fix: always load the default certs on our custom SSL context #196
Conversation
Signed-off-by: Norbert Biczo <[email protected]>
Signed-off-by: Norbert Biczo <[email protected]>
Signed-off-by: Norbert Biczo <[email protected]>
Signed-off-by: Norbert Biczo <[email protected]>
…t to the `test` folder At this point if `requests 2.32.3` is installed, the issue is reproducable. Signed-off-by: Norbert Biczo <[email protected]>
Signed-off-by: Norbert Biczo <[email protected]>
Signed-off-by: Norbert Biczo <[email protected]>
test/test_http_adapter.py
Outdated
| service = BaseService(service_url='https://raw.githubusercontent.com', authenticator=NoAuthAuthenticator()) | ||
| assert service.disable_ssl_verification is False | ||
| prepped = service.prepare_request('GET', url='/IBM/python-sdk-core/main/README.md') |
There was a problem hiding this comment.
I'm not too happy with this solution, but I found this to be the most reliable way to reproduce the problem. Actually the only way because I was not able to trigger the exception in any of my local experiments. I totally understand if you have concerns about this, so let's discuss.
test/test_http_adapter.py
Outdated
| with pytest.raises(SSLError): | ||
| with pytest.raises(SSLError, match="certificate verify failed: self-signed certificate"): |
There was a problem hiding this comment.
Just a small tweak to make sure we catch the exact same error that we want.
pyrooka
force-pushed
the
nb/https-test-improvements
branch
from
99404de to
e783e05
Compare
Signed-off-by: Norbert Biczo <[email protected]>
pyrooka
force-pushed
the
nb/https-test-improvements
branch
from
e783e05 to
d975630
Compare
test/test_http_adapter.py
Outdated
| service = BaseService(service_url='https://raw.githubusercontent.com', authenticator=NoAuthAuthenticator()) | ||
| assert service.disable_ssl_verification is False | ||
| prepped = service.prepare_request('GET', url='/IBM/python-sdk-core/main/README.md') |
There was a problem hiding this comment.
I'm not too happy with this solution, but I found this to be the most reliable way to reproduce the problem. Actually the only way because I was not able to trigger the exception in any of my local experiments. I totally understand if you have concerns about this, so let's discuss.
The only other thing I can think of is listing the certs available and checking it is more than 0, but I don't know if we have enough visibility to be able to do that.
Certainly using a website that has a public certificate chain leading to some default root cert is a surefire way to prove that it can successfully negotiate a connection using the loaded default certs. However, whilst connecting to github proves we have some default certs it doesn't necessarily prove we have the certificate we need so perhaps switching to some cloud.ibm.com site would offer more value since it will likely use the same root certifcate chain as our services do? Maybe something like https://cloud.ibm.com/status or with a filter like https://cloud.ibm.com/status/security?component=ibm-cloud&location=global if it's too large a page otherwise?
There was a problem hiding this comment.
The only other thing I can think of is listing the certs available and checking it is more than 0, but I don't know if we have enough visibility to be able to do that.
That's a clever idea but I can't tell either - at least off the to of my head. I think I'll take a look because this sounds interesting.
...perhaps switching to some
cloud.ibm.comsite would offer more value...
Agreed, it makes sense!
Signed-off-by: Norbert Biczo <[email protected]>
Signed-off-by: Norbert Biczo <[email protected]>
Signed-off-by: Norbert Biczo <[email protected]>
test/test_http_adapter.py
Outdated
| ssl_context = service.http_adapter.poolmanager.connection_pool_kw.get("ssl_context") | ||
| assert ssl_context is not None | ||
| # In some cases (especially in Ubuntu containers that we use for testing on Travis) | ||
| # the default CA certifications are stored in a different place, so let's try to |
There was a problem hiding this comment.
A really minor nit...
| # the default CA certifications are stored in a different place, so let's try to | |
| # the default CA certificates are stored in a different place, so let's try to |
Signed-off-by: Norbert Biczo <[email protected]>
## [3.20.2](v3.20.1...v3.20.2) (2024-07-09) ### Bug Fixes * always load the default certs on our custom SSL context ([#196](#196)) ([ff14a4b](ff14a4b))
|
🎉 This PR is included in version 3.20.2 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This is a follow-up PR of this one. In the linked PR we had to specify and older version of the
requestspackage to avoid a regression.This PR contains the fix for that, so we can continue using always the latest version. Furthermore, the HTTPS related tests have been improved and moved to the directory of the unit tests, to always include them in our builds.