regr = self.client.register(regr)
             if regr.terms_of_service is not None:
                 _assess_tos(regr.terms_of_service)
-                return client_v1.agree_to_tos(regr)
+                return self.client.agree_to_tos(regr)
             return regr
         else:
-            client_v2 = cast(ClientV2, self.client)
-            if "terms_of_service" in client_v2.directory.meta:
-                _assess_tos(client_v2.directory.meta.terms_of_service)
+            if "terms_of_service" in self.client.directory.meta:
+                _assess_tos(self.client.directory.meta.terms_of_service)
                 regr = regr.update(terms_of_service_agreed=True)
-            return client_v2.new_account(regr)
+            return self.client.new_account(regr)
 
     def new_order(self, csr_pem):
         """Request a new Order object from the server.
@@ -869,32 +872,28 @@ class BackwardsCompatibleClientV2:
 
         """
         if self.acme_version == 1:
-            client_v1 = cast(Client, self.client)
             csr = OpenSSL.crypto.load_certificate_request(OpenSSL.crypto.FILETYPE_PEM, csr_pem)
             # pylint: disable=protected-access
             dnsNames = crypto_util._pyopenssl_cert_or_req_all_names(csr)
             authorizations = []
             for domain in dnsNames:
-                authorizations.append(client_v1.request_domain_challenges(domain))
+                authorizations.append(self.client.request_domain_challenges(domain))
             return messages.OrderResource(authorizations=authorizations, csr_pem=csr_pem)
-        return cast(ClientV2, self.client).new_order(csr_pem)
+        return self.client.new_order(csr_pem)
 
-    def finalize_order(self, orderr, deadline, fetch_alternative_chains=False):
+    def finalize_order(self, orderr, deadline):
         """Finalize an order and obtain a certificate.
 
         :param messages.OrderResource orderr: order to finalize
         :param datetime.datetime deadline: when to stop polling and timeout
-        :param bool fetch_alternative_chains: whether to also fetch alternative
-            certificate chains
 
         :returns: finalized order
         :rtype: messages.OrderResource
 
         """
         if self.acme_version == 1:
-            client_v1 = cast(Client, self.client)
             csr_pem = orderr.csr_pem
-            certr = client_v1.request_issuance(
+            certr = self.client.request_issuance(
                 jose.ComparableX509(
                     OpenSSL.crypto.load_certificate_request(OpenSSL.crypto.FILETYPE_PEM, csr_pem)),
                     orderr.authorizations)
@@ -902,7 +901,7 @@ class BackwardsCompatibleClientV2:
             chain = None
             while datetime.datetime.now() < deadline:
                 try:
-                    chain = client_v1.fetch_chain(certr)
+                    chain = self.client.fetch_chain(certr)
                     break
                 except errors.Error:
                     time.sleep(1)
@@ -917,8 +916,7 @@ class BackwardsCompatibleClientV2:
             chain = crypto_util.dump_pyopenssl_chain(chain).decode()
 
             return orderr.update(fullchain_pem=(cert + chain))
-        return cast(ClientV2, self.client).finalize_order(
-            orderr, deadline, fetch_alternative_chains)
+        return self.client.finalize_order(orderr, deadline)
 
     def revoke(self, cert, rsn):
         """Revoke certificate.
@@ -944,10 +942,10 @@ class BackwardsCompatibleClientV2:
         Always return False for ACMEv1 servers, as it doesn't use External Account Binding."""
         if self.acme_version == 1:
             return False
-        return cast(ClientV2, self.client).external_account_required()
+        return self.client.external_account_required()
 
 
-class ClientNetwork:
+class ClientNetwork(object):
     """Wrapper around requests that signs POSTs for authentication.
 
     Also adds user agent, and handles Content-Type.
@@ -963,7 +961,7 @@ class ClientNetwork:
     :param messages.RegistrationResource account: Account object. Required if you are
             planning to use .post() with acme_version=2 for anything other than
             creating a new account; may be set later after registering.
-    :param josepy.JWASignature alg: Algorithm to use in signing JWS.
+    :param josepy.JWASignature alg: Algoritm to use in signing JWS.
     :param bool verify_ssl: Whether to verify certificates on SSL connections.
     :param str user_agent: String to send as User-Agent header.
     :param float timeout: Timeout for requests.
@@ -977,7 +975,7 @@ class ClientNetwork:
         self.account = account
         self.alg = alg
         self.verify_ssl = verify_ssl
-        self._nonces: Set[Text] = set()
+        self._nonces = set() # type: Set[Text]
         self.user_agent = user_agent
         self.session = requests.Session()
         self._default_timeout = timeout
@@ -1008,8 +1006,6 @@ class ClientNetwork:
         :rtype: `josepy.JWS`
 
         """
-        if isinstance(obj, VersionedLEACMEMixin):
-            obj.le_acme_version = acme_version
         jobj = obj.json_dumps(indent=2).encode() if obj else b''
         logger.debug('JWS payload:\n%s', jobj)
         kwargs = {
@@ -1045,9 +1041,6 @@ class ClientNetwork:
 
         """
         response_ct = response.headers.get('Content-Type')
-        # Strip parameters from the media-type (rfc2616#section-3.7)
-        if response_ct:
-            response_ct = response_ct.split(';')[0].strip()
         try:
             # TODO: response.json() is called twice, once here, and
             # once in _get and _post clients
@@ -1131,21 +1124,21 @@ class ClientNetwork:
             err_regex = r".*host='(\S*)'.*Max retries exceeded with url\: (\/\w*).*(\[Errno \d+\])([A-Za-z ]*)"
             m = re.match(err_regex, str(e))
             if m is None:
-                raise  # pragma: no cover
-            host, path, _err_no, err_msg = m.groups()
-            raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))
+                raise # pragma: no cover
+            else:
+                host, path, _err_no, err_msg = m.groups()
+                raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))
 
         # If content is DER, log the base64 of it instead of raw bytes, to keep
         # binary data out of the logs.
-        debug_content: Union[bytes, str]
         if response.headers.get("Content-Type") == DER_CONTENT_TYPE:
             debug_content = base64.b64encode(response.content)
         else:
             debug_content = response.content.decode("utf-8")
         logger.debug('Received response:\nHTTP %d\n%s\n\n%s',
                      response.status_code,
-                     "\n".join("{0}: {1}".format(k, v)
-                                for k, v in response.headers.items()),
+                     "\n".join(["{0}: {1}".format(k, v)
+                                for k, v in response.headers.items()]),
                      debug_content)
         return response
 
@@ -1200,7 +1193,8 @@ class ClientNetwork:
             if error.code == 'badNonce':
                 logger.debug('Retrying request after error:\n%s', error)
                 return self._post_once(*args, **kwargs)
-            raise
+            else:
+                raise
 
     def _post_once(self, url, obj, content_type=JOSE_CONTENT_TYPE,
             acme_version=1, **kwargs):

acme/acme/client_test.py

@@ -2,13 +2,13 @@
 # pylint: disable=too-many-lines
 import copy
 import datetime
-import http.client as http_client
 import json
 import unittest
-from typing import Dict
-from unittest import mock
+
+from six.moves import http_client  # pylint: disable=import-error
 
 import josepy as jose
+import mock
 import OpenSSL
 import requests
 
@@ -16,9 +16,10 @@ from acme import challenges
 from acme import errors
 from acme import jws as acme_jws
 from acme import messages
-from acme.mixins import VersionedLEACMEMixin
-import messages_test
-import test_util
+from acme import messages_test
+from acme import test_util
+from acme.magic_typing import Dict # pylint: disable=unused-import, no-name-in-module
+
 
 CERT_DER = test_util.load_vector('cert.der')
 CERT_SAN_PEM = test_util.load_vector('cert-san.pem')
@@ -62,7 +63,7 @@ class ClientTestBase(unittest.TestCase):
         self.contact = ('mailto:cert-admin@example.com', 'tel:+12025551212')
         reg = messages.Registration(
             contact=self.contact, key=KEY.public_key())
-        the_arg: Dict = dict(reg)
+        the_arg = dict(reg) # type: Dict
         self.new_reg = messages.NewRegistration(**the_arg)
         self.regr = messages.RegistrationResource(
             body=reg, uri='https://www.letsencrypt-demo.org/acme/reg/1')
@@ -90,7 +91,7 @@ class BackwardsCompatibleClientV2Test(ClientTestBase):
     """Tests for  acme.client.BackwardsCompatibleClientV2."""
 
     def setUp(self):
-        super().setUp()
+        super(BackwardsCompatibleClientV2Test, self).setUp()
         # contains a loaded cert
         self.certr = messages.CertificateResource(
             body=messages_test.CERT)
@@ -261,7 +262,7 @@ class BackwardsCompatibleClientV2Test(ClientTestBase):
         with mock.patch('acme.client.ClientV2') as mock_client:
             client = self._init()
             client.finalize_order(mock_orderr, mock_deadline)
-            mock_client().finalize_order.assert_called_once_with(mock_orderr, mock_deadline, False)
+            mock_client().finalize_order.assert_called_once_with(mock_orderr, mock_deadline)
 
     def test_revoke(self):
         self.response.json.return_value = DIRECTORY_V1.to_json()
@@ -319,7 +320,7 @@ class ClientTest(ClientTestBase):
     """Tests for acme.client.Client."""
 
     def setUp(self):
-        super().setUp()
+        super(ClientTest, self).setUp()
 
         self.directory = DIRECTORY_V1
 
@@ -604,8 +605,8 @@ class ClientTest(ClientTestBase):
             # make sure that max_attempts is per-authorization, rather
             # than global
             max_attempts=max(len(authzrs[0].retries), len(authzrs[1].retries)))
-        self.assertIs(cert[0], csr)
-        self.assertIs(cert[1], updated_authzrs)
+        self.assertTrue(cert[0] is csr)
+        self.assertTrue(cert[1] is updated_authzrs)
         self.assertEqual(updated_authzrs[0].uri, 'a...')
         self.assertEqual(updated_authzrs[1].uri, 'b.')
         self.assertEqual(updated_authzrs[0].times, [
@@ -641,7 +642,7 @@ class ClientTest(ClientTestBase):
         authzr = self.client.deactivate_authorization(self.authzr)
         self.assertEqual(authzb, authzr.body)
         self.assertEqual(self.client.net.post.call_count, 1)
-        self.assertIn(self.authzr.uri, self.net.post.call_args_list[0][0])
+        self.assertTrue(self.authzr.uri in self.net.post.call_args_list[0][0])
 
     def test_check_cert(self):
         self.response.headers['Location'] = self.certr.uri
@@ -700,7 +701,7 @@ class ClientTest(ClientTestBase):
 
     def test_revocation_payload(self):
         obj = messages.Revocation(certificate=self.certr.body, reason=self.rsn)
-        self.assertIn('reason', obj.to_partial_json().keys())
+        self.assertTrue('reason' in obj.to_partial_json().keys())
         self.assertEqual(self.rsn, obj.to_partial_json()['reason'])
 
     def test_revoke_bad_status_raises_error(self):
@@ -716,7 +717,7 @@ class ClientV2Test(ClientTestBase):
     """Tests for acme.client.ClientV2."""
 
     def setUp(self):
-        super().setUp()
+        super(ClientV2Test, self).setUp()
 
         self.directory = DIRECTORY_V2
 
@@ -840,32 +841,6 @@ class ClientV2Test(ClientTestBase):
         deadline = datetime.datetime.now() - datetime.timedelta(seconds=60)
         self.assertRaises(errors.TimeoutError, self.client.finalize_order, self.orderr, deadline)
 
-    def test_finalize_order_alt_chains(self):
-        updated_order = self.order.update(
-            certificate='https://www.letsencrypt-demo.org/acme/cert/',
-        )
-        updated_orderr = self.orderr.update(body=updated_order,
-                                            fullchain_pem=CERT_SAN_PEM,
-                                            alternative_fullchains_pem=[CERT_SAN_PEM,
-                                                                        CERT_SAN_PEM])
-        self.response.json.return_value = updated_order.to_json()
-        self.response.text = CERT_SAN_PEM
-        self.response.headers['Link'] ='<https://example.com/acme/cert/1>;rel="alternate", ' + \
-            '<https://example.com/dir>;rel="index", ' + \
-            '<https://example.com/acme/cert/2>;title="foo";rel="alternate"'
-
-        deadline = datetime.datetime(9999, 9, 9)
-        resp = self.client.finalize_order(self.orderr, deadline, fetch_alternative_chains=True)
-        self.net.post.assert_any_call('https://example.com/acme/cert/1',
-                                      mock.ANY, acme_version=2, new_nonce_url=mock.ANY)
-        self.net.post.assert_any_call('https://example.com/acme/cert/2',
-                                      mock.ANY, acme_version=2, new_nonce_url=mock.ANY)
-        self.assertEqual(resp, updated_orderr)
-
-        del self.response.headers['Link']
-        resp = self.client.finalize_order(self.orderr, deadline, fetch_alternative_chains=True)
-        self.assertEqual(resp, updated_orderr.update(alternative_fullchains_pem=[]))
-
     def test_revoke(self):
         self.client.revoke(messages_test.CERT, self.rsn)
         self.net.post.assert_called_once_with(
@@ -877,9 +852,9 @@ class ClientV2Test(ClientTestBase):
         self.response.headers['Location'] = self.regr.uri
         self.response.json.return_value = self.regr.body.to_json()
         self.assertEqual(self.regr, self.client.update_registration(self.regr))
-        self.assertIsNotNone(self.client.net.account)
+        self.assertNotEqual(self.client.net.account, None)
         self.assertEqual(self.client.net.post.call_count, 2)
-        self.assertIn(DIRECTORY_V2.newAccount, self.net.post.call_args_list[0][0])
+        self.assertTrue(DIRECTORY_V2.newAccount in self.net.post.call_args_list[0][0])
 
         self.response.json.return_value = self.regr.body.update(
             contact=()).to_json()
@@ -912,8 +887,21 @@ class ClientV2Test(ClientTestBase):
                 new_nonce_url='https://www.letsencrypt-demo.org/acme/new-nonce')
             self.client.net.get.assert_not_called()
 
+            class FakeError(messages.Error):
+                """Fake error to reproduce a malformed request ACME error"""
+                def __init__(self):  # pylint: disable=super-init-not-called
+                    pass
+                @property
+                def code(self):
+                    return 'malformed'
+            self.client.net.post.side_effect = FakeError()
 
-class MockJSONDeSerializable(VersionedLEACMEMixin, jose.JSONDeSerializable):
+            self.client.poll(self.authzr2)  # pylint: disable=protected-access
+
+            self.client.net.get.assert_called_once_with(self.authzr2.uri)
+
+
+class MockJSONDeSerializable(jose.JSONDeSerializable):
     # pylint: disable=missing-docstring
     def __init__(self, value):
         self.value = value
@@ -943,7 +931,7 @@ class ClientNetworkTest(unittest.TestCase):
         self.response.links = {}
 
     def test_init(self):
-        self.assertIs(self.net.verify_ssl, self.verify_ssl)
+        self.assertTrue(self.net.verify_ssl is self.verify_ssl)
 
     def test_wrap_in_jws(self):
         # pylint: disable=protected-access
@@ -977,8 +965,8 @@ class ClientNetworkTest(unittest.TestCase):
 
     def test_check_response_not_ok_jobj_error(self):
         self.response.ok = False
-        self.response.json.return_value = messages.Error.with_code(
-            'serverInternal', detail='foo', title='some title').to_json()
+        self.response.json.return_value = messages.Error(
+            detail='foo', typ='serverInternal', title='some title').to_json()
         # pylint: disable=protected-access
         self.assertRaises(
             messages.Error, self.net._check_response, self.response)
@@ -1003,39 +991,10 @@ class ClientNetworkTest(unittest.TestCase):
         self.response.json.side_effect = ValueError
         for response_ct in [self.net.JSON_CONTENT_TYPE, 'foo']:
             self.response.headers['Content-Type'] = response_ct
-            # pylint: disable=protected-access
+            # pylint: disable=protected-access,no-value-for-parameter
             self.assertEqual(
                 self.response, self.net._check_response(self.response))
 
-    @mock.patch('acme.client.logger')
-    def test_check_response_ok_ct_with_charset(self, mock_logger):
-        self.response.json.return_value = {}
-        self.response.headers['Content-Type'] = 'application/json; charset=utf-8'
-        # pylint: disable=protected-access
-        self.assertEqual(self.response, self.net._check_response(
-            self.response, content_type='application/json'))
-        try:
-            mock_logger.debug.assert_called_with(
-                'Ignoring wrong Content-Type (%r) for JSON decodable response',
-                'application/json; charset=utf-8'
-            )
-        except AssertionError:
-            return
-        raise AssertionError('Expected Content-Type warning ' #pragma: no cover
-            'to not have been logged')
-
-    @mock.patch('acme.client.logger')
-    def test_check_response_ok_bad_ct(self, mock_logger):
-        self.response.json.return_value = {}
-        self.response.headers['Content-Type'] = 'text/plain'
-        # pylint: disable=protected-access
-        self.assertEqual(self.response, self.net._check_response(
-            self.response, content_type='application/json'))
-        mock_logger.debug.assert_called_with(
-            'Ignoring wrong Content-Type (%r) for JSON decodable response',
-            'text/plain'
-        )
-
     def test_check_response_conflict(self):
         self.response.ok = False
         self.response.status_code = 409
@@ -1046,7 +1005,7 @@ class ClientNetworkTest(unittest.TestCase):
         self.response.json.return_value = {}
         for response_ct in [self.net.JSON_CONTENT_TYPE, 'foo']:
             self.response.headers['Content-Type'] = response_ct
-            # pylint: disable=protected-access
+            # pylint: disable=protected-access,no-value-for-parameter
             self.assertEqual(
                 self.response, self.net._check_response(self.response))
 
@@ -1171,8 +1130,8 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
         self.response.headers = {}
         self.response.links = {}
         self.response.checked = False
-        self.acmev1_nonce_response = mock.MagicMock(
-            ok=False, status_code=http_client.METHOD_NOT_ALLOWED)
+        self.acmev1_nonce_response = mock.MagicMock(ok=False,
+            status_code=http_client.METHOD_NOT_ALLOWED)
         self.acmev1_nonce_response.headers = {}
         self.obj = mock.MagicMock()
         self.wrapped_obj = mock.MagicMock()
@@ -1185,7 +1144,7 @@ class ClientNetworkWithMockedResponseTest(unittest.TestCase):
 
         def send_request(*args, **kwargs):
             # pylint: disable=unused-argument,missing-docstring
-            self.assertNotIn("new_nonce_url", kwargs)
+            self.assertFalse("new_nonce_url" in kwargs)
             method = args[0]
             uri = args[1]
             if method == 'HEAD' and uri != "new_nonce_uri":
@@ -1330,7 +1289,7 @@ class ClientNetworkSourceAddressBindingTest(unittest.TestCase):
         from acme.client import ClientNetwork
         net = ClientNetwork(key=None, alg=None, source_address=self.source_address)
         for adapter in net.session.adapters.values():
-            self.assertIn(self.source_address, adapter.source_address)
+            self.assertTrue(self.source_address in adapter.source_address)
 
     def test_behavior_assumption(self):
         """This is a test that guardrails the HTTPAdapter behavior so that if the default for
@@ -1340,7 +1299,7 @@ class ClientNetworkSourceAddressBindingTest(unittest.TestCase):
         # test should fail if the default adapter type is changed by requests
         net = ClientNetwork(key=None, alg=None)
         session = requests.Session()
-        for scheme in session.adapters:
+        for scheme in session.adapters.keys():
             client_network_adapter = net.session.adapters.get(scheme)
             default_adapter = session.adapters.get(scheme)
             self.assertEqual(client_network_adapter.__class__, default_adapter.__class__)

acme/acme/crypto_util.py

@@ -5,15 +5,16 @@ import logging
 import os
 import re
 import socket
-from typing import Callable
-from typing import Tuple
-from typing import Union
 
-import josepy as jose
 from OpenSSL import crypto
-from OpenSSL import SSL  # type: ignore # https://github.com/python/typeshed/issues/2052
+from OpenSSL import SSL # type: ignore # https://github.com/python/typeshed/issues/2052
+import josepy as jose
 
 from acme import errors
+# pylint: disable=unused-import, no-name-in-module
+from acme.magic_typing import Callable, Union, Tuple, Optional
+# pylint: enable=unused-import, no-name-in-module
+
 
 logger = logging.getLogger(__name__)
 
@@ -27,41 +28,19 @@ logger = logging.getLogger(__name__)
 _DEFAULT_SSL_METHOD = SSL.SSLv23_METHOD  # type: ignore
 
 
-class _DefaultCertSelection:
-    def __init__(self, certs):
-        self.certs = certs
-
-    def __call__(self, connection):
-        server_name = connection.get_servername()
-        return self.certs.get(server_name, None)
-
-
-class SSLSocket:  # pylint: disable=too-few-public-methods
+class SSLSocket(object):
     """SSL wrapper for sockets.
 
