From d7eb41fff4dfade35d7a9345d859c8d415516c45 Mon Sep 17 00:00:00 2001
From: Dave Page <dpage@pgadmin.org>
Date: Mon, 23 Jul 2018 16:15:58 +0100
Subject: [PATCH] Include a cacert file when needed for the upgrade check.
 Fixes #3185

---
 .gitignore                      | 3 ++-
 pkg/mac/build.sh                | 2 ++
 web/config.py                   | 6 +++++-
 web/pgadmin/browser/__init__.py | 6 +++++-
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 82f92e076..1a70115df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,4 +41,5 @@ web/regression/test_config.json
 node_modules/
 web/pgAdmin/static/js/generated
 web/pgadmin/static/js/generated
-web/yarn-error.log
\ No newline at end of file
+web/yarn-error.log
+/web/cacert.pem
diff --git a/pkg/mac/build.sh b/pkg/mac/build.sh
index 1ad63fe77..11d17e801 100755
--- a/pkg/mac/build.sh
+++ b/pkg/mac/build.sh
@@ -198,6 +198,8 @@ _complete_bundle() {
     pushd $SOURCEDIR/web
         yarn install
         yarn run bundle
+
+        curl https://curl.haxx.se/ca/cacert.pem -o cacert.pem -s || { echo Failed to download cacert.pem; exit 1; }
     popd
 
     # copy the web directory to the bundle as it is required by runtime
diff --git a/web/config.py b/web/config.py
index a47c74f66..9e7d7d92a 100644
--- a/web/config.py
+++ b/web/config.py
@@ -294,6 +294,11 @@ UPGRADE_CHECK_ENABLED = True
 # Where should we get the data from?
 UPGRADE_CHECK_URL = 'https://www.pgadmin.org/versions.json'
 
+# Which CA file should we use?
+# Default to cacert.pem in the same directory as config.py et al.
+CA_FILE = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+                       "cacert.pem")
+
 ##########################################################################
 # Storage Manager storage url config settings
 # If user sets STORAGE_DIR to empty it will show all volumes if platform
@@ -399,4 +404,3 @@ if (SUPPORT_SSH_TUNNEL is True and
     ((sys.version_info[0] == 2 and sys.version_info[1] < 7) or
      (sys.version_info[0] == 3 and sys.version_info[1] < 4))):
     SUPPORT_SSH_TUNNEL = False
-
diff --git a/web/pgadmin/browser/__init__.py b/web/pgadmin/browser/__init__.py
index fb1eb7db7..7bcf36487 100644
--- a/web/pgadmin/browser/__init__.py
+++ b/web/pgadmin/browser/__init__.py
@@ -9,6 +9,7 @@
 
 import json
 import logging
+import os
 from abc import ABCMeta, abstractmethod, abstractproperty
 from smtplib import SMTPConnectError, SMTPResponseException, \
     SMTPServerDisconnected, SMTPDataError, SMTPHeloError, SMTPException, \
@@ -505,7 +506,10 @@ def index():
             # Do not wait for more than 5 seconds.
             # It stuck on rendering the browser.html, while working in the
             # broken network.
-            response = urlreq.urlopen(url, data, 5)
+            if os.path.exists(config.CA_FILE):
+                response = urlreq.urlopen(url, data, 5, cafile=config.CA_FILE)
+            else:
+                response = urlreq.urlopen(url, data, 5)
             current_app.logger.debug(
                 'Version check HTTP response code: %d' % response.getcode()
             )