To fix the SSL issue for TLS enablement b/w service and chatbot (#1756)

* fix wca ssl fix

* fix codeQL suggestions and pre-commit failure

* fix review

* fix test

* fix comment

* fix UTs

* fix uts

Signed-off-by: Sumit Jaiswal <[email protected]>

* fix uts

* fix healthchek mocking ut

* fix chatview UTs

* pre-commit

* fix utc

* fix review

* address ci issues

* fix sonar cloud grading

* fix review

* fix ci and review

---------

Signed-off-by: Sumit Jaiswal <[email protected]>

Author: justjais

ansible_ai_connect/ai/api/model_pipelines/http/pipelines.py

@@ -15,7 +15,6 @@
 import copy
 import json
 import logging
-import ssl
 from json import JSONDecodeError
 from typing import Any, AsyncGenerator
 
@@ -57,6 +56,7 @@
     HealthCheckSummary,
     HealthCheckSummaryException,
 )
+from ansible_ai_connect.main.ssl_manager import ssl_manager
 
 logger = logging.getLogger(__name__)
 
@@ -66,7 +66,9 @@ class HttpMetaData(MetaData[HttpConfiguration]):
 
     def __init__(self, config: HttpConfiguration):
         super().__init__(config=config)
-        self.session = requests.Session()
+        # Use centralized SSL manager for all HTTP requests
+        self.session = ssl_manager.get_requests_session()
+
         self.headers = {"Content-Type": "application/json"}
         i = self.config.timeout
         self._timeout = int(i) if i is not None else None
@@ -97,9 +99,6 @@ def invoke(self, params: CompletionsParameters) -> CompletionsResponse:
                 headers=self.headers,
                 json=model_input,
                 timeout=self.task_gen_timeout(task_count),
-                verify=(
-                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
-                ),
             )
             result.raise_for_status()
             response = json.loads(result.text)
@@ -117,11 +116,8 @@ def self_test(self) -> HealthCheckSummary:
             }
         )
         try:
-            res = requests.get(
+            res = self.session.get(
                 url,
-                verify=(
-                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
-                ),
                 timeout=1,
             )
             res.raise_for_status()
@@ -151,13 +147,10 @@ def self_test(self) -> HealthCheckSummary:
         )
         try:
             headers = {"Content-Type": "application/json"}
-            r = requests.get(
+            r = self.session.get(
                 self.config.inference_url + "/readiness",
                 headers=headers,
                 timeout=1,
-                verify=(
-                    self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl
-                ),
             )
             r.raise_for_status()
 
@@ -178,6 +171,20 @@ def self_test(self) -> HealthCheckSummary:
             )
         return summary
 
+    def _safe_parse_error_detail(self, response_text: str) -> str:
+        """
+        Safely parse error detail from response text.
+        If JSON parsing fails, return the raw text or a default message.
+        """
+        if not response_text:
+            return "No error details available"
+        try:
+            parsed = json.loads(response_text)
+            return parsed.get("detail", response_text)
+        except (json.JSONDecodeError, TypeError):
+            # Return raw text if JSON parsing fails, but limit length for safety
+            return response_text[:500] if len(response_text) <= 500 else response_text[:500] + "..."
+
 
 @Register(api_type="http")
 class HttpChatBotPipeline(HttpChatBotMetaData, ModelPipelineChatBot[HttpConfiguration]):
@@ -209,12 +216,11 @@ def invoke(self, params: ChatBotParameters) -> ChatBotResponse:
         if params.mcp_headers:
             headers["MCP-HEADERS"] = json.dumps(params.mcp_headers)
 
-        response = requests.post(
+        response = self.session.post(
             self.config.inference_url + "/v1/query",
-            headers=self.headers,
+            headers=headers,
             json=data,
             timeout=self.task_gen_timeout(1),
-            verify=self.config.ca_cert_file if self.config.ca_cert_file else self.config.verify_ssl,
         )
 
         if response.status_code == 200:
@@ -228,19 +234,19 @@ def invoke(self, params: ChatBotParameters) -> ChatBotResponse:
             return data
 
         elif response.status_code == 401:
-            detail = json.loads(response.text).get("detail", "")
+            detail = self._safe_parse_error_detail(response.text)
             raise ChatbotUnauthorizedException(detail=detail)
         elif response.status_code == 403:
-            detail = json.loads(response.text).get("detail", "")
+            detail = self._safe_parse_error_detail(response.text)
             raise ChatbotForbiddenException(detail=detail)
         elif response.status_code == 413:
-            detail = json.loads(response.text).get("detail", "")
+            detail = self._safe_parse_error_detail(response.text)
             raise ChatbotPromptTooLongException(detail=detail)
         elif response.status_code == 422:
-            detail = json.loads(response.text).get("detail", "")
+            detail = self._safe_parse_error_detail(response.text)
             raise ChatbotValidationException(detail=detail)
         else:
-            detail = json.loads(response.text).get("detail", "")
+            detail = self._safe_parse_error_detail(response.text)
             raise ChatbotInternalServerException(detail=detail)
 