     :ivar socket sock: Original wrapped socket.
     :ivar dict certs: Mapping from domain names (`bytes`) to
         `OpenSSL.crypto.X509`.
     :ivar method: See `OpenSSL.SSL.Context` for allowed values.
-    :ivar alpn_selection: Hook to select negotiated ALPN protocol for
-        connection.
-    :ivar cert_selection: Hook to select certificate for connection. If given,
-        `certs` parameter would be ignored, and therefore must be empty.
 
     """
-    def __init__(self, sock, certs=None,
-            method=_DEFAULT_SSL_METHOD, alpn_selection=None,
-            cert_selection=None):
+    def __init__(self, sock, certs, method=_DEFAULT_SSL_METHOD):
         self.sock = sock
-        self.alpn_selection = alpn_selection
+        self.certs = certs
         self.method = method
-        if not cert_selection and not certs:
-            raise ValueError("Neither cert_selection or certs specified.")
-        if cert_selection and certs:
-            raise ValueError("Both cert_selection and certs specified.")
-        if cert_selection is None:
-            cert_selection = _DefaultCertSelection(certs)
-        self.cert_selection = cert_selection
 
     def __getattr__(self, name):
         return getattr(self.sock, name)
@@ -78,25 +57,24 @@ class SSLSocket:  # pylint: disable=too-few-public-methods
         :type connection: :class:`OpenSSL.Connection`
 
         """
-        pair = self.cert_selection(connection)
-        if pair is None:
-            logger.debug("Certificate selection for server name %s failed, dropping SSL",
-                         connection.get_servername())
+        server_name = connection.get_servername()
+        try:
+            key, cert = self.certs[server_name]
+        except KeyError:
+            logger.debug("Server name (%s) not recognized, dropping SSL",
+                         server_name)
             return
-        key, cert = pair
         new_context = SSL.Context(self.method)
         new_context.set_options(SSL.OP_NO_SSLv2)
         new_context.set_options(SSL.OP_NO_SSLv3)
         new_context.use_privatekey(key)
         new_context.use_certificate(cert)
-        if self.alpn_selection is not None:
-            new_context.set_alpn_select_callback(self.alpn_selection)
         connection.set_context(new_context)
 
-    class FakeConnection:
+    class FakeConnection(object):
         """Fake OpenSSL.SSL.Connection."""
 
-        # pylint: disable=missing-function-docstring
+        # pylint: disable=missing-docstring
 
         def __init__(self, connection):
             self._wrapped = connection
@@ -108,15 +86,13 @@ class SSLSocket:  # pylint: disable=too-few-public-methods
             # OpenSSL.SSL.Connection.shutdown doesn't accept any args
             return self._wrapped.shutdown()
 
-    def accept(self):  # pylint: disable=missing-function-docstring
+    def accept(self):  # pylint: disable=missing-docstring
         sock, addr = self.sock.accept()
 
         context = SSL.Context(self.method)
         context.set_options(SSL.OP_NO_SSLv2)
         context.set_options(SSL.OP_NO_SSLv3)
         context.set_tlsext_servername_callback(self._pick_certificate_cb)
-        if self.alpn_selection is not None:
-            context.set_alpn_select_callback(self.alpn_selection)
 
         ssl_sock = self.FakeConnection(SSL.Connection(context, sock))
         ssl_sock.set_accept_state()
@@ -132,9 +108,8 @@ class SSLSocket:  # pylint: disable=too-few-public-methods
         return ssl_sock, addr
 
 
-def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-arguments
-              method=_DEFAULT_SSL_METHOD, source_address=('', 0),
-              alpn_protocols=None):
+def probe_sni(name, host, port=443, timeout=300,
+              method=_DEFAULT_SSL_METHOD, source_address=('', 0)):
     """Probe SNI server for SSL certificate.
 
     :param bytes name: Byte string to send as the server name in the
@@ -146,8 +121,6 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
     :param tuple source_address: Enables multi-path probing (selection
         of source interface). See `socket.creation_connection` for more
         info. Available only in Python 2.7+.
-    :param alpn_protocols: Protocols to request using ALPN.
-    :type alpn_protocols: `list` of `bytes`
 
     :raises acme.errors.Error: In case of any problems.
 
@@ -166,9 +139,9 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
             " from {0}:{1}".format(
                 source_address[0],
                 source_address[1]
-            ) if any(source_address) else ""
+            ) if socket_kwargs else ""
         )
-        socket_tuple: Tuple[str, int] = (host, port)
+        socket_tuple = (host, port)  # type: Tuple[str, int]
         sock = socket.create_connection(socket_tuple, **socket_kwargs)  # type: ignore
     except socket.error as error:
         raise errors.Error(error)
@@ -177,8 +150,6 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
         client_ssl = SSL.Connection(context, client)
         client_ssl.set_connect_state()
         client_ssl.set_tlsext_host_name(name)  # pyOpenSSL>=0.13
-        if alpn_protocols is not None:
-            client_ssl.set_alpn_protos(alpn_protocols)
         try:
             client_ssl.do_handshake()
             client_ssl.shutdown()
@@ -186,7 +157,6 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu
             raise errors.Error(error)
     return client_ssl.get_peer_certificate()
 
-
 def make_csr(private_key_pem, domains, must_staple=False):
     """Generate a CSR containing a list of domains as subjectAltNames.
 
@@ -218,7 +188,6 @@ def make_csr(private_key_pem, domains, must_staple=False):
     return crypto.dump_certificate_request(
         crypto.FILETYPE_PEM, csr)
 
-
 def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
     common_name = loaded_cert_or_req.get_subject().CN
     sans = _pyopenssl_cert_or_req_san(loaded_cert_or_req)
@@ -227,7 +196,6 @@ def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
         return sans
     return [common_name] + [d for d in sans if d != common_name]
 
-
 def _pyopenssl_cert_or_req_san(cert_or_req):
     """Get Subject Alternative Names from certificate or CSR using pyOpenSSL.
 
@@ -256,7 +224,7 @@ def _pyopenssl_cert_or_req_san(cert_or_req):
 
     if isinstance(cert_or_req, crypto.X509):
         # pylint: disable=line-too-long
-        func: Union[Callable[[int, crypto.X509Req], bytes], Callable[[int, crypto.X509], bytes]] = crypto.dump_certificate
+        func = crypto.dump_certificate # type: Union[Callable[[int, crypto.X509Req], bytes], Callable[[int, crypto.X509], bytes]]
     else:
         func = crypto.dump_certificate_request
     text = func(crypto.FILETYPE_TEXT, cert_or_req).decode("utf-8")
@@ -272,14 +240,12 @@ def _pyopenssl_cert_or_req_san(cert_or_req):
 
 
 def gen_ss_cert(key, domains, not_before=None,
-                validity=(7 * 24 * 60 * 60), force_san=True, extensions=None):
+                validity=(7 * 24 * 60 * 60), force_san=True):
     """Generate new self-signed certificate.
 
     :type domains: `list` of `unicode`
     :param OpenSSL.crypto.PKey key:
     :param bool force_san:
-    :param extensions: List of additional extensions to include in the cert.
-    :type extensions: `list` of `OpenSSL.crypto.X509Extension`
 
     If more than one domain is provided, all of the domains are put into
     ``subjectAltName`` X.509 extension and first domain is set as the
@@ -292,13 +258,10 @@ def gen_ss_cert(key, domains, not_before=None,
     cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16))
     cert.set_version(2)
 
-    if extensions is None:
-        extensions = []
-
-    extensions.append(
+    extensions = [
         crypto.X509Extension(
             b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
-    )
+    ]
 
     cert.get_subject().CN = domains[0]
     # TODO: what to put into cert.get_subject()?
@@ -320,7 +283,6 @@ def gen_ss_cert(key, domains, not_before=None,
     cert.sign(key, "sha256")
     return cert
 
-
 def dump_pyopenssl_chain(chain, filetype=crypto.FILETYPE_PEM):
     """Dump certificate chain into a bundle.
 
@@ -336,6 +298,7 @@ def dump_pyopenssl_chain(chain, filetype=crypto.FILETYPE_PEM):
 
     def _dump_cert(cert):
         if isinstance(cert, jose.ComparableX509):
+            # pylint: disable=protected-access
             cert = cert.wrapped
         return crypto.dump_certificate(filetype, cert)
 

acme/acme/crypto_util_test.py

@@ -1,22 +1,25 @@
 """Tests for acme.crypto_util."""
 import itertools
 import socket
-import socketserver
 import threading
 import time
 import unittest
-from typing import List
+
+import six
+from six.moves import socketserver  #type: ignore  # pylint: disable=import-error
 
 import josepy as jose
 import OpenSSL
 
 from acme import errors
-import test_util
+from acme import test_util
+from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-module
 
 
 class SSLSocketAndProbeSNITest(unittest.TestCase):
     """Tests for acme.crypto_util.SSLSocket/probe_sni."""
 
+
     def setUp(self):
         self.cert = test_util.load_comparable_cert('rsa2048_cert.pem')
         key = test_util.load_pyopenssl_private_key('rsa2048_key.pem')
@@ -27,14 +30,16 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
 
         class _TestServer(socketserver.TCPServer):
 
+            # six.moves.* | pylint: disable=attribute-defined-outside-init,no-init
+
             def server_bind(self):  # pylint: disable=missing-docstring
-                self.socket = SSLSocket(socket.socket(),
-                        certs)
+                self.socket = SSLSocket(socket.socket(), certs=certs)
                 socketserver.TCPServer.server_bind(self)
 
         self.server = _TestServer(('', 0), socketserver.BaseRequestHandler)
         self.port = self.server.socket.getsockname()[1]
         self.server_thread = threading.Thread(
+            # pylint: disable=no-member
             target=self.server.handle_request)
 
     def tearDown(self):
@@ -60,7 +65,8 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
         self.assertRaises(errors.Error, self._probe, b'bar')
 
     def test_probe_connection_error(self):
-        self.server.server_close()
+        # pylint has a hard time with six
+        self.server.server_close()  # pylint: disable=no-member
         original_timeout = socket.getdefaulttimeout()
         try:
             socket.setdefaulttimeout(1)
@@ -69,18 +75,6 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
             socket.setdefaulttimeout(original_timeout)
 
 
-class SSLSocketTest(unittest.TestCase):
-    """Tests for acme.crypto_util.SSLSocket."""
-
-    def test_ssl_socket_invalid_arguments(self):
-        from acme.crypto_util import SSLSocket
-        with self.assertRaises(ValueError):
-            _ = SSLSocket(None, {'sni': ('key', 'cert')},
-                    cert_selection=lambda _: None)
-        with self.assertRaises(ValueError):
-            _ = SSLSocket(None)
-
-
 class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase):
     """Test for acme.crypto_util._pyopenssl_cert_or_req_all_names."""
 
@@ -118,9 +112,9 @@ class PyOpenSSLCertOrReqSANTest(unittest.TestCase):
     @classmethod
     def _get_idn_names(cls):
         """Returns expected names from '{cert,csr}-idnsans.pem'."""
-        chars = [chr(i) for i in itertools.chain(range(0x3c3, 0x400),
-                                                 range(0x641, 0x6fc),
-                                                 range(0x1820, 0x1877))]
+        chars = [six.unichr(i) for i in itertools.chain(range(0x3c3, 0x400),
+                                                        range(0x641, 0x6fc),
+                                                        range(0x1820, 0x1877))]
         return [''.join(chars[i: i + 45]) + '.invalid'
                 for i in range(0, len(chars), 45)]
 
@@ -181,7 +175,7 @@ class RandomSnTest(unittest.TestCase):
 
     def setUp(self):
         self.cert_count = 5
-        self.serial_num: List[int] = []
+        self.serial_num = [] # type: List[int]
         self.key = OpenSSL.crypto.PKey()
         self.key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
 
@@ -191,7 +185,7 @@ class RandomSnTest(unittest.TestCase):
         for _ in range(self.cert_count):
             cert = gen_ss_cert(self.key, ['dummy'], force_san=True)
             self.serial_num.append(cert.get_serial_number())
-        self.assertGreater(len(set(self.serial_num)), 1)
+        self.assertTrue(len(set(self.serial_num)) > 1)
 
 class MakeCSRTest(unittest.TestCase):
     """Test for standalone functions."""
@@ -206,8 +200,8 @@ class MakeCSRTest(unittest.TestCase):
 
     def test_make_csr(self):
         csr_pem = self._call_with_key(["a.example", "b.example"])
-        self.assertIn(b'--BEGIN CERTIFICATE REQUEST--', csr_pem)
-        self.assertIn(b'--END CERTIFICATE REQUEST--', csr_pem)
+        self.assertTrue(b'--BEGIN CERTIFICATE REQUEST--' in csr_pem)
+        self.assertTrue(b'--END CERTIFICATE REQUEST--' in csr_pem)
         csr = OpenSSL.crypto.load_certificate_request(
             OpenSSL.crypto.FILETYPE_PEM, csr_pem)
         # In pyopenssl 0.13 (used with TOXENV=py27-oldest), csr objects don't

acme/acme/errors.py

@@ -28,8 +28,8 @@ class NonceError(ClientError):
 
 class BadNonce(NonceError):
     """Bad nonce error."""
-    def __init__(self, nonce, error, *args):
-        super().__init__(*args)
+    def __init__(self, nonce, error, *args, **kwargs):
+        super(BadNonce, self).__init__(*args, **kwargs)
         self.nonce = nonce
         self.error = error
 
@@ -44,11 +44,11 @@ class MissingNonce(NonceError):
     Replay-Nonce header field in each successful response to a POST it
     provides to a client (...)".
 
-    :ivar requests.Response ~.response: HTTP Response
+    :ivar requests.Response response: HTTP Response
 
     """
-    def __init__(self, response, *args):
-        super().__init__(*args)
+    def __init__(self, response, *args, **kwargs):
+        super(MissingNonce, self).__init__(*args, **kwargs)
         self.response = response
 
     def __str__(self):
@@ -72,7 +72,7 @@ class PollError(ClientError):
     def __init__(self, exhausted, updated):
         self.exhausted = exhausted
         self.updated = updated
-        super().__init__()
+        super(PollError, self).__init__()
 
     @property
     def timeout(self):
@@ -83,20 +83,17 @@ class PollError(ClientError):
         return '{0}(exhausted={1!r}, updated={2!r})'.format(
             self.__class__.__name__, self.exhausted, self.updated)
 
-
 class ValidationError(Error):
     """Error for authorization failures. Contains a list of authorization
     resources, each of which is invalid and should have an error field.
     """
     def __init__(self, failed_authzrs):
         self.failed_authzrs = failed_authzrs
-        super().__init__()
+        super(ValidationError, self).__init__()
 
-
-class TimeoutError(Error):  # pylint: disable=redefined-builtin
+class TimeoutError(Error):
     """Error for when polling an authorization or an order times out."""
 
-
 class IssuanceError(Error):
     """Error sent by the server after requesting issuance of a certificate."""
 
@@ -106,8 +103,7 @@ class IssuanceError(Error):
         :param messages.Error error: The error provided by the server.
         """
         self.error = error
-        super().__init__()
-
+        super(IssuanceError, self).__init__()
 
 class ConflictError(ClientError):
     """Error for when the server returns a 409 (Conflict) HTTP status.
@@ -119,7 +115,7 @@ class ConflictError(ClientError):
     """
     def __init__(self, location):
         self.location = location
-        super().__init__()
+        super(ConflictError, self).__init__()
 
 
 class WildcardUnsupportedError(Error):

acme/acme/errors_test.py

@@ -1,6 +1,7 @@
 """Tests for acme.errors."""
 import unittest
-from unittest import mock
+
+import mock
 
 
 class BadNonceTest(unittest.TestCase):
@@ -24,8 +25,8 @@ class MissingNonceTest(unittest.TestCase):
         self.error = MissingNonce(self.response)
 
     def test_str(self):
-        self.assertIn("FOO", str(self.error))
-        self.assertIn("{}", str(self.error))
+        self.assertTrue("FOO" in str(self.error))
+        self.assertTrue("{}" in str(self.error))
 
 
 class PollErrorTest(unittest.TestCase):
@@ -34,7 +35,7 @@ class PollErrorTest(unittest.TestCase):
     def setUp(self):
         from acme.errors import PollError
         self.timeout = PollError(
-            exhausted={mock.sentinel.AR},
+            exhausted=set([mock.sentinel.AR]),
             updated={})
         self.invalid = PollError(exhausted=set(), updated={
             mock.sentinel.AR: mock.sentinel.AR2})

acme/acme/fields.py

@@ -4,6 +4,7 @@ import logging
 import josepy as jose
 import pyrfc3339
 
+
 logger = logging.getLogger(__name__)
 
 
@@ -12,7 +13,7 @@ class Fixed(jose.Field):
 
     def __init__(self, json_name, value):
         self.value = value
-        super().__init__(
+        super(Fixed, self).__init__(
             json_name=json_name, default=value, omitempty=False)
 
     def decode(self, value):
@@ -53,7 +54,7 @@ class Resource(jose.Field):
 
     def __init__(self, resource_type, *args, **kwargs):
         self.resource_type = resource_type
-        super().__init__(
+        super(Resource, self).__init__(
             'resource', default=resource_type, *args, **kwargs)
 
     def decode(self, value):

acme/acme/jose_test.py

@@ -2,7 +2,6 @@
 import importlib
 import unittest
 
-
 class JoseTest(unittest.TestCase):
     """Tests for acme.jose shim."""
 
