WIP: python3 compatibility

58baa47f · Jérome Perrin · 2cef78e4 · 58baa47f · 58baa47f · 58baa47f
Commit 58baa47f authored Oct 25, 2019 by Jérome Perrin
Showing with 163 additions and 134 deletions

kedifa/app.py kedifa/app.py +26 -24

kedifa/cli.py kedifa/cli.py +13 -11

kedifa/test_kedifa.py kedifa/test_kedifa.py +90 -70

kedifa/updater.py kedifa/updater.py +34 -29

No files found.
--- a/kedifa/app.py
+++ b/kedifa/app.py
@@ -17,6 +17,7 @@
 # See COPYING file for full licensing terms.
 # See https://www.nexedi.com/licensing for rationale and options.
+from __future__ import absolute_import
 from cryptography import x509
 from cryptography.hazmat.primitives.serialization import Encoding
 from threading import local
@@ -33,7 +34,8 @@ import signal
 import sqlite3
 import ssl
 import string
-import urlparse
+import six.moves.urllib.parse as urlparse
+import six
 import logging
 import logging.handlers
@@ -157,7 +159,7 @@ class SQLite3Storage(local):
          1
        ),
      )
-      return key
+      return key.encode()
  def validateUploader(self, reference, key):
    result = self._executeSingleRow(
@@ -168,7 +170,7 @@ class SQLite3Storage(local):
    return bool(result)
  def reserveId(self):
-    for trynum in range(10):
+    for _ in range(10):
      reserved_id = ''.join(
        random.choice(
          string.ascii_lowercase + string.digits) for _ in range(32))
@@ -186,7 +188,7 @@ class SQLite3Storage(local):
        '(reference, active) '
        'VALUES (?, 1)', (reserved_id,)
      )
-      return reserved_id
+      return reserved_id.encode()
  def checkReservedId(self, reference):
    if not self._executeSingleRow(
@@ -246,7 +248,7 @@ class SQLite3Storage(local):
        (reference, now, index),
      )
    if result:
-      return result['pem'].encode('ascii')
+      return result['pem'].encode('ascii') if six.PY2 else result['pem']
    return None
  def iterCertificateIndexes(self, reference):
@@ -364,7 +366,7 @@ class Kedifa(object):
        parameters = urlparse.parse_qs(qs, strict_parsing=True)
      except ValueError:
        start_response('400 Bad Request', headers_text_plain)
-        return ('Query string %r was not correct.' % (qs, ),)
+        return (b'Query string %r was not correct.' % (qs, ),)
    if len(path_list) == 2:
      _, reference = path_list
@@ -375,22 +377,22 @@ class Kedifa(object):
        index = None
    else:
      start_response('400 Bad Request', headers_text_plain)
-      return ('Wrong path',)
+      return (b'Wrong path',)
    if not reference:
      start_response('400 Bad Request', headers_text_plain)
-      return ('Wrong path',)
+      return (b'Wrong path',)
    if environ['REQUEST_METHOD'] == 'PUT':
      # key auth
      if 'auth' not in parameters:
        start_response('400 Bad Request', headers_text_plain)
-        return ('Missing auth',)
+        return (b'Missing auth',)
      elif not self.pocket_db.validateUploader(
        reference, parameters['auth'][0]):
        headers = headers_text_plain + [('WWW-Authenticate', 'transport')]
        start_response('401 Unauthorized', headers)
-        return ('',)
+        return (b'',)
      # play with curl --data-binary
      if index is not None:
        raise ValueError
@@ -398,9 +400,9 @@ class Kedifa(object):
      request_body = environ['wsgi.input'].read(request_body_size)
      try:
        certificate = self.checkKeyCertificate(request_body)
-      except CertificateError, e:
+      except CertificateError as e:
