fix: trying to fix ssl certification issue while downloading on some macs

Author: ParticularlyPythonicBS

backend/__init__.py

@@ -0,0 +1 @@
+# Package marker for Temoa Web GUI Backend

backend/main.py

@@ -15,6 +15,10 @@
 from datetime import datetime
 from pathlib import Path
 from typing import List, Optional
+import urllib.request
+import shutil
+
+from .utils import create_secure_ssl_context
 
 from fastapi import (
     FastAPI,
@@ -152,6 +156,27 @@ def list_files(path: str = "."):
         raise HTTPException(status_code=500, detail=str(e))
 
 
+@app.post("/api/download_tutorial")
+def download_tutorial():
+    """Downloads the tutorial database from the main repo."""
+    try:
+        url = "https://raw.githubusercontent.com/TemoaProject/temoa-web-gui/main/assets/tutorial_database.sqlite"
+        assets_path = Path("assets")
+        assets_path.mkdir(exist_ok=True)
+        target_path = assets_path / "tutorial_database.sqlite"
+
+        ctx = create_secure_ssl_context()
+
+        with urllib.request.urlopen(url, context=ctx) as response:
+            with open(target_path, "wb") as out_file:
+                shutil.copyfileobj(response, out_file)
+
+        return {"status": "ok", "path": str(target_path.absolute())}
+    except Exception as e:
+        logging.exception("Failed to download tutorial")
+        raise HTTPException(status_code=500, detail=f"Download failed: {str(e)}") from e
+
+
 @app.get("/api/solvers")
 def list_solvers():
     """Detect available solvers on the local system."""

backend/tests/test_download.py

@@ -0,0 +1,52 @@
+import pytest
+from unittest.mock import patch, MagicMock
+from fastapi.testclient import TestClient
+from backend.main import app
+import ssl
+
+client = TestClient(app)
+
+
+@pytest.mark.parametrize("skip_verify", ["0", "1"])
+def test_download_tutorial_ssl_context(skip_verify, monkeypatch):
+    """
+    Test that the SSL context is correctly configured based on TEMOA_SKIP_CERT_VERIFY.
+    This test is parametrized to ensure deterministic behavior.
+    """
+    monkeypatch.setenv("TEMOA_SKIP_CERT_VERIFY", skip_verify)
+
+    # Patch targets must be on the module that USES the functions
+    with patch("backend.main.urllib.request.urlopen") as mock_urlopen, patch(
+        "backend.main.shutil.copyfileobj"
+    ), patch("backend.main.open", new_callable=MagicMock):
+        # Configure the mock response
+        mock_response = MagicMock()
+        mock_urlopen.return_value.__enter__.return_value = mock_response
+
+        response = client.post("/api/download_tutorial")
+
+        assert response.status_code == 200
+        assert response.json()["status"] == "ok"
+
+        # Verify SSL context
+        _, kwargs = mock_urlopen.call_args
+        assert "context" in kwargs
+        ctx = kwargs["context"]
+        assert isinstance(ctx, ssl.SSLContext)
+
+        if skip_verify == "1":
+            assert ctx.check_hostname is False
+            assert ctx.verify_mode == ssl.CERT_NONE
+        else:
+            assert ctx.check_hostname is True
+            assert ctx.verify_mode == ssl.CERT_REQUIRED
+
+
+def test_download_tutorial_failure():
+    # Patch on the actual module to ensure it's intercepted
+    with patch(
+        "backend.main.urllib.request.urlopen", side_effect=Exception("Network error")
+    ):
+        response = client.post("/api/download_tutorial")
+        assert response.status_code == 500
+        assert "Download failed" in response.json()["detail"]

backend/utils.py

@@ -0,0 +1,27 @@
+import ssl
+import certifi
+import os
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def create_secure_ssl_context():
+    """
+    Creates a secure SSL context using certifi's CA bundle.
+    Allows bypassing verification ONLY if TEMOA_SKIP_CERT_VERIFY is set to '1'.
+    """
+    skip_verify = os.environ.get("TEMOA_SKIP_CERT_VERIFY") == "1"
+
+    if skip_verify:
+        logger.warning(
+            "SSL certificate verification is DISABLED via TEMOA_SKIP_CERT_VERIFY."
+        )
+        ctx = ssl.create_default_context()
+        ctx.check_hostname = False
+        ctx.verify_mode = ssl.CERT_NONE
+        return ctx
+
+    # Secure default using certifi
+    ctx = ssl.create_default_context(cafile=certifi.where())
+    return ctx

pyproject.toml

@@ -4,14 +4,6 @@ version = "0.1.0"
 description = "Web interface for Temoa Energy System Model"
 readme = "README.md"
 requires-python = ">=3.12"
-dependencies = [
-    "temoa>=4.0.0a1",
-    "fastapi",
-    "uvicorn[standard]",
-    "tomlkit",
-    "datasette",
-    "websockets",
-]
 
 [tool.pytest.ini_options]
 pythonpath = ["."]

temoa_runner.py

@@ -7,16 +7,21 @@
 #     "tomlkit",
 #     "websockets",
 #     "datasette",
+#     "certifi",
 # ]
 # ///
 
 import asyncio
 import logging
 import sys
+import shutil
 from datetime import datetime
 from pathlib import Path
 from typing import List, Optional
 import urllib.request
+import os
+import certifi
+import ssl
 
 from fastapi import (
     FastAPI,
@@ -29,6 +34,28 @@
 from fastapi.staticfiles import StaticFiles
 from pydantic import BaseModel
 
+
+def create_secure_ssl_context():
+    """
+    Creates a secure SSL context using certifi's CA bundle.
+    Allows bypassing verification ONLY if TEMOA_SKIP_CERT_VERIFY is set to '1'.
+    """
+    skip_verify = os.environ.get("TEMOA_SKIP_CERT_VERIFY") == "1"
+
+    if skip_verify:
+        logging.warning(
+            "SSL certificate verification is DISABLED via TEMOA_SKIP_CERT_VERIFY."
+        )
+        ctx = ssl.create_default_context()
+        ctx.check_hostname = False
+        ctx.verify_mode = ssl.CERT_NONE
+        return ctx
+
+    # Secure default using certifi
+    ctx = ssl.create_default_context(cafile=certifi.where())
+    return ctx
+
+
 # --- Temoa Imports ---
 # We assume temoa is installed in the same environment
 try:
@@ -119,12 +146,19 @@ def ensure_assets():
     assets_dir.mkdir(exist_ok=True)
 
     files = ["tutorial_database.sqlite", "tutorial_config.toml"]
+
+    ctx = create_secure_ssl_context()
+
     for f in files:
         target = assets_dir / f
         if not target.exists():
             print(f"Downloading missing asset: {f}...")
             try:
-                urllib.request.urlretrieve(base_url + f, target)
+                # Use urlopen with context instead of urlretrieve
+                url = base_url + f
+                with urllib.request.urlopen(url, context=ctx) as response:
+                    with open(target, "wb") as out_file:
+                        shutil.copyfileobj(response, out_file)
             except Exception as e:
                 print(f"Failed to download {f}: {e}")