@@ -21,10 +20,11 @@ class JoseTest(unittest.TestCase):
 
         # We use the imports below with eval, but pylint doesn't
         # understand that.
-        import acme  # pylint: disable=unused-import
-        import josepy  # pylint: disable=unused-import
-        acme_jose_mod = eval(acme_jose_path)  # pylint: disable=eval-used
-        josepy_mod = eval(josepy_path)  # pylint: disable=eval-used
+        # pylint: disable=eval-used,unused-variable
+        import acme
+        import josepy
+        acme_jose_mod = eval(acme_jose_path)
+        josepy_mod = eval(josepy_path)
         self.assertIs(acme_jose_mod, josepy_mod)
         self.assertIs(getattr(acme_jose_mod, attribute), getattr(josepy_mod, attribute))
 

acme/acme/jws.py

@@ -14,10 +14,8 @@ class Header(jose.Header):
     kid = jose.Field('kid', omitempty=True)
     url = jose.Field('url', omitempty=True)
 
-    # Mypy does not understand the josepy magic happening here, and falsely claims
-    # that nonce is redefined. Let's ignore the type check here.
-    @nonce.decoder  # type: ignore
-    def nonce(value):  # pylint: disable=no-self-argument,missing-function-docstring
+    @nonce.decoder
+    def nonce(value):  # pylint: disable=missing-docstring,no-self-argument
         try:
             return jose.decode_b64jose(value)
         except jose.DeserializationError as error:
@@ -42,7 +40,7 @@ class Signature(jose.Signature):
 class JWS(jose.JWS):
     """ACME-specific JWS. Includes none, url, and kid in protected header."""
     signature_cls = Signature
-    __slots__ = jose.JWS._orig_slots
+    __slots__ = jose.JWS._orig_slots  # pylint: disable=no-member
 
     @classmethod
     # pylint: disable=arguments-differ
@@ -50,7 +48,7 @@ class JWS(jose.JWS):
         # Per ACME spec, jwk and kid are mutually exclusive, so only include a
         # jwk field if kid is not provided.
         include_jwk = kid is None
-        return super().sign(payload, key=key, alg=alg,
+        return super(JWS, cls).sign(payload, key=key, alg=alg,
                                     protect=frozenset(['nonce', 'url', 'kid', 'jwk', 'alg']),
                                     nonce=nonce, url=url, kid=kid,
                                     include_jwk=include_jwk)

acme/acme/jws_test.py

@@ -3,7 +3,8 @@ import unittest
 
 import josepy as jose
 
-import test_util
+from acme import test_util
+
 
 KEY = jose.JWKRSA.load(test_util.load_vector('rsa512_key.pem'))
 
@@ -48,7 +49,7 @@ class JWSTest(unittest.TestCase):
         self.assertEqual(jws.signature.combined.nonce, self.nonce)
         self.assertEqual(jws.signature.combined.url, self.url)
         self.assertEqual(jws.signature.combined.kid, self.kid)
-        self.assertIsNone(jws.signature.combined.jwk)
+        self.assertEqual(jws.signature.combined.jwk, None)
         # TODO: check that nonce is in protected header
 
         self.assertEqual(jws, JWS.from_json(jws.to_json()))
@@ -58,7 +59,7 @@ class JWSTest(unittest.TestCase):
         jws = JWS.sign(payload=b'foo', key=self.privkey,
                        alg=jose.RS256, nonce=self.nonce,
                        url=self.url)
-        self.assertIsNone(jws.signature.combined.kid)
+        self.assertEqual(jws.signature.combined.kid, None)
         self.assertEqual(jws.signature.combined.jwk, self.pubkey)
 
 

acme/acme/magic_typing.py

@@ -1,17 +1,16 @@
-"""Simple shim around the typing module.
+"""Shim class to not have to depend on typing module in prod."""
+import sys
 
-This was useful when this code supported Python 2 and typing wasn't always
-available. This code is being kept for now for backwards compatibility.
-
-"""
-import warnings
-from typing import *  # pylint: disable=wildcard-import, unused-wildcard-import
-from typing import Collection, IO  # type: ignore
-
-warnings.warn("acme.magic_typing is deprecated and will be removed in a future release.",
-              DeprecationWarning)
-
-class TypingClass:
+class TypingClass(object):
     """Ignore import errors by getting anything"""
     def __getattr__(self, name):
-        return None  # pragma: no cover
+        return None
+
+try:
+    # mypy doesn't respect modifying sys.modules
+    from typing import *  # pylint: disable=wildcard-import, unused-wildcard-import
+    # pylint: disable=unused-import
+    from typing import Collection, IO  # type: ignore
+    # pylint: enable=unused-import
+except ImportError:
+    sys.modules[__name__] = TypingClass()

acme/acme/magic_typing_test.py

@@ -0,0 +1,41 @@
+"""Tests for acme.magic_typing."""
+import sys
+import unittest
+
+import mock
+
+
+class MagicTypingTest(unittest.TestCase):
+    """Tests for acme.magic_typing."""
+    def test_import_success(self):
+        try:
+            import typing as temp_typing
+        except ImportError: # pragma: no cover
+            temp_typing = None # pragma: no cover
+        typing_class_mock = mock.MagicMock()
+        text_mock = mock.MagicMock()
+        typing_class_mock.Text = text_mock
+        sys.modules['typing'] = typing_class_mock
+        if 'acme.magic_typing' in sys.modules:
+            del sys.modules['acme.magic_typing'] # pragma: no cover
+        from acme.magic_typing import Text # pylint: disable=no-name-in-module
+        self.assertEqual(Text, text_mock)
+        del sys.modules['acme.magic_typing']
+        sys.modules['typing'] = temp_typing
+
+    def test_import_failure(self):
+        try:
+            import typing as temp_typing
+        except ImportError: # pragma: no cover
+            temp_typing = None # pragma: no cover
+        sys.modules['typing'] = None
+        if 'acme.magic_typing' in sys.modules:
+            del sys.modules['acme.magic_typing'] # pragma: no cover
+        from acme.magic_typing import Text # pylint: disable=no-name-in-module
+        self.assertTrue(Text is None)
+        del sys.modules['acme.magic_typing']
+        sys.modules['typing'] = temp_typing
+
+
+if __name__ == '__main__':
+    unittest.main()  # pragma: no cover

acme/acme/messages.py

@@ -1,18 +1,18 @@
 """ACME protocol messages."""
-from collections.abc import Hashable
 import json
-from typing import Any
-from typing import Dict
-from typing import Type
+import six
+try:
+    from collections.abc import Hashable  # pylint: disable=no-name-in-module
+except ImportError:  # pragma: no cover
+    from collections import Hashable
 
 import josepy as jose
 
 from acme import challenges
 from acme import errors
 from acme import fields
-from acme import jws
 from acme import util
-from acme.mixins import ResourceMixin
+from acme import jws
 
 OLD_ERROR_PREFIX = "urn:acme:error:"
 ERROR_PREFIX = "urn:ietf:params:acme:error:"
@@ -33,7 +33,7 @@ ERROR_CODES = {
                    ' domain'),
     'dns': 'There was a problem with a DNS query during identifier validation',
     'dnssec': 'The server could not validate a DNSSEC signed domain',
-    'incorrectResponse': 'Response received didn\'t match the challenge\'s requirements',
+    'incorrectResponse': 'Response recieved didn\'t match the challenge\'s requirements',
     # deprecate invalidEmail
     'invalidEmail': 'The provided email for a registration was invalid',
     'invalidContact': 'The provided contact URI was invalid',
@@ -64,6 +64,7 @@ def is_acme_error(err):
     return False
 
 
+@six.python_2_unicode_compatible
 class Error(jose.JSONObjectWithFields, errors.Error):
     """ACME error.
 
@@ -90,9 +91,7 @@ class Error(jose.JSONObjectWithFields, errors.Error):
             raise ValueError("The supplied code: %s is not a known ACME error"
                              " code" % code)
         typ = ERROR_PREFIX + code
-        # Mypy will not understand that the Error constructor accepts a named argument
-        # "typ" because of josepy magic. Let's ignore the type check here.
-        return cls(typ=typ, **kwargs)  # type: ignore
+        return cls(typ=typ, **kwargs)
 
     @property
     def description(self):
@@ -129,10 +128,10 @@ class Error(jose.JSONObjectWithFields, errors.Error):
 class _Constant(jose.JSONDeSerializable, Hashable):  # type: ignore
     """ACME constant."""
     __slots__ = ('name',)
-    POSSIBLE_NAMES: Dict[str, '_Constant'] = NotImplemented
+    POSSIBLE_NAMES = NotImplemented
 
     def __init__(self, name):
-        super().__init__()
+        super(_Constant, self).__init__()
         self.POSSIBLE_NAMES[name] = self  # pylint: disable=unsupported-assignment-operation
         self.name = name
 
@@ -144,7 +143,7 @@ class _Constant(jose.JSONDeSerializable, Hashable):  # type: ignore
         if jobj not in cls.POSSIBLE_NAMES:  # pylint: disable=unsupported-membership-test
             raise jose.DeserializationError(
                 '{0} not recognized'.format(cls.__name__))
-        return cls.POSSIBLE_NAMES[jobj]
+        return cls.POSSIBLE_NAMES[jobj]  # pylint: disable=unsubscriptable-object
 
     def __repr__(self):
         return '{0}({1})'.format(self.__class__.__name__, self.name)
@@ -155,10 +154,13 @@ class _Constant(jose.JSONDeSerializable, Hashable):  # type: ignore
     def __hash__(self):
         return hash((self.__class__, self.name))
 
+    def __ne__(self, other):
+        return not self == other
+
 
 class Status(_Constant):
     """ACME "status" field."""
-    POSSIBLE_NAMES: dict = {}
+    POSSIBLE_NAMES = {}  # type: dict
 STATUS_UNKNOWN = Status('unknown')
 STATUS_PENDING = Status('pending')
 STATUS_PROCESSING = Status('processing')
@@ -171,7 +173,7 @@ STATUS_DEACTIVATED = Status('deactivated')
 
 class IdentifierType(_Constant):
     """ACME identifier type."""
-    POSSIBLE_NAMES: Dict[str, 'IdentifierType'] = {}
+    POSSIBLE_NAMES = {}  # type: dict
 IDENTIFIER_FQDN = IdentifierType('dns')  # IdentifierDNS in Boulder
 
 
@@ -189,7 +191,7 @@ class Identifier(jose.JSONObjectWithFields):
 class Directory(jose.JSONDeSerializable):
     """Directory."""
 
-    _REGISTERED_TYPES: Dict[str, Type[Any]] = {}
+    _REGISTERED_TYPES = {}  # type: dict
 
     class Meta(jose.JSONObjectWithFields):
         """Directory Meta."""
@@ -200,8 +202,8 @@ class Directory(jose.JSONDeSerializable):
         external_account_required = jose.Field('externalAccountRequired', omitempty=True)
 
         def __init__(self, **kwargs):
-            kwargs = {self._internal_name(k): v for k, v in kwargs.items()}
-            super().__init__(**kwargs)
+            kwargs = dict((self._internal_name(k), v) for k, v in kwargs.items())
+            super(Directory.Meta, self).__init__(**kwargs)
 
         @property
         def terms_of_service(self):
@@ -211,7 +213,7 @@ class Directory(jose.JSONDeSerializable):
         def __iter__(self):
             # When iterating over fields, use the external name 'terms_of_service' instead of
             # the internal '_terms_of_service'.
-            for name in super().__iter__():
+            for name in super(Directory.Meta, self).__iter__():
                 yield name[1:] if name == '_terms_of_service' else name
 
         def _internal_name(self, name):
@@ -223,7 +225,7 @@ class Directory(jose.JSONDeSerializable):
         return getattr(key, 'resource_type', key)
 
     @classmethod
-    def register(cls, resource_body_cls: Type[Any]) -> Type[Any]:
+    def register(cls, resource_body_cls):
         """Register resource."""
         resource_type = resource_body_cls.resource_type
         assert resource_type not in cls._REGISTERED_TYPES
@@ -240,13 +242,13 @@ class Directory(jose.JSONDeSerializable):
         try:
             return self[name.replace('_', '-')]
         except KeyError as error:
-            raise AttributeError(str(error))
+            raise AttributeError(str(error) + ': ' + name)
 
     def __getitem__(self, name):
         try:
             return self._jobj[self._canon_key(name)]
         except KeyError:
-            raise KeyError('Directory field "' + self._canon_key(name) + '" not found')
+            raise KeyError('Directory field not found')
 
     def to_partial_json(self):
         return self._jobj
@@ -269,7 +271,7 @@ class Resource(jose.JSONObjectWithFields):
 class ResourceWithURI(Resource):
     """ACME Resource with URI.
 
-    :ivar unicode ~.uri: Location of the resource.
+    :ivar unicode uri: Location of the resource.
 
     """
     uri = jose.Field('uri')  # no ChallengeResource.uri
@@ -279,7 +281,7 @@ class ResourceBody(jose.JSONObjectWithFields):
     """ACME Resource Body."""
 
 
-class ExternalAccountBinding:
+class ExternalAccountBinding(object):
     """ACME External Account Binding"""
 
     @classmethod
@@ -309,9 +311,6 @@ class Registration(ResourceBody):
     # on new-reg key server ignores 'key' and populates it based on
     # JWS.signature.combined.jwk
     key = jose.Field('key', omitempty=True, decoder=jose.JWK.from_json)
-    # Contact field implements special behavior to allow messages that clear existing
-    # contacts while not expecting the `contact` field when loading from json.
-    # This is implemented in the constructor and *_json methods.
     contact = jose.Field('contact', omitempty=True, default=())
     agreement = jose.Field('agreement', omitempty=True)
     status = jose.Field('status', omitempty=True)
@@ -324,73 +323,24 @@ class Registration(ResourceBody):
 
     @classmethod
     def from_data(cls, phone=None, email=None, external_account_binding=None, **kwargs):
-        """
-        Create registration resource from contact details.
-
-        The `contact` keyword being passed to a Registration object is meaningful, so
-        this function represents empty iterables in its kwargs by passing on an empty
-        `tuple`.
-        """
-
-        # Note if `contact` was in kwargs.
-        contact_provided = 'contact' in kwargs
-
-        # Pop `contact` from kwargs and add formatted email or phone numbers
+        """Create registration resource from contact details."""
         details = list(kwargs.pop('contact', ()))
         if phone is not None:
             details.append(cls.phone_prefix + phone)
         if email is not None:
             details.extend([cls.email_prefix + mail for mail in email.split(',')])
-
-        # Insert formatted contact information back into kwargs
-        # or insert an empty tuple if `contact` provided.
-        if details or contact_provided:
-            kwargs['contact'] = tuple(details)
+        kwargs['contact'] = tuple(details)
 
         if external_account_binding:
             kwargs['external_account_binding'] = external_account_binding
 
         return cls(**kwargs)
 
-    def __init__(self, **kwargs):
-        """Note if the user provides a value for the `contact` member."""
-        if 'contact' in kwargs:
-            # Avoid the __setattr__ used by jose.TypedJSONObjectWithFields
-            object.__setattr__(self, '_add_contact', True)
-        super().__init__(**kwargs)
-
     def _filter_contact(self, prefix):
         return tuple(
             detail[len(prefix):] for detail in self.contact  # pylint: disable=not-an-iterable
             if detail.startswith(prefix))
 
-    def _add_contact_if_appropriate(self, jobj):
-        """
-        The `contact` member of Registration objects should not be required when
-        de-serializing (as it would be if the Fields' `omitempty` flag were `False`), but
-        it should be included in serializations if it was provided.
-
-        :param jobj: Dictionary containing this Registrations' data
-        :type jobj: dict
-
-        :returns: Dictionary containing Registrations data to transmit to the server
-        :rtype: dict
-        """
-        if getattr(self, '_add_contact', False):
-            jobj['contact'] = self.encode('contact')
-
-        return jobj
-
-    def to_partial_json(self):
-        """Modify josepy.JSONDeserializable.to_partial_json()"""
-        jobj = super().to_partial_json()
-        return self._add_contact_if_appropriate(jobj)
-
-    def fields_to_partial_json(self):
-        """Modify josepy.JSONObjectWithFields.fields_to_partial_json()"""
-        jobj = super().fields_to_partial_json()
-        return self._add_contact_if_appropriate(jobj)
-
     @property
     def phones(self):
         """All phones found in the ``contact`` field."""
@@ -403,13 +353,13 @@ class Registration(ResourceBody):
 
 
 @Directory.register
-class NewRegistration(ResourceMixin, Registration):
+class NewRegistration(Registration):
     """New registration."""
     resource_type = 'new-reg'
     resource = fields.Resource(resource_type)
 
 
-class UpdateRegistration(ResourceMixin, Registration):
+class UpdateRegistration(Registration):
     """Update registration."""
     resource_type = 'reg'
     resource = fields.Resource(resource_type)
@@ -459,20 +409,20 @@ class ChallengeBody(ResourceBody):
                        omitempty=True, default=None)
 
     def __init__(self, **kwargs):
-        kwargs = {self._internal_name(k): v for k, v in kwargs.items()}
-        super().__init__(**kwargs)
+        kwargs = dict((self._internal_name(k), v) for k, v in kwargs.items())
+        super(ChallengeBody, self).__init__(**kwargs)
 
     def encode(self, name):
-        return super().encode(self._internal_name(name))
+        return super(ChallengeBody, self).encode(self._internal_name(name))
 
     def to_partial_json(self):
-        jobj = super().to_partial_json()
+        jobj = super(ChallengeBody, self).to_partial_json()
         jobj.update(self.chall.to_partial_json())
         return jobj
 
     @classmethod
     def fields_from_json(cls, jobj):
-        jobj_fields = super().fields_from_json(jobj)
+        jobj_fields = super(ChallengeBody, cls).fields_from_json(jobj)
         jobj_fields['chall'] = challenges.Challenge.from_json(jobj)
         return jobj_fields
 
@@ -487,7 +437,7 @@ class ChallengeBody(ResourceBody):
     def __iter__(self):
         # When iterating over fields, use the external name 'uri' instead of
         # the internal '_uri'.
-        for name in super().__iter__():
+        for name in super(ChallengeBody, self).__iter__():
             yield name[1:] if name == '_uri' else name
 
     def _internal_name(self, name):
@@ -507,6 +457,7 @@ class ChallengeResource(Resource):
     @property
     def uri(self):
         """The URL of the challenge body."""
+        # pylint: disable=function-redefined,no-member
         return self.body.uri
 
 
@@ -533,10 +484,8 @@ class Authorization(ResourceBody):
     expires = fields.RFC3339Field('expires', omitempty=True)
     wildcard = jose.Field('wildcard', omitempty=True)
 
-    # Mypy does not understand the josepy magic happening here, and falsely claims
-    # that challenge is redefined. Let's ignore the type check here.
-    @challenges.decoder  # type: ignore
-    def challenges(value):  # pylint: disable=no-self-argument,missing-function-docstring
+    @challenges.decoder
+    def challenges(value):  # pylint: disable=missing-docstring,no-self-argument
         return tuple(ChallengeBody.from_json(chall) for chall in value)
 
     @property
@@ -547,13 +496,13 @@ class Authorization(ResourceBody):
 
 
 @Directory.register
-class NewAuthorization(ResourceMixin, Authorization):
+class NewAuthorization(Authorization):
     """New authorization."""
     resource_type = 'new-authz'
     resource = fields.Resource(resource_type)
 
 
-class UpdateAuthorization(ResourceMixin, Authorization):
+class UpdateAuthorization(Authorization):
     """Update authorization."""
     resource_type = 'authz'
     resource = fields.Resource(resource_type)
@@ -571,7 +520,7 @@ class AuthorizationResource(ResourceWithURI):
 
 
 @Directory.register
-class CertificateRequest(ResourceMixin, jose.JSONObjectWithFields):
+class CertificateRequest(jose.JSONObjectWithFields):
     """ACME new-cert request.
 
     :ivar josepy.util.ComparableX509 csr:
@@ -597,7 +546,7 @@ class CertificateResource(ResourceWithURI):
 
 
 @Directory.register
-class Revocation(ResourceMixin, jose.JSONObjectWithFields):
+class Revocation(jose.JSONObjectWithFields):
     """Revocation message.
 
     :ivar .ComparableX509 certificate: `OpenSSL.crypto.X509` wrapped in
@@ -614,16 +563,14 @@ class Revocation(ResourceMixin, jose.JSONObjectWithFields):
 class Order(ResourceBody):
     """Order Resource Body.
 