        start_response('422 Unprocessable Entity', headers_text_plain)
-        return e
+        return (str(e).encode(), )
      else:
        try:
          certificate_id = self.pocket_db.addCertificate(
@@ -412,10 +414,10 @@ class Kedifa(object):
          )
        except ReferenceNotFound:
          start_response('404 Not Found', headers_text_plain)
-          return ('Reservation required',)
+          return (b'Reservation required',)
        start_response('201 Created', headers_text_plain + [
          ('Location', '/'.join(path_list + [str(certificate_id)]))])
-        return ('',)
+        return (b'',)
    elif environ['REQUEST_METHOD'] == 'POST':
      # SSL-auth
      try:
@@ -423,7 +425,7 @@ class Kedifa(object):
      except Unauthorized:
        headers = headers_text_plain + [('WWW-Authenticate', 'transport')]
        start_response('401 Unauthorized', headers)
-        return ('',)
+        return (b'',)
      if index is not None:
        raise ValueError
      if reference != 'reserve-id':
@@ -431,7 +433,7 @@ class Kedifa(object):
      reserved_id = self.pocket_db.reserveId()
      start_response('201 Created', headers_text_plain + [
-        ('Location', '/%s' % reserved_id)])
+        ('Location', '/%s' % (reserved_id if six.PY2 else reserved_id.decode()))])
      return (reserved_id,)
    elif environ['REQUEST_METHOD'] == 'GET':
      if index == 'list':
@@ -441,23 +443,23 @@ class Kedifa(object):
        except Unauthorized:
          headers = headers_text_plain + [('WWW-Authenticate', 'transport')]
          start_response('401 Unauthorized', headers)
-          return ('',)
+          return (b'',)
        key_list = [
          str(q) for q in self.pocket_db.iterCertificateIndexes(reference)]
        start_response('200 OK', headers_application_json)
-        return (json.dumps(dict(key_list=key_list), indent=2),)
+        return (json.dumps(dict(key_list=key_list), indent=2).encode('utf-8'),)
      elif index == 'generateauth':
        try:
          key = self.pocket_db.addUploader(reference)
        except UserExists:
          start_response('403 Forbidden', headers_text_plain)
-          return ('Already exists',)
+          return (b'Already exists',)
        except ReferenceNotFound:
          start_response('404 Not Found', headers_text_plain)
-          return ('Reservation required',)
+          return (b'Reservation required',)
        else:
          start_response('201 Created', headers_text_plain)
-          return (key,)
+          return (key, )
      else:
        # SSL-auth
        try:
@@ -465,11 +467,11 @@ class Kedifa(object):
        except Unauthorized:
          headers = headers_text_plain + [('WWW-Authenticate', 'transport')]
          start_response('401 Unauthorized', headers)
-          return ('',)
+          return (b'',)
        certificate = self.pocket_db.getCertificate(reference, index)
        if certificate is None:
          start_response('404 Not Found', headers_text_plain)
-          return ('',)
+          return (b'',)
        else:
          start_response('200 OK', headers_text_plain)
          return (certificate,)
@@ -503,7 +505,7 @@ class Reloader(object):
    self.app = app
  def handle(self, signum, frame):
-    with open(self.ca_certificate_path) as ca, open(self.crl_path) as crl:
+    with open(self.ca_certificate_path, 'rb') as ca, open(self.crl_path, 'rb') as crl:
      self.app.loadCertificate(ca, crl)
    ssl_context = getSSLContext(
      self.server_key_path, self.ca_certificate_path, self.crl_path)

