b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
64 lines
2.0 KiB
Python
64 lines
2.0 KiB
Python
"""TLS verify resolution for httpx/OpenAI provider clients."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
import os
|
|
import ssl
|
|
from pathlib import Path
|
|
from typing import Any, Optional
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
def _coerce_insecure(ssl_verify: Any) -> bool:
|
|
if ssl_verify is False:
|
|
return True
|
|
if isinstance(ssl_verify, str) and ssl_verify.strip().lower() in {"false", "0", "no", "off"}:
|
|
return True
|
|
return False
|
|
|
|
|
|
def resolve_httpx_verify(
|
|
*,
|
|
ca_bundle: Optional[str] = None,
|
|
ssl_verify: Any = None,
|
|
base_url: str = "",
|
|
) -> bool | ssl.SSLContext:
|
|
"""Resolve httpx ``verify`` for provider HTTP clients.
|
|
|
|
Priority:
|
|
1. ``ssl_verify: false`` — disable verification (local dev only)
|
|
2. explicit ``ca_bundle`` (per-provider ``ssl_ca_cert`` config field)
|
|
3. ``HERMES_CA_BUNDLE``, ``SSL_CERT_FILE``, ``REQUESTS_CA_BUNDLE``,
|
|
``CURL_CA_BUNDLE`` env vars
|
|
4. ``True`` (httpx/certifi default)
|
|
|
|
``base_url`` is used only for the insecure-mode warning message.
|
|
"""
|
|
if _coerce_insecure(ssl_verify):
|
|
logger.warning(
|
|
"TLS certificate verification DISABLED (ssl_verify: false) for %s — "
|
|
"this is intended for local development only and is unsafe on any "
|
|
"network you do not fully control.",
|
|
base_url or "a custom provider endpoint",
|
|
)
|
|
return False
|
|
|
|
effective_ca = (
|
|
(ca_bundle or "").strip()
|
|
or os.getenv("HERMES_CA_BUNDLE", "").strip()
|
|
or os.getenv("SSL_CERT_FILE", "").strip()
|
|
or os.getenv("REQUESTS_CA_BUNDLE", "").strip()
|
|
or os.getenv("CURL_CA_BUNDLE", "").strip()
|
|
)
|
|
if effective_ca:
|
|
ca_path = str(Path(effective_ca).expanduser())
|
|
if os.path.isfile(ca_path):
|
|
return ssl.create_default_context(cafile=ca_path)
|
|
logger.warning(
|
|
"CA bundle path does not exist: %s — falling back to default certificates",
|
|
effective_ca,
|
|
)
|
|
return True
|