test_model_metadata_ssl.py
1 """Tests for _resolve_requests_verify() env var precedence. 2 3 Verifies that custom provider `/models` fetches honour the three supported 4 CA bundle env vars (HERMES_CA_BUNDLE, REQUESTS_CA_BUNDLE, SSL_CERT_FILE) 5 in the documented priority order, and that non-existent paths are 6 skipped gracefully rather than breaking the request. 7 8 No filesystem or network I/O required — we use tmp_path to create real 9 CA bundle stand-in files and monkeypatch env vars. 10 """ 11 12 import os 13 import sys 14 from pathlib import Path 15 16 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..")) 17 18 import pytest 19 20 from agent.model_metadata import _resolve_requests_verify 21 22 23 _CA_ENV_VARS = ("HERMES_CA_BUNDLE", "REQUESTS_CA_BUNDLE", "SSL_CERT_FILE") 24 25 26 @pytest.fixture 27 def clean_env(monkeypatch): 28 """Clear all three SSL env vars so each test starts from a known state.""" 29 for var in _CA_ENV_VARS: 30 monkeypatch.delenv(var, raising=False) 31 return monkeypatch 32 33 34 @pytest.fixture 35 def bundle_file(tmp_path: Path) -> str: 36 """Create a placeholder CA bundle file and return its absolute path.""" 37 path = tmp_path / "ca.pem" 38 path.write_text("-----BEGIN CERTIFICATE-----\nstub\n-----END CERTIFICATE-----\n") 39 return str(path) 40 41 42 class TestResolveRequestsVerify: 43 def test_no_env_returns_true(self, clean_env): 44 assert _resolve_requests_verify() is True 45 46 def test_hermes_ca_bundle_returns_path(self, clean_env, bundle_file): 47 clean_env.setenv("HERMES_CA_BUNDLE", bundle_file) 48 assert _resolve_requests_verify() == bundle_file 49 50 def test_requests_ca_bundle_returns_path(self, clean_env, bundle_file): 51 clean_env.setenv("REQUESTS_CA_BUNDLE", bundle_file) 52 assert _resolve_requests_verify() == bundle_file 53 54 def test_ssl_cert_file_returns_path(self, clean_env, bundle_file): 55 clean_env.setenv("SSL_CERT_FILE", bundle_file) 56 assert _resolve_requests_verify() == bundle_file 57 58 def test_priority_hermes_over_requests(self, clean_env, tmp_path, bundle_file): 59 other = tmp_path / "other.pem" 60 other.write_text("stub") 61 clean_env.setenv("HERMES_CA_BUNDLE", bundle_file) 62 clean_env.setenv("REQUESTS_CA_BUNDLE", str(other)) 63 assert _resolve_requests_verify() == bundle_file 64 65 def test_priority_requests_over_ssl_cert_file(self, clean_env, tmp_path, bundle_file): 66 other = tmp_path / "other.pem" 67 other.write_text("stub") 68 clean_env.setenv("REQUESTS_CA_BUNDLE", bundle_file) 69 clean_env.setenv("SSL_CERT_FILE", str(other)) 70 assert _resolve_requests_verify() == bundle_file 71 72 def test_nonexistent_path_falls_through(self, clean_env, tmp_path, bundle_file): 73 missing = tmp_path / "does_not_exist.pem" 74 clean_env.setenv("HERMES_CA_BUNDLE", str(missing)) 75 clean_env.setenv("REQUESTS_CA_BUNDLE", bundle_file) 76 assert _resolve_requests_verify() == bundle_file 77 78 def test_all_nonexistent_returns_true(self, clean_env, tmp_path): 79 missing1 = tmp_path / "a.pem" 80 missing2 = tmp_path / "b.pem" 81 missing3 = tmp_path / "c.pem" 82 clean_env.setenv("HERMES_CA_BUNDLE", str(missing1)) 83 clean_env.setenv("REQUESTS_CA_BUNDLE", str(missing2)) 84 clean_env.setenv("SSL_CERT_FILE", str(missing3)) 85 assert _resolve_requests_verify() is True 86 87 def test_empty_string_env_var_ignored(self, clean_env, bundle_file): 88 clean_env.setenv("HERMES_CA_BUNDLE", "") 89 clean_env.setenv("REQUESTS_CA_BUNDLE", bundle_file) 90 assert _resolve_requests_verify() == bundle_file