(PC-34037)[API] fix: isolate the two Ubble requests sessions

In staging and production, going through an Ubble v2 flow has a nasty side-effect. The certificates used for mutual TLS are also sent during the Ubble v1 flow, making Ubble crash and return 500 errors. This commit attempts to isolate the requests session to prevent this side-effect.
pass-culture · Jan 16, 2025 · 0eb5cd4 · 0eb5cd4
1 parent 1ff2056
commit 0eb5cd4
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 11 deletions.
diff --git a/api/src/pcapi/connectors/beneficiaries/ubble.py b/api/src/pcapi/connectors/beneficiaries/ubble.py
@@ -83,10 +83,10 @@ def wrapper(*args: typing.Any, **kwargs: typing.Any) -> fraud_models.UbbleConten
 
 @log_and_handle_ubble_response("applicant")
 def create_applicant(external_applicant_id: str, email: str) -> str:
-    response = requests.post(
+    session = _configure_v2_session()
+    response = session.post(
         build_url("/v2/applicants"),
         json={"external_applicant_id": external_applicant_id, "email": email},
-        cert=(settings.UBBLE_CLIENT_CERTIFICATE_PATH, settings.UBBLE_CLIENT_KEY_PATH),
     )
     response.raise_for_status()
 
@@ -107,15 +107,15 @@ def create_applicant(external_applicant_id: str, email: str) -> str:
 def create_identity_verification(
     applicant_id: str, first_name: str, last_name: str, redirect_url: str, webhook_url: str
 ) -> fraud_models.UbbleContent:
-    response = requests.post(
+    session = _configure_v2_session()
+    response = session.post(
         build_url("/v2/identity-verifications"),
         json={
             "applicant_id": applicant_id,
             "declared_data": {"name": f"{first_name} {last_name}"},
             "redirect_url": redirect_url,
             "webhook_url": webhook_url,
         },
-        cert=(settings.UBBLE_CLIENT_CERTIFICATE_PATH, settings.UBBLE_CLIENT_KEY_PATH),
     )
     response.raise_for_status()
 
@@ -132,10 +132,9 @@ def create_identity_verification(
 
 @log_and_handle_ubble_response("identity-verifications-attempt")
 def create_identity_verification_attempt(identification_id: str, redirect_url: str) -> str:
-    response = requests.post(
-        build_url(f"/v2/identity-verifications/{identification_id}/attempts"),
-        json={"redirect_url": redirect_url},
-        cert=(settings.UBBLE_CLIENT_CERTIFICATE_PATH, settings.UBBLE_CLIENT_KEY_PATH),
+    session = _configure_v2_session()
+    response = session.post(
+        build_url(f"/v2/identity-verifications/{identification_id}/attempts"), json={"redirect_url": redirect_url}
     )
     response.raise_for_status()
 
@@ -150,14 +149,14 @@ def create_identity_verification_attempt(identification_id: str, redirect_url: s
 def create_and_start_identity_verification(
     first_name: str, last_name: str, redirect_url: str, webhook_url: str
 ) -> fraud_models.UbbleContent:
-    response = requests.post(
+    session = _configure_v2_session()
+    response = session.post(
         build_url("/v2/create-and-start-idv"),
         json={
             "declared_data": {"name": f"{first_name} {last_name}"},
             "webhook_url": webhook_url,
             "redirect_url": redirect_url,
         },
-        cert=(settings.UBBLE_CLIENT_CERTIFICATE_PATH, settings.UBBLE_CLIENT_KEY_PATH),
     )
     response.raise_for_status()
 
@@ -197,6 +196,12 @@ def request_webhook_notification(identification_id: str, webhook_url: str) -> No
     response.raise_for_status()
 
 
+def _configure_v2_session() -> requests.Session:
+    session = requests.Session()
+    session.cert = (settings.UBBLE_CLIENT_CERTIFICATE_PATH, settings.UBBLE_CLIENT_KEY_PATH)
+    return session
+
+
 def download_ubble_picture(http_url: pydantic_networks.HttpUrl) -> tuple[str | None, typing.Any]:
     try:
         response = requests.get(http_url, stream=True)
@@ -240,6 +245,7 @@ def start_identification(
     user_id: int, first_name: str, last_name: str, redirect_url: str, webhook_url: str
 ) -> fraud_models.UbbleContent:
     session = configure_session()
+    logger.info("Ubble v1 request session state", extra=session.__dict__)
 
     data = {
         "data": {
@@ -380,6 +386,7 @@ def configure_session() -> requests.Session:
             "Content-Type": "application/vnd.api+json",
         }
     )
+    session.cert = None
 
     return session
 

diff --git a/api/tests/connectors/beneficiaries/ubble_test.py b/api/tests/connectors/beneficiaries/ubble_test.py
@@ -133,7 +133,7 @@ def test_start_identification(self, ubble_mock, caplog):
         assert attributes["redirect_url"] == "http://redirect/url"
 
         assert len(caplog.records) >= 1
-        record = caplog.records[1]
+        record = caplog.records[2]
         assert record.extra["status_code"] == 201
         assert record.extra["identification_id"] == str(response.identification_id)
         assert record.extra["request_type"] == "start-identification"