-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature] Add SSL Certificate Context And Setting For Async/Sync HTTP Requests #6976
base: develop
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a few concerns with this solution.
- We are modifying environment variables from within the application and the logic to so in
get_certificates
andrestore_certs
is complex to follow. - We are introduction a state inside
Env()
. I assume that's why we have some lines withEnv()
to refresh the state (?). This class should be stateless and readonly for consistency and predictability. - The implementation requires us to constantly get and restore certificates, which is not obvious when implementing new requests.
I suggest using a single session that picks configurations and is shared across the app as proposed here #6939.
OK, try it out now, @montezdesousa. I found a way to hack the session into the Posthog handler. The implementation now goes the other way where
Using any of the utility HTTP request functions will read the system_settings.json and take precedence over any environment variable. Binding session objects to the
Any unclosed async session object will be closed on exit. |
When trying to test I get the same error both with
|
This error seems to indicate that the self-signed certificate is not being found at all. I know there's lots of ways to make it not work, so rooting out the edge cases would be nice. What are your exact deployment steps here, is this a network deployment? Is the same
Was the certificate created by the same version of Python and openssl used in the deployment and environment? |
…to feature/ssl-context
…ce/OpenBB into feature/ssl-context
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested and it works as expected, just left some comments and suggestions mostly on code readability.
def get_python_request_settings() -> dict: | ||
"""Get the python settings.""" | ||
# pylint: disable=import-outside-toplevel | ||
from openbb_core.app.service.system_service import SystemService | ||
|
||
python_settings = SystemService().system_settings.python_settings.model_dump() | ||
http_settings = python_settings.get("http", {}) | ||
allowed_keys = [ | ||
"cafile", | ||
"certfile", | ||
"keyfile", | ||
"password", | ||
"verify_ssl", | ||
"fingerprint", | ||
"proxy", | ||
"proxy_auth", | ||
"proxy_headers", | ||
"timeout", | ||
"auth", | ||
"headers", | ||
"cookies", | ||
] | ||
|
||
return { | ||
k: v for k, v in http_settings.items() if v is not None and k in allowed_keys | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
http_settings
should be defined explicitly in openbb_platform/core/openbb_core/app/model/python_settings.py
as a dict
, this becomes hidden if just mentioned here. That way we also don't need extra_allow=True
in PythonSettings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll add these to documentation so they are not hidden.
extra_allow
makes it extendable for other futures uses. Adding extra keys to the JSON file won't actually do anything because those keys would not be reached by any code.
I don't see any real benefit to not allowing extras here. Think, VS Code settings file. All the VS Code extensions define specific behaviors and preferences in the same settings file as the main program.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are hidden in the code, documentation is useful for detailing what code cannot convey. The benefit is explicit field definition, one should know all the python settings by looking at the PythonSettings
model.
With extra_allow=True
you open the door to implicit definitions all over the code with no real benefit, like http
(I think a better name would be something like request_settings
, http
is too general) that only lives inside the helper function get_python_request_settings
. If we add a few more like this and it will become hard to track which settings exist.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While you do raise a good point, the intention is to allow others (developers, users, etc.) to extend functionality without having to change code in the core library. This is a major benefit, and has very little downside.
I'll add it into the model, but I feel pretty strongly about making it way easier for people to build custom components and configurations. It won't be hard to keep track of.
I would expect more people to look for this type of information in the documentation - i.e, where you are supposed to find out about the available settings - rather than trying to figure out how to import some subclass just to read the annotations.
http
settings is a more accurate name for what the key is responsible for, and it doesn't have to exist only for serving those specific keys. It's filtered in the function to not allow other settings in those functions, but there can easily be other cases where you need additional settings - like maybe httpx or some other library somebody wants to use.
Thanks for the help. I'm using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lgtm
Edit: updating review
def get_python_request_settings() -> dict: | ||
"""Get the python settings.""" | ||
# pylint: disable=import-outside-toplevel | ||
from openbb_core.app.service.system_service import SystemService | ||
|
||
python_settings = SystemService().system_settings.python_settings.model_dump() | ||
http_settings = python_settings.get("http", {}) | ||
allowed_keys = [ | ||
"cafile", | ||
"certfile", | ||
"keyfile", | ||
"password", | ||
"verify_ssl", | ||
"fingerprint", | ||
"proxy", | ||
"proxy_auth", | ||
"proxy_headers", | ||
"timeout", | ||
"auth", | ||
"headers", | ||
"cookies", | ||
] | ||
|
||
return { | ||
k: v for k, v in http_settings.items() if v is not None and k in allowed_keys | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are hidden in the code, documentation is useful for detailing what code cannot convey. The benefit is explicit field definition, one should know all the python settings by looking at the PythonSettings
model.
With extra_allow=True
you open the door to implicit definitions all over the code with no real benefit, like http
(I think a better name would be something like request_settings
, http
is too general) that only lives inside the helper function get_python_request_settings
. If we add a few more like this and it will become hard to track which settings exist.
Why?:
The Requests library accepts an environment variable,
REQUESTS_CA_BUNDLE
, and AIOHTTP does not. This creates inconsistencies between synchronous and async HTTP requests. Furthermore, defining this variable limits the Requests library to that particular file. If you want to use a self-signed certificate for only some things, it is not straightforward.This solution combines the specified certificate with the
certifi
defaults.What?:
system_settings.json
to accept extras.http
as a nested dictionary.make_request
amake_request
amake_requests
uvicorn.run
by storing them as a dictionary to:system_settings.python_settings.uvicorn
Impact:
REQUESTS_CA_BUNDLE
, ports directly to the async requests.system_settings.json
instead of environment variables.cafile
is an equivalent toREQUESTS_CA_BUNDLE
, when pointing to a file."verify_ssl": false
, SSL certificate verification is disabled within all OpenBB functions."python_settings["uvicorn"]"
dictionary are passed directly touvicorn.run
when launching the API as:python -m openbb_core.api.rest_api
openbb-api
These items, in
system_settings.json
, will take precedence over environment variables:Note: Keyword arguments added to the command line from
openbb-api
take precedence over thesystem_settings.json
file.Testing Done:
.crt
file as shown above.requests
andopenbb_core.provider.utils.helpers.make_request
requests.get
should fail whilemake_request
succeeds.null
and addREQUESTS_CA_BUNDLE='/full/path/to/certificate/localhost.crt'
to the.env
file.requests.get
andmake_request
should succeed.requests.get("https://google.com")
will fail,make_request
should succeed.With the environment variable defined, and not
system_settings.json
, the same A/B can be applied toyfinance.download()
vs. `obb.equity.price.historical(provider="yfinance")This fails because yFinance is only verifying against the self-signed certificate for
localhost
.openbb_yfinance.utils.helpers.yf_download
applies the environment configuration for the duration of the request.