CLI-14/ssl-config #146
CLI-14/ssl-config #146
Conversation
|
Not clear on how versions are managed here, also don't see a changelog. |
| try: | ||
| from conda.base.context import context | ||
| from conda.gateways.connection.adapters.http import HTTPAdapter |
There was a problem hiding this comment.
Not sure if this will be graceful or not, but was my best guess on how to handle environments where conda was not available.
src/anaconda_auth/client.py
Outdated
| self.config.ssl_verify_policy = context.ssl_verify | ||
| self.config.proxy_servers = context.proxy_servers | ||
| self.config.ssl_verify = context.ssl_verify |
There was a problem hiding this comment.
Wanted to fall back on the config as the source of truth, that way we can handle any complicated logic with precedence if needed, or if we would like to overwrite.
|
|
||
| # We need an http adapter | ||
|
|
||
| http_adapter = HTTPAdapter(ssl_context=ssl_context) |
There was a problem hiding this comment.
This part is weird, and had to be imported from deep in the conda base module, so no idea how well this will play.
| if context.client_ssl_cert_key: | ||
| self.cert = (context.client_ssl_cert, context.client_ssl_cert_key) | ||
| elif context.client_ssl_cert: | ||
| self.cert = context.client_ssl_cert |
There was a problem hiding this comment.
Not sure if this is needed or not, but it was handled like this in the base conda, so figured why not?
|
I have no clue how to write tests to cover this, will need some help there. |
| api_key = get_api_key(access_token, config.ssl_verify) | ||
|
|
||
| api_key = get_api_key( | ||
| access_token, config.ssl_verify if isinstance(config.ssl_verify, bool) else True |
There was a problem hiding this comment.
Do we need to support trustore in the anaconda.com (and on-prem) routes?
There was a problem hiding this comment.
This was meant to bring the config inline with the base conda config which differed in type.
auths was bool
whereas base conda config was Union[bool, str] so I thought matching the base config type wise made sense.
There was a problem hiding this comment.
This type casting is just to control for that.
There was a problem hiding this comment.
I think I mean should the get_api_key be adjusted to support the string values rather than just true/false? Or is getting an api key working correctly for these users?
| from conda.base.context import context | ||
| from conda.gateways.connection.adapters.http import HTTPAdapter | ||
|
|
||
| # We need to decide which takes precedence, for now im assuming conda base config. |
There was a problem hiding this comment.
I need to read your code carefully, but the general precedence followed by unified cli is as follows (from low to high)
- Coded default in source code
- Config files (config.toml, condarc, etc)
- Env variables
- Direct kward override in init (like using this class in an ipython shell or jupyter notebook)
There was a problem hiding this comment.
Is this ascending or descending?
Because if 4. is lowest priority it is never really an "override" correct? or am missing somethin?
There was a problem hiding this comment.
it is ascending priority. 4 (init kwargs) is the absolute override of everything.
https://github.com/anaconda/anaconda-cli-base?tab=readme-ov-file#config-file
|
Versions are managed through the Releases tab on github. A Changelog would be nice we could pobably convert that info to a changelog 🤔 to get it started |
|
Let me see if I understand
Is any of the above correct? |
There are some certificate issues bubbling up in the conda env-logger in some enterprise envs where this plugin is in use. @mattkram speculated that it was because the plugin here used a different client for requests that lacked ssl config, so the idea is to port the ssl config from the base conda client into this plugin. My current understanding of precedence after the latest push is as follows.
|
| elif context.client_ssl_cert: | ||
| self.cert = context.client_ssl_cert | ||
|
|
||
| except Exception: |
There was a problem hiding this comment.
Could we catch something ImportError here?
| ssl_verify: Optional[bool] = None, | ||
| extra_headers: Optional[Union[str, dict]] = None, | ||
| hash_hostname: Optional[bool] = None, | ||
| proxy_servers: Optional[MutableMapping[str, str]] = None, |
There was a problem hiding this comment.
Should ssl_verify in this init support str?
https://anaconda.atlassian.net/browse/CLI-14
Some issues are bubbling up in the base conda client from the auth plugin http client not handling ssl contexts correctly.
I have ripped some of the ssl handling logic from the base client to attempt to remedy the issue.
FYI, I don't have much idea what im doing, be critical.