-    :ivar identifiers: List of identifiers for the certificate.
-    :vartype identifiers: `list` of `.Identifier`
+    :ivar list of .Identifier: List of identifiers for the certificate.
     :ivar acme.messages.Status status:
-    :ivar authorizations: URLs of authorizations.
-    :vartype authorizations: `list` of `str`
+    :ivar list of str authorizations: URLs of authorizations.
     :ivar str certificate: URL to download certificate as a fullchain PEM.
     :ivar str finalize: URL to POST to to request issuance once all
         authorizations have "valid" status.
     :ivar datetime.datetime expires: When the order expires.
-    :ivar ~.Error error: Any error that occurred during finalization, if applicable.
+    :ivar .Error error: Any error that occurred during finalization, if applicable.
     """
     identifiers = jose.Field('identifiers', omitempty=True)
     status = jose.Field('status', decoder=Status.from_json,
@@ -634,10 +581,8 @@ class Order(ResourceBody):
     expires = fields.RFC3339Field('expires', omitempty=True)
     error = jose.Field('error', omitempty=True, decoder=Error.from_json)
 
-    # Mypy does not understand the josepy magic happening here, and falsely claims
-    # that identifiers is redefined. Let's ignore the type check here.
-    @identifiers.decoder  # type: ignore
-    def identifiers(value):  # pylint: disable=no-self-argument,missing-function-docstring
+    @identifiers.decoder
+    def identifiers(value):  # pylint: disable=missing-docstring,no-self-argument
         return tuple(Identifier.from_json(identifier) for identifier in value)
 
 class OrderResource(ResourceWithURI):
@@ -645,20 +590,15 @@ class OrderResource(ResourceWithURI):
 
     :ivar acme.messages.Order body:
     :ivar str csr_pem: The CSR this Order will be finalized with.
-    :ivar authorizations: Fully-fetched AuthorizationResource objects.
-    :vartype authorizations: `list` of `acme.messages.AuthorizationResource`
+    :ivar list of acme.messages.AuthorizationResource authorizations:
+        Fully-fetched AuthorizationResource objects.
     :ivar str fullchain_pem: The fetched contents of the certificate URL
         produced once the order was finalized, if it's present.
-    :ivar alternative_fullchains_pem: The fetched contents of alternative certificate
-        chain URLs produced once the order was finalized, if present and requested during
-        finalization.
-    :vartype alternative_fullchains_pem: `list` of `str`
     """
     body = jose.Field('body', decoder=Order.from_json)
     csr_pem = jose.Field('csr_pem', omitempty=True)
     authorizations = jose.Field('authorizations')
     fullchain_pem = jose.Field('fullchain_pem', omitempty=True)
-    alternative_fullchains_pem = jose.Field('alternative_fullchains_pem', omitempty=True)
 
 @Directory.register
 class NewOrder(Order):

acme/acme/messages_test.py

@@ -1,12 +1,13 @@
 """Tests for acme.messages."""
-from typing import Dict
 import unittest
-from unittest import mock
 
 import josepy as jose
+import mock
 
 from acme import challenges
-import test_util
+from acme import test_util
+from acme.magic_typing import Dict # pylint: disable=unused-import, no-name-in-module
+
 
 CERT = test_util.load_comparable_cert('cert.der')
 CSR = test_util.load_comparable_csr('csr.der')
@@ -18,7 +19,8 @@ class ErrorTest(unittest.TestCase):
 
     def setUp(self):
         from acme.messages import Error, ERROR_PREFIX
-        self.error = Error.with_code('malformed', detail='foo', title='title')
+        self.error = Error(
+            detail='foo', typ=ERROR_PREFIX + 'malformed', title='title')
         self.jobj = {
             'detail': 'foo',
             'title': 'some title',
@@ -26,6 +28,7 @@ class ErrorTest(unittest.TestCase):
         }
         self.error_custom = Error(typ='custom', detail='bar')
         self.empty_error = Error()
+        self.jobj_custom = {'type': 'custom', 'detail': 'bar'}
 
     def test_default_typ(self):
         from acme.messages import Error
@@ -40,27 +43,28 @@ class ErrorTest(unittest.TestCase):
         hash(Error.from_json(self.error.to_json()))
 
     def test_description(self):
-        self.assertEqual('The request message was malformed', self.error.description)
-        self.assertIsNone(self.error_custom.description)
+        self.assertEqual(
+            'The request message was malformed', self.error.description)
+        self.assertTrue(self.error_custom.description is None)
 
     def test_code(self):
         from acme.messages import Error
         self.assertEqual('malformed', self.error.code)
-        self.assertIsNone(self.error_custom.code)
-        self.assertIsNone(Error().code)
+        self.assertEqual(None, self.error_custom.code)
+        self.assertEqual(None, Error().code)
 
     def test_is_acme_error(self):
-        from acme.messages import is_acme_error, Error
+        from acme.messages import is_acme_error
         self.assertTrue(is_acme_error(self.error))
         self.assertFalse(is_acme_error(self.error_custom))
-        self.assertFalse(is_acme_error(Error()))
         self.assertFalse(is_acme_error(self.empty_error))
         self.assertFalse(is_acme_error("must pet all the {dogs|rabbits}"))
 
     def test_unicode_error(self):
-        from acme.messages import Error, is_acme_error
-        arabic_error = Error.with_code(
-            'malformed', detail=u'\u0639\u062f\u0627\u0644\u0629', title='title')
+        from acme.messages import Error, ERROR_PREFIX, is_acme_error
+        arabic_error = Error(
+                detail=u'\u0639\u062f\u0627\u0644\u0629', typ=ERROR_PREFIX + 'malformed',
+            title='title')
         self.assertTrue(is_acme_error(arabic_error))
 
     def test_with_code(self):
@@ -82,7 +86,7 @@ class ConstantTest(unittest.TestCase):
         from acme.messages import _Constant
 
         class MockConstant(_Constant):  # pylint: disable=missing-docstring
-            POSSIBLE_NAMES: Dict = {}
+            POSSIBLE_NAMES = {} # type: Dict
 
         self.MockConstant = MockConstant  # pylint: disable=invalid-name
         self.const_a = MockConstant('a')
@@ -106,11 +110,11 @@ class ConstantTest(unittest.TestCase):
 
     def test_equality(self):
         const_a_prime = self.MockConstant('a')
-        self.assertNotEqual(self.const_a, self.const_b)
-        self.assertEqual(self.const_a, const_a_prime)
+        self.assertFalse(self.const_a == self.const_b)
+        self.assertTrue(self.const_a == const_a_prime)
 
-        self.assertNotEqual(self.const_a, self.const_b)
-        self.assertEqual(self.const_a, const_a_prime)
+        self.assertTrue(self.const_a != self.const_b)
+        self.assertFalse(self.const_a != const_a_prime)
 
 
 class DirectoryTest(unittest.TestCase):
@@ -252,19 +256,6 @@ class RegistrationTest(unittest.TestCase):
         from acme.messages import Registration
         hash(Registration.from_json(self.jobj_from))
 
-    def test_default_not_transmitted(self):
-        from acme.messages import NewRegistration
-        empty_new_reg = NewRegistration()
-        new_reg_with_contact = NewRegistration(contact=())
-
-        self.assertEqual(empty_new_reg.contact, ())
-        self.assertEqual(new_reg_with_contact.contact, ())
-
-        self.assertNotIn('contact', empty_new_reg.to_partial_json())
-        self.assertNotIn('contact', empty_new_reg.fields_to_partial_json())
-        self.assertIn('contact', new_reg_with_contact.to_partial_json())
-        self.assertIn('contact', new_reg_with_contact.fields_to_partial_json())
-
 
 class UpdateRegistrationTest(unittest.TestCase):
     """Tests for acme.messages.UpdateRegistration."""
@@ -314,7 +305,8 @@ class ChallengeBodyTest(unittest.TestCase):
         from acme.messages import Error
         from acme.messages import STATUS_INVALID
         self.status = STATUS_INVALID
-        error = Error.with_code('serverInternal', detail='Unable to communicate with DNS server')
+        error = Error(typ='urn:ietf:params:acme:error:serverInternal',
+                      detail='Unable to communicate with DNS server')
         self.challb = ChallengeBody(
             uri='http://challb', chall=self.chall, status=self.status,
             error=error)
@@ -406,7 +398,7 @@ class AuthorizationResourceTest(unittest.TestCase):
         authzr = AuthorizationResource(
             uri=mock.sentinel.uri,
             body=mock.sentinel.body)
-        self.assertIsInstance(authzr, jose.JSONDeSerializable)
+        self.assertTrue(isinstance(authzr, jose.JSONDeSerializable))
 
 
 class CertificateRequestTest(unittest.TestCase):
@@ -417,7 +409,7 @@ class CertificateRequestTest(unittest.TestCase):
         self.req = CertificateRequest(csr=CSR)
 
     def test_json_de_serializable(self):
-        self.assertIsInstance(self.req, jose.JSONDeSerializable)
+        self.assertTrue(isinstance(self.req, jose.JSONDeSerializable))
         from acme.messages import CertificateRequest
         self.assertEqual(
             self.req, CertificateRequest.from_json(self.req.to_json()))
@@ -433,7 +425,7 @@ class CertificateResourceTest(unittest.TestCase):
             cert_chain_uri=mock.sentinel.cert_chain_uri)
 
     def test_json_de_serializable(self):
-        self.assertIsInstance(self.certr, jose.JSONDeSerializable)
+        self.assertTrue(isinstance(self.certr, jose.JSONDeSerializable))
         from acme.messages import CertificateResource
         self.assertEqual(
             self.certr, CertificateResource.from_json(self.certr.to_json()))
@@ -466,7 +458,6 @@ class OrderResourceTest(unittest.TestCase):
             'authorizations': None,
         })
 
-
 class NewOrderTest(unittest.TestCase):
     """Tests for acme.messages.NewOrder."""
 
@@ -481,18 +472,5 @@ class NewOrderTest(unittest.TestCase):
         })
 
 
-class JWSPayloadRFC8555Compliant(unittest.TestCase):
-    """Test for RFC8555 compliance of JWS generated from resources/challenges"""
-    def test_message_payload(self):
-        from acme.messages import NewAuthorization
-
-        new_order = NewAuthorization()
-        new_order.le_acme_version = 2
-
-        jobj = new_order.json_dumps(indent=2).encode()
-        # RFC8555 states that JWS bodies must not have a resource field.
-        self.assertEqual(jobj, b'{}')
-
-
 if __name__ == '__main__':
     unittest.main()  # pragma: no cover

acme/acme/mixins.py

@@ -1,65 +0,0 @@
-"""Useful mixins for Challenge and Resource objects"""
-
-
-class VersionedLEACMEMixin:
-    """This mixin stores the version of Let's Encrypt's endpoint being used."""
-    @property
-    def le_acme_version(self):
-        """Define the version of ACME protocol to use"""
-        return getattr(self, '_le_acme_version', 1)
-
-    @le_acme_version.setter
-    def le_acme_version(self, version):
-        # We need to use object.__setattr__ to not depend on the specific implementation of
-        # __setattr__  in current class (eg. jose.TypedJSONObjectWithFields raises AttributeError
-        # for any attempt to set an attribute to make objects immutable).
-        object.__setattr__(self, '_le_acme_version', version)
-
-    def __setattr__(self, key, value):
-        if key == 'le_acme_version':
-            # Required for @property to operate properly. See comment above.
-            object.__setattr__(self, key, value)
-        else:
-            super().__setattr__(key, value)  # pragma: no cover
-
-
-class ResourceMixin(VersionedLEACMEMixin):
-    """
-    This mixin generates a RFC8555 compliant JWS payload
-    by removing the `resource` field if needed (eg. ACME v2 protocol).
-    """
-    def to_partial_json(self):
-        """See josepy.JSONDeserializable.to_partial_json()"""
-        return _safe_jobj_compliance(super(),
-                                     'to_partial_json', 'resource')
-
-    def fields_to_partial_json(self):
-        """See josepy.JSONObjectWithFields.fields_to_partial_json()"""
-        return _safe_jobj_compliance(super(),
-                                     'fields_to_partial_json', 'resource')
-
-
-class TypeMixin(VersionedLEACMEMixin):
-    """
-    This mixin allows generation of a RFC8555 compliant JWS payload
-    by removing the `type` field if needed (eg. ACME v2 protocol).
-    """
-    def to_partial_json(self):
-        """See josepy.JSONDeserializable.to_partial_json()"""
-        return _safe_jobj_compliance(super(),
-                                     'to_partial_json', 'type')
-
-    def fields_to_partial_json(self):
-        """See josepy.JSONObjectWithFields.fields_to_partial_json()"""
-        return _safe_jobj_compliance(super(),
-                                     'fields_to_partial_json', 'type')
-
-
-def _safe_jobj_compliance(instance, jobj_method, uncompliant_field):
-    if hasattr(instance, jobj_method):
-        jobj = getattr(instance, jobj_method)()
-        if instance.le_acme_version == 2:
-            jobj.pop(uncompliant_field, None)
-        return jobj
-
-    raise AttributeError('Method {0}() is not implemented.'.format(jobj_method))  # pragma: no cover

acme/acme/standalone.py

@@ -1,19 +1,24 @@
 """Support for standalone client challenge solvers. """
 import collections
 import functools
-import http.client as http_client
-import http.server as BaseHTTPServer
 import logging
 import socket
-import socketserver
 import threading
-from typing import List
+
+from six.moves import BaseHTTPServer  # type: ignore  # pylint: disable=import-error
+from six.moves import http_client  # pylint: disable=import-error
+from six.moves import socketserver  # type: ignore  # pylint: disable=import-error
 
 from acme import challenges
 from acme import crypto_util
+from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-module
+
 
 logger = logging.getLogger(__name__)
 
+# six.moves.* | pylint: disable=no-member,attribute-defined-outside-init
+# pylint: disable=no-init
+
 
 class TLSServer(socketserver.TCPServer):
     """Generic TLS Server."""
@@ -26,34 +31,28 @@ class TLSServer(socketserver.TCPServer):
             self.address_family = socket.AF_INET
         self.certs = kwargs.pop("certs", {})
         self.method = kwargs.pop(
+            # pylint: disable=protected-access
             "method", crypto_util._DEFAULT_SSL_METHOD)
         self.allow_reuse_address = kwargs.pop("allow_reuse_address", True)
         socketserver.TCPServer.__init__(self, *args, **kwargs)
 
     def _wrap_sock(self):
         self.socket = crypto_util.SSLSocket(
-            self.socket, cert_selection=self._cert_selection,
-            alpn_selection=getattr(self, '_alpn_selection', None),
-            method=self.method)
+            self.socket, certs=self.certs, method=self.method)
 
-    def _cert_selection(self, connection):  # pragma: no cover
-        """Callback selecting certificate for connection."""
-        server_name = connection.get_servername()
-        return self.certs.get(server_name, None)
-
-    def server_bind(self):
+    def server_bind(self):  # pylint: disable=missing-docstring
         self._wrap_sock()
         return socketserver.TCPServer.server_bind(self)
 
 
-class ACMEServerMixin:
+class ACMEServerMixin:  # pylint: disable=old-style-class
     """ACME server common settings mixin."""
     # TODO: c.f. #858
     server_version = "ACME client standalone challenge solver"
     allow_reuse_address = True
 
 
-class BaseDualNetworkedServers:
+class BaseDualNetworkedServers(object):
     """Base class for a pair of IPv6 and IPv4 servers that tries to do everything
        it's asked for both servers, but where failures in one server don't
        affect the other.
@@ -63,8 +62,8 @@ class BaseDualNetworkedServers:
 
     def __init__(self, ServerClass, server_address, *remaining_args, **kwargs):
         port = server_address[1]
-        self.threads: List[threading.Thread] = []
-        self.servers: List[socketserver.BaseServer] = []
+        self.threads = [] # type: List[threading.Thread]
+        self.servers = [] # type: List[ACMEServerMixin]
 
         # Must try True first.
         # Ubuntu, for example, will fail to bind to IPv4 if we've already bound
@@ -107,6 +106,7 @@ class BaseDualNetworkedServers:
         """Wraps socketserver.TCPServer.serve_forever"""
         for server in self.servers:
             thread = threading.Thread(
+                # pylint: disable=no-member
                 target=server.serve_forever)
             thread.start()
             self.threads.append(thread)
@@ -126,40 +126,6 @@ class BaseDualNetworkedServers:
         self.threads = []
 
 
-class TLSALPN01Server(TLSServer, ACMEServerMixin):
-    """TLSALPN01 Server."""
-
-    ACME_TLS_1_PROTOCOL = b"acme-tls/1"
-
-    def __init__(self, server_address, certs, challenge_certs, ipv6=False):
-        TLSServer.__init__(
-            self, server_address, _BaseRequestHandlerWithLogging, certs=certs,
-            ipv6=ipv6)
-        self.challenge_certs = challenge_certs
-
-    def _cert_selection(self, connection):
-        # TODO: We would like to serve challenge cert only if asked for it via
-        # ALPN. To do this, we need to retrieve the list of protos from client
-        # hello, but this is currently impossible with openssl [0], and ALPN
-        # negotiation is done after cert selection.
-        # Therefore, currently we always return challenge cert, and terminate
-        # handshake in alpn_selection() if ALPN protos are not what we expect.
-        # [0] https://github.com/openssl/openssl/issues/4952
-        server_name = connection.get_servername()
-        logger.debug("Serving challenge cert for server name %s", server_name)
-        return self.challenge_certs.get(server_name, None)
-
-    def _alpn_selection(self, _connection, alpn_protos):
-        """Callback to select alpn protocol."""
-        if len(alpn_protos) == 1 and alpn_protos[0] == self.ACME_TLS_1_PROTOCOL:
-            logger.debug("Agreed on %s ALPN", self.ACME_TLS_1_PROTOCOL)
-            return self.ACME_TLS_1_PROTOCOL
-        logger.debug("Cannot agree on ALPN proto. Got: %s", str(alpn_protos))
-        # Explicitly close the connection now, by returning an empty string.
-        # See https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_alpn_select_callback  # pylint: disable=line-too-long
-        return b""
-
-
 class HTTPServer(BaseHTTPServer.HTTPServer):
     """Generic HTTP Server."""
 
@@ -175,10 +141,10 @@ class HTTPServer(BaseHTTPServer.HTTPServer):
 class HTTP01Server(HTTPServer, ACMEServerMixin):
     """HTTP01 Server."""
 
-    def __init__(self, server_address, resources, ipv6=False, timeout=30):
+    def __init__(self, server_address, resources, ipv6=False):
         HTTPServer.__init__(
             self, server_address, HTTP01RequestHandler.partial_init(
-                simple_http_resources=resources, timeout=timeout), ipv6=ipv6)
+                simple_http_resources=resources), ipv6=ipv6)
 
 
 class HTTP01DualNetworkedServers(BaseDualNetworkedServers):
@@ -203,24 +169,7 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 
     def __init__(self, *args, **kwargs):
         self.simple_http_resources = kwargs.pop("simple_http_resources", set())
-        self._timeout = kwargs.pop('timeout', 30)
         BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kwargs)
-        self.server: HTTP01Server
-
-    # In parent class BaseHTTPRequestHandler, 'timeout' is a class-level property but we
-    # need to define its value during the initialization phase in HTTP01RequestHandler.
-    # However MyPy does not appreciate that we dynamically shadow a class-level property
-    # with an instance-level property (eg. self.timeout = ... in __init__()). So to make
-    # everyone happy, we statically redefine 'timeout' as a method property, and set the
-    # timeout value in a new internal instance-level property _timeout.
-    @property
-    def timeout(self):
-        """
-        The default timeout this server should apply to requests.
-        :return: timeout to apply
-        :rtype: int
-        """
-        return self._timeout
 
     def log_message(self, format, *args):  # pylint: disable=redefined-builtin
         """Log arbitrary message."""
@@ -231,7 +180,7 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
         self.log_message("Incoming request")
         BaseHTTPServer.BaseHTTPRequestHandler.handle(self)
 
-    def do_GET(self):  # pylint: disable=invalid-name,missing-function-docstring
+    def do_GET(self):  # pylint: disable=invalid-name,missing-docstring
         if self.path == "/":
             self.handle_index()
         elif self.path.startswith("/" + challenges.HTTP01.URI_ROOT_PATH):
@@ -269,7 +218,7 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
                          self.path)
 
     @classmethod
-    def partial_init(cls, simple_http_resources, timeout):
+    def partial_init(cls, simple_http_resources):
         """Partially initialize this handler.
 
