# HG changeset patch
# Parent 165cab80bf93c4f6b0ef5b2ecf5d76caa4f28fd8
avoid use of pycurl with openid due to certificate validation issues
diff --git a/storm/storm/config/auth.py b/storm/storm/config/auth.py
--- a/storm/storm/config/auth.py
+++ b/storm/storm/config/auth.py
@@ -17,6 +17,19 @@
 import oauth2 as oauth
 from webob.exc import status_map
+# openid prefers to use pycurl if available, but that package has a limited
+# certificate store and fails to validate the google openid url.
+# See http://www.cozmanova.com/node/8 for a way to manually install the
+# needed certificates, but for now we just tell openid to prefer urllib2.
+# (XXX - presumably this means *no* certificate validation is done, which
+# probably isn't a good thing...)
+from openid.fetchers import Urllib2Fetcher, setDefaultFetcher
+setDefaultFetcher(Urllib2Fetcher())
+
+import logging
+
+log = logging.getLogger(__name__)
+
 def redirect(url, code=302):
 """Raises a redirect exception to the specified URL
@@ -132,11 +145,13 @@
 openid = request.params.get('openid', None)
 if openid is None:
 session.save()
+ log.info('redirecting to %r for login', self.login_path)
 return redirect(self.login_path)(environ, start_response)
 try:
 authrequest = consumer.begin(openid)
 except DiscoveryFailure, e:
 session.save()
+ log.info('redirecting to %r due to openid discovery failure: %s', self.login_path, e)
 return redirect(self.login_path)(environ, start_response)
 sreg_optional = [a.strip() for a in request.params.get('sreg_optional',"").split(',') if a]
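Review bot: The `setDefaultFetcher(Urllib2Fetcher())` call trades a fetcher that fails closed on an unknown CA for one that may not verify certificates at all, which the XXX comment above it already suspects. On Python 2 before 2.7.9, urllib2 does no HTTPS certificate or hostname verification by default, so discovery and association traffic to the provider would be unauthenticated and an on-path party could alter provider responses. The call also runs at import time and changes the default fetcher for every python-openid user in the process. I would rather keep a verifying fetcher and give it a complete CA bundle (the route the linked page describes); if this has to ship as a stopgap, replace the XXX with a tracked note such as `# SECURITY: urllib2 may not verify HTTPS certificates here; OpenID responses are unauthenticated until a verifying fetcher is restored (TODO: <ticket>)`.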
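Review bot: The second `log.info` formats the `DiscoveryFailure` with `%s`, and that message is presumably built from the user-supplied `openid` parameter or the remote server's response, so control characters such as newlines could reach the log unescaped. A failed discovery is also an authentication failure worth recording above info level. I would write `log.warning('redirecting to %r due to openid discovery failure: %r', self.login_path, e)`. The enclosing method starts and ends outside this hunk, so I cannot see whether the failure is recorded anywhere else.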