fix(ssl): replace verify=True with ssl.create_default_context() for corporate CA support
Core fix: all httpx.AsyncClient instances now use ssl.create_default_context() instead of bool verify=True, which uses certifi and ignores system CA store. This makes corporate CA certificates installed via update-ca-certificates visible to Python HTTP clients. Files: - async_network.py: AsyncAPIClient.__init__ converts True→SSLContext - client_registry.py: get_client converts bool→SSLContext before passing - notifications/providers.py: _get_http_client uses ssl.create_default_context() - services/git/_base.py: GitServiceBase uses ssl.create_default_context() - translate/_llm_async_http.py: _get_verify returns SSLContext (not string) Test: new integration test with 3-tier PKI (Root→Intermediate→Server), TLS-protected Superset container, and custom CA installation via update-ca-certificates or SSL_CERT_DIR fallback. - conftest.py: added ca_chain, install_custom_ca, superset_tls_env fixtures; parameterized superset_container for TLS mode - test_superset_tls_custom_ca.py: 8 tests (openssl -CApath, -CAfile certifi, httpx capath, httpx certifi, AsyncAPIClient, SupersetClient, fingerprint, verify=False)
This commit is contained in:
@@ -18,6 +18,7 @@ import asyncio
|
||||
import io
|
||||
import json
|
||||
from pathlib import Path
|
||||
import ssl
|
||||
from typing import Any
|
||||
|
||||
import httpx
|
||||
@@ -59,23 +60,32 @@ class AsyncAPIClient:
|
||||
# @DATA_CONTRACT Input[config: Dict[str, Any]] -> self._auth_cache_key[str]
|
||||
# @RELATION CALLS -> [AsyncAPIClient._normalize_base_url]
|
||||
# @RELATION DEPENDS_ON -> [SupersetAuthCache]
|
||||
def __init__(self, config: dict[str, Any], verify_ssl: bool = True, timeout: int = DEFAULT_TIMEOUT,
|
||||
def __init__(self, config: dict[str, Any], verify_ssl: bool | ssl.SSLContext = True, timeout: int = DEFAULT_TIMEOUT,
|
||||
semaphore: asyncio.Semaphore | None = None):
|
||||
self.base_url: str = self._normalize_base_url(config.get("base_url", ""))
|
||||
self.api_base_url: str = f"{self.base_url}/api/v1"
|
||||
self.auth = config.get("auth")
|
||||
self.request_settings = {"verify_ssl": verify_ssl, "timeout": timeout}
|
||||
# Use system CA store via ssl.create_default_context() instead of bool True.
|
||||
# httpx defaults to certifi, ignoring SSL_CERT_FILE and corporate CA certs.
|
||||
if verify_ssl is True:
|
||||
ssl_context: bool | ssl.SSLContext = ssl.create_default_context()
|
||||
elif verify_ssl is False:
|
||||
ssl_context = False
|
||||
else:
|
||||
ssl_context = verify_ssl # уже SSLContext
|
||||
self._client = httpx.AsyncClient(
|
||||
verify=verify_ssl,
|
||||
verify=ssl_context,
|
||||
timeout=httpx.Timeout(timeout),
|
||||
follow_redirects=True,
|
||||
)
|
||||
self._tokens: dict[str, str] = {}
|
||||
self._authenticated = False
|
||||
# Cache key по-прежнему использует bool для хеширования
|
||||
self._auth_cache_key = SupersetAuthCache.build_key(
|
||||
self.base_url,
|
||||
self.auth,
|
||||
verify_ssl,
|
||||
verify_ssl if isinstance(verify_ssl, bool) else True,
|
||||
)
|
||||
# Optional shared semaphore for connection limiting (set by SupersetClientRegistry).
|
||||
self._semaphore = semaphore
|
||||
|
||||
@@ -19,6 +19,7 @@
|
||||
# shows callers create SupersetClient anyway, defeating the purpose.
|
||||
|
||||
import asyncio
|
||||
import ssl
|
||||
from typing import Any
|
||||
|
||||
from ..logger import logger
|
||||
@@ -47,6 +48,7 @@ def _build_env_id(env: Any) -> str:
|
||||
if isinstance(env, dict):
|
||||
return f"{env.get('base_url','')}|{env.get('username','')}"
|
||||
return str(id(env))
