unkin/artifactapi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix S3 SSL certificate validation and boto3 checksum compatibility

Browse Source 
- Add support for custom CA bundle via REQUESTS_CA_BUNDLE/SSL_CERT_FILE environment variables
- Configure boto3 client with custom SSL verification to support Ceph RadosGW through nginx proxy
- Maintain boto3 checksum validation configuration for compatibility with third-party S3 providers
- Resolves XAmzContentSHA256Mismatch errors when connecting to RadosGW endpoints

Fixes #4400 compatibility issue with boto3 v1.36+ stricter checksum validation
This commit is contained in:
Ben Vincent 2026-01-08 23:54:39 +11:00
parent 1fb6b89a5f
commit b7205e09a3
1 changed files with 19 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/artifactapi/storage.py
View File

@ -22,16 +22,25 @@ class S3Storage:
self.bucket = bucket self.bucket = bucket
self.secure = secure self.secure = secure
self.client = boto3.client( ca_bundle = os.environ.get('REQUESTS_CA_BUNDLE') or os.environ.get('SSL_CERT_FILE')
"s3", config_kwargs = {
endpoint_url=f"http{'s' if self.secure else ''}://{self.endpoint}", "request_checksum_calculation": "when_required",
aws_access_key_id=self.access_key, "response_checksum_validation": "when_required"
aws_secret_access_key=self.secret_key, }
config=Config( client_kwargs = {
request_checksum_calculation="when_required", "endpoint_url": f"http{'s' if self.secure else ''}://{self.endpoint}",
response_checksum_validation="when_required" "aws_access_key_id": self.access_key,
) "aws_secret_access_key": self.secret_key,
) "config": Config(**config_kwargs)
}
if ca_bundle and os.path.exists(ca_bundle):
client_kwargs["verify"] = ca_bundle
print(f"Debug: Using CA bundle: {ca_bundle}")
else:
print(f"Debug: No CA bundle found. REQUESTS_CA_BUNDLE={os.environ.get('REQUESTS_CA_BUNDLE')}, SSL_CERT_FILE={os.environ.get('SSL_CERT_FILE')}")
self.client = boto3.client("s3", **client_kwargs)
# Try to ensure bucket exists, but don't fail if MinIO isn't ready yet # Try to ensure bucket exists, but don't fail if MinIO isn't ready yet
try: try: