4867: Reviewboard mishandles a changed Perforce fingerprint (vs the initial cert)


What version are you running?


What's the URL of the page containing the problem?

(where 3 is the perforce repo)

What steps will reproduce the problem?

  1. renew an SSL cert in perforce (which typically expire every 2 years)
  2. RB fails to post and some UI components are missing from reviews (eg. the Information panel on the right above Reviewers)
  3. Editing the repo fails when you save it again and then hit the "trust..." button (ends up sending the "p4 -p <path> trust -i ..." command gibberish and results in a 500 error.

What is the expected output? What do you see instead?

RB parse the trust error properly in the case of a changed fingerprint. This is how I hacked it to fix the issue but could be handled more elegantly (around line 500):

elif "To allow connection use the 'p4 trust' command" in error:
fingerprint = error.split(r'\n')[3]
if fingerprint.startswith("If this is not a scheduled key change"):
fingerprint = error.split(r'\n')[6]
logging.info("fingerprint is: %s", fingerprint)
raise UnverifiedCertificateError(
raise SCMError(error)

In the case of the initial cert index [3] contains the fingerprint. In the case of a changed cert index [6] contains the fingerprint. With the original code, it passed "If this is a scheduled key change" to p4 trust -i which timesout and causes a 500 error.

What operating system are you using? What browser?

N/A - server side. RB server is running on Ubuntu 16.04

Please provide any additional information below.

To figure out the issue I added a logging.info of the error message which contained this

error: [P4#run] Errors during command execution( "p4 login" )

[Error]: "******* WARNING P4PORT IDENTIFICATION HAS CHANGED! *******\nIt is possible that someone is intercepting your connection\nto the Perforce P4PORT '<p4-server>:1666'\nIf this is not a scheduled key change, then you should contact\nyour Perforce administrator.\nThe fingerprint for the mismatched key sent to your client is\n00:11:22:33:44:55:66:77:88:99:00:11:22:33\nTo allow connection use the 'p4 trust' command."

The stacktrace wasn't helpful by itself since it doesn't contain the error message only this:

File "/usr/local/lib/python2.7/dist-packages/ReviewBoard-3.0.14-py2.7.egg/reviewboard/scmtools/perforce.py", line 755, in get_changeset
File "/usr/local/lib/python2.7/dist-packages/ReviewBoard-3.0.14-py2.7.egg/reviewboard/scmtools/perforce.py", line 514, in get_changeset

File "/usr/lib/python2.7/contextlib.py", line 17, in enter
return self.gen.next()
File "/usr/local/lib/python2.7/dist-packages/ReviewBoard-3.0.14-py2.7.egg/reviewboard/scmtools/perforce.py", line 497, in run_worker
raise UnverifiedCertificateError(
UnverifiedCertificateError: A verified SSL certificate is required to connect to this repository.