--- a/kedifa/cli.py
+++ b/kedifa/cli.py
@@ -17,13 +17,15 @@
 # See COPYING file for full licensing terms.
 # See https://www.nexedi.com/licensing for rationale and options.
+from __future__ import absolute_import
+from __future__ import print_function
 import argparse
-import httplib
+import six.moves.http_client
 import requests
 import sys
-import app
+from . import app
-from updater import Updater
+from .updater import Updater
 def http(*args):
@@ -49,19 +51,19 @@ def http(*args):
  )
  parser.add_argument(
    '--certificate',
-    type=argparse.FileType('r'),
+    type=argparse.FileType('rb'),
    help='Path SSL certificate.',
    required=True
  )
  parser.add_argument(
    '--ca-certificate',
-    type=argparse.FileType('r'),
+    type=argparse.FileType('rb'),
    help='Path SSL CA certificate.',
    required=True
  )
  parser.add_argument(
    '--crl',
-    type=argparse.FileType('r'),
+    type=argparse.FileType('rb'),
    help='Path SSL CRL.',
    required=True
  )
@@ -120,15 +122,15 @@ def getter(*args):
    response = requests.get(url, verify=parsed.server_ca_certificate.name,
                            cert=parsed.identity.name)
  except Exception as e:
-    print '%r not downloaded, problem %s' % (url, e)
+    print('%r not downloaded, problem %s' % (url, e))
    sys.exit(1)
  else:
-    if response.status_code != httplib.OK:
+    if response.status_code != six.moves.http_client.OK:
-      print '%r not downloaded, HTTP code %s' % (
+      print('%r not downloaded, HTTP code %s' % (
-        url, response.status_code)
+        url, response.status_code))
      sys.exit(1)
    if len(response.text) > 0:
-      with open(parsed.out, 'w') as out:
+      with open(parsed.out, 'wb') as out:
        out.write(response.text.encode('utf-8'))

--- a/kedifa/test_kedifa.py
+++ b/kedifa/test_kedifa.py
@@ -17,10 +17,14 @@
 # See COPYING file for full licensing terms.
 # See https://www.nexedi.com/licensing for rationale and options.
-import StringIO
+from __future__ import absolute_import
+try:
+  from StringIO import StringIO
+except ImportError: # BBB PY2
+  from io import StringIO
 import contextlib
 import datetime
-import httplib
+import six.moves.http_client
 import ipaddress
 import json
 import mock
@@ -36,6 +40,7 @@ import time
 import unittest
 import zc.lockfile
 import socket
+import six
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@@ -47,8 +52,10 @@ from cryptography.x509.oid import NameOID
 import caucase.cli
 import caucase.http
-import cli
+from . import cli
-import updater
+from . import updater
+import six
+from six.moves import range
 def findFreeTCPPort(ip=''):
@@ -62,7 +69,7 @@ def findFreeTCPPort(ip=''):
 @contextlib.contextmanager
 def captured_output():
-  new_out, new_err = StringIO.StringIO(), StringIO.StringIO()
+  new_out, new_err = StringIO(), StringIO()
  old_out, old_err = sys.stdout, sys.stderr
  try:
    sys.stdout, sys.stderr = new_out, new_err
@@ -81,7 +88,13 @@ class KedifaMixin(object):
 class KedifaMixinCaucase(KedifaMixin):
+  if six.PY2:
+    assertRegex = unittest.TestCase.assertRaisesRegexp
  def createKey(self):
+    """Generates a key and return a tuple containing the RSAPrivateKey
+    and the PEM encoded version as a string.
