[Feature] Add SSL Certificate Context And Setting For Async/Sync HTTP Requests #6976
Conversation
deeleeramone
added
enhancement
deeleeramone
requested review from
piiq,
IgorWounds,
jmaslek,
andrewkenreich,
DidierRLopes,
hjoaquim and
montezdesousa
There was a problem hiding this comment.
I have a few concerns with this solution.
- We are modifying environment variables from within the application and the logic to so in
get_certificatesandrestore_certsis complex to follow. - We are introduction a state inside
Env(). I assume that's why we have some lines withEnv()to refresh the state (?). This class should be stateless and readonly for consistency and predictability. - The implementation requires us to constantly get and restore certificates, which is not obvious when implementing new requests.
I suggest using a single session that picks configurations and is shared across the app as proposed here #6939.
OK, try it out now, @montezdesousa. I found a way to hack the session into the Posthog handler. The implementation now goes the other way where
Using any of the utility HTTP request functions will read the system_settings.json and take precedence over any environment variable. Binding session objects to the
Any unclosed async session object will be closed on exit. |
This reverts commit 714df64.
|
When trying to test I get the same error both with |
This error seems to indicate that the self-signed certificate is not being found at all. I know there's lots of ways to make it not work, so rooting out the edge cases would be nice. What are your exact deployment steps here, is this a network deployment? Is the same Was the certificate created by the same version of Python and openssl used in the deployment and environment? |
…to feature/ssl-context
…ce/OpenBB into feature/ssl-context
| def get_python_request_settings() -> dict: | ||
| """Get the python settings.""" | ||
| # pylint: disable=import-outside-toplevel | ||
| from openbb_core.app.service.system_service import SystemService | ||
|
|
||
| python_settings = SystemService().system_settings.python_settings.model_dump() | ||
| http_settings = python_settings.get("http", {}) | ||
| allowed_keys = [ | ||
| "cafile", | ||
| "certfile", | ||
| "keyfile", | ||
| "password", | ||
| "verify_ssl", | ||
| "fingerprint", | ||
| "proxy", | ||
| "proxy_auth", | ||
| "proxy_headers", | ||
| "timeout", | ||
| "auth", | ||
| "headers", | ||
| "cookies", | ||
| ] | ||
|
|
||
| return { | ||
| k: v for k, v in http_settings.items() if v is not None and k in allowed_keys | ||
| } |
There was a problem hiding this comment.
http_settings should be defined explicitly in openbb_platform/core/openbb_core/app/model/python_settings.py as a dict, this becomes hidden if just mentioned here. That way we also don't need extra_allow=True in PythonSettings
There was a problem hiding this comment.
I'll add these to documentation so they are not hidden.
extra_allow makes it extendable for other futures uses. Adding extra keys to the JSON file won't actually do anything because those keys would not be reached by any code.
I don't see any real benefit to not allowing extras here. Think, VS Code settings file. All the VS Code extensions define specific behaviors and preferences in the same settings file as the main program.
| if kwargs: | ||
| for key, value in kwargs.items(): | ||
| try: | ||
| if hasattr(_session, key): | ||
| if hasattr(getattr(_session, key, None), "update"): | ||
| getattr(_session, key, {}).update(value) | ||
| else: | ||
| setattr(_session, key, value) | ||
| except AttributeError: | ||
| continue |
There was a problem hiding this comment.
I don't see this being used anywhere, what's the purpose of updating the keys of kwargs?
There was a problem hiding this comment.
In the sync/async functions the kwargs are applied in the function, but if you were to use this as a standalone function to create a session object, you might want to set something not defined by python_settings.
This was the intention at least.
Thanks for the help. I'm using |
Why?:
The Requests library accepts an environment variable,
REQUESTS_CA_BUNDLE, and AIOHTTP does not. This creates inconsistencies between synchronous and async HTTP requests. Furthermore, defining this variable limits the Requests library to that particular file. If you want to use a self-signed certificate for only some things, it is not straightforward.This solution combines the specified certificate with the
certifidefaults.What?:
system_settings.jsonto accept extras.httpas a nested dictionary.make_requestamake_requestamake_requestsuvicorn.runby storing them as a dictionary to:system_settings.python_settings.uvicornImpact:
REQUESTS_CA_BUNDLE, ports directly to the async requests.system_settings.jsoninstead of environment variables.cafileis an equivalent toREQUESTS_CA_BUNDLE, when pointing to a file."verify_ssl": false, SSL certificate verification is disabled within all OpenBB functions."python_settings["uvicorn"]"dictionary are passed directly touvicorn.runwhen launching the API as:python -m openbb_core.api.rest_apiopenbb-apiThese items, in
system_settings.json, will take precedence over environment variables:{ "python_settings": { "http": { "cafile": "/full/path/to/certificate/localhost.crt", "verify_ssl": null, "proxy": null, "certfile": null, "keyfile": null, } } }Note: Keyword arguments added to the command line from
openbb-apitake precedence over thesystem_settings.jsonfile.Testing Done:
.crtfile as shown above.requestsandopenbb_core.provider.utils.helpers.make_requestrequests.getshould fail whilemake_requestsucceeds.nulland addREQUESTS_CA_BUNDLE='/full/path/to/certificate/localhost.crt'to the.envfile.requests.getandmake_requestshould succeed.requests.get("https://google.com")will fail,make_requestshould succeed.With the environment variable defined, and not
system_settings.json, the same A/B can be applied toyfinance.download()vs. `obb.equity.price.historical(provider="yfinance")This fails because yFinance is only verifying against the self-signed certificate for
localhost.openbb_yfinance.utils.helpers.yf_downloadapplies the environment configuration for the duration of the request.