Introduce a shared helper that maps HERMES_CA_BUNDLE, SSL_CERT_FILE, and per-provider ssl_ca_cert settings to httpx verify contexts.
52 lines
1.5 KiB
Python
52 lines
1.5 KiB
Python
"""TLS verify resolution for httpx/OpenAI provider clients."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
import os
|
|
import ssl
|
|
from pathlib import Path
|
|
from typing import Any, Optional
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
def _coerce_insecure(ssl_verify: Any) -> bool:
|
|
if ssl_verify is False:
|
|
return True
|
|
if isinstance(ssl_verify, str) and ssl_verify.strip().lower() in {"false", "0", "no", "off"}:
|
|
return True
|
|
return False
|
|
|
|
|
|
def resolve_httpx_verify(
|
|
*,
|
|
ca_bundle: Optional[str] = None,
|
|
ssl_verify: Any = None,
|
|
) -> bool | ssl.SSLContext:
|
|
"""Resolve httpx ``verify`` for provider HTTP clients.
|
|
|
|
Priority:
|
|
1. ``ssl_verify: false`` — disable verification (local dev only)
|
|
2. explicit ``ca_bundle`` (per-provider ``ssl_ca_cert`` config field)
|
|
3. ``HERMES_CA_BUNDLE``, ``SSL_CERT_FILE``, ``REQUESTS_CA_BUNDLE`` env vars
|
|
4. ``True`` (httpx/certifi default)
|
|
"""
|
|
if _coerce_insecure(ssl_verify):
|
|
return False
|
|
|
|
effective_ca = (
|
|
(ca_bundle or "").strip()
|
|
or os.getenv("HERMES_CA_BUNDLE", "").strip()
|
|
or os.getenv("SSL_CERT_FILE", "").strip()
|
|
or os.getenv("REQUESTS_CA_BUNDLE", "").strip()
|
|
)
|
|
if effective_ca:
|
|
ca_path = str(Path(effective_ca).expanduser())
|
|
if os.path.isfile(ca_path):
|
|
return ssl.create_default_context(cafile=ca_path)
|
|
logger.warning(
|
|
"CA bundle path does not exist: %s — falling back to default certificates",
|
|
effective_ca,
|
|
)
|
|
return True
|