+    """
    key = rsa.generate_private_key(
      public_exponent=65537, key_size=2048, backend=default_backend())
    key_pem = key.private_bytes(
@@ -89,7 +102,7 @@ class KedifaMixinCaucase(KedifaMixin):
      format=serialization.PrivateFormat.TraditionalOpenSSL,
      encryption_algorithm=serialization.NoEncryption()
    )
-    return key, key_pem
+    return key, key_pem.decode('ascii')
  def generateCSR(self, ip):
    key_pem_file = os.path.join(self.testdir, '%s-key.pem' % (ip,))
@@ -103,12 +116,12 @@ class KedifaMixinCaucase(KedifaMixin):
       x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"KeDiFa Test"),
    ])).add_extension(
      x509.SubjectAlternativeName([
-        x509.IPAddress(ipaddress.ip_address(ip))
+        x509.IPAddress(ipaddress.ip_address(six.text_type(ip)))
      ]),
      critical=False,
    ).sign(key, hashes.SHA256(), default_backend())
-    with open(csr_pem_file, 'w') as out:
+    with open(csr_pem_file, 'wb') as out:
      out.write(csr.public_bytes(serialization.Encoding.PEM))
    return key_pem_file, csr_pem_file
@@ -117,6 +130,14 @@ class KedifaMixinCaucase(KedifaMixin):
    self,
    not_valid_before=datetime.datetime.utcnow() - datetime.timedelta(days=1),
    not_valid_after=datetime.datetime.utcnow() + datetime.timedelta(days=2)):
+    """Generates certificate and key
+    Returns a tuple with:
+      - key as a classcryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey
+      - pem encoded key as string
+      - certificate as a cryptography.x509.Certificate
+      - pem encoded certificate as string
+    """
    key, key_pem = self.createKey()
    subject = issuer = x509.Name([
      x509.NameAttribute(NameOID.COUNTRY_NAME, u"XX"),
@@ -139,7 +160,7 @@ class KedifaMixinCaucase(KedifaMixin):
      not_valid_after
    ).sign(key, hashes.SHA256(), default_backend())
    certificate_pem = certificate.public_bytes(serialization.Encoding.PEM)
-    return key, key_pem, certificate, certificate_pem
+    return key, key_pem, certificate, certificate_pem.decode('ascii')
  def createPem(self):
    _, key_pem, _, certificate_pem = self.generateKeyCertificateData()
@@ -198,7 +219,7 @@ class KedifaMixinCaucase(KedifaMixin):
        )
    self.cas = cas.split()
-    kedifa_key_pem, csr_file = self.generateCSR(unicode(common_name))
+    kedifa_key_pem, csr_file = self.generateCSR(common_name)
    with captured_output() as (out, err):
      caucase.cli.main(argv=self.cas + [
        '--send-csr', csr_file
@@ -268,15 +289,15 @@ class KedifaMixinCaucase(KedifaMixin):
      verify=self.ca_crt_pem, cert=self.client_key_pem)
    self.assertEqual(
      result.status_code,
-      httplib.CREATED
+      six.moves.http_client.CREATED
    )
    location = result.headers.get('Location', '')
-    self.assertRegexpMatches(
+    self.assertRegex(
      location,
      r'^/[a-z0-9]{32}$'
    )
    reserved_reference = result.text
-    self.assertRegexpMatches(
+    self.assertRegex(
      reserved_reference,
      r'^[a-z0-9]{32}$'
    )
@@ -294,7 +315,7 @@ class KedifaMixinCaucase(KedifaMixin):
    self.setUpCaucase()
    self.kedifa_ip = os.environ['SLAPOS_TEST_IPV6']
-    self.setUpKedifaKey(self.kedifa_ip)
+    self.setUpKedifaKey(six.text_type(self.kedifa_ip))
    self.setUpClientKey()
    self.setUpKedifa(self.kedifa_ip)
    self.reference = self.reserveReference()
@@ -341,9 +362,8 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    return destination
  def _updater_get(self, url, certificate, destination):
-    mapping = tempfile.NamedTemporaryFile(dir=self.testdir, delete=False)
+    with tempfile.NamedTemporaryFile(dir=self.testdir, delete=False, mode="w") as mapping:
-    mapping.write("%s %s" % (url, destination))
+      mapping.write("%s %s" % (url, destination))
-    mapping.close()
    state = tempfile.NamedTemporaryFile(dir=self.testdir, delete=False)
    state.close()
    cli.updater(
@@ -373,7 +393,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    # KeDiFa does not support nothing on / so for now it just raises
    # possibly in the future it will become self-describing interface
    self.assertEqual(
-      httplib.BAD_REQUEST,
+      six.moves.http_client.BAD_REQUEST,
      result.status_code
    )
    self.assertEqual(
@@ -385,7 +405,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    os.rename(self.logfile, self.logfile + '.rotated')
    result = self.requests_get(self.kedifa_url)
    self.assertEqual(
