From ab1006c3ab35fcdd34de398d8a1497dcafc8b903 Mon Sep 17 00:00:00 2001 From: Mark Calvert Date: Fri, 15 Nov 2024 17:32:45 +1300 Subject: [PATCH] Add CA bundle certificate path configuration and update SSL verification logic --- ckanext/invalid_uris/config_declaration.yaml | 8 +++++--- ckanext/invalid_uris/helpers.py | 5 +++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ckanext/invalid_uris/config_declaration.yaml b/ckanext/invalid_uris/config_declaration.yaml index e8a52b9..b28f665 100644 --- a/ckanext/invalid_uris/config_declaration.yaml +++ b/ckanext/invalid_uris/config_declaration.yaml @@ -1,4 +1,3 @@ - version: 1 groups: - annotation: ckanext-invalid_uris @@ -20,11 +19,14 @@ groups: default: true description: Whether to verify the SSL certificate + - key: ckanext.invalid_uris.ca_bundle_certificate_path + description: The path to the CA bundle certificate + - key: ckanext.invalid_uris.retry_attempts type: int default: 3 description: The number of times to retry a request - + - key: ckanext.invalid_uris.recipient_name default: "Open Data" description: The name of the recipient of the data @@ -34,4 +36,4 @@ groups: - key: ckanext.invalid_uris.domain_whitelist type: list - description: A list of domains to allow requests to \ No newline at end of file + description: A list of domains to allow requests to diff --git a/ckanext/invalid_uris/helpers.py b/ckanext/invalid_uris/helpers.py index 253f3ee..9e70315 100644 --- a/ckanext/invalid_uris/helpers.py +++ b/ckanext/invalid_uris/helpers.py @@ -28,8 +28,9 @@ def valid_uri(uri, retries=0, method='head'): timeout = timeout * (retries+1) user_agent = config.get('ckanext.invalid_uris.user_agent') verify_certificate = toolkit.asbool(config.get('ckanext.invalid_uris.verify_certificate', True)) + ca_bundle_path = config.get('ckanext.invalid_uris.ca_bundle_certificate_path', True) retry_attempts = toolkit.asint(config.get('ckanext.invalid_uris.retry_attempts', 3)) - + try: if proxy: proxies = { 
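Review bot: The new `ckanext.invalid_uris.ca_bundle_certificate_path` entry in the second config_declaration.yaml hunk does not say what happens when the option is left unset, or how it relates to `ckanext.invalid_uris.verify_certificate`. Judging by the helpers.py change in this commit, the path is only used when `verify_certificate` is true. The description could say so: `description: Path to a CA bundle used to verify certificates when ckanext.invalid_uris.verify_certificate is true; leave unset to use the default trust store`.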
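Review bot: `ca_bundle_path` can end up falsy without being `False`: the added `config.get('ckanext.invalid_uris.ca_bundle_certificate_path', True)` falls back to `True` only when the key is missing, so a blank value in the ini file (or possibly `None`, since the option is declared without a default) would be passed to `verify=` in the second helpers.py hunk. If that is a requests call, as the keyword arguments suggest, some requests versions treat an empty string there as verification disabled even though `verify_certificate` is true. Normalising the value closes the gap: `ca_bundle_path = config.get('ckanext.invalid_uris.ca_bundle_certificate_path') or True`. The body of valid_uri starts and ends outside this hunk.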
@@ -44,7 +45,7 @@ def valid_uri(uri, retries=0, method='head'):
 method=method,
 url=uri,
 headers=headers,
- verify=verify_certificate,
+ verify=ca_bundle_path if verify_certificate else False,
 timeout=timeout,
 proxies=proxies,
 allow_redirects=True,
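Review bot: A configured bundle path that does not exist or cannot be read is not distinguished from a bad URI at `verify=ca_bundle_path if verify_certificate else False`. If this is a requests call, as the keyword arguments suggest, an invalid path raises on every request, and depending on the except clauses outside this hunk each checked link may then be recorded as invalid. Checking the path once before the call, e.g. `if isinstance(ca_bundle_path, str) and not os.path.exists(ca_bundle_path):` followed by a logged configuration error, would keep a misconfiguration from being reported as broken links. A short comment such as `# verify: True = default trust store, str = CA bundle path, False = no verification` would also help at this line. The call itself and the rest of valid_uri lie outside the hunk.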