Commit Graph

3 Commits

Author SHA1 Message Date
03e9fbba6a fix: TLS Custom CA integration tests — all 175 pass
ROOT CAUSE: OpenSSL 3.x requires AuthorityKeyIdentifier (AKI) extension
on certificates for capath-based chain building. The ca_chain fixture
generated certs without AKI/SKI extensions — causing ssl.create_default_context()
to fail with 'Missing Authority Key Identifier'.

FIXES (2 files):
1. conftest.py: Added SubjectKeyIdentifier and AuthorityKeyIdentifier
   extensions to all generated certificates in _gen_cert_pem()
2. test_superset_tls_custom_ca.py:
   - Added superset_container param to test_certifi_bundle_notrust
   - Added httpx.ConnectError to caught exceptions (httpx wraps SSLError)
   - Fixed get_dashboards() return type assertion (tuple vs dict)

RESULTS: 175/175 integration tests passing (was 167), +8 TLS tests
- openssl capath OK, certifi fails, certifi bundle no-trust
- httpx capath works, httpx certifi fails, verify_false works
- AsyncAPIClient verify_ssl=True authenticates over HTTPS
- SupersetClient full auth + API calls over TLS
2026-06-16 11:42:40 +03:00
ec6421de35 rename ss-tools to superset-tools across the entire project
- Replace all occurrences of 'ss-tools' with 'superset-tools' in 104 files
- Rename git bundle file ss-tools.bundle → superset-tools.bundle
- Update .gitignore pattern accordingly
- Preserve variable names (hasSsTools etc.) and code identifiers
2026-06-16 11:15:19 +03:00
27a20cbbeb fix(ssl): replace verify=True with ssl.create_default_context() for corporate CA support
Core fix: all httpx.AsyncClient instances now use ssl.create_default_context()
instead of bool verify=True, which uses certifi and ignores system CA store.
This makes corporate CA certificates installed via update-ca-certificates
visible to Python HTTP clients.

Files:
- async_network.py: AsyncAPIClient.__init__ converts True→SSLContext
- client_registry.py: get_client converts bool→SSLContext before passing
- notifications/providers.py: _get_http_client uses ssl.create_default_context()
- services/git/_base.py: GitServiceBase uses ssl.create_default_context()
- translate/_llm_async_http.py: _get_verify returns SSLContext (not string)

Test: new integration test with 3-tier PKI (Root→Intermediate→Server),
TLS-protected Superset container, and custom CA installation via
update-ca-certificates or SSL_CERT_DIR fallback.
- conftest.py: added ca_chain, install_custom_ca, superset_tls_env fixtures;
  parameterized superset_container for TLS mode
- test_superset_tls_custom_ca.py: 8 tests (openssl -CApath, -CAfile certifi,
  httpx capath, httpx certifi, AsyncAPIClient, SupersetClient, fingerprint, verify=False)
2026-06-15 10:32:17 +03:00