-      httplib.BAD_REQUEST,
+      six.moves.http_client.BAD_REQUEST,
      result.status_code
    )
    self.assertLastLogEntry('"GET / HTTP/1.1" 400')
@@ -394,7 +414,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference, cert=self.client_key_pem)
    self.assertEqual(
-      httplib.NOT_FOUND,
+      six.moves.http_client.NOT_FOUND,
      result.status_code
    )
    self.assertEqual(
@@ -408,7 +428,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference, cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -452,7 +472,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference, cert=self.client_key_pem)
-    self.assertEqual(httplib.UNAUTHORIZED, result.status_code)
+    self.assertEqual(six.moves.http_client.UNAUTHORIZED, result.status_code)
    self.assertEqual('transport', result.headers.get('WWW-Authenticate'))
    self.assertEqual('', result.text)
@@ -467,7 +487,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference, cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -492,7 +512,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference, cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -504,7 +524,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    self.put()
    result = self.requests_get(self.kedifa_url + self.reference)
    self.assertEqual(
-      httplib.UNAUTHORIZED,
+      six.moves.http_client.UNAUTHORIZED,
      result.status_code
    )
    self.assertEqual(
@@ -585,7 +605,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/1', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -597,7 +617,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/list', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -610,7 +630,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/list', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -623,7 +643,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/list')
    self.assertEqual(
-      httplib.UNAUTHORIZED,
+      six.moves.http_client.UNAUTHORIZED,
      result.status_code
    )
    self.assertEqual(
@@ -653,7 +673,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/list', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -664,7 +684,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference, cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -675,7 +695,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/2', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -686,7 +706,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/1', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -695,7 +715,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    )
  def test_GET_invalid_yet(self):
-    from app import SQLite3Storage
+    from .app import SQLite3Storage
    pocket_db = SQLite3Storage(self.db)
    _, key_pem, _, certificate_pem = self.generateKeyCertificateData()
    not_valid_before = datetime.datetime.utcnow() + datetime.timedelta(days=10)
@@ -721,7 +741,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/list', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -732,7 +752,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference, cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -743,7 +763,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/2', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -754,7 +774,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/1', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.NOT_FOUND,
+      six.moves.http_client.NOT_FOUND,
      result.status_code
    )
    self.assertEqual(
@@ -763,7 +783,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    )
  def test_GET_expired(self):
-    from app import SQLite3Storage
+    from .app import SQLite3Storage
    pocket_db = SQLite3Storage(self.db)
    _, key_pem, _, certificate_pem = self.generateKeyCertificateData()
    not_valid_before = datetime.datetime.utcnow() - datetime.timedelta(days=10)
@@ -789,7 +809,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/list', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -800,7 +820,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference, cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -811,7 +831,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/2', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -822,7 +842,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/1', cert=self.client_key_pem)
    self.assertEqual(
-      httplib.NOT_FOUND,
+      six.moves.http_client.NOT_FOUND,
      result.status_code
    )
