build(BaseClient): Bumped httpx + updates related to secure requests (#407)

Co-authored-by: Alexander Sytsevich <[email protected]>

Author: DartBond

poetry.lock

@@ -23,13 +23,13 @@ classifiers = [
 python = "^3.8"
 fastavro = "^1.7.3"
 jsonschema = "^4.17.3"
-httpx = ">=0.26,<0.28"
+httpx = ">=0.28,<0.29"
 aiofiles = ">=23.1,<25.0"
 faust-streaming = {version = ">=0.10.11,<0.12.0", optional = true}
 
 [tool.poetry.group.dev.dependencies]
 mypy = "^1"
-ruff = ">=0.2,<0.5"
+ruff = "^0.8"
 pytest = ">=7,<9"
 pytest-cov = ">=4,<6"
 pytest-mock = "^3.10.0"

pyproject.toml

@@ -2,11 +2,14 @@
 
 import json
 import logging
+import os
+import ssl
 import typing
 from abc import abstractmethod
 from collections import defaultdict
 from urllib.parse import urlparse
 
+import certifi
 import httpx
 from httpx import USE_CLIENT_DEFAULT, Auth, BasicAuth
 from httpx._client import UseClientDefault
@@ -135,16 +138,18 @@ def _configure_auth(self) -> Auth:
     @staticmethod
     def _configure_client_tls(
         conf: dict,
-    ) -> typing.Optional[typing.Union[str, typing.Tuple[str, str], typing.Tuple[str, str, str]]]:
-        certificate = conf.get(utils.SSL_CERTIFICATE_LOCATION)
+    ) -> typing.Optional[typing.Union[typing.Tuple[str, str], typing.Tuple[str, str, str]]]:
+        cert = conf.get(utils.SSL_CERTIFICATE_LOCATION)
+        certificate = cert
 
-        if certificate is not None:
+        if cert is not None:
             key_path = conf.get(utils.SSL_KEY_LOCATION)
             key_password = conf.get(utils.SSL_KEY_PASSWORD)
+            certificate = (cert,)
 
             if key_path is not None:
                 certificate = (
-                    certificate,
+                    cert,
                     key_path,
                 )
 
@@ -154,16 +159,24 @@ def _configure_client_tls(
         return certificate
 
     def _get_client_kwargs(self) -> typing.Dict:
-        verify = self.conf.get(utils.SSL_CA_LOCATION, False)
-        certificate = self._configure_client_tls(self.conf)
         auth = self._configure_auth()
 
         client_kwargs: typing.Dict = {
-            "cert": certificate,
-            "verify": verify,
             "auth": auth,
         }
 
+        certificate = self._configure_client_tls(self.conf)
+
+        if certificate:
+            global_ca_location = self.conf.get(utils.SSL_CA_LOCATION, certifi.where())
+            ctx = ssl.create_default_context(
+                cafile=os.environ.get("SSL_CERT_FILE", global_ca_location),
+                capath=os.environ.get("SSL_CERT_DIR"),
+            )
+
+            ctx.load_cert_chain(*certificate)
+            client_kwargs["verify"] = ctx
+
         # If these values haven't been explicitly defined let httpx sort out
         # the default values.
         if self.extra_headers is not None:

schema_registry/client/client.py

@@ -10,9 +10,8 @@
 
 @pytest.mark.asyncio
 async def test_invalid_cert():
-    client = AsyncSchemaRegistryClient(url="https://127.0.0.1:65534", cert_location="/path/to/cert")
     with pytest.raises(FileNotFoundError):
-        await client.request("https://example.com")
+        AsyncSchemaRegistryClient(url="https://127.0.0.1:65534", cert_location="/path/to/cert")
 
 
 def test_cert_with_key(certificates):

tests/client/async_client/test_http_client.py

@@ -10,9 +10,8 @@
 
 
 def test_invalid_cert():
-    client = SchemaRegistryClient(url="https://127.0.0.1:65534", cert_location="/path/to/cert")
     with pytest.raises(FileNotFoundError):
-        client.request("https://example.com")
+        SchemaRegistryClient(url="https://127.0.0.1:65534", cert_location="/path/to/cert")
 
 
 def test_cert_with_key(certificates):

tests/client/sync_client/test_http_client.py

@@ -14,7 +14,7 @@ def test_create_avro_faust_serializer(client, avro_country_schema):
     schema_subject = "test-avro-country"
     faust_serializer = serializer.FaustSerializer(client, schema_subject, avro_country_schema)
 
-    assert type(faust_serializer.message_serializer) == AvroMessageSerializer
+    assert isinstance(faust_serializer.message_serializer, AvroMessageSerializer)
     assert faust_serializer.schema_subject == schema_subject
     assert faust_serializer.schema == avro_country_schema
     assert faust_serializer.message_serializer.schemaregistry_client == client
@@ -155,7 +155,7 @@ def test_create_json_faust_serializer(client, json_country_schema):
     schema_subject = "test-json-country"
     faust_serializer = serializer.FaustJsonSerializer(client, schema_subject, json_country_schema)
 
-    assert type(faust_serializer.message_serializer) == JsonMessageSerializer
+    assert isinstance(faust_serializer.message_serializer, JsonMessageSerializer)
     assert faust_serializer.schema_subject == schema_subject
     assert faust_serializer.schema == json_country_schema
     assert faust_serializer.message_serializer.schemaregistry_client == client