         This is useful because `socketserver.BaseServer` takes
@@ -278,18 +227,4 @@ class HTTP01RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 
         """
         return functools.partial(
-            cls, simple_http_resources=simple_http_resources,
-            timeout=timeout)
-
-
-class _BaseRequestHandlerWithLogging(socketserver.BaseRequestHandler):
-    """BaseRequestHandler with logging."""
-
-    def log_message(self, format, *args):  # pylint: disable=redefined-builtin
-        """Log arbitrary message."""
-        logger.debug("%s - - %s", self.client_address[0], format % args)
-
-    def handle(self):
-        """Handle request."""
-        self.log_message("Incoming request")
-        socketserver.BaseRequestHandler.handle(self)
+            cls, simple_http_resources=simple_http_resources)

acme/acme/standalone_test.py

@@ -1,20 +1,18 @@
 """Tests for acme.standalone."""
-import http.client as http_client
 import socket
-import socketserver
 import threading
 import unittest
-from typing import Set
-from unittest import mock
+
+from six.moves import http_client  # pylint: disable=import-error
+from six.moves import socketserver  # type: ignore  # pylint: disable=import-error
 
 import josepy as jose
+import mock
 import requests
 
 from acme import challenges
-from acme import crypto_util
-from acme import errors
-
-import test_util
+from acme import test_util
+from acme.magic_typing import Set # pylint: disable=unused-import, no-name-in-module
 
 
 class TLSServerTest(unittest.TestCase):
@@ -42,7 +40,7 @@ class HTTP01ServerTest(unittest.TestCase):
     def setUp(self):
         self.account_key = jose.JWK.load(
             test_util.load_vector('rsa1024_key.pem'))
-        self.resources: Set = set()
+        self.resources = set() # type: Set
 
         from acme.standalone import HTTP01Server
         self.server = HTTP01Server(('', 0), resources=self.resources)
@@ -86,81 +84,6 @@ class HTTP01ServerTest(unittest.TestCase):
     def test_http01_not_found(self):
         self.assertFalse(self._test_http01(add=False))
 
-    def test_timely_shutdown(self):
-        from acme.standalone import HTTP01Server
-        server = HTTP01Server(('', 0), resources=set(), timeout=0.05)
-        server_thread = threading.Thread(target=server.serve_forever)
-        server_thread.start()
-
-        client = socket.socket()
-        client.connect(('localhost', server.socket.getsockname()[1]))
-
-        stop_thread = threading.Thread(target=server.shutdown)
-        stop_thread.start()
-        server_thread.join(5.)
-
-        is_hung = server_thread.is_alive()
-        try:
-            client.shutdown(socket.SHUT_RDWR)
-        except: # pragma: no cover, pylint: disable=bare-except
-            # may raise error because socket could already be closed
-            pass
-
-        self.assertFalse(is_hung, msg='Server shutdown should not be hung')
-
-
-@unittest.skipIf(not challenges.TLSALPN01.is_supported(), "pyOpenSSL too old")
-class TLSALPN01ServerTest(unittest.TestCase):
-    """Test for acme.standalone.TLSALPN01Server."""
-
-    def setUp(self):
-        self.certs = {b'localhost': (
-            test_util.load_pyopenssl_private_key('rsa2048_key.pem'),
-            test_util.load_cert('rsa2048_cert.pem'),
-        )}
-        # Use different certificate for challenge.
-        self.challenge_certs = {b'localhost': (
-            test_util.load_pyopenssl_private_key('rsa4096_key.pem'),
-            test_util.load_cert('rsa4096_cert.pem'),
-        )}
-        from acme.standalone import TLSALPN01Server
-        self.server = TLSALPN01Server(("localhost", 0), certs=self.certs,
-                challenge_certs=self.challenge_certs)
-        # pylint: disable=no-member
-        self.thread = threading.Thread(target=self.server.serve_forever)
-        self.thread.start()
-
-    def tearDown(self):
-        self.server.shutdown()  # pylint: disable=no-member
-        self.thread.join()
-
-    # TODO: This is not implemented yet, see comments in standalone.py
-    # def test_certs(self):
-    #    host, port = self.server.socket.getsockname()[:2]
-    #    cert = crypto_util.probe_sni(
-    #        b'localhost', host=host, port=port, timeout=1)
-    #    # Expect normal cert when connecting without ALPN.
-    #    self.assertEqual(jose.ComparableX509(cert),
-    #                     jose.ComparableX509(self.certs[b'localhost'][1]))
-
-    def test_challenge_certs(self):
-        host, port = self.server.socket.getsockname()[:2]
-        cert = crypto_util.probe_sni(
-            b'localhost', host=host, port=port, timeout=1,
-            alpn_protocols=[b"acme-tls/1"])
-        #  Expect challenge cert when connecting with ALPN.
-        self.assertEqual(
-                jose.ComparableX509(cert),
-                jose.ComparableX509(self.challenge_certs[b'localhost'][1])
-        )
-
-    def test_bad_alpn(self):
-        host, port = self.server.socket.getsockname()[:2]
-        with self.assertRaises(errors.Error):
-            crypto_util.probe_sni(
-                b'localhost', host=host, port=port, timeout=1,
-                alpn_protocols=[b"bad-alpn"])
-
 
 class BaseDualNetworkedServersTest(unittest.TestCase):
     """Test for acme.standalone.BaseDualNetworkedServers."""
@@ -216,10 +139,11 @@ class BaseDualNetworkedServersTest(unittest.TestCase):
 class HTTP01DualNetworkedServersTest(unittest.TestCase):
     """Tests for acme.standalone.HTTP01DualNetworkedServers."""
 
+
     def setUp(self):
         self.account_key = jose.JWK.load(
             test_util.load_vector('rsa1024_key.pem'))
-        self.resources: Set = set()
+        self.resources = set() # type: Set
 
         from acme.standalone import HTTP01DualNetworkedServers
         self.servers = HTTP01DualNetworkedServers(('', 0), resources=self.resources)

acme/acme/test_util.py

@@ -4,12 +4,12 @@
 
 """
 import os
+import pkg_resources
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 import josepy as jose
 from OpenSSL import crypto
-import pkg_resources
 
 
 def load_vector(*names):
@@ -25,7 +25,8 @@ def _guess_loader(filename, loader_pem, loader_der):
         return loader_pem
     elif ext.lower() == '.der':
         return loader_der
-    raise ValueError("Loader could not be recognized based on extension")  # pragma: no cover
+    else:  # pragma: no cover
+        raise ValueError("Loader could not be recognized based on extension")
 
 
 def load_cert(*names):

acme/acme/testdata/README

@@ -4,14 +4,12 @@ to use appropriate extension for vector filenames: .pem for PEM and
 
 The following command has been used to generate test keys:
 
-  for k in 256 512 1024 2048 4096; do openssl genrsa -out rsa${k}_key.pem $k; done
+  for x in 256 512 1024 2048; do openssl genrsa -out rsa${k}_key.pem $k; done
 
 and for the CSR:
 
   openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER > csr.der
 
-and for the certificates:
+and for the certificate:
 
-  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der
-  openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 > rsa2048_cert.pem
-  openssl req -key rsa1024_key.pem -new -subj '/CN=example.com' -x509 > rsa1024_cert.pem
+  openssl req -key rsa2047_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der

acme/acme/util.py

@@ -1,6 +1,7 @@
 """ACME utilities."""
+import six
 
 
 def map_keys(dikt, func):
     """Map dictionary keys."""
-    return {func(key): value for key, value in dikt.items()}
+    return dict((func(key), value) for key, value in six.iteritems(dikt))

acme/docs/Makefile

@@ -9,7 +9,7 @@ BUILDDIR      = _build
 
 # User-friendly check for sphinx-build
 ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
-$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from https://www.sphinx-doc.org/)
+$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
 endif
 
 # Internal variables.

acme/docs/conf.py

@@ -12,8 +12,10 @@
 # All configuration values have a default; values that are commented out
 # serve to show the default.
 
-import os
 import sys
+import os
+import shlex
+
 
 here = os.path.abspath(os.path.dirname(__file__))
 
@@ -40,7 +42,7 @@ extensions = [
 ]
 
 autodoc_member_order = 'bysource'
-autodoc_default_flags = ['show-inheritance']
+autodoc_default_flags = ['show-inheritance', 'private-members']
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -85,9 +87,7 @@ language = 'en'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = [
-    '_build',
-]
+exclude_patterns = ['_build']
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
@@ -114,7 +114,7 @@ pygments_style = 'sphinx'
 #keep_warnings = False
 
 # If true, `todo` and `todoList` produce output, else they produce nothing.
-todo_include_todos = False
+todo_include_todos = True
 
 
 # -- Options for HTML output ----------------------------------------------
@@ -122,7 +122,7 @@ todo_include_todos = False
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 
-# https://docs.readthedocs.io/en/stable/faq.html#i-want-to-use-the-read-the-docs-theme-locally
+# http://docs.readthedocs.org/en/latest/theme.html#how-do-i-use-this-locally-and-on-read-the-docs
 # on_rtd is whether we are on readthedocs.org
 on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
 if not on_rtd:  # only import and set the theme if we're building docs locally

acme/docs/make.bat

@@ -65,7 +65,7 @@ if errorlevel 9009 (
 	echo.may add the Sphinx directory to PATH.
 	echo.
 	echo.If you don't have Sphinx installed, grab it from
-	echo.https://www.sphinx-doc.org/
+	echo.http://sphinx-doc.org/
 	exit /b 1
 )
 

acme/docs/man/jws.rst

@@ -1,3 +1 @@
-:orphan:
-
 .. literalinclude:: ../jws-help.txt

acme/examples/http01_example.py

@@ -26,10 +26,8 @@ Workflow:
     - Deactivate Account
 """
 from contextlib import contextmanager
-
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
-import josepy as jose
 import OpenSSL
 
 from acme import challenges
@@ -38,6 +36,7 @@ from acme import crypto_util
 from acme import errors
 from acme import messages
 from acme import standalone
+import josepy as jose
 
 # Constants:
 

acme/setup.py

@@ -1,22 +1,28 @@
+from setuptools import setup
+from setuptools import find_packages
+from setuptools.command.test import test as TestCommand
 import sys
 
-from setuptools import find_packages
-from setuptools import setup
-
-version = '1.17.0.dev0'
+version = '1.0.0.dev0'
 
+# Please update tox.ini when modifying dependency version requirements
 install_requires = [
-    'cryptography>=2.1.4',
+    # load_pem_private/public_key (>=0.6)
+    # rsa_recover_prime_factors (>=0.8)
+    'cryptography>=1.2.3',
     # formerly known as acme.jose:
     # 1.1.0+ is required to avoid the warnings described at
     # https://github.com/certbot/josepy/issues/13.
     'josepy>=1.1.0',
-    'PyOpenSSL>=17.3.0',
+    # Connection.set_tlsext_host_name (>=0.13)
+    'mock',
+    'PyOpenSSL>=0.13.1',
     'pyrfc3339',
     'pytz',
-    'requests>=2.6.0',
+    'requests[security]>=2.6.0',  # security extras added in 2.4.1
     'requests-toolbelt>=0.3.0',
-    'setuptools>=39.0.1',
+    'setuptools',
+    'six>=1.9.0',  # needed for python_2_unicode_compatible
 ]
 
 dev_extras = [
@@ -30,25 +36,44 @@ docs_extras = [
     'sphinx_rtd_theme',
 ]
 
+
+class PyTest(TestCommand):
+    user_options = []
+
+    def initialize_options(self):
+        TestCommand.initialize_options(self)
+        self.pytest_args = ''
+
+    def run_tests(self):
+        import shlex
+        # import here, cause outside the eggs aren't loaded
+        import pytest
+        errno = pytest.main(shlex.split(self.pytest_args))
+        sys.exit(errno)
+
+
 setup(
     name='acme',
     version=version,
     description='ACME protocol implementation in Python',
     url='https://github.com/letsencrypt/letsencrypt',
     author="Certbot Project",
-    author_email='certbot-dev@eff.org',
+    author_email='client-dev@letsencrypt.org',
     license='Apache License 2.0',
-    python_requires='>=3.6',
+    python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Intended Audience :: Developers',
         'License :: OSI Approved :: Apache Software License',
         'Programming Language :: Python',
+        'Programming Language :: Python :: 2',
+        'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
+        'Programming Language :: Python :: 3.4',
+        'Programming Language :: Python :: 3.5',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
-        'Programming Language :: Python :: 3.9',
         'Topic :: Internet :: WWW/HTTP',
         'Topic :: Security',
     ],
@@ -60,4 +85,7 @@ setup(
         'dev': dev_extras,
         'docs': docs_extras,
     },
+    test_suite='acme',
+    tests_require=["pytest"],
+    cmdclass={"test": PyTest},
 )

acme/tests/magic_typing_test.py

@@ -1,30 +0,0 @@
-"""Tests for acme.magic_typing."""
-import sys
-import unittest
-import warnings
-from unittest import mock
-
-
-class MagicTypingTest(unittest.TestCase):
-    """Tests for acme.magic_typing."""
-    def test_import_success(self):
-        try:
-            import typing as temp_typing
-        except ImportError:  # pragma: no cover
-            temp_typing = None  # pragma: no cover
-        typing_class_mock = mock.MagicMock()
-        text_mock = mock.MagicMock()
-        typing_class_mock.Text = text_mock
-        sys.modules['typing'] = typing_class_mock
-        if 'acme.magic_typing' in sys.modules:
-            del sys.modules['acme.magic_typing']  # pragma: no cover
-        with warnings.catch_warnings():
-            warnings.filterwarnings("ignore", category=DeprecationWarning)
-            from acme.magic_typing import Text
-        self.assertEqual(Text, text_mock)
-        del sys.modules['acme.magic_typing']
-        sys.modules['typing'] = temp_typing
-
-
-if __name__ == '__main__':
-    unittest.main()  # pragma: no cover

acme/tests/testdata/rsa1024_cert.pem

@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB/TCCAWagAwIBAgIJAOyRIBs3QT8QMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
-BAMMC2V4YW1wbGUuY29tMB4XDTE4MDQyMzEwMzE0NFoXDTE4MDUyMzEwMzE0NFow
-FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBAJqJ87R8aVwByONxgQA9hwgvQd/QqI1r1UInXhEF2VnEtZGtUWLi100IpIqr
-Mq4qusDwNZ3g8cUPtSkvJGs89djoajMDIJP7lQUEKUYnYrI0q755Tr/DgLWSk7iW
-l5ezym0VzWUD0/xXUz8yRbNMTjTac80rS5SZk2ja2wWkYlRJAgMBAAGjUzBRMB0G
-A1UdDgQWBBSsaX0IVZ4XXwdeffVAbG7gnxSYjTAfBgNVHSMEGDAWgBSsaX0IVZ4X
-XwdeffVAbG7gnxSYjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GB
-ADe7SVmvGH2nkwVfONk8TauRUDkePN1CJZKFb2zW1uO9ANJ2v5Arm/OQp0BG/xnI
-Djw/aLTNVESF89oe15dkrUErtcaF413MC1Ld5lTCaJLHLGqDKY69e02YwRuxW7jY
-qarpt7k7aR5FbcfO5r4V/FK/Gvp4Dmoky8uap7SJIW6x
------END CERTIFICATE-----

acme/tests/testdata/rsa4096_cert.pem

@@ -1,30 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFDTCCAvWgAwIBAgIUImqDrP53V69vFROsjP/gL0YtoA4wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjAwNTI3MjMyNDE0WhcNMjAw
-NjI2MjMyNDE0WjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBANY9LKLk9Dxn0MUMQFHwBoTN4ehDSWBws2KcytpF
-mc8m9Mfk1wmb4fQSKYtK3wIFMfIyo9HQu0nKqMkkUw52o3ZXyOv+oWwF5qNy2BKu
-lh5OMSkaZ0o13zoPpW42e+IUnyxvg70+0urD+sUue4cyTHh/nBIUjrM/05ZJ/ac8
-HR0RK3H41YoqBjq69JjMZczZZhbNFit3s6p0R1TbVAgc3ckqbtX5BDyQMQQCP4Ed
-m4DgbAFVqdcPUCC5W3F3fmuQiPKHiADzONZnXpy6lUvLDWqcd6loKp+nKHM6OkXX
-8hmD7pE1PYMQo4hqOfhBR2IgMjAShwd5qUFjl1m2oo0Qm3PFXOk6i2ZQdS6AA/yd
-B5/mX0RnM2oIdFZPb6UZFSmtEgs9sTzn+hMUyNSZQRE54px1ur1xws2R+vbsCyM5
-+KoFVxDjVjU9TlZx3GvDvnqz/tbHjji6l8VHZYOBMBUXbKHu2U6pJFZ5Zp7k68/z
-a3Fb9Pjtn3iRkXEyC0N5kLgqO4QTlExnxebV8aMvQpWd/qefnMn9qPYIZPEXSQAR
-mEBIahkcACb60s+acG0WFFluwBPtBqEr8Q67XlSF0Ibf4iBiRzpPobhlWta1nrFg
-4IWHMSoZ0PE75bhIGBEkhrpcXQCAxXmAfxfjKDH7jdJ1fRdnZ/9+OzwYGVX5GH/l
-0QDtAgMBAAGjUzBRMB0GA1UdDgQWBBQh3xiz/o1nEU2ySylZ9gxCXvIPGzAfBgNV
-HSMEGDAWgBQh3xiz/o1nEU2ySylZ9gxCXvIPGzAPBgNVHRMBAf8EBTADAQH/MA0G
-CSqGSIb3DQEBCwUAA4ICAQAELoXz31oR9pdAwidlv9ZBOKiC7KBWy8VMqXNVkfTn
-bVRxAUex7zleLFIOkWnqadsMesU9sIwrbLzBcZ8Q/vBY+z2xOPdXcgcAoAmdKWoq
-YBQNiqng9r54sqlzB/77QZCf5fdktESe7NTxhCifgx5SAWq7IUQs/lm3tnMUSAfE
-5ctuN6M+w8K54y3WDprcfMHpnc3ZHeSPhVQApHM0h/bDvXq0bRS7kmq27Hb153Qm
-nH3TwYB5pPSWW38NbUc+s/a7mItO7S8ly8yGbA0j9c/IbN5lM+OCdk06asz3+c8E
-uo8nuCBoYO5+6AqC2N7WJ3Tdr/pFA8jTbd6VNVlgCWTIR8ZosL5Fgkfv+4fUBrHt
-zdVUqMUzvga5rvZnwnJ5Qfu/drHeAAo9MTNFQNe2QgDlYfWBh5GweolgmFSwrpkY
-v/5wLtIyv/ASHKswybbqMIlpttcLTXjx5yuh8swttT6Wh+FQqqQ32KSRB3StiwyK
-oH0ZhrwYHiFYNlPxecGX6XUta6rFtTlEdkBGSnXzgiTzL2l+Nc0as0V5B9RninZG
-qJ+VOChSQ0OFvg1riSXv7tMvbLdGQnxwTRL3t6BMS8I4LA2m3ZfWUcuXT783ODTH
-16f1Q1AgXd2csstTWO9cv+N/0fpX31nqrm6+CrGduSr2u4HjYYnlLIUhmdTvK3fX
-Fg==
------END CERTIFICATE-----