    self.assertEqual(
@@ -836,7 +856,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + reference + '/generateauth')
    self.assertEqual(
-      httplib.CREATED,
+      six.moves.http_client.CREATED,
      result.status_code
    )
    return result.text
@@ -844,7 +864,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
  def test_GET_generateauth(self):
    auth = self.generateauth()
-    self.assertRegexpMatches(
+    self.assertRegex(
      auth,
      r'^[a-z0-9]{32}$'
    )
@@ -852,7 +872,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + self.reference + '/generateauth')
    self.assertEqual(
-      httplib.FORBIDDEN,
+      six.moves.http_client.FORBIDDEN,
      result.status_code
    )
    self.assertEqual('Already exists', result.text)
@@ -862,7 +882,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(
      self.kedifa_url + key + '/generateauth')
    self.assertEqual(
-      httplib.NOT_FOUND,
+      six.moves.http_client.NOT_FOUND,
      result.status_code
    )
    self.assertEqual(
@@ -882,14 +902,14 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
      'Content-Type': 'application/x-x509-ca-cert',
    })
    self.assertEqual(
-      httplib.CREATED,
+      six.moves.http_client.CREATED,
      result.status_code
    )
    self.assertEqual(
      '',
      result.text
    )
-    self.assertRegexpMatches(
+    self.assertRegex(
      result.headers.get('Location', ''),
      r'^/%s/\d+$' % key
    )
@@ -929,7 +949,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference + '?auth=%s' % (auth, )
    result = self.requests_put(url, data=key_pem + certificate_pem)
    self.assertEqual(
-      httplib.UNPROCESSABLE_ENTITY,
+      six.moves.http_client.UNPROCESSABLE_ENTITY,
      result.status_code
    )
    self.assertEqual(
@@ -946,7 +966,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference + '?auth=%s' % (auth, )
    result = self.requests_put(url, data=key_pem + certificate_pem)
    self.assertEqual(
-      httplib.UNPROCESSABLE_ENTITY,
+      six.moves.http_client.UNPROCESSABLE_ENTITY,
      result.status_code
    )
    self.assertEqual(
@@ -960,7 +980,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference + '?auth=%s' % (auth, )
    result = self.requests_put(url, data=key_pem + certificate_pem)
    self.assertEqual(
-      httplib.CREATED,
+      six.moves.http_client.CREATED,
      result.status_code
    )
    self.assertEqual(
@@ -974,7 +994,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference + '?auth=%s' % (auth, )
    result = self.requests_put(url, data=key_pem)
    self.assertEqual(
-      httplib.UNPROCESSABLE_ENTITY,
+      six.moves.http_client.UNPROCESSABLE_ENTITY,
      result.status_code
    )
    self.assertEqual(
@@ -988,7 +1008,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference + '?auth=%s' % (auth, )
    result = self.requests_put(url, data=certificate_pem)
    self.assertEqual(
-      httplib.UNPROCESSABLE_ENTITY,
+      six.moves.http_client.UNPROCESSABLE_ENTITY,
      result.status_code
    )
    self.assertEqual(
@@ -1003,7 +1023,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference + '?auth=%s' % (auth, )
    result = self.requests_put(url, data=certificate_pem + key_pem)
    self.assertEqual(
-      httplib.UNPROCESSABLE_ENTITY,
+      six.moves.http_client.UNPROCESSABLE_ENTITY,
      result.status_code
    )
    self.assertEqual(
@@ -1016,7 +1036,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference + '?auth=%s' % (auth, )
    result = self.requests_put(url, data='badcert')
    self.assertEqual(
-      httplib.UNPROCESSABLE_ENTITY,
+      six.moves.http_client.UNPROCESSABLE_ENTITY,
      result.status_code
    )
    self.assertEqual(
@@ -1028,7 +1048,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference
    result = self.requests_put(url, data=self.pem)
    self.assertEqual(
-      httplib.BAD_REQUEST,
+      six.moves.http_client.BAD_REQUEST,
      result.status_code
    )
    self.assertEqual(
@@ -1040,7 +1060,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    url = self.kedifa_url + self.reference + '?auth=wrong'
    result = self.requests_put(url, data=self.pem)
    self.assertEqual(
-      httplib.UNAUTHORIZED,
+      six.moves.http_client.UNAUTHORIZED,
      result.status_code
    )
    self.assertEqual(
@@ -1053,7 +1073,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    )
  def addExpiredNonvalidyetCertificate(self, key):
-    from app import SQLite3Storage
