mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-09 13:21:42 +00:00
The salvaged fix wired per-provider ssl_ca_cert / ssl_verify (and HERMES_CA_BUNDLE) into the MAIN OpenAI client. This follow-up: - Auxiliary client parity: process_bootstrap.build_keepalive_http_client accepts and forwards verify; auxiliary_client._resolve_aux_verify mirrors the main-client TLS resolution (via load_config_readonly, the read-only fast path) so compression/vision/web_extract/title-gen/session_search honor the same per-provider CA. Without this, chat worked against a private-CA endpoint but every auxiliary call still failed APIConnectionError. - switch_model now reads custom_providers from live config (load_config_readonly) instead of the init-time agent._custom_providers snapshot, so ssl_ca_cert / ssl_verify edits are honored on mid-session model switch — matching the context-length reload (#15779). - Drop the dead client-level verify= where a custom httpx transport is used (httpx ignores it there); verify lives on the transport. Fix docstrings. Applies to both run_agent._build_keepalive_http_client and process_bootstrap. - resolve_httpx_verify: add CURL_CA_BUNDLE to the env chain (consistency with agent/ssl_guard._CA_BUNDLE_ENV_VARS) and emit a loud logger.warning naming the endpoint whenever ssl_verify:false disables verification. - get_custom_provider_tls_settings: case-insensitive base_url match (config dedup already lowercases; scheme/host are case-insensitive) so a mixed-case entry doesn't silently drop its CA. Exact match preserved — no prefix bypass. - Demote best-effort except Exception: pass in agent_init/switch_model to logger.debug(exc_info=True). - Tests for aux verify forwarding, _resolve_aux_verify, case-insensitive match, and prefix-bypass rejection.
72 lines
2.3 KiB
Python
72 lines
2.3 KiB
Python
"""Tests for per-provider TLS settings in custom_providers config."""
|
|
|
|
from hermes_cli.config import (
|
|
apply_custom_provider_tls_to_client_kwargs,
|
|
get_custom_provider_tls_settings,
|
|
)
|
|
|
|
|
|
def test_get_custom_provider_tls_settings_matches_base_url():
|
|
providers = [
|
|
{
|
|
"name": "Ollama",
|
|
"base_url": "https://ollama.example.com/v1",
|
|
"ssl_ca_cert": "/etc/ssl/mkcert-root.pem",
|
|
}
|
|
]
|
|
tls = get_custom_provider_tls_settings(
|
|
"https://ollama.example.com/v1/",
|
|
custom_providers=providers,
|
|
)
|
|
assert tls == {"ssl_ca_cert": "/etc/ssl/mkcert-root.pem"}
|
|
|
|
|
|
def test_apply_custom_provider_tls_to_client_kwargs():
|
|
client_kwargs = {"api_key": "x", "base_url": "https://ollama.example.com/v1"}
|
|
providers = [
|
|
{
|
|
"name": "Ollama",
|
|
"base_url": "https://ollama.example.com/v1",
|
|
"ssl_ca_cert": "/etc/ssl/mkcert-root.pem",
|
|
"ssl_verify": True,
|
|
}
|
|
]
|
|
apply_custom_provider_tls_to_client_kwargs(
|
|
client_kwargs,
|
|
"https://ollama.example.com/v1",
|
|
custom_providers=providers,
|
|
)
|
|
assert client_kwargs["ssl_ca_cert"] == "/etc/ssl/mkcert-root.pem"
|
|
assert client_kwargs["ssl_verify"] is True
|
|
|
|
|
|
def test_get_custom_provider_tls_settings_matches_case_insensitively():
|
|
"""A config base_url with mixed case must still match a lowercased runtime base_url."""
|
|
providers = [
|
|
{
|
|
"name": "Ollama",
|
|
"base_url": "https://Ollama.Example.com/v1",
|
|
"ssl_ca_cert": "/etc/ssl/mkcert-root.pem",
|
|
}
|
|
]
|
|
tls = get_custom_provider_tls_settings(
|
|
"https://ollama.example.com/v1",
|
|
custom_providers=providers,
|
|
)
|
|
assert tls == {"ssl_ca_cert": "/etc/ssl/mkcert-root.pem"}
|
|
|
|
|
|
def test_get_custom_provider_tls_settings_no_substring_bypass():
|
|
"""A base_url that is only a prefix of an entry must NOT match."""
|
|
providers = [
|
|
{
|
|
"name": "Ollama",
|
|
"base_url": "https://ollama.example.com/v1",
|
|
"ssl_verify": False,
|
|
}
|
|
]
|
|
# A different host that shares a prefix must not pick up ssl_verify:false.
|
|
assert get_custom_provider_tls_settings(
|
|
"https://ollama.example.com.attacker.test/v1",
|
|
custom_providers=providers,
|
|
) == {}
|