acme/tests/testdata/rsa4096_key.pem

@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKgIBAAKCAgEA1j0souT0PGfQxQxAUfAGhM3h6ENJYHCzYpzK2kWZzyb0x+TX
-CZvh9BIpi0rfAgUx8jKj0dC7ScqoySRTDnajdlfI6/6hbAXmo3LYEq6WHk4xKRpn
-SjXfOg+lbjZ74hSfLG+DvT7S6sP6xS57hzJMeH+cEhSOsz/Tlkn9pzwdHRErcfjV
-iioGOrr0mMxlzNlmFs0WK3ezqnRHVNtUCBzdySpu1fkEPJAxBAI/gR2bgOBsAVWp
-1w9QILlbcXd+a5CI8oeIAPM41mdenLqVS8sNapx3qWgqn6coczo6RdfyGYPukTU9
-gxCjiGo5+EFHYiAyMBKHB3mpQWOXWbaijRCbc8Vc6TqLZlB1LoAD/J0Hn+ZfRGcz
-agh0Vk9vpRkVKa0SCz2xPOf6ExTI1JlBETninHW6vXHCzZH69uwLIzn4qgVXEONW
-NT1OVnHca8O+erP+1seOOLqXxUdlg4EwFRdsoe7ZTqkkVnlmnuTrz/NrcVv0+O2f
-eJGRcTILQ3mQuCo7hBOUTGfF5tXxoy9ClZ3+p5+cyf2o9ghk8RdJABGYQEhqGRwA
-JvrSz5pwbRYUWW7AE+0GoSvxDrteVIXQht/iIGJHOk+huGVa1rWesWDghYcxKhnQ
-8TvluEgYESSGulxdAIDFeYB/F+MoMfuN0nV9F2dn/347PBgZVfkYf+XRAO0CAwEA
-AQKCAgEA0hZdTkQtCYtYm9LexDsXeWYX8VcCfrMmBj7xYcg9A3oVMmzDPuYBVwH0
-gWbjd6y2hOaJ5TfGYZ99kvmvBRDsTSHaoyopC7BhssjtAKz6Ay/0X3VH8usPQ3WS
-aZi+NT65tK6KRqtz08ppgLGLa1G00bl5x/Um1rpxeACI4FU/y4BJ1VMJvJpnT3KE
-Z86Qyagqx5NH+UpCApZSWPFX3zjHePzGgcfXErjniCHYOnpZQrFQ2KIzkfSvQ9fg
-x01ByKOM2CB2C1B33TCzBAioXRH6zyAu7A59NeCK9ywTduhDvie1a+oEryFC7IQW
-4s7I/H3MGX4hsf/pLXlHMy+5CZJOjRaC2h+pypfbbcuiXu6Sn64kHNpiI7SxI5DI
-MIRjyG7MdUcrzq0Rt8ogwwpbCoRqrl/w3bhxtqmeZaEZtyxbjlm7reK2YkIFDgyz
-JMqiJK5ZAi+9L/8c0xhjjAQQ0sIzrjmjA8U+6YnWL9jU5qXTVnBB8XQucyeeZGgk
-yRHyMur71qOXN8z3UEva7MHkDTUBlj8DgTz6sEjqCipaWl0CXfDNa4IhHIXD5qiF
-wplhq7OeS0v6EGG/UFa3Q/lFntxtrayxJX7uvvSccGzjPKXTjpWUELLi/FdnIsum
-eXT3RgIEYozj4BibDXaBLfHTCVzxOr7AAEvKM9XWSUgLA0paSWECggEBAO9ZBeE1
-GWzd1ejTTkcxBC9AK2rNsYG8PdNqiof/iTbuJWNeRqpG+KB/0CNIpjZ2X5xZd0tM
-FDpHTFehlP26Roxuq50iRAFc+SN5KoiO0A3JuJAidreIgRTia1saUUrypHqWrYEA
-VZVj2AI8Pyg3s1OkR2frFskY7hXBVb/pJNDP/m9xTXXIYiIXYkHYe+4RIJCnAxRv
-q5YHKaX+0Ull9YCZJCxmwvcHat8sgu8qkiwUMEM6QSNEkrEbdnWYBABvC1AR6sws
-7MP1h9+j22n4Zc/3D6kpFZEL9Erx8nNyhbOZ6q2Tdnf6YKVVjZdyVa8VyNnR0ROl
-3BjkFaHb/bg4e4kCggEBAOUk8ZJS3qBeGCOjug384zbHGcnhUBYtYJiOz+RXBtP+
-PRksbFtTkgk1sHuSGO8YRddU4Qv7Av1xL8o+DEsLBSD0YQ7pmLrR/LK+iDQ5N63O
-Fve9uJH0ybxAOkiua7G24+lTsVUP//KWToL4Wh5zbHBBjL5D2Z9zoeVbcE87xhva
-lImMVr4Ex252DqNP9wkZxBjudFyJ/C/TnXrjPcgwhxWTC7sLQMhE5p+490G7c4hX
-PywkIKrANbu37KDiAvVS+dC66ZgpL/NUDkeloAmGNO08LGzbV6YKchlvDyWU/AvW
-0hYjbL0FUq7K/wp1G9fumolB+fbI25K9c13X93STzUUCggEBAJDsNFUyk5yJjbYW
-C/WrRj9d+WwH9Az77+uNPSgvn+O0usq6EMuVgYGdImfa21lqv2Wp/kOHY1AOT7lX
-yyD+oyzw7dSNJOQ2aVwDR6+72Vof5DLRy1RBwPbmSd61xrc8yD658YCEtU1pUSe5
-VvyBDYH9nIbdn8RP5gkiMUusXXBaIFNWJXLFzDWcNxBrhk6V7EPp/EFphFmpKJyr
-+AkbRVWCZJbF+hMdWKadCwLJogwyhS6PnVU/dhrq6AU38GRa2Fy5HJRYN1xH1Oej
-DX3Su8L6c28Xw0k6FcczTHx+wVoIPkKvYTIwVkiFzt/+iMckx6KsGo5tBSHFKRwC
-WlQrTxECggEBALjUruLnY1oZ7AC7bTUhOimSOfQEgTQSUCtebsRxijlvhtsKYTDd
-XRt+qidStjgN7S/+8DRYuZWzOeg5WnMhpXZqiOudcyume922IGl3ibjxVsdoyjs5
-J4xohlrgDlBgBMDNWGoTqNGFejjcmNydH+gAh8VlN2INxJYbxqCyx17qVgwJHmLR
-uggYxD/pHYvCs9GkbknCp5/wYsOgDtKuihfV741lS1D/esN1UEQ+LrfYIEW7snno
-5q7Pcdhn1hkKYCWEzy2Ec4Aj2gzixQ9JqOF/OxpnZvCw1k47rg0TeqcWFYnz8x8Y
-7xO8/DH0OoxXk2GJzVXJuItJs4gLzzfCjL0CggEAJFHfC9jisdy7CoWiOpNCSF1B
-S0/CWDz77cZdlWkpTdaXGGp1MA/UKUFPIH8sOHfvpKS660+X4G/1ZBHmFb4P5kFF
-Qy8UyUMKtSOEdZS6KFlRlfSCAMd5aSTmCvq4OSjYEpMRwUhU/iEJNkn9Z1Soehe0
-U3dxJ8KiT1071geO6rRquSHoSJs6Y0WQKriYYQJOhh4Axs3PQihER2eyh+WGk8YJ
-02m0mMsjntqnXtdc6IcdKaHp9ko+OpM9QZLsvt19fxBcrXj/i21uUXrzuNtKfO6M
-JqGhsOrO2dh8lMhvodENvgKA0DmYDC9N7ogo7bxTNSedcjBF46FhJoqii8m70Q==
------END RSA PRIVATE KEY-----

certbot-apache/MANIFEST.in

@@ -1,7 +1,6 @@
 include LICENSE.txt
 include README.rst
-recursive-include tests *
+recursive-include certbot_apache/tests/testdata *
+include certbot_apache/_internal/centos-options-ssl-apache.conf
+include certbot_apache/_internal/options-ssl-apache.conf
 recursive-include certbot_apache/_internal/augeas_lens *.aug
-recursive-include certbot_apache/_internal/tls_configs *.conf
-global-exclude __pycache__
-global-exclude *.py[cod]

certbot-apache/certbot_apache/_internal/apache_util.py

@@ -1,18 +1,9 @@
 """ Utility functions for certbot-apache plugin """
 import binascii
-import fnmatch
-import logging
-import re
-import subprocess
 
-import pkg_resources
-
-from certbot import errors
 from certbot import util
 from certbot.compat import os
 
-logger = logging.getLogger(__name__)
-
 
 def get_mod_deps(mod_name):
     """Get known module dependencies.
@@ -114,144 +105,3 @@ def parse_define_file(filepath, varname):
 def unique_id():
     """ Returns an unique id to be used as a VirtualHost identifier"""
     return binascii.hexlify(os.urandom(16)).decode("utf-8")
-
-
-def included_in_paths(filepath, paths):
-    """
-    Returns true if the filepath is included in the list of paths
-    that may contain full paths or wildcard paths that need to be
-    expanded.
-
-    :param str filepath: Filepath to check
-    :params list paths: List of paths to check against
-
-    :returns: True if included
-    :rtype: bool
-    """
-
-    return any(fnmatch.fnmatch(filepath, path) for path in paths)
-
-
-def parse_defines(apachectl):
-    """
-    Gets Defines from httpd process and returns a dictionary of
-    the defined variables.
-
-    :param str apachectl: Path to apachectl executable
-
-    :returns: dictionary of defined variables
-    :rtype: dict
-    """
-
-    variables = {}
-    define_cmd = [apachectl, "-t", "-D",
-                  "DUMP_RUN_CFG"]
-    matches = parse_from_subprocess(define_cmd, r"Define: ([^ \n]*)")
-    try:
-        matches.remove("DUMP_RUN_CFG")
-    except ValueError:
-        return {}
-
-    for match in matches:
-        if match.count("=") > 1:
-            logger.error("Unexpected number of equal signs in "
-                         "runtime config dump.")
-            raise errors.PluginError(
-                "Error parsing Apache runtime variables")
-        parts = match.partition("=")
-        variables[parts[0]] = parts[2]
-
-    return variables
-
-
-def parse_includes(apachectl):
-    """
-    Gets Include directives from httpd process and returns a list of
-    their values.
-
-    :param str apachectl: Path to apachectl executable
-
-    :returns: list of found Include directive values
-    :rtype: list of str
-    """
-
-    inc_cmd = [apachectl, "-t", "-D",
-               "DUMP_INCLUDES"]
-    return parse_from_subprocess(inc_cmd, r"\(.*\) (.*)")
-
-
-def parse_modules(apachectl):
-    """
-    Get loaded modules from httpd process, and return the list
-    of loaded module names.
-
-    :param str apachectl: Path to apachectl executable
-
-    :returns: list of found LoadModule module names
-    :rtype: list of str
-    """
-
-    mod_cmd = [apachectl, "-t", "-D",
-               "DUMP_MODULES"]
-    return parse_from_subprocess(mod_cmd, r"(.*)_module")
-
-
-def parse_from_subprocess(command, regexp):
-    """Get values from stdout of subprocess command
-
-    :param list command: Command to run
-    :param str regexp: Regexp for parsing
-
-    :returns: list parsed from command output
-    :rtype: list
-
-    """
-    stdout = _get_runtime_cfg(command)
-    return re.compile(regexp).findall(stdout)
-
-
-def _get_runtime_cfg(command):
-    """
-    Get runtime configuration info.
-
-    :param command: Command to run
-
-    :returns: stdout from command
-
-    """
-    try:
-        proc = subprocess.run(
-            command,
-            stdout=subprocess.PIPE,
-            stderr=subprocess.PIPE,
-            universal_newlines=True,
-            check=False,
-            env=util.env_no_snap_for_external_calls())
-        stdout, stderr = proc.stdout, proc.stderr
-
-    except (OSError, ValueError):
-        logger.error(
-            "Error running command %s for runtime parameters!%s",
-            command, os.linesep)
-        raise errors.MisconfigurationError(
-            "Error accessing loaded Apache parameters: {0}".format(
-                command))
-    # Small errors that do not impede
-    if proc.returncode != 0:
-        logger.warning("Error in checking parameter list: %s", stderr)
-        raise errors.MisconfigurationError(
-            "Apache is unable to check whether or not the module is "
-            "loaded because Apache is misconfigured.")
-
-    return stdout
-
-def find_ssl_apache_conf(prefix):
-    """
-    Find a TLS Apache config file in the dedicated storage.
-    :param str prefix: prefix of the TLS Apache config file to find
-    :return: the path the TLS Apache config file
-    :rtype: str
-    """
-    return pkg_resources.resource_filename(
-        "certbot_apache",
-        os.path.join("_internal", "tls_configs", "{0}-options-ssl-apache.conf".format(prefix)))

certbot-apache/certbot_apache/_internal/apacheparser.py

@@ -1,173 +0,0 @@
-""" apacheconfig implementation of the ParserNode interfaces """
-from typing import Tuple
-
-from certbot_apache._internal import assertions
-from certbot_apache._internal import interfaces
-from certbot_apache._internal import parsernode_util as util
-
-
-class ApacheParserNode(interfaces.ParserNode):
-    """ apacheconfig implementation of ParserNode interface.
-
-        Expects metadata `ac_ast` to be passed in, where `ac_ast` is the AST provided
-        by parsing the equivalent configuration text using the apacheconfig library.
-    """
-
-    def __init__(self, **kwargs):
-        ancestor, dirty, filepath, metadata = util.parsernode_kwargs(kwargs)  # pylint: disable=unused-variable
-        super().__init__(**kwargs)
-        self.ancestor = ancestor
-        self.filepath = filepath
-        self.dirty = dirty
-        self.metadata = metadata
-        self._raw = self.metadata["ac_ast"]
-
-    def save(self, msg):  # pragma: no cover
-        pass
-
-    def find_ancestors(self, name):  # pylint: disable=unused-variable
-        """Find ancestor BlockNodes with a given name"""
-        return [ApacheBlockNode(name=assertions.PASS,
-                                parameters=assertions.PASS,
-                                ancestor=self,
-                                filepath=assertions.PASS,
-                                metadata=self.metadata)]
-
-
-class ApacheCommentNode(ApacheParserNode):
-    """ apacheconfig implementation of CommentNode interface """
-
-    def __init__(self, **kwargs):
-        comment, kwargs = util.commentnode_kwargs(kwargs)  # pylint: disable=unused-variable
-        super().__init__(**kwargs)
-        self.comment = comment
-
-    def __eq__(self, other):  # pragma: no cover
-        if isinstance(other, self.__class__):
-            return (self.comment == other.comment and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata and
-                    self.filepath == other.filepath)
-        return False
-
-
-class ApacheDirectiveNode(ApacheParserNode):
-    """ apacheconfig implementation of DirectiveNode interface """
-
-    def __init__(self, **kwargs):
-        name, parameters, enabled, kwargs = util.directivenode_kwargs(kwargs)
-        super().__init__(**kwargs)
-        self.name = name
-        self.parameters = parameters
-        self.enabled = enabled
-        self.include = None
-
-    def __eq__(self, other):  # pragma: no cover
-        if isinstance(other, self.__class__):
-            return (self.name == other.name and
-                    self.filepath == other.filepath and
-                    self.parameters == other.parameters and
-                    self.enabled == other.enabled and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-    def set_parameters(self, _parameters):  # pragma: no cover
-        """Sets the parameters for DirectiveNode"""
-        return
-
-
-class ApacheBlockNode(ApacheDirectiveNode):
-    """ apacheconfig implementation of BlockNode interface """
-
-    def __init__(self, **kwargs):
-        super().__init__(**kwargs)
-        self.children: Tuple[ApacheParserNode, ...] = ()
-
-    def __eq__(self, other):  # pragma: no cover
-        if isinstance(other, self.__class__):
-            return (self.name == other.name and
-                    self.filepath == other.filepath and
-                    self.parameters == other.parameters and
-                    self.children == other.children and
-                    self.enabled == other.enabled and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-    # pylint: disable=unused-argument
-    def add_child_block(self, name, parameters=None, position=None):  # pragma: no cover
-        """Adds a new BlockNode to the sequence of children"""
-        new_block = ApacheBlockNode(name=assertions.PASS,
-                                    parameters=assertions.PASS,
-                                    ancestor=self,
-                                    filepath=assertions.PASS,
-                                    metadata=self.metadata)
-        self.children += (new_block,)
-        return new_block
-
-    # pylint: disable=unused-argument
-    def add_child_directive(self, name, parameters=None, position=None):  # pragma: no cover
-        """Adds a new DirectiveNode to the sequence of children"""
-        new_dir = ApacheDirectiveNode(name=assertions.PASS,
-                                      parameters=assertions.PASS,
-                                      ancestor=self,
-                                      filepath=assertions.PASS,
-                                      metadata=self.metadata)
-        self.children += (new_dir,)
-        return new_dir
-
-    # pylint: disable=unused-argument
-    def add_child_comment(self, comment="", position=None):  # pragma: no cover
-
-        """Adds a new CommentNode to the sequence of children"""
-        new_comment = ApacheCommentNode(comment=assertions.PASS,
-                                        ancestor=self,
-                                        filepath=assertions.PASS,
-                                        metadata=self.metadata)
-        self.children += (new_comment,)
-        return new_comment
-
-    def find_blocks(self, name, exclude=True): # pylint: disable=unused-argument
-        """Recursive search of BlockNodes from the sequence of children"""
-        return [ApacheBlockNode(name=assertions.PASS,
-                                parameters=assertions.PASS,
-                                ancestor=self,
-                                filepath=assertions.PASS,
-                                metadata=self.metadata)]
-
-    def find_directives(self, name, exclude=True): # pylint: disable=unused-argument
-        """Recursive search of DirectiveNodes from the sequence of children"""
-        return [ApacheDirectiveNode(name=assertions.PASS,
-                                    parameters=assertions.PASS,
-                                    ancestor=self,
-                                    filepath=assertions.PASS,
-                                    metadata=self.metadata)]
-
-    # pylint: disable=unused-argument
-    def find_comments(self, comment, exact=False):  # pragma: no cover
-        """Recursive search of DirectiveNodes from the sequence of children"""
-        return [ApacheCommentNode(comment=assertions.PASS,
-                                  ancestor=self,
-                                  filepath=assertions.PASS,
-                                  metadata=self.metadata)]
-
-    def delete_child(self, child):  # pragma: no cover
-        """Deletes a ParserNode from the sequence of children"""
-        return
-
-    def unsaved_files(self):  # pragma: no cover
-        """Returns a list of unsaved filepaths"""
-        return [assertions.PASS]
-
-    def parsed_paths(self):  # pragma: no cover
-        """Returns a list of parsed configuration file paths"""
-        return [assertions.PASS]
-
-
-interfaces.CommentNode.register(ApacheCommentNode)
-interfaces.DirectiveNode.register(ApacheDirectiveNode)
-interfaces.BlockNode.register(ApacheBlockNode)