+    from .app import SQLite3Storage
    pocket_db = SQLite3Storage(self.db)
    not_valid_before_valid = datetime.datetime.utcnow() - \
@@ -1083,7 +1103,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    )
  def _getDBCertificateCount(self):
-    from app import SQLite3Storage
+    from .app import SQLite3Storage
    pocket_db = SQLite3Storage(self.db)
    return pocket_db._executeSingleRow(
      'SELECT COUNT(*) FROM certificate')['COUNT(*)']
@@ -1104,7 +1124,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    self.assertEqual(1, self._getDBCertificateCount())
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -1128,7 +1148,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    self.assertEqual(1, self._getDBCertificateCount())
    self.assertEqual(
-      httplib.OK,
+      six.moves.http_client.OK,
      result.status_code
    )
    self.assertEqual(
@@ -1140,7 +1160,7 @@ class KedifaIntegrationTest(KedifaMixinCaucase, unittest.TestCase):
    result = self.requests_get(self.kedifa_url + '/!?&&==')
    self.assertEqual(
-      httplib.BAD_REQUEST,
+      six.moves.http_client.BAD_REQUEST,
      result.status_code
    )
    self.assertEqual(
@@ -1158,9 +1178,8 @@ class KedifaUpdaterMixin(KedifaMixin):
    self.state = state.name
  def setupMapping(self, mapping_content=''):
-    mapping = tempfile.NamedTemporaryFile(dir=self.testdir, delete=False)
+    with tempfile.NamedTemporaryFile(dir=self.testdir, delete=False, mode="w") as mapping:
-    mapping.write(mapping_content)
+      mapping.write(mapping_content)
-    mapping.close()
    self.mapping = mapping.name
@@ -1231,7 +1250,7 @@ class KedifaUpdaterUpdateCertificateTest(
    fallback_file = None
    if fallback:
      fallback_file = tempfile.NamedTemporaryFile(
-        dir=self.testdir, delete=False)
+        dir=self.testdir, delete=False, mode='w')
      fallback_file.write(fallback)
      fallback_file.close()
    mapping = 'http://example.com %s' % (self.certificate_file_name,)
@@ -1247,7 +1266,8 @@ class KedifaUpdaterUpdateCertificateTest(
      updater.Updater, 'fetchCertificate', return_value=fetch):
      result = u.updateCertificate(self.certificate_file_name, master_content)
    u.writeState()
-    return open(self.certificate_file_name, 'r').read(), result
+    with open(self.certificate_file_name, 'r') as out:
+      return out.read(), result
  def assertState(self, state):
    with open(self.state, 'r') as fh:
@@ -1413,13 +1433,13 @@ class KedifaUpdaterUpdateCertificatePrepareTest(
    fallback_file = None
    if fallback:
      fallback_file = tempfile.NamedTemporaryFile(
-        dir=self.testdir, delete=False)
+        dir=self.testdir, delete=False, mode='w')
      fallback_file.write(fallback)
      fallback_file.close()
    master_file = '/master/certificate/file'
    if master_content:
      master_file = tempfile.NamedTemporaryFile(
-        dir=self.testdir, delete=False)
+        dir=self.testdir, delete=False, mode='w')
      master_file.write(master_content)
      master_file.close()
      master_file = master_file.name

--- a/kedifa/updater.py
+++ b/kedifa/updater.py
-import httplib
+from __future__ import absolute_import
+from __future__ import print_function
+import six.moves.http_client as httplib
 import json
 import os
 import requests
@@ -38,11 +40,11 @@ class Updater(object):
        elif len(line_content) == 3:
          url, certificate, fallback = line_content
        else:
-          print 'Line %r is incorrect' % (line,)
+          print('Line %r is incorrect' % (line,))
          continue
        if certificate in self.mapping:
-          print 'Line %r is incorrect, duplicated certificate %r' % (
+          print('Line %r is incorrect, duplicated certificate %r' % (
-            line, certificate)
+            line, certificate))
          raise ValueError
        self.mapping[certificate] = (url, fallback)
@@ -53,16 +55,16 @@ class Updater(object):
        url, verify=self.server_ca_certificate_file, cert=self.identity_file,
        timeout=10)
    except Exception as e:
-      print 'Certificate %r: problem with %r not downloaded: %s' % (
+      print('Certificate %r: problem with %r not downloaded: %s' % (
-        certificate_file, url, e)
+        certificate_file, url, e))
    else:
      if response.status_code != httplib.OK:
-        print 'Certificate %r: %r not downloaded, HTTP code %s' % (
+        print('Certificate %r: %r not downloaded, HTTP code %s' % (
