fix(ssl): replace verify=True with ssl.create_default_context() for corporate CA support

Core fix: all httpx.AsyncClient instances now use ssl.create_default_context()
instead of bool verify=True, which uses certifi and ignores system CA store.
This makes corporate CA certificates installed via update-ca-certificates
visible to Python HTTP clients.

Files:
- async_network.py: AsyncAPIClient.__init__ converts True→SSLContext
- client_registry.py: get_client converts bool→SSLContext before passing
- notifications/providers.py: _get_http_client uses ssl.create_default_context()
- services/git/_base.py: GitServiceBase uses ssl.create_default_context()
- translate/_llm_async_http.py: _get_verify returns SSLContext (not string)

Test: new integration test with 3-tier PKI (Root→Intermediate→Server),
TLS-protected Superset container, and custom CA installation via
update-ca-certificates or SSL_CERT_DIR fallback.
- conftest.py: added ca_chain, install_custom_ca, superset_tls_env fixtures;
  parameterized superset_container for TLS mode
- test_superset_tls_custom_ca.py: 8 tests (openssl -CApath, -CAfile certifi,
  httpx capath, httpx certifi, AsyncAPIClient, SupersetClient, fingerprint, verify=False)
This commit is contained in:
2026-06-15 10:20:43 +03:00
parent af923972b6
commit 27a20cbbeb
7 changed files with 603 additions and 31 deletions

View File

@@ -18,6 +18,7 @@ import asyncio
import io
import json
from pathlib import Path
import ssl
from typing import Any
import httpx
@@ -59,23 +60,32 @@ class AsyncAPIClient:
# @DATA_CONTRACT Input[config: Dict[str, Any]] -> self._auth_cache_key[str]
# @RELATION CALLS -> [AsyncAPIClient._normalize_base_url]
# @RELATION DEPENDS_ON -> [SupersetAuthCache]
def __init__(self, config: dict[str, Any], verify_ssl: bool = True, timeout: int = DEFAULT_TIMEOUT,
def __init__(self, config: dict[str, Any], verify_ssl: bool | ssl.SSLContext = True, timeout: int = DEFAULT_TIMEOUT,
semaphore: asyncio.Semaphore | None = None):
self.base_url: str = self._normalize_base_url(config.get("base_url", ""))
self.api_base_url: str = f"{self.base_url}/api/v1"
self.auth = config.get("auth")
self.request_settings = {"verify_ssl": verify_ssl, "timeout": timeout}
# Use system CA store via ssl.create_default_context() instead of bool True.
# httpx defaults to certifi, ignoring SSL_CERT_FILE and corporate CA certs.
if verify_ssl is True:
ssl_context: bool | ssl.SSLContext = ssl.create_default_context()
elif verify_ssl is False:
ssl_context = False
else:
ssl_context = verify_ssl # уже SSLContext
self._client = httpx.AsyncClient(
verify=verify_ssl,
verify=ssl_context,
timeout=httpx.Timeout(timeout),
follow_redirects=True,
)
self._tokens: dict[str, str] = {}
self._authenticated = False
# Cache key по-прежнему использует bool для хеширования
self._auth_cache_key = SupersetAuthCache.build_key(
self.base_url,
self.auth,
verify_ssl,
verify_ssl if isinstance(verify_ssl, bool) else True,
)
# Optional shared semaphore for connection limiting (set by SupersetClientRegistry).
self._semaphore = semaphore

View File

@@ -19,6 +19,7 @@
# shows callers create SupersetClient anyway, defeating the purpose.
import asyncio
import ssl
from typing import Any
from ..logger import logger
@@ -47,6 +48,7 @@ def _build_env_id(env: Any) -> str:
if isinstance(env, dict):
return f"{env.get('base_url','')}|{env.get('username','')}"
return str(id(env))
# #endregion _build_env_id
# #region get_client [C:3] [TYPE Function]
@@ -97,9 +99,15 @@ async def get_client(
config = {}
verify_ssl = True
timeout = request_timeout
# Convert bool to SSLContext with system CA store — httpx defaults to certifi,
# ignoring corporate CA certificates installed via update-ca-certificates.
if verify_ssl is True:
ssl_context: bool | ssl.SSLContext = ssl.create_default_context()
else:
ssl_context = verify_ssl
async_client = AsyncAPIClient(
config=config,
verify_ssl=verify_ssl,
verify_ssl=ssl_context,
timeout=timeout,
)
semaphore = asyncio.Semaphore(connection_pool_size)