certbot-apache/certbot_apache/_internal/assertions.py

@@ -1,141 +0,0 @@
-"""Dual parser node assertions"""
-import fnmatch
-
-from certbot_apache._internal import interfaces
-
-PASS = "CERTBOT_PASS_ASSERT"
-
-
-def assertEqual(first, second):
-    """ Equality assertion """
-
-    if isinstance(first, interfaces.CommentNode):
-        assertEqualComment(first, second)
-    elif isinstance(first, interfaces.DirectiveNode):
-        assertEqualDirective(first, second)
-
-    # Do an extra interface implementation assertion, as the contents were
-    # already checked for BlockNode in the assertEqualDirective
-    if isinstance(first, interfaces.BlockNode):
-        assert isinstance(second, interfaces.BlockNode)
-
-    # Skip tests if filepath includes the pass value. This is done
-    # because filepath is variable of the base ParserNode interface, and
-    # unless the implementation is actually done, we cannot assume getting
-    # correct results from boolean assertion for dirty
-    if not isPass(first.filepath) and not isPass(second.filepath):
-        assert first.dirty == second.dirty
-        # We might want to disable this later if testing with two separate
-        # (but identical) directory structures.
-        assert first.filepath == second.filepath
-
-def assertEqualComment(first, second): # pragma: no cover
-    """ Equality assertion for CommentNode """
-
-    assert isinstance(first, interfaces.CommentNode)
-    assert isinstance(second, interfaces.CommentNode)
-
-    if not isPass(first.comment) and not isPass(second.comment):  # type: ignore
-        assert first.comment == second.comment  # type: ignore
-
-def _assertEqualDirectiveComponents(first, second): # pragma: no cover
-    """ Handles assertion for instance variables for DirectiveNode and BlockNode"""
-
-    # Enabled value cannot be asserted, because Augeas implementation
-    # is unable to figure that out.
-    # assert first.enabled == second.enabled
-    if not isPass(first.name) and not isPass(second.name):
-        assert first.name == second.name
-
-    if not isPass(first.parameters) and not isPass(second.parameters):
-        assert first.parameters == second.parameters
-
-def assertEqualDirective(first, second):
-    """ Equality assertion for DirectiveNode """
-
-    assert isinstance(first, interfaces.DirectiveNode)
-    assert isinstance(second, interfaces.DirectiveNode)
-    _assertEqualDirectiveComponents(first, second)
-
-def isPass(value): # pragma: no cover
-    """Checks if the value is set to PASS"""
-    if isinstance(value, bool):
-        return True
-    return PASS in value
-
-def isPassDirective(block):
-    """ Checks if BlockNode or DirectiveNode should pass the assertion """
-
-    if isPass(block.name):
-        return True
-    if isPass(block.parameters): # pragma: no cover
-        return True
-    if isPass(block.filepath): # pragma: no cover
-        return True
-    return False
-
-def isPassComment(comment):
-    """ Checks if CommentNode should pass the assertion """
-
-    if isPass(comment.comment):
-        return True
-    if isPass(comment.filepath): # pragma: no cover
-        return True
-    return False
-
-def isPassNodeList(nodelist): # pragma: no cover
-    """ Checks if a ParserNode in the nodelist should pass the assertion,
-    this function is used for results of find_* methods. Unimplemented find_*
-    methods should return a sequence containing a single ParserNode instance
-    with assertion pass string."""
-
-    try:
-        node = nodelist[0]
-    except IndexError:
-        node = None
-
-    if not node: # pragma: no cover
-        return False
-
-    if isinstance(node, interfaces.DirectiveNode):
-        return isPassDirective(node)
-    return isPassComment(node)
-
-def assertEqualSimple(first, second):
-    """ Simple assertion """
-    if not isPass(first) and not isPass(second):
-        assert first == second
-
-def isEqualVirtualHost(first, second):
-    """
-    Checks that two VirtualHost objects are similar. There are some built
-    in differences with the implementations: VirtualHost created by ParserNode
-    implementation doesn't have "path" defined, as it was used for Augeas path
-    and that cannot obviously be used in the future. Similarly the legacy
-    version lacks "node" variable, that has a reference to the BlockNode for the
-    VirtualHost.
-    """
-    return (
-        first.name == second.name and
-        first.aliases == second.aliases and
-        first.filep == second.filep and
-        first.addrs == second.addrs and
-        first.ssl == second.ssl and
-        first.enabled == second.enabled and
-        first.modmacro == second.modmacro and
-        first.ancestor == second.ancestor
-    )
-
-def assertEqualPathsList(first, second):  # pragma: no cover
-    """
-    Checks that the two lists of file paths match. This assertion allows for wildcard
-    paths.
-    """
-    if any(isPass(path) for path in first):
-        return
-    if any(isPass(path) for path in second):
-        return
-    for fpath in first:
-        assert any(fnmatch.fnmatch(fpath, spath) for spath in second)
-    for spath in second:
-        assert any(fnmatch.fnmatch(fpath, spath) for fpath in first)

certbot-apache/certbot_apache/_internal/augeas_lens/httpd.aug

@@ -6,7 +6,7 @@ Authors:
   Raphael Pinson <raphink@gmail.com>
 
 About: Reference
-  Online Apache configuration manual: https://httpd.apache.org/docs/trunk/
+  Online Apache configuration manual: http://httpd.apache.org/docs/trunk/
 
 About: License
     This file is licensed under the LGPL v2+.

certbot-apache/certbot_apache/_internal/augeasparser.py

@@ -1,538 +0,0 @@
-"""
-Augeas implementation of the ParserNode interfaces.
-
-Augeas works internally by using XPATH notation. The following is a short example
-of how this all works internally, to better understand what's going on under the
-hood.
-
-A configuration file /etc/apache2/apache2.conf with the following content:
-
-    # First comment line
-    # Second comment line
-    WhateverDirective whatevervalue
-    <ABlock>
-        DirectiveInABlock dirvalue
-    </ABlock>
-    SomeDirective somedirectivevalue
-    <ABlock>
-        AnotherDirectiveInABlock dirvalue
-    </ABlock>
-    # Yet another comment
-
-
-Translates over to Augeas path notation (of immediate children), when calling
-for example: aug.match("/files/etc/apache2/apache2.conf/*")
-
-[
-    "/files/etc/apache2/apache2.conf/#comment[1]",
-    "/files/etc/apache2/apache2.conf/#comment[2]",
-    "/files/etc/apache2/apache2.conf/directive[1]",
-    "/files/etc/apache2/apache2.conf/ABlock[1]",
-    "/files/etc/apache2/apache2.conf/directive[2]",
-    "/files/etc/apache2/apache2.conf/ABlock[2]",
-    "/files/etc/apache2/apache2.conf/#comment[3]"
-]
-
-Regardless of directives name, its key in the Augeas tree is always "directive",
-with index where needed of course. Comments work similarly, while blocks
-have their own key in the Augeas XPATH notation.
-
-It's important to note that all of the unique keys have their own indices.
-
-Augeas paths are case sensitive, while Apache configuration is case insensitive.
-It looks like this:
-
-    <block>
-        directive value
-    </block>
-    <Block>
-        Directive Value
-    </Block>
-    <block>
-        directive value
-    </block>
-    <bLoCk>
-        DiReCtiVe VaLuE
-    </bLoCk>
-
-Translates over to:
-
-[
-    "/files/etc/apache2/apache2.conf/block[1]",
-    "/files/etc/apache2/apache2.conf/Block[1]",
-    "/files/etc/apache2/apache2.conf/block[2]",
-    "/files/etc/apache2/apache2.conf/bLoCk[1]",
-]
-"""
-from typing import Set
-
-from certbot import errors
-from certbot.compat import os
-from certbot_apache._internal import apache_util
-from certbot_apache._internal import assertions
-from certbot_apache._internal import interfaces
-from certbot_apache._internal import parser
-from certbot_apache._internal import parsernode_util as util
-
-
-class AugeasParserNode(interfaces.ParserNode):
-    """ Augeas implementation of ParserNode interface """
-
-    def __init__(self, **kwargs):
-        ancestor, dirty, filepath, metadata = util.parsernode_kwargs(kwargs)  # pylint: disable=unused-variable
-        super().__init__(**kwargs)
-        self.ancestor = ancestor
-        self.filepath = filepath
-        self.dirty = dirty
-        self.metadata = metadata
-        self.parser = self.metadata.get("augeasparser")
-        try:
-            if self.metadata["augeaspath"].endswith("/"):
-                raise errors.PluginError(
-                    "Augeas path: {} has a trailing slash".format(
-                        self.metadata["augeaspath"]
-                    )
-                )
-        except KeyError:
-            raise errors.PluginError("Augeas path is required")
-
-    def save(self, msg):
-        self.parser.save(msg)
-
-    def find_ancestors(self, name):
-        """
-        Searches for ancestor BlockNodes with a given name.
-
-        :param str name: Name of the BlockNode parent to search for
-
-        :returns: List of matching ancestor nodes.
-        :rtype: list of AugeasBlockNode
-        """
-
-        ancestors = []
-
-        parent = self.metadata["augeaspath"]
-        while True:
-            # Get the path of ancestor node
-            parent = parent.rpartition("/")[0]
-            # Root of the tree
-            if not parent or parent == "/files":
-                break
-            anc = self._create_blocknode(parent)
-            if anc.name.lower() == name.lower():
-                ancestors.append(anc)
-
-        return ancestors
-
-    def _create_blocknode(self, path):
-        """
-        Helper function to create a BlockNode from Augeas path. This is used by
-        AugeasParserNode.find_ancestors and AugeasBlockNode.
-        and AugeasBlockNode.find_blocks
-
-        """
-
-        name = self._aug_get_name(path)
-        metadata = {"augeasparser": self.parser, "augeaspath": path}
-
-        # Check if the file was included from the root config or initial state
-        enabled = self.parser.parsed_in_original(
-            apache_util.get_file_path(path)
-        )
-
-        return AugeasBlockNode(name=name,
-                               enabled=enabled,
-                               ancestor=assertions.PASS,
-                               filepath=apache_util.get_file_path(path),
-                               metadata=metadata)
-
-    def _aug_get_name(self, path):
-        """
-        Helper function to get name of a configuration block or variable from path.
-        """
-
-        # Remove the ending slash if any
-        if path[-1] == "/":  # pragma: no cover
-            path = path[:-1]
-
-        # Get the block name
-        name = path.split("/")[-1]
-
-        # remove [...], it's not allowed in Apache configuration and is used
-        # for indexing within Augeas
-        name = name.split("[")[0]
-        return name
-
-
-class AugeasCommentNode(AugeasParserNode):
-    """ Augeas implementation of CommentNode interface """
-
-    def __init__(self, **kwargs):
-        comment, kwargs = util.commentnode_kwargs(kwargs)  # pylint: disable=unused-variable
-        super().__init__(**kwargs)
-        # self.comment = comment
-        self.comment = comment
-
-    def __eq__(self, other):
-        if isinstance(other, self.__class__):
-            return (self.comment == other.comment and
-                    self.filepath == other.filepath and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-
-class AugeasDirectiveNode(AugeasParserNode):
-    """ Augeas implementation of DirectiveNode interface """
-
-    def __init__(self, **kwargs):
-        name, parameters, enabled, kwargs = util.directivenode_kwargs(kwargs)
-        super().__init__(**kwargs)
-        self.name = name
-        self.enabled = enabled
-        if parameters:
-            self.set_parameters(parameters)
-
-    def __eq__(self, other):
-        if isinstance(other, self.__class__):
-            return (self.name == other.name and
-                    self.filepath == other.filepath and
-                    self.parameters == other.parameters and
-                    self.enabled == other.enabled and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-    def set_parameters(self, parameters):
-        """
-        Sets parameters of a DirectiveNode or BlockNode object.
-
-        :param list parameters: List of all parameters for the node to set.
-        """
-        orig_params = self._aug_get_params(self.metadata["augeaspath"])
-
-        # Clear out old parameters
-        for _ in orig_params:
-            # When the first parameter is removed, the indices get updated
-            param_path = "{}/arg[1]".format(self.metadata["augeaspath"])
-            self.parser.aug.remove(param_path)
-        # Insert new ones
-        for pi, param in enumerate(parameters):
-            param_path = "{}/arg[{}]".format(self.metadata["augeaspath"], pi+1)
-            self.parser.aug.set(param_path, param)
-
-    @property
-    def parameters(self):
-        """
-        Fetches the parameters from Augeas tree, ensuring that the sequence always
-        represents the current state
-
-        :returns: Tuple of parameters for this DirectiveNode
-        :rtype: tuple:
-        """
-        return tuple(self._aug_get_params(self.metadata["augeaspath"]))
-
-    def _aug_get_params(self, path):
-        """Helper function to get parameters for DirectiveNodes and BlockNodes"""
-
-        arg_paths = self.parser.aug.match(path + "/arg")
-        return [self.parser.get_arg(apath) for apath in arg_paths]
-
-
-class AugeasBlockNode(AugeasDirectiveNode):
-    """ Augeas implementation of BlockNode interface """
-
-    def __init__(self, **kwargs):
-        super().__init__(**kwargs)
-        self.children = ()
-
-    def __eq__(self, other):
-        if isinstance(other, self.__class__):
-            return (self.name == other.name and
-                    self.filepath == other.filepath and
-                    self.parameters == other.parameters and
-                    self.children == other.children and
-                    self.enabled == other.enabled and
-                    self.dirty == other.dirty and
-                    self.ancestor == other.ancestor and
-                    self.metadata == other.metadata)
-        return False
-
-    # pylint: disable=unused-argument
-    def add_child_block(self, name, parameters=None, position=None):  # pragma: no cover
-        """Adds a new BlockNode to the sequence of children"""
-
-        insertpath, realpath, before = self._aug_resolve_child_position(
-            name,
-            position
-        )
-        new_metadata = {"augeasparser": self.parser, "augeaspath": realpath}
-
-        # Create the new block
-        self.parser.aug.insert(insertpath, name, before)
-        # Check if the file was included from the root config or initial state
-        enabled = self.parser.parsed_in_original(
-            apache_util.get_file_path(realpath)
-        )
-
-        # Parameters will be set at the initialization of the new object
-        new_block = AugeasBlockNode(name=name,
-                                    parameters=parameters,
-                                    enabled=enabled,
-                                    ancestor=assertions.PASS,
-                                    filepath=apache_util.get_file_path(realpath),
-                                    metadata=new_metadata)
-        return new_block
-
-    # pylint: disable=unused-argument
-    def add_child_directive(self, name, parameters=None, position=None):  # pragma: no cover
-        """Adds a new DirectiveNode to the sequence of children"""
-
-        if not parameters:
-            raise errors.PluginError("Directive requires parameters and none were set.")
-
-        insertpath, realpath, before = self._aug_resolve_child_position(
-            "directive",
-            position
-        )
-        new_metadata = {"augeasparser": self.parser, "augeaspath": realpath}
-
-        # Create the new directive
-        self.parser.aug.insert(insertpath, "directive", before)
-        # Set the directive key
-        self.parser.aug.set(realpath, name)
-        # Check if the file was included from the root config or initial state
-        enabled = self.parser.parsed_in_original(
-            apache_util.get_file_path(realpath)
-        )
-
-        new_dir = AugeasDirectiveNode(name=name,
-                                      parameters=parameters,
-                                      enabled=enabled,
-                                      ancestor=assertions.PASS,
-                                      filepath=apache_util.get_file_path(realpath),
-                                      metadata=new_metadata)
-        return new_dir
-
-    def add_child_comment(self, comment="", position=None):
-        """Adds a new CommentNode to the sequence of children"""
-
-        insertpath, realpath, before = self._aug_resolve_child_position(
-            "#comment",
-            position
-        )
-        new_metadata = {"augeasparser": self.parser, "augeaspath": realpath}
-
-        # Create the new comment
-        self.parser.aug.insert(insertpath, "#comment", before)
-        # Set the comment content
-        self.parser.aug.set(realpath, comment)
-
-        new_comment = AugeasCommentNode(comment=comment,
-                                        ancestor=assertions.PASS,
-                                        filepath=apache_util.get_file_path(realpath),
-                                        metadata=new_metadata)
-        return new_comment
-
-    def find_blocks(self, name, exclude=True):
-        """Recursive search of BlockNodes from the sequence of children"""
-
-        nodes = []
-        paths = self._aug_find_blocks(name)
-        if exclude:
-            paths = self.parser.exclude_dirs(paths)
-        for path in paths:
-            nodes.append(self._create_blocknode(path))
-
-        return nodes
-
-    def find_directives(self, name, exclude=True):
-        """Recursive search of DirectiveNodes from the sequence of children"""
-
-        nodes = []
-        ownpath = self.metadata.get("augeaspath")
-
-        directives = self.parser.find_dir(name, start=ownpath, exclude=exclude)
-        already_parsed: Set[str] = set()
-        for directive in directives:
-            # Remove the /arg part from the Augeas path
-            directive = directive.partition("/arg")[0]
-            # find_dir returns an object for each _parameter_ of a directive
-            # so we need to filter out duplicates.
-            if directive not in already_parsed:
-                nodes.append(self._create_directivenode(directive))
-                already_parsed.add(directive)
-
-        return nodes
-
-    def find_comments(self, comment):
-        """
-        Recursive search of DirectiveNodes from the sequence of children.
-
-        :param str comment: Comment content to search for.
-        """
-
-        nodes = []
-        ownpath = self.metadata.get("augeaspath")
-
-        comments = self.parser.find_comments(comment, start=ownpath)
-        for com in comments:
-            nodes.append(self._create_commentnode(com))
-
-        return nodes
-
-    def delete_child(self, child):
-        """
-        Deletes a ParserNode from the sequence of children, and raises an
-        exception if it's unable to do so.
-        :param AugeasParserNode: child: A node to delete.
-        """
-        if not self.parser.aug.remove(child.metadata["augeaspath"]):
-
-            raise errors.PluginError(
-                ("Could not delete child node, the Augeas path: {} doesn't " +
-                 "seem to exist.").format(child.metadata["augeaspath"])
-            )
-
-    def unsaved_files(self):
-        """Returns a list of unsaved filepaths"""
-        return self.parser.unsaved_files()
-
-    def parsed_paths(self):
-        """
-        Returns a list of file paths that have currently been parsed into the parser
-        tree. The returned list may include paths with wildcard characters, for
-        example: ['/etc/apache2/conf.d/*.load']
-
-        This is typically called on the root node of the ParserNode tree.
-
-        :returns: list of file paths of files that have been parsed
-        """
-
-        res_paths = []
-
-        paths = self.parser.existing_paths
-        for directory in paths:
-            for filename in paths[directory]:
-                res_paths.append(os.path.join(directory, filename))
-
-        return res_paths
-
-    def _create_commentnode(self, path):
-        """Helper function to create a CommentNode from Augeas path"""
-
-        comment = self.parser.aug.get(path)
-        metadata = {"augeasparser": self.parser, "augeaspath": path}
-
-        # Because of the dynamic nature of AugeasParser and the fact that we're
-        # not populating the complete node tree, the ancestor has a dummy value
-        return AugeasCommentNode(comment=comment,
-                                 ancestor=assertions.PASS,
-                                 filepath=apache_util.get_file_path(path),
-                                 metadata=metadata)
-
-    def _create_directivenode(self, path):
-        """Helper function to create a DirectiveNode from Augeas path"""
-
-        name = self.parser.get_arg(path)
-        metadata = {"augeasparser": self.parser, "augeaspath": path}
-
-        # Check if the file was included from the root config or initial state
-        enabled = self.parser.parsed_in_original(
-            apache_util.get_file_path(path)
-        )
-        return AugeasDirectiveNode(name=name,
-                                   ancestor=assertions.PASS,
-                                   enabled=enabled,
-                                   filepath=apache_util.get_file_path(path),
-                                   metadata=metadata)
-
-    def _aug_find_blocks(self, name):
-        """Helper function to perform a search to Augeas DOM tree to search
-        configuration blocks with a given name"""
-
-        # The code here is modified from configurator.get_virtual_hosts()
-        blk_paths = set()
-        for vhost_path in list(self.parser.parser_paths):
-            paths = self.parser.aug.match(
-                ("/files%s//*[label()=~regexp('%s')]" %
-                    (vhost_path, parser.case_i(name))))
-            blk_paths.update([path for path in paths if
-                              name.lower() in os.path.basename(path).lower()])
-        return blk_paths
-
-    def _aug_resolve_child_position(self, name, position):
-        """
-        Helper function that iterates through the immediate children and figures
-        out the insertion path for a new AugeasParserNode.
-
-        Augeas also generalizes indices for directives and comments, simply by
-        using "directive" or "comment" respectively as their names.
-
-        This function iterates over the existing children of the AugeasBlockNode,
-        returning their insertion path, resulting Augeas path and if the new node
-        should be inserted before or after the returned insertion path.
-
-        Note: while Apache is case insensitive, Augeas is not, and blocks like
-        Nameofablock and NameOfABlock have different indices.
-
-        :param str name: Name of the AugeasBlockNode to insert, "directive" for
-            AugeasDirectiveNode or "comment" for AugeasCommentNode
-        :param int position: The position to insert the child AugeasParserNode to
-
-        :returns: Tuple of insert path, resulting path and a boolean if the new
-            node should be inserted before it.
-        :rtype: tuple of str, str, bool
-        """
-
-        # Default to appending
-        before = False
-
-        all_children = self.parser.aug.match("{}/*".format(
-            self.metadata["augeaspath"])
-        )
-
-        # Calculate resulting_path
-        # Augeas indices start at 1. We use counter to calculate the index to
-        # be used in resulting_path.
-        counter = 1
-        for i, child in enumerate(all_children):
-            if position is not None and i >= position:
-                # We're not going to insert the new node to an index after this
-                break
-            childname = self._aug_get_name(child)
-            if name == childname:
-                counter += 1
-
-        resulting_path = "{}/{}[{}]".format(
-            self.metadata["augeaspath"],
-            name,
-            counter
-        )
-
-        # Form the correct insert_path
-        # Inserting the only child and appending as the last child work
-        # similarly in Augeas.
-        append = not all_children or position is None or position >= len(all_children)
-        if append:
-            insert_path = "{}/*[last()]".format(
-                self.metadata["augeaspath"]
-            )
-        elif position == 0:
-            # Insert as the first child, before the current first one.
-            insert_path = all_children[0]
-            before = True
-        else:
-            insert_path = "{}/*[{}]".format(
-                self.metadata["augeaspath"],
-                position
-            )
-
-        return (insert_path, resulting_path, before)
-
-
-interfaces.CommentNode.register(AugeasCommentNode)
-interfaces.DirectiveNode.register(AugeasDirectiveNode)
-interfaces.BlockNode.register(AugeasBlockNode)

certbot-apache/certbot_apache/_internal/centos-options-ssl-apache.conf

@@ -0,0 +1,25 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+SSLEngine on
+
+# Intermediate configuration, tweak to your needs
+SSLProtocol             all -SSLv2 -SSLv3
+SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder     on
+
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+
+#CustomLog /var/log/apache2/access.log vhost_combined
+#LogLevel warn
+#ErrorLog /var/log/apache2/error.log
+
+# Always ensure Cookies have "Secure" set (JAH 2012/1)
+#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

certbot-apache/certbot_apache/_internal/constants.py

@@ -3,6 +3,7 @@ import pkg_resources
 
 from certbot.compat import os
 
+
 MOD_SSL_CONF_DEST = "options-ssl-apache.conf"
 """Name of the mod_ssl config file as saved in `IConfig.config_dir`."""
 