-          certificate_file, url, response.status_code)
+          certificate_file, url, response.status_code))
      else:
        certificate = response.text
        if len(certificate) == 0:
-          print 'Certificate %r: %r is empty' % (certificate_file, url,)
+          print('Certificate %r: %r is empty' % (certificate_file, url,))
    return certificate
  def updateCertificate(self, certificate_file, master_content=None):
@@ -98,7 +100,7 @@ class Updater(object):
    if current != certificate:
      with open(certificate_file, 'w') as fh:
        fh.write(certificate)
-        print 'Certificate %r: updated from %r' % (certificate_file, url)
+        print('Certificate %r: updated from %r' % (certificate_file, url))
        return True
    else:
      return False
@@ -106,7 +108,7 @@ class Updater(object):
  def callOnUpdate(self):
    if self.on_update is not None:
      status = os.system(self.on_update)
-      print 'Called %r with status %i' % (self.on_update, status)
+      print('Called %r with status %i' % (self.on_update, status))
  def readState(self):
    self.state_dict = {}
@@ -134,27 +136,30 @@ class Updater(object):
      if not os.path.exists(self.master_certificate_file):
        if master_certificate_file_fallback and os.path.exists(
          master_certificate_file_fallback):
-          open(self.master_certificate_file, 'w').write(
+          with open(self.master_certificate_file, 'w') as out,\
-            open(master_certificate_file_fallback, 'r').read()
+              open(master_certificate_file_fallback, 'r') as in_:
-          )
+            out.write(in_.read())
-          print 'Prepare: Used %r for %r' % (
+          print('Prepare: Used %r for %r' % (
-            master_certificate_file_fallback, self.master_certificate_file)
+            master_certificate_file_fallback, self.master_certificate_file))
    master_content = None
    if self.master_certificate_file and os.path.exists(
      self.master_certificate_file):
-      master_content = open(self.master_certificate_file, 'r').read()
+      with open(self.master_certificate_file, 'r') as f:
+        master_content = f.read()
    for certificate, (_, fallback) in prepare_mapping.items():
      if os.path.exists(certificate):
        continue
      if fallback and os.path.exists(fallback):
-        open(certificate, 'w').write(open(fallback, 'r').read())
+        with open(certificate, 'w') as out, open(fallback, 'r') as in_:
-        print 'Prepare: Used %r for %r' % (fallback, certificate)
+          out.write(in_.read())
+        print('Prepare: Used %r for %r' % (fallback, certificate))
      elif master_content:
-        open(certificate, 'w').write(master_content)
+        with open(certificate, 'w') as out:
-        print 'Prepare: Used %r for %r' % (
+          out.write(master_content)
-          self.master_certificate_file, certificate)
+        print('Prepare: Used %r for %r' % (
+          self.master_certificate_file, certificate))
  def action(self):
    self.readState()
@@ -170,8 +175,8 @@ class Updater(object):
        with open(self.master_certificate_file, 'r') as fh:
          master_content = fh.read() or None
          if master_content:
-            print 'Using master certificate from %r' % (
+            print('Using master certificate from %r' % (
-              self.master_certificate_file,)
+              self.master_certificate_file,))
      except IOError:
        pass
@@ -189,12 +194,12 @@ class Updater(object):
        if not self.prepare_only:
          lock = zc.lockfile.LockFile(self.state_lock_file)
      except zc.lockfile.LockError as e:
-        print e,
+        print(e, end=' ')
        if self.once or self.prepare_only:
-          print '...exiting.'
+          print('...exiting.')
          sys.exit(1)
        else:
-          print "...will try again later."
+          print("...will try again later.")
      else:
        try:
          self.prepare()
@@ -206,8 +211,8 @@ class Updater(object):
            try:
              os.unlink(self.state_lock_file)
            except Exception as e:
-              print 'Problem while unlinking %r' % (self.state_lock_file,)
+              print('Problem while unlinking %r' % (self.state_lock_file,))
      if self.once or self.prepare_only:
        break
-      print 'Sleeping for %is' % (self.sleep,)
+      print('Sleeping for %is' % (self.sleep,))
      time.sleep(self.sleep)