chore: add ca bundle discovery helper (#1479)

Author: radu-mocanu

packages/uipath-platform/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "uipath-platform"
-version = "0.1.6"
+version = "0.1.7"
 description = "HTTP client library for programmatic access to UiPath Platform"
 readme = { file = "README.md", content-type = "text/markdown" }
 requires-python = ">=3.11"

packages/uipath-platform/src/uipath/platform/common/__init__.py

@@ -18,7 +18,7 @@
 from ._execution_context import UiPathExecutionContext
 from ._external_application_service import ExternalApplicationService
 from ._folder_context import FolderContext, header_folder
-from ._http_config import get_httpx_client_kwargs
+from ._http_config import get_ca_bundle_path, get_httpx_client_kwargs
 from ._models import Endpoint, RequestSpec
 from ._service_url_overrides import inject_routing_headers, resolve_service_url
 from ._span_utils import UiPathSpan, _SpanUtils
@@ -92,6 +92,7 @@
     "Endpoint",
     "UiPathUrl",
     "user_agent_value",
+    "get_ca_bundle_path",
     "get_httpx_client_kwargs",
     "resource_override",
     "header_folder",

packages/uipath-platform/src/uipath/platform/common/_http_config.py

@@ -14,22 +14,40 @@ def expand_path(path):
     return path
 
 
-def create_ssl_context():
-    # Try truststore first (system certificates)
+def get_ca_bundle_path() -> str | None:
+    """Resolve CA bundle path from environment variables.
+
+    Returns None if SSL verification is disabled via UIPATH_DISABLE_SSL_VERIFY.
+    Otherwise returns the CA bundle path with priority:
+    SSL_CERT_FILE > REQUESTS_CA_BUNDLE > certifi default.
+    """
+    disable_ssl_env = os.environ.get("UIPATH_DISABLE_SSL_VERIFY", "").lower()
+    if disable_ssl_env in ("1", "true", "yes", "on"):
+        return None
+
+    import certifi
+
+    ssl_cert_file = expand_path(os.environ.get("SSL_CERT_FILE"))
+    requests_ca_bundle = expand_path(os.environ.get("REQUESTS_CA_BUNDLE"))
+
+    return ssl_cert_file or requests_ca_bundle or certifi.where()
+
+
+def create_ssl_context(cafile: str):
+    """Create an SSL context for httpx clients.
+
+    Args:
+        cafile: Path to the CA bundle file.
+    """
     try:
         import truststore
 
         return truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
     except ImportError:
-        # Fallback to manual certificate configuration
-        import certifi
-
-        ssl_cert_file = expand_path(os.environ.get("SSL_CERT_FILE"))
-        requests_ca_bundle = expand_path(os.environ.get("REQUESTS_CA_BUNDLE"))
         ssl_cert_dir = expand_path(os.environ.get("SSL_CERT_DIR"))
 
         return ssl.create_default_context(
-            cafile=ssl_cert_file or requests_ca_bundle or certifi.where(),
+            cafile=cafile,
             capath=ssl_cert_dir,
         )
 
@@ -44,13 +62,9 @@ def get_httpx_client_kwargs(
             Caller headers take priority on key conflicts.
     """
     client_kwargs: Dict[str, Any] = {"follow_redirects": True, "timeout": 30.0}
-    disable_ssl_env = os.environ.get("UIPATH_DISABLE_SSL_VERIFY", "").lower()
-    disable_ssl_from_env = disable_ssl_env in ("1", "true", "yes", "on")
 
-    if disable_ssl_from_env:
-        client_kwargs["verify"] = False
-    else:
-        client_kwargs["verify"] = create_ssl_context()
+    ca_bundle = get_ca_bundle_path()
+    client_kwargs["verify"] = create_ssl_context(ca_bundle) if ca_bundle else False
 
     from ._config import UiPathConfig
     from .constants import HEADER_LICENSING_CONTEXT