@@ -24,9 +25,6 @@ ALL_SSL_OPTIONS_HASHES = [
     '0fcdc81280cd179a07ec4d29d3595068b9326b455c488de4b09f585d5dafc137',
     '86cc09ad5415cd6d5f09a947fe2501a9344328b1e8a8b458107ea903e80baa6c',
     '06675349e457eae856120cdebb564efe546f0b87399f2264baeb41e442c724c7',
-    '5cc003edd93fb9cd03d40c7686495f8f058f485f75b5e764b789245a386e6daf',
-    '007cd497a56a3bb8b6a2c1aeb4997789e7e38992f74e44cc5d13a625a738ac73',
-    '34783b9e2210f5c4a23bced2dfd7ec289834716673354ed7c7abf69fe30192a3',
 ]
 """SHA256 hashes of the contents of previous versions of all versions of MOD_SSL_CONF_SRC"""
 

certbot-apache/certbot_apache/_internal/display_ops.py

@@ -3,10 +3,10 @@ import logging
 
 import zope.component
 
+import certbot.display.util as display_util
 from certbot import errors
 from certbot import interfaces
 from certbot.compat import os
-import certbot.display.util as display_util
 
 logger = logging.getLogger(__name__)
 
@@ -21,7 +21,7 @@ def select_vhost_multiple(vhosts):
     :rtype: :class:`list`of type `~obj.Vhost`
     """
     if not vhosts:
-        return []
+        return list()
     tags_list = [vhost.display_repr()+"\n" for vhost in vhosts]
     # Remove the extra newline from the last entry
     if tags_list:
@@ -37,7 +37,7 @@ def select_vhost_multiple(vhosts):
 def _reversemap_vhosts(names, vhosts):
     """Helper function for select_vhost_multiple for mapping string
     representations back to actual vhost objects"""
-    return_vhosts = []
+    return_vhosts = list()
 
     for selection in names:
         for vhost in vhosts:
@@ -119,7 +119,7 @@ def _vhost_menu(domain, vhosts):
             "guidance in non-interactive mode. Certbot may need "
             "vhosts to be explicitly labelled with ServerName or "
             "ServerAlias directives.".format(domain))
-        logger.error(msg)
+        logger.warning(msg)
         raise errors.MissingCommandlineFlag(msg)
 
     return code, tag

certbot-apache/certbot_apache/_internal/dualparser.py

@@ -1,306 +0,0 @@
-""" Dual ParserNode implementation """
-from certbot_apache._internal import apacheparser
-from certbot_apache._internal import assertions
-from certbot_apache._internal import augeasparser
-
-
-class DualNodeBase:
-    """ Dual parser interface for in development testing. This is used as the
-    base class for dual parser interface classes. This class handles runtime
-    attribute value assertions."""
-
-    def save(self, msg):  # pragma: no cover
-        """ Call save for both parsers """
-        self.primary.save(msg)
-        self.secondary.save(msg)
-
-    def __getattr__(self, aname):
-        """ Attribute value assertion """
-        firstval = getattr(self.primary, aname)
-        secondval = getattr(self.secondary, aname)
-        exclusions = [
-            # Metadata will inherently be different, as ApacheParserNode does
-            # not have Augeas paths and so on.
-            aname == "metadata",
-            callable(firstval)
-        ]
-        if not any(exclusions):
-            assertions.assertEqualSimple(firstval, secondval)
-        return firstval
-
-    def find_ancestors(self, name):
-        """ Traverses the ancestor tree and returns ancestors matching name """
-        return self._find_helper(DualBlockNode, "find_ancestors", name)
-
-    def _find_helper(self, nodeclass, findfunc, search, **kwargs):
-        """A helper for find_* functions. The function specific attributes should
-        be passed as keyword arguments.
-
-        :param interfaces.ParserNode nodeclass: The node class for results.
-        :param str findfunc: Name of the find function to call
-        :param str search: The search term
-        """
-
-        primary_res = getattr(self.primary, findfunc)(search, **kwargs)
-        secondary_res = getattr(self.secondary, findfunc)(search, **kwargs)
-
-        # The order of search results for Augeas implementation cannot be
-        # assured.
-
-        pass_primary = assertions.isPassNodeList(primary_res)
-        pass_secondary = assertions.isPassNodeList(secondary_res)
-        new_nodes = []
-
-        if pass_primary and pass_secondary:
-            # Both unimplemented
-            new_nodes.append(nodeclass(primary=primary_res[0],
-                                       secondary=secondary_res[0]))  # pragma: no cover
-        elif pass_primary:
-            for c in secondary_res:
-                new_nodes.append(nodeclass(primary=primary_res[0],
-                                           secondary=c))
-        elif pass_secondary:
-            for c in primary_res:
-                new_nodes.append(nodeclass(primary=c,
-                                           secondary=secondary_res[0]))
-        else:
-            assert len(primary_res) == len(secondary_res)
-            matches = self._create_matching_list(primary_res, secondary_res)
-            for p, s in matches:
-                new_nodes.append(nodeclass(primary=p, secondary=s))
-
-        return new_nodes
-
-
-class DualCommentNode(DualNodeBase):
-    """ Dual parser implementation of CommentNode interface """
-
-    def __init__(self, **kwargs):
-        """ This initialization implementation allows ordinary initialization
-        of CommentNode objects as well as creating a DualCommentNode object
-        using precreated or fetched CommentNode objects if provided as optional
-        arguments primary and secondary.
-
-        Parameters other than the following are from interfaces.CommentNode:
-
-        :param CommentNode primary: Primary pre-created CommentNode, mainly
-            used when creating new DualParser nodes using add_* methods.
-        :param CommentNode secondary: Secondary pre-created CommentNode
-        """
-
-        kwargs.setdefault("primary", None)
-        kwargs.setdefault("secondary", None)
-        primary = kwargs.pop("primary")
-        secondary = kwargs.pop("secondary")
-
-        if primary or secondary:
-            assert primary and secondary
-            self.primary = primary
-            self.secondary = secondary
-        else:
-            self.primary = augeasparser.AugeasCommentNode(**kwargs)
-            self.secondary = apacheparser.ApacheCommentNode(**kwargs)
-
-        assertions.assertEqual(self.primary, self.secondary)
-
-
-class DualDirectiveNode(DualNodeBase):
-    """ Dual parser implementation of DirectiveNode interface """
-
-    def __init__(self, **kwargs):
-        """ This initialization implementation allows ordinary initialization
-        of DirectiveNode objects as well as creating a DualDirectiveNode object
-        using precreated or fetched DirectiveNode objects if provided as optional
-        arguments primary and secondary.
-
-        Parameters other than the following are from interfaces.DirectiveNode:
-
-        :param DirectiveNode primary: Primary pre-created DirectiveNode, mainly
-            used when creating new DualParser nodes using add_* methods.
-        :param DirectiveNode secondary: Secondary pre-created DirectiveNode
-
-
-        """
-
-        kwargs.setdefault("primary", None)
-        kwargs.setdefault("secondary", None)
-        primary = kwargs.pop("primary")
-        secondary = kwargs.pop("secondary")
-
-        if primary or secondary:
-            assert primary and secondary
-            self.primary = primary
-            self.secondary = secondary
-        else:
-            self.primary = augeasparser.AugeasDirectiveNode(**kwargs)
-            self.secondary = apacheparser.ApacheDirectiveNode(**kwargs)
-
-        assertions.assertEqual(self.primary, self.secondary)
-
-    def set_parameters(self, parameters):
-        """ Sets parameters and asserts that both implementation successfully
-        set the parameter sequence """
-
-        self.primary.set_parameters(parameters)
-        self.secondary.set_parameters(parameters)
-        assertions.assertEqual(self.primary, self.secondary)
-
-
-class DualBlockNode(DualNodeBase):
-    """ Dual parser implementation of BlockNode interface """
-
-    def __init__(self, **kwargs):
-        """ This initialization implementation allows ordinary initialization
-        of BlockNode objects as well as creating a DualBlockNode object
-        using precreated or fetched BlockNode objects if provided as optional
-        arguments primary and secondary.
-
-        Parameters other than the following are from interfaces.BlockNode:
-
-        :param BlockNode primary: Primary pre-created BlockNode, mainly
-            used when creating new DualParser nodes using add_* methods.
-        :param BlockNode secondary: Secondary pre-created BlockNode
-        """
-
-        kwargs.setdefault("primary", None)
-        kwargs.setdefault("secondary", None)
-        primary = kwargs.pop("primary")
-        secondary = kwargs.pop("secondary")
-
-        if primary or secondary:
-            assert primary and secondary
-            self.primary = primary
-            self.secondary = secondary
-        else:
-            self.primary = augeasparser.AugeasBlockNode(**kwargs)
-            self.secondary = apacheparser.ApacheBlockNode(**kwargs)
-
-        assertions.assertEqual(self.primary, self.secondary)
-
-    def add_child_block(self, name, parameters=None, position=None):
-        """ Creates a new child BlockNode, asserts that both implementations
-        did it in a similar way, and returns a newly created DualBlockNode object
-        encapsulating both of the newly created objects """
-
-        primary_new = self.primary.add_child_block(name, parameters, position)
-        secondary_new = self.secondary.add_child_block(name, parameters, position)
-        assertions.assertEqual(primary_new, secondary_new)
-        new_block = DualBlockNode(primary=primary_new, secondary=secondary_new)
-        return new_block
-
-    def add_child_directive(self, name, parameters=None, position=None):
-        """ Creates a new child DirectiveNode, asserts that both implementations
-        did it in a similar way, and returns a newly created DualDirectiveNode
-        object encapsulating both of the newly created objects """
-
-        primary_new = self.primary.add_child_directive(name, parameters, position)
-        secondary_new = self.secondary.add_child_directive(name, parameters, position)
-        assertions.assertEqual(primary_new, secondary_new)
-        new_dir = DualDirectiveNode(primary=primary_new, secondary=secondary_new)
-        return new_dir
-
-    def add_child_comment(self, comment="", position=None):
-        """ Creates a new child CommentNode, asserts that both implementations
-        did it in a similar way, and returns a newly created DualCommentNode
-        object encapsulating both of the newly created objects """
-
-        primary_new = self.primary.add_child_comment(comment, position)
-        secondary_new = self.secondary.add_child_comment(comment, position)
-        assertions.assertEqual(primary_new, secondary_new)
-        new_comment = DualCommentNode(primary=primary_new, secondary=secondary_new)
-        return new_comment
-
-    def _create_matching_list(self, primary_list, secondary_list):
-        """ Matches the list of primary_list to a list of secondary_list and
-        returns a list of tuples. This is used to create results for find_
-        methods.
-
-        This helper function exists, because we cannot ensure that the list of
-        search results returned by primary.find_* and secondary.find_* are ordered
-        in a same way. The function pairs the same search results from both
-        implementations to a list of tuples.
-        """
-
-        matched = []
-        for p in primary_list:
-            match = None
-            for s in secondary_list:
-                try:
-                    assertions.assertEqual(p, s)
-                    match = s
-                    break
-                except AssertionError:
-                    continue
-            if match:
-                matched.append((p, match))
-            else:
-                raise AssertionError("Could not find a matching node.")
-        return matched
-
-    def find_blocks(self, name, exclude=True):
-        """
-        Performs a search for BlockNodes using both implementations and does simple
-        checks for results. This is built upon the assumption that unimplemented
-        find_* methods return a list with a single assertion passing object.
-        After the assertion, it creates a list of newly created DualBlockNode
-        instances that encapsulate the pairs of returned BlockNode objects.
-        """
-
-        return self._find_helper(DualBlockNode, "find_blocks", name,
-                                 exclude=exclude)
-
-    def find_directives(self, name, exclude=True):
-        """
-        Performs a search for DirectiveNodes using both implementations and
-        checks the results. This is built upon the assumption that unimplemented
-        find_* methods return a list with a single assertion passing object.
-        After the assertion, it creates a list of newly created DualDirectiveNode
-        instances that encapsulate the pairs of returned DirectiveNode objects.
-        """
-
-        return self._find_helper(DualDirectiveNode, "find_directives", name,
-                                 exclude=exclude)
-
-    def find_comments(self, comment):
-        """
-        Performs a search for CommentNodes using both implementations and
-        checks the results. This is built upon the assumption that unimplemented
-        find_* methods return a list with a single assertion passing object.
-        After the assertion, it creates a list of newly created DualCommentNode
-        instances that encapsulate the pairs of returned CommentNode objects.
-        """
-
-        return self._find_helper(DualCommentNode, "find_comments", comment)
-
-    def delete_child(self, child):
-        """Deletes a child from the ParserNode implementations. The actual
-        ParserNode implementations are used here directly in order to be able
-        to match a child to the list of children."""
-
-        self.primary.delete_child(child.primary)
-        self.secondary.delete_child(child.secondary)
-
-    def unsaved_files(self):
-        """ Fetches the list of unsaved file paths and asserts that the lists
-        match """
-        primary_files = self.primary.unsaved_files()
-        secondary_files = self.secondary.unsaved_files()
-        assertions.assertEqualSimple(primary_files, secondary_files)
-
-        return primary_files
-
-    def parsed_paths(self):
-        """
-        Returns a list of file paths that have currently been parsed into the parser
-        tree. The returned list may include paths with wildcard characters, for
-        example: ['/etc/apache2/conf.d/*.load']
-
-        This is typically called on the root node of the ParserNode tree.
-
-        :returns: list of file paths of files that have been parsed
-        """
-
-        primary_paths = self.primary.parsed_paths()
-        secondary_paths = self.secondary.parsed_paths()
-        assertions.assertEqualPathsList(primary_paths, secondary_paths)
-        return primary_paths

certbot-apache/certbot_apache/_internal/entrypoint.py

@@ -1,13 +1,16 @@
 """ Entry point for Apache Plugin """
-from distutils.version import LooseVersion
+# Pylint does not like disutils.version when running inside a venv.
+# See: https://github.com/PyCQA/pylint/issues/73
+from distutils.version import LooseVersion  # pylint: disable=no-name-in-module,import-error
 
 from certbot import util
+
 from certbot_apache._internal import configurator
 from certbot_apache._internal import override_arch
-from certbot_apache._internal import override_centos
+from certbot_apache._internal import override_fedora
 from certbot_apache._internal import override_darwin
 from certbot_apache._internal import override_debian
-from certbot_apache._internal import override_fedora
+from certbot_apache._internal import override_centos
 from certbot_apache._internal import override_gentoo
 from certbot_apache._internal import override_suse
 

certbot-apache/certbot_apache/_internal/http_01.py

@@ -1,13 +1,13 @@
 """A class that performs HTTP-01 challenges for Apache"""
-import errno
 import logging
-from typing import List
-from typing import Set
+
+from acme.magic_typing import List, Set  # pylint: disable=unused-import, no-name-in-module
 
 from certbot import errors
-from certbot.compat import filesystem
 from certbot.compat import os
+from certbot.compat import filesystem
 from certbot.plugins import common
+
 from certbot_apache._internal.obj import VirtualHost  # pylint: disable=unused-import
 from certbot_apache._internal.parser import get_aug_path
 
@@ -47,7 +47,7 @@ class ApacheHttp01(common.ChallengePerformer):
     """
 
     def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
+        super(ApacheHttp01, self).__init__(*args, **kwargs)
         self.challenge_conf_pre = os.path.join(
             self.configurator.conf("challenge-location"),
             "le_http_01_challenge_pre.conf")
@@ -57,7 +57,7 @@ class ApacheHttp01(common.ChallengePerformer):
         self.challenge_dir = os.path.join(
             self.configurator.config.work_dir,
             "http_challenges")
-        self.moded_vhosts: Set[VirtualHost] = set()
+        self.moded_vhosts = set()  # type: Set[VirtualHost]
 
     def perform(self):
         """Perform all HTTP-01 challenges."""
@@ -93,7 +93,7 @@ class ApacheHttp01(common.ChallengePerformer):
                     self.configurator.enable_mod(mod, temp=True)
 
     def _mod_config(self):
-        selected_vhosts: List[VirtualHost] = []
+        selected_vhosts = []  # type: List[VirtualHost]
         http_port = str(self.configurator.config.http01_port)
         for chall in self.achalls:
             # Search for matching VirtualHosts
@@ -169,15 +169,7 @@ class ApacheHttp01(common.ChallengePerformer):
 
     def _set_up_challenges(self):
         if not os.path.isdir(self.challenge_dir):
-            old_umask = filesystem.umask(0o022)
-            try:
-                filesystem.makedirs(self.challenge_dir, 0o755)
-            except OSError as exception:
-                if exception.errno not in (errno.EEXIST, errno.EISDIR):
-                    raise errors.PluginError(
-                        "Couldn't create root for http-01 challenge")
-            finally:
-                filesystem.umask(old_umask)
+            filesystem.makedirs(self.challenge_dir, 0o755)
 
         responses = []
         for achall in self.achalls:
@@ -203,8 +195,8 @@ class ApacheHttp01(common.ChallengePerformer):
 
         if vhost not in self.moded_vhosts:
             logger.debug(
-                "Adding a temporary challenge validation Include for name: %s in: %s",
-                vhost.name, vhost.filep)
+                "Adding a temporary challenge validation Include for name: %s " +
+                "in: %s", vhost.name, vhost.filep)
             self.configurator.parser.add_dir_beginning(
                 vhost.path, "Include", self.challenge_conf_pre)
             self.configurator.parser.add_dir(