 
@@ -275,14 +281,42 @@ def send_schema1_event(self, ev):
 
         send_schema1_event(ev)
 
+    def _get_aiohttp_connector(self, verify_ssl: bool = True) -> aiohttp.TCPConnector:
+        """Create aiohttp connector with proper SSL configuration.
+        - aiohttp.TCPConnector does NOT accept ssl=None
+        - ssl=True: Uses system default SSL verification (SECURE)
+        - ssl=False: Disables SSL verification completely (INSECURE needed for dev/test)
+        - ssl=SSLContext: Uses custom SSL context (SECURE with custom CAs)
+        Args:
+            verify_ssl: Whether SSL verification should be enabled
+        Returns:
+            TCPConnector with consistent SSL behavior:
+            - verify_ssl=True + custom context: ssl=SSLContext (infrastructure CA bundle)
+            - verify_ssl=True + no context: ssl=True (system default CAs)
+            - verify_ssl=False: ssl=False (DISABLED - consistent with requests.Session)
+        Raises:
+            ssl.SSLError: If SSL context creation fails when verify_ssl=True
+        """
+        if not verify_ssl:
+            # SECURITY NOTE: This disables SSL verification
+            # should only be used in development/testing
+            # This matches requests.Session.verify=False behavior for consistency
+            return aiohttp.TCPConnector(ssl=False)
+
+        # Get SSL context from centralized SSL manager
+        ssl_context = ssl_manager.get_ssl_context()
+
+        if ssl_context is not None:
+            # Use custom SSL context from SSL manager (infrastructure CA bundle)
+            return aiohttp.TCPConnector(ssl=ssl_context)
+        else:
+            # Use system default SSL verification (fallback when no custom CA bundle)
+            return aiohttp.TCPConnector(ssl=True)
+
     async def async_invoke(self, params: StreamingChatBotParameters) -> AsyncGenerator:
 
-        # Configure SSL context based on verify_ssl setting
-        if self.config.ca_cert_file:
-            ssl_context = ssl.create_default_context(cafile=self.config.ca_cert_file)
-            connector = aiohttp.TCPConnector(ssl=ssl_context)
-        else:
-            connector = aiohttp.TCPConnector(ssl=self.config.verify_ssl)
+        # Create connector with proper SSL handling
+        connector = self._get_aiohttp_connector(verify_ssl=self.config.verify_ssl)
 
         async with aiohttp.ClientSession(raise_for_status=True, connector=connector) as session:
             headers = {

ansible_ai_connect/ai/api/model_pipelines/http/tests/test_healthcheck.py

@@ -31,12 +31,13 @@
     TestModelPipelineHealthCheck,
 )
 from ansible_ai_connect.ai.api.model_pipelines.tests.test_wca_client import MockResponse
+from ansible_ai_connect.main import ssl_manager
 
 
 @override_settings(ANSIBLE_AI_MODEL_MESH_CONFIG=mock_config("http"))
 class TestModelPipelineFactory(TestModelPipelineHealthCheck):
 
-    @mock.patch("requests.get", return_value=MockResponse(None, 200))
+    @mock.patch("requests.Session.get", return_value=MockResponse(None, 200))
     def test_completions_healthcheck(self, *args, **kwargs):
         self.assert_ok(ModelPipelineCompletions, "http")
 
@@ -55,10 +56,16 @@ def test_playbook_explanation_healthcheck(self):
     def test_role_explanation_healthcheck(self):
         self.assert_skipped(ModelPipelineRoleExplanation, "nop")
 
-    @mock.patch("requests.get", return_value=MockResponse({"ready": True}, 200))
-    def test_chatbot_healthcheck(self, *args, **kwargs):
+    @mock.patch.object(ssl_manager.ssl_manager, "get_requests_session")
+    def test_chatbot_healthcheck(self, mock_session_factory):
+        mock_session = mock.Mock()
+        mock_session.get.return_value = MockResponse({"ready": True}, 200)
+        mock_session_factory.return_value = mock_session
         self.assert_ok(ModelPipelineChatBot, "http")
 
-    @mock.patch("requests.get", return_value=MockResponse({"ready": True}, 200))
-    def test_streaming_chatbot_healthcheck(self, *args, **kwargs):
+    @mock.patch.object(ssl_manager.ssl_manager, "get_requests_session")
+    def test_streaming_chatbot_healthcheck(self, mock_session_factory):
+        mock_session = mock.Mock()
+        mock_session.get.return_value = MockResponse({"ready": True}, 200)
+        mock_session_factory.return_value = mock_session
         self.assert_ok(ModelPipelineStreamingChatBot, "http")