fix ssl verify and update tests #16149

Merged
merged 5 commits into from
Dec 2, 2024
@zzstoatzz zzstoatzz commented Nov 28, 2024

closes #16148

  • uses the fork of respx with the fix until the main version is released
  • also updates the markdown tests setup to actually use the working version of prefect instead of overwriting it

relatedly, #16168 fixes httpx issues with tests and an issue with the worker's cloud client context when adding flow run labels

@github-actions github-actions bot added bug Something isn't working development Tech debt, refactors, CI, tests, and other related work. labels Nov 28, 2024
@zzstoatzz zzstoatzz self-assigned this Nov 28, 2024

codspeed-hq bot commented Nov 28, 2024

CodSpeed Performance Report

Merging #16149 will not alter performance

Comparing fix-ssl-verify-ctx (64618b6) with main (ae5ce12)

Summary

✅ 3 untouched benchmarks

@desertaxle
Member

According to lundberg/respx#277 respx isn't compatible with httpx==0.28.0. It looks like we could add using="httpx" to our respx.mock usage or wait for lundberg/respx#278 to be merged and released.

@github-actions github-actions bot added the upstream dependency An upstream issue caused by a bug in one of our dependencies label Dec 1, 2024
Comment on lines +97 to +98
uv pip install --upgrade -r requirements-markdown-tests.txt
uv pip install --upgrade -e '.[dev]'
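Review bot: the order of these two installs is now load-bearing but nothing on lines +97 to +98 says so. Add a short comment that the editable `.[dev]` install must run after `requirements-markdown-tests.txt` so the requirements file cannot replace the checked-out prefect, otherwise a later cleanup can swap them back without anyone noticing.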
Collaborator Author

swapped the order here

Comment on lines 286 to +298
if PREFECT_API_TLS_INSECURE_SKIP_VERIFY:
httpx_settings.setdefault("verify", False)
# Create an unverified context for insecure connections
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
httpx_settings.setdefault("verify", ctx)
else:
cert_file = PREFECT_API_SSL_CERT_FILE.value()
if not cert_file:
cert_file = certifi.where()
httpx_settings.setdefault("verify", cert_file)
# Create a verified context with the certificate file
ctx = ssl.create_default_context(cafile=cert_file)
httpx_settings.setdefault("verify", ctx)
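Review bot: the comment on the else branch ("Create a verified context with the certificate file") should say that `ssl.create_default_context(cafile=cert_file)` trusts only the CAs in cert_file, because when a cafile is passed the system default roots are not loaded. That matters for any later simplification: calling `ssl.create_default_context()` with no arguments and then `load_verify_locations(cafile=cert_file)` loads the system roots as well, so PREFECT_API_SSL_CERT_FILE would extend the trust store instead of replacing it.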

You are repeating a few things in both branches that could be simplified out:

        ctx = ssl.create_default_context()
        if PREFECT_API_TLS_INSECURE_SKIP_VERIFY:
            # Update the context to not verify for insecure connections
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        else:
            cert_file = PREFECT_API_SSL_CERT_FILE.value()
            if not cert_file:
                cert_file = certifi.where()
            # Update the context with the certificate file
            ctx.load_verify_locations(cafile=cert_file)
        httpx_settings.setdefault("verify", ctx)

Collaborator Author

hi @mjpieters! you are correct, thanks for pointing this out! in this draft PR i was exploring what fixes would be necessary

Ah, of course, sorry if I jumped the gun a bit here.

Collaborator Author

@mjpieters no worries! if you're interested in following along, we're working through the same upstream issue's impact on our tests here

Comment on lines 3550 to +3562
if PREFECT_API_TLS_INSECURE_SKIP_VERIFY:
httpx_settings.setdefault("verify", False)
# Create an unverified context for insecure connections
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
httpx_settings.setdefault("verify", ctx)
else:
cert_file = PREFECT_API_SSL_CERT_FILE.value()
if not cert_file:
cert_file = certifi.where()
httpx_settings.setdefault("verify", cert_file)
# Create a verified context with the certificate file
ctx = ssl.create_default_context(cafile=cert_file)
httpx_settings.setdefault("verify", ctx)
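Review bot: this block at lines 3550 to +3562 is a line-for-line copy of the one at lines 286 to +298, so the TLS policy now lives in two places. Move the context construction into one shared function that both client constructors call, so a future change to the insecure or cert-file handling cannot be applied to one client and missed in the other.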

Ditto here.
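
The context handling discussed in the review comments above, as an added example (not code from the Prefect repository): it shows what each branch produces, why `check_hostname` has to be cleared before `verify_mode`, and that `setdefault` lets a caller-supplied `verify` override the skip-verify setting. The function names are hypothetical, and `cafile=None` falls back to the system trust store here rather than to `certifi.where()`.

```python
import ssl


def build_verify_context(insecure_skip_verify, cafile=None):
    """Return the SSLContext a client would hand to httpx as `verify`.

    Hypothetical helper: cafile=None uses the system trust store here,
    whereas the PR falls back to certifi.where().
    """
    if insecure_skip_verify:
        ctx = ssl.create_default_context()
        # Order matters: hostname checking must be off before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # With a cafile given, only that bundle is trusted (no system roots).
    return ssl.create_default_context(cafile=cafile)


def apply_verify_default(httpx_settings, insecure_skip_verify, cafile=None):
    """Mirror the setdefault() call: a caller-supplied `verify` always wins."""
    settings = dict(httpx_settings)
    settings.setdefault(
        "verify", build_verify_context(insecure_skip_verify, cafile)
    )
    return settings


def wrong_order_error():
    """Set CERT_NONE while check_hostname is still True; return the error."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return str(exc)
    return None


def describe(ctx):
    """Summarise the two properties that decide whether a peer is verified."""
    return (ctx.verify_mode.name, ctx.check_hostname)


if __name__ == "__main__":
    print("verified:", describe(build_verify_context(False)))
    print("insecure:", describe(build_verify_context(True)))
    print("wrong order:", wrong_order_error())
    caller_ctx = ssl.create_default_context()
    kept = apply_verify_default({"verify": caller_ctx}, True)["verify"]
    print("caller context kept:", kept is caller_ctx)
```
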

@zzstoatzz zzstoatzz marked this pull request as ready for review December 2, 2024 22:10
@zzstoatzz
Collaborator Author

@desertaxle related to sync discussion, I've opened #16179

@zzstoatzz zzstoatzz merged commit 7bc9111 into main Dec 2, 2024
41 checks passed
@zzstoatzz zzstoatzz deleted the fix-ssl-verify-ctx branch December 2, 2024 22:33
Successfully merging this pull request may close these issues.

use of SSL verify=<str> is deprecated
3 participants