fix: pass sys ssl certificates to bedrock client (#718)

Author: radu-mocanu

pyproject.toml

@@ -1,13 +1,13 @@
 [project]
 name = "uipath-langchain"
-version = "0.9.3"
+version = "0.9.4"
 description = "Python SDK that enables developers to build and deploy LangGraph agents to the UiPath Cloud Platform"
 readme = { file = "README.md", content-type = "text/markdown" }
 requires-python = ">=3.11"
 dependencies = [
     "uipath>=2.10.22, <2.11.0",
     "uipath-core>=0.5.2, <0.6.0",
-    "uipath-platform>=0.1.5, <0.2.0",
+    "uipath-platform>=0.1.7, <0.2.0",
     "uipath-runtime>=0.9.1, <0.10.0",
     "langgraph>=1.0.0, <2.0.0",
     "langchain-core>=1.2.11, <2.0.0",

src/uipath_langchain/chat/bedrock.py

@@ -7,7 +7,11 @@
 from langchain_core.messages import BaseMessage
 from langchain_core.outputs import ChatGenerationChunk, ChatResult
 from tenacity import AsyncRetrying, Retrying
-from uipath.platform.common import EndpointManager, resource_override
+from uipath.platform.common import (
+    EndpointManager,
+    get_ca_bundle_path,
+    resource_override,
+)
 
 from .http_client import build_uipath_headers, resolve_gateway_url
 from .http_client.header_capture import HeaderCapture
@@ -110,8 +114,10 @@ def _unsigned_config(self, **overrides):
 
     def get_client(self):
         session = self._build_session()
+        ca_bundle = get_ca_bundle_path()
         client = session.client(
             "bedrock-runtime",
+            verify=ca_bundle if ca_bundle is not None else False,
             config=self._unsigned_config(
                 retries={"total_max_attempts": 1},
                 read_timeout=300,
@@ -127,8 +133,10 @@ def get_client(self):
 
     def get_bedrock_client(self):
         session = self._build_session()
+        ca_bundle = get_ca_bundle_path()
         return session.client(
             "bedrock",
+            verify=ca_bundle if ca_bundle is not None else False,
             config=self._unsigned_config(),
         )
 

tests/chat/test_bedrock.py

@@ -167,3 +167,82 @@ def test_generate_converts_file_blocks(self, mock_session_cls):
             },
         }
         assert result == fake_result
+
+
+class TestBedrockSslConfiguration:
+    def _make_passthrough(self):
+        return AwsBedrockCompletionsPassthroughClient(
+            model="anthropic.claude-haiku-4-5-20251001",
+            token="test-token",
+            api_flavor="converse",
+        )
+
+    @patch("uipath_langchain.chat.bedrock.boto3.Session")
+    @patch.dict(os.environ, {"SSL_CERT_FILE": "/tmp/test-ca-bundle.pem"}, clear=False)
+    def test_get_client_uses_ssl_cert_file(self, mock_session_cls):
+        os.environ.pop("REQUESTS_CA_BUNDLE", None)
+        os.environ.pop("UIPATH_DISABLE_SSL_VERIFY", None)
+        mock_session = mock_session_cls.return_value
+
+        self._make_passthrough().get_client()
+
+        mock_session.client.assert_called_once()
+        _, kwargs = mock_session.client.call_args
+        assert kwargs["verify"] == "/tmp/test-ca-bundle.pem"
+
+    @patch("uipath_langchain.chat.bedrock.boto3.Session")
+    @patch.dict(os.environ, {"SSL_CERT_FILE": "/tmp/test-ca-bundle.pem"}, clear=False)
+    def test_get_bedrock_client_uses_ssl_cert_file(self, mock_session_cls):
+        os.environ.pop("REQUESTS_CA_BUNDLE", None)
+        os.environ.pop("UIPATH_DISABLE_SSL_VERIFY", None)
+        mock_session = mock_session_cls.return_value
+
+        self._make_passthrough().get_bedrock_client()
+
+        mock_session.client.assert_called_once()
+        _, kwargs = mock_session.client.call_args
+        assert kwargs["verify"] == "/tmp/test-ca-bundle.pem"
+
+    @patch("uipath_langchain.chat.bedrock.boto3.Session")
+    @patch.dict(
+        os.environ,
+        {
+            "SSL_CERT_FILE": "/tmp/ssl-cert.pem",
+            "REQUESTS_CA_BUNDLE": "/tmp/requests-ca.pem",
+        },
+        clear=False,
+    )
+    def test_ssl_cert_file_takes_priority_over_requests_ca_bundle(
+        self, mock_session_cls
+    ):
+        os.environ.pop("UIPATH_DISABLE_SSL_VERIFY", None)
+        mock_session = mock_session_cls.return_value
+
+        self._make_passthrough().get_client()
+
+        _, kwargs = mock_session.client.call_args
+        assert kwargs["verify"] == "/tmp/ssl-cert.pem"
+
+    @patch("uipath_langchain.chat.bedrock.boto3.Session")
+    @patch.dict(os.environ, {"UIPATH_DISABLE_SSL_VERIFY": "true"}, clear=False)
+    def test_disable_ssl_verify(self, mock_session_cls):
+        mock_session = mock_session_cls.return_value
+
+        self._make_passthrough().get_client()
+
+        _, kwargs = mock_session.client.call_args
+        assert kwargs["verify"] is False
+
+    @patch("uipath_langchain.chat.bedrock.boto3.Session")
+    def test_default_uses_certifi(self, mock_session_cls):
+        import certifi
+
+        os.environ.pop("SSL_CERT_FILE", None)
+        os.environ.pop("REQUESTS_CA_BUNDLE", None)
+        os.environ.pop("UIPATH_DISABLE_SSL_VERIFY", None)
+        mock_session = mock_session_cls.return_value
+
+        self._make_passthrough().get_client()
+
+        _, kwargs = mock_session.client.call_args
+        assert kwargs["verify"] == certifi.where()