|
||||
# #endregion _build_env_id
|
||||
|
||||
|
||||
# #region get_client [C:3] [TYPE Function]
|
||||
@@ -97,9 +99,15 @@ async def get_client(
|
||||
config = {}
|
||||
verify_ssl = True
|
||||
timeout = request_timeout
|
||||
# Convert bool to SSLContext with system CA store — httpx defaults to certifi,
|
||||
# ignoring corporate CA certificates installed via update-ca-certificates.
|
||||
if verify_ssl is True:
|
||||
ssl_context: bool | ssl.SSLContext = ssl.create_default_context()
|
||||
else:
|
||||
ssl_context = verify_ssl
|
||||
async_client = AsyncAPIClient(
|
||||
config=config,
|
||||
verify_ssl=verify_ssl,
|
||||
verify_ssl=ssl_context,
|
||||
timeout=timeout,
|
||||
)
|
||||
semaphore = asyncio.Semaphore(connection_pool_size)
|
||||
|
||||
@@ -16,6 +16,7 @@
|
||||
|
||||
import asyncio
|
||||
import os
|
||||
import ssl
|
||||
from typing import Any
|
||||
|
||||
import httpx
|
||||
@@ -31,19 +32,22 @@ DEFAULT_MAX_TOKENS: int = 8192
|
||||
|
||||
|
||||
# #region _get_verify [C:1] [TYPE Function] [SEMANTICS translate, ssl, verify]
|
||||
# @BRIEF Resolve SSL verification path from LLM_SSL_VERIFY env var.
|
||||
# @RATIONALE Используем capath=/etc/ssl/certs/ вместо cafile, потому что
|
||||
# OpenSSL 3.x не использует intermediate CA сертификаты из cafile для
|
||||
# построения цепочки (verify code 20). capath с хеш-симлинками работает
|
||||
# корректно (verify code 0).
|
||||
# @BRIEF Resolve SSL verification context from LLM_SSL_VERIFY env var.
|
||||
# @RATIONALE Используем capath=/etc/ssl/certs/ через ssl.create_default_context,
|
||||
# потому что OpenSSL 3.x не использует intermediate CA сертификаты из cafile
|
||||
# для построения цепочки (verify code 20). capath с хеш-симлинками работает
|
||||
# корректно (verify code 0). Возвращаем SSLContext вместо строки — httpx 0.28.x
|
||||
# депрекейтит строковый путь в verify=.
|
||||
# @REJECTED cafile отвергнут — OpenSSL 3.x не использует intermediate CA
|
||||
# из единого bundle-файла. Только capath с хеш-симлинками даёт code 0.
|
||||
# @POST Returns path to /etc/ssl/certs/ when enabled, False when disabled.
|
||||
def _get_verify() -> str | bool:
|
||||
# @REJECTED Строковый путь "/etc/ssl/certs/" отвергнут — httpx 0.28.x депрекейтит
|
||||
# строки в verify=, требует SSLContext.
|
||||
# @POST Returns ssl.SSLContext with capath when enabled, False when disabled.
|
||||
def _get_verify() -> ssl.SSLContext | bool:
|
||||
raw = os.getenv("LLM_SSL_VERIFY", "true").strip().lower()
|
||||
if raw in ("false", "0", "no", "off"):
|
||||
return False
|
||||
return "/etc/ssl/certs/"
|
||||
return ssl.create_default_context(capath="/etc/ssl/certs/")
|
||||
# #endregion _get_verify
|
||||
|
||||
|
||||
|
||||
@@ -14,6 +14,7 @@ import os
|
||||
from pathlib import Path
|
||||
import re
|
||||
import shutil
|
||||
import ssl
|
||||
import threading
|
||||
from urllib.parse import quote
|
||||
|
||||
@@ -56,8 +57,11 @@ class GitServiceBase:
|
||||
self._closed = False
|
||||
self._close_lock = threading.Lock()
|
||||
|
||||
# Fix 5: Shared httpx.AsyncClient with connection pooling
|
||||
# Fix 5: Shared httpx.AsyncClient with connection pooling.
|
||||
# Uses system CA store (ssl.create_default_context) instead of certifi
|
||||
# to trust corporate CA certificates installed via update-ca-certificates.
|
||||
self._http_client = httpx.AsyncClient(
|
||||
verify=ssl.create_default_context(),
|
||||
timeout=30.0,
|
||||
limits=httpx.Limits(max_keepalive_connections=20, max_connections=100),
|
||||
)
|
||||
@@ -397,5 +401,3 @@ class GitServiceBase:
|
||||
# endregion close
|
||||
# #endregion GitServiceBase
|
||||
# #endregion GitServiceBase
|
||||
# #endregion GitServiceBase
|
||||
# #endregion GitServiceBase
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
from abc import ABC, abstractmethod
|
||||
from email.mime.multipart import MIMEMultipart
|
||||
from email.mime.text import MIMEText
|
||||
import ssl
|
||||
from typing import Any
|
||||
|
||||
import aiosmtplib
|
||||
@@ -32,10 +33,16 @@ _http_client: httpx.AsyncClient | None = None
|
||||
|
||||
|
||||
async def _get_http_client() -> httpx.AsyncClient:
|
||||
"""Get or create the module-level httpx.AsyncClient singleton."""
|
||||
"""Get or create the module-level httpx.AsyncClient singleton.
|
||||
Uses system CA store (ssl.create_default_context) instead of certifi
|
||||
to trust corporate CA certificates installed via update-ca-certificates.
|
||||
"""
|
||||
global _http_client
|
||||
if _http_client is None:
|
||||
_http_client = httpx.AsyncClient(timeout=httpx.Timeout(30.0))
|
||||
_http_client = httpx.AsyncClient(
|
||||
verify=ssl.create_default_context(),
|
||||
timeout=httpx.Timeout(30.0),
|
||||
)
|
||||
return _http_client
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user