hermes-agent/tests/hermes_cli/test_custom_provider_tls.py
kshitijk4poor 676236bb1d fix(agent): honor custom CA certs on aux client + harden TLS resolution
The salvaged fix wired per-provider ssl_ca_cert / ssl_verify (and
HERMES_CA_BUNDLE) into the MAIN OpenAI client. This follow-up:

- Auxiliary client parity: process_bootstrap.build_keepalive_http_client
  accepts and forwards verify; auxiliary_client._resolve_aux_verify mirrors
  the main-client TLS resolution (via load_config_readonly, the read-only
  fast path) so compression/vision/web_extract/title-gen/session_search
  honor the same per-provider CA. Without this, chat worked against a
  private-CA endpoint but every auxiliary call still failed APIConnectionError.
- switch_model now reads custom_providers from live config (load_config_readonly)
  instead of the init-time agent._custom_providers snapshot, so ssl_ca_cert /
  ssl_verify edits are honored on mid-session model switch — matching the
  context-length reload (#15779).
- Drop the dead client-level verify= where a custom httpx transport is used
  (httpx ignores it there); verify lives on the transport. Fix docstrings.
  Applies to both run_agent._build_keepalive_http_client and process_bootstrap.
- resolve_httpx_verify: add CURL_CA_BUNDLE to the env chain (consistency with
  agent/ssl_guard._CA_BUNDLE_ENV_VARS) and emit a loud logger.warning naming
  the endpoint whenever ssl_verify:false disables verification.
- get_custom_provider_tls_settings: case-insensitive base_url match (config
  dedup already lowercases; scheme/host are case-insensitive) so a mixed-case
  entry doesn't silently drop its CA. Exact match preserved — no prefix bypass.
- Demote best-effort except Exception: pass in agent_init/switch_model to
  logger.debug(exc_info=True).
- Tests for aux verify forwarding, _resolve_aux_verify, case-insensitive
  match, and prefix-bypass rejection.
2026-07-02 04:51:56 +05:30

72 lines
2.3 KiB
Python

"""Tests for per-provider TLS settings in custom_providers config."""
from hermes_cli.config import (
apply_custom_provider_tls_to_client_kwargs,
get_custom_provider_tls_settings,
)
def test_get_custom_provider_tls_settings_matches_base_url():
providers = [
{
"name": "Ollama",
"base_url": "https://ollama.example.com/v1",
"ssl_ca_cert": "/etc/ssl/mkcert-root.pem",
}
]
tls = get_custom_provider_tls_settings(
"https://ollama.example.com/v1/",
custom_providers=providers,
)
assert tls == {"ssl_ca_cert": "/etc/ssl/mkcert-root.pem"}
def test_apply_custom_provider_tls_to_client_kwargs():
client_kwargs = {"api_key": "x", "base_url": "https://ollama.example.com/v1"}
providers = [
{
"name": "Ollama",
"base_url": "https://ollama.example.com/v1",
"ssl_ca_cert": "/etc/ssl/mkcert-root.pem",
"ssl_verify": True,
}
]
apply_custom_provider_tls_to_client_kwargs(
client_kwargs,
"https://ollama.example.com/v1",
custom_providers=providers,
)
assert client_kwargs["ssl_ca_cert"] == "/etc/ssl/mkcert-root.pem"
assert client_kwargs["ssl_verify"] is True
def test_get_custom_provider_tls_settings_matches_case_insensitively():
"""A config base_url with mixed case must still match a lowercased runtime base_url."""
providers = [
{
"name": "Ollama",
"base_url": "https://Ollama.Example.com/v1",
"ssl_ca_cert": "/etc/ssl/mkcert-root.pem",
}
]
tls = get_custom_provider_tls_settings(
"https://ollama.example.com/v1",
custom_providers=providers,
)
assert tls == {"ssl_ca_cert": "/etc/ssl/mkcert-root.pem"}
def test_get_custom_provider_tls_settings_no_substring_bypass():
"""A base_url that is only a prefix of an entry must NOT match."""
providers = [
{
"name": "Ollama",
"base_url": "https://ollama.example.com/v1",
"ssl_verify": False,
}
]
# A different host that shares a prefix must not pick up ssl_verify:false.
assert get_custom_provider_tls_settings(
"https://ollama.example.com.attacker.test/v1",
custom_providers=providers,
) == {}