f

2026-02-11 18:16:07 -08:00
parent cc715e1fef
commit 1d0de1118b
27 changed files with 1167 additions and 1075 deletions
--- a/API/ssl_certs.py
+++ b/API/ssl_certs.py
@@ -0,0 +1,109 @@
+"""SSL certificate bundle resolution helpers.
+
+This module is intentionally lightweight (no httpx import) so it can be used by
+providers that still rely on `requests` without paying the import cost of the
+full HTTP client stack.
+"""
+
+from __future__ import annotations
+
+import logging
+import os
+import sys
+from typing import Optional, Union
+
+logger = logging.getLogger(__name__)
+
+
+def resolve_verify_value(verify_ssl: bool) -> Union[bool, str]:
+    """Return the value suitable for `requests`/`httpx` verify parameters.
+
+    - If verify_ssl is not True (False or a path-like string), it is returned.
+    - Respects an existing SSL_CERT_FILE env var.
+    - Tries optional helpers (`pip_system_certs`, `certifi_win32`).
+    - Falls back to `certifi.where()`.
+    - Otherwise returns True.
+    """
+
+    if verify_ssl is not True:
+        return verify_ssl
+
+    env_cert = os.environ.get("SSL_CERT_FILE")
+    if env_cert:
+        return env_cert
+
+    def _try_module_bundle(mod_name: str) -> Optional[str]:
+        mod = sys.modules.get(mod_name)
+        if mod is None:
+            try:
+                import importlib.util
+
+                spec = importlib.util.find_spec(mod_name)
+                if spec is None:
+                    return None
+                import importlib
+
+                mod = importlib.import_module(mod_name)
+            except Exception:
+                return None
+
+        for attr in ("where", "get_ca_bundle", "bundle_path", "get_bundle_path", "get_bundle"):
+            fn = getattr(mod, attr, None)
+            if callable(fn):
+                try:
+                    res = fn()
+                    if res:
+                        return str(res)
+                except Exception:
+                    continue
+            elif isinstance(fn, str) and fn:
+                return fn
+
+        for call_attr in ("add_windows_store_certs", "add_system_certs", "merge_system_certs"):
+            fn = getattr(mod, call_attr, None)
+            if callable(fn):
+                try:
+                    fn()
+                    try:
+                        import certifi as _certifi  # type: ignore
+
+                        res = _certifi.where()
+                        if res:
+                            return str(res)
+                    except Exception:
+                        logger.exception("Failed while probing certifi helper inner block")
+                except Exception:
+                    logger.exception("Failed while invoking cert helper function")
+        return None
+
+    for mod_name in ("pip_system_certs", "certifi_win32"):
+        path = _try_module_bundle(mod_name)
+        if path:
+            try:
+                os.environ["SSL_CERT_FILE"] = path
+            except Exception:
+                logger.exception("Failed to set SSL_CERT_FILE environment variable")
+            logger.info(f"SSL_CERT_FILE not set; using bundle from {mod_name}: {path}")
+            return path
+
+    try:
+        import certifi  # type: ignore
+
+        path = certifi.where()
+        if path:
+            try:
+                os.environ["SSL_CERT_FILE"] = path
+            except Exception:
+                logger.exception("Failed to set SSL_CERT_FILE environment variable during certifi fallback")
+            logger.info(f"SSL_CERT_FILE not set; using certifi bundle: {path}")
+            return str(path)
+    except Exception:
+        logger.exception("Failed to probe certifi for trust bundle")
+
+    return True
+
+
+def get_requests_verify_value(verify_ssl: bool = True) -> Union[bool, str]:
+    """Backwards-friendly alias for call sites that only care about requests."""
+
+    return resolve_verify_value(verify_ssl)