From 364ed6aaa7e4676a5ce322072c48821c46990744 Mon Sep 17 00:00:00 2001 From: Bruce Schultz Date: Fri, 19 Sep 2025 10:54:53 +0200 Subject: [PATCH 1/2] fix(ssl): add SSL context to proxy mounts --- project/dependencies.py | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/project/dependencies.py b/project/dependencies.py index cb62df7..ecdf3e8 100644 --- a/project/dependencies.py +++ b/project/dependencies.py @@ -114,10 +114,23 @@ def get_client_id( raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="JWT is malformed") +@lru_cache +def get_ssl_context( + settings: Annotated[Settings, Depends(get_settings)], +): + # see https://www.python-httpx.org/advanced/ssl/#configuring-client-instances + ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + if settings.extra_ca_certs is not None: + ctx.load_verify_locations(cafile=settings.extra_ca_certs) + return ctx + ProxyMount = dict[str, httpx.HTTPTransport] | None -def get_proxy_mounts(settings: Annotated[Settings, Depends(get_settings)]): +def get_proxy_mounts( + settings: Annotated[Settings, Depends(get_settings)], + ssl_context: Annotated[ssl.SSLContext, Depends(get_ssl_context)] +): proxy = settings.proxy proxy_mounts = {} @@ -127,7 +140,7 @@ def get_proxy_mounts(settings: Annotated[Settings, Depends(get_settings)]): if http_proxy_set and https_proxy_set: # if two urls are provided, set them for each mode of transport individually proxy_mounts["http://"] = httpx.HTTPTransport(proxy=str(proxy.http_url)) - proxy_mounts["https://"] = httpx.HTTPTransport(proxy=str(proxy.https_url)) + proxy_mounts["https://"] = httpx.HTTPTransport(proxy=str(proxy.https_url), verify=ssl_context) elif not http_proxy_set and not https_proxy_set: # if no urls are provided, do nothing pass 
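Review bot: `get_ssl_context` now decides what proxied HTTPS traffic trusts, in addition to the hub auth flow, but it has no docstring or return annotation saying so. I would add `-> ssl.SSLContext` and a docstring such as `"""Return the cached client TLS context: truststore-backed verification plus settings.extra_ca_certs as additional trust anchors."""`. The docstring should also state that every CA in that file becomes trusted for all connections sharing this context. Because of `@lru_cache`, one context object is presumably reused for as long as `settings` hashes the same; `Settings` is not visible in this hunk, so that is worth confirming.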
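Review bot: `verify=ssl_context` on the `https://` mount covers verification of the origin server reached through the proxy, but not a TLS connection to the proxy itself. If `proxy.https_url` or `proxy.http_url` can carry an `https` scheme, that leg would presumably still use the library defaults and ignore `settings.extra_ca_certs`, and the `http://` mounts receive no context at all. As far as I know httpx takes the proxy-leg context through `httpx.Proxy(url, ssl_context=...)`, so consider `httpx.HTTPTransport(proxy=httpx.Proxy(str(proxy.https_url), ssl_context=ssl_context), verify=ssl_context)`, or reject `https` proxy URLs in settings validation if TLS-to-proxy is not meant to be supported. The same applies to the single-URL branch in the `@@ -136,7 +149,7 @@` hunk; `get_proxy_mounts` begins and ends outside this hunk.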
@@ -136,7 +149,7 @@ def get_proxy_mounts(settings: Annotated[Settings, Depends(get_settings)]): proxy_url = str(proxy.http_url) if http_proxy_set else str(proxy.https_url) proxy_mounts["http://"] = httpx.HTTPTransport(proxy=proxy_url) - proxy_mounts["https://"] = httpx.HTTPTransport(proxy=proxy_url) + proxy_mounts["https://"] = httpx.HTTPTransport(proxy=proxy_url, verify=ssl_context) if len(proxy_mounts) == 0: return None @@ -144,17 +157,6 @@ def get_proxy_mounts(settings: Annotated[Settings, Depends(get_settings)]): return proxy_mounts -@lru_cache -def get_ssl_context( - settings: Annotated[Settings, Depends(get_settings)], -): - # see https://www.python-httpx.org/advanced/ssl/#configuring-client-instances - ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) - if settings.extra_ca_certs is not None: - ctx.load_verify_locations(cafile=settings.extra_ca_certs) - return ctx - - def get_flame_hub_auth_flow( settings: Annotated[Settings, Depends(get_settings)], ssl_context: Annotated[ssl.SSLContext, Depends(get_ssl_context)], From 3849d812f518d8dc8860f0d1aef9ca9f8360526c Mon Sep 17 00:00:00 2001 From: pbrassel <52356233+pbrassel@users.noreply.github.com> Date: Tue, 23 Sep 2025 14:47:32 +0200 Subject: [PATCH 2/2] style: check style via ruff --- project/dependencies.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/project/dependencies.py b/project/dependencies.py index ecdf3e8..08e9a56 100644 --- a/project/dependencies.py +++ b/project/dependencies.py @@ -124,12 +124,13 @@ def get_ssl_context( ctx.load_verify_locations(cafile=settings.extra_ca_certs) return ctx + ProxyMount = dict[str, httpx.HTTPTransport] | None def get_proxy_mounts( - settings: Annotated[Settings, Depends(get_settings)], - ssl_context: Annotated[ssl.SSLContext, Depends(get_ssl_context)] + settings: Annotated[Settings, Depends(get_settings)], + ssl_context: Annotated[ssl.SSLContext, Depends(get_ssl_context)], ): proxy = settings.proxy proxy_mounts = {}