Configuration setting to use system SSL certificates #249
Conversation
tim-goddard-flexcompute
changed the title
tim-goddard-flexcompute
changed the title
|
Had a look at that failing matrix test, but it's complaining about a line not altered in this PR, last change dated to 6 months ago. No idea why that would pop out now. https://github.com/flexcompute/Flow360/blob/develop/flow360/__init__.py#L7 |
tim-goddard-flexcompute
force-pushed
the
use-system-certs
branch
from
782377f
to
f1e621f
Compare
tim-goddard-flexcompute
force-pushed
the
use-system-certs
branch
from
f1e621f
to
61c14f8
Compare
| return self._use_system_certs | ||
|
|
||
| config_map = self.config.get(self.profile, {}) | ||
| setting = config_map.get("usesystemcerts", False) |
There was a problem hiding this comment.
this one to work requires usesystemcerts being available in config.toml file which is managed by flow360 CLI. You can add this option to the CLI so the user can set it only once: https://github.com/flexcompute/Flow360/blob/develop/flow360/cli/app.py
There was a problem hiding this comment.
the _test_... are not run automatically in the pipeline. This is why I think this test will have no effect
|
@dominik-flex can you look at this PR? Do we need this or can we close it? |
|
@maciej-flexcompute I think we no longer need this. The solution for requests made with the Python |
This is an in-progress patch to support using the OS certificate store (e.g. Windows certificate store) for Flow360 requests, when given a configuration option to change this behavior. Not expected to alter existing default behavior. Further testing is required before taking the "draft" mark off this.
We have a customer who is experiencing SSL-related errors, likely related to an SSL intercepting proxy. The certificates for these are usually distributed to the OS certificate store, but will not be copied to the certipy default bundle. This may resolve such issues, by allowing the OS store which the organisation is managing to be used.
Any advice on testing approach would be welcome. The current unit tests don't make any real HTTP requests, which would be needed to test this functionality. Making those requests would require Internet connectivity where tests are run. In the draft tests I ran, there were issues connecting to the Flow360 API (even public endpoints), because the client is not designed to connect without an access key.