@szaffarano szaffarano commented Feb 5, 2025

To address #1801 I'm proposing to add a new CLI boolean flag --use-system-ca-files/--no-use-system-ca-files to let the user decide when to use the system root CAs or the certifi ones.

The default value is false to keep it backward compatible.

Summary by CodeRabbit

  • New Features
    • Added configurable SSL/TLS certificate handling for Slack connections, enabling custom SSL context configuration.
    • Introduced --use-system-ca-files CLI flag (default enabled) to allow users to choose between system or bundled certificate authorities for secure connections.

@arbiv arbiv marked this pull request as draft November 11, 2025 09:29
@arbiv arbiv marked this pull request as ready for review November 11, 2025 09:29

coderabbitai bot commented Nov 11, 2025

Walkthrough

The changes add SSL context handling to Slack clients and introduce a system CA file configuration option. A new ssl_context parameter is added to SlackClient and its subclasses, while a new use_system_ca_files configuration flag is introduced in Config and wired through the CLI monitor and send_report commands.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Slack Client SSL Context Support (elementary/clients/slack/client.py) | Added ssl_context parameter to SlackClient.__init__ and _initial_client methods. Updated SlackWebClient and SlackWebhookClient to accept and propagate ssl_context to parent class and underlying Slack API clients. Added ssl and certifi imports for CA bundle handling. |
| Config System CA Flag (elementary/config/config.py) | Added use_system_ca_files: bool = True parameter to Config.__init__ and assigned to self.use_system_ca_files attribute. |
| CLI System CA Option (elementary/monitor/cli.py) | Added --use-system-ca-files/--no-use-system-ca-files CLI flag (default True) to common monitor options. Updated monitor and send_report command signatures to accept and propagate use_system_ca_files to Config construction. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Areas requiring attention:
    • Verify SSL context is correctly instantiated and passed through all three Slack client classes (SlackClient, SlackWebClient, SlackWebhookClient)
    • Confirm ssl_context parameter propagation chain from CLI flag → Config → Slack client initialization
    • Check that default behavior (system CA files) matches expected SSL/TLS validation behavior
    • Validate that the certifi and ssl imports are correctly used in client creation

Poem

🐰 A rabbit hops through certificates and keys,
Where Slack now speaks with custom SSL ease,
From CLI flags to clients passing through,
System CAs or bundles—the choice is true! 🔒

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
| Title check | ❓ Inconclusive | The title 'Add optional ssl config flag' is vague and generic, using non-descriptive terms that don't convey the specific purpose of the change. | Provide a more specific title that describes what the flag does, such as 'Add --use-system-ca-files CLI flag to control SSL certificate validation' or similar. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 912546c and 5e7da25.

📒 Files selected for processing (3)
  • elementary/clients/slack/client.py (5 hunks)
  • elementary/config/config.py (2 hunks)
  • elementary/monitor/cli.py (5 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
elementary/clients/slack/client.py (1)
elementary/monitor/data_monitoring/alerts/integrations/slack/slack.py (1)
  • _initial_client (87-93)

Comment on lines +47 to +67
ssl_context = (
None
if config.use_system_ca_files
else ssl.create_default_context(cafile=certifi.where())
)
return SlackWebClient(
token=config.slack_token, tracking=tracking, ssl_context=ssl_context
)
elif config.slack_webhook:
logger.debug("Creating Slack client with webhook.")
return SlackWebhookClient(webhook=config.slack_webhook, tracking=tracking)
logger.debug(
"Creating Slack client with webhook (system CA? = %s).",
config.use_system_ca_files,
)
ssl_context = (
ssl.create_default_context(cafile=certifi.where())
if not config.use_system_ca_files
else None
)
return SlackWebhookClient(
webhook=config.slack_webhook, tracking=tracking, ssl_context=ssl_context
)
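Review bot: The two ssl_context expressions make the same choice with opposite polarity (`None if config.use_system_ca_files else ...` on the token path, `... if not config.use_system_ca_files else None` on the webhook path), so one can drift from the other on a later edit. Build the context once before the token/webhook branching, or in a small helper, and pass the result to both clients. In these lines the debug message that records the CA choice appears only on the webhook path; logging it on both paths would make TLS failures easier to diagnose.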

⚠️ Potential issue | 🟠 Major

Create an explicit system CA SSLContext

When use_system_ca_files is True, ssl_context is set to None, which leaves the Slack SDK on its certifi-backed default. The flag never enables system trust roots. Instead, build a context with ssl.create_default_context() for the system store, and keep the certifi override only when the flag is False.

-            ssl_context = (
-                None
-                if config.use_system_ca_files
-                else ssl.create_default_context(cafile=certifi.where())
-            )
+            ssl_context = (
+                ssl.create_default_context()
+                if config.use_system_ca_files
+                else ssl.create_default_context(cafile=certifi.where())
+            )
@@
-            ssl_context = (
-                ssl.create_default_context(cafile=certifi.where())
-                if not config.use_system_ca_files
-                else None
-            )
+            ssl_context = (
+                ssl.create_default_context()
+                if config.use_system_ca_files
+                else ssl.create_default_context(cafile=certifi.where())
+            )
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
ssl_context = (
None
if config.use_system_ca_files
else ssl.create_default_context(cafile=certifi.where())
)
return SlackWebClient(
token=config.slack_token, tracking=tracking, ssl_context=ssl_context
)
elif config.slack_webhook:
logger.debug("Creating Slack client with webhook.")
return SlackWebhookClient(webhook=config.slack_webhook, tracking=tracking)
logger.debug(
"Creating Slack client with webhook (system CA? = %s).",
config.use_system_ca_files,
)
ssl_context = (
ssl.create_default_context(cafile=certifi.where())
if not config.use_system_ca_files
else None
)
return SlackWebhookClient(
webhook=config.slack_webhook, tracking=tracking, ssl_context=ssl_context
)
ssl_context = (
ssl.create_default_context()
if config.use_system_ca_files
else ssl.create_default_context(cafile=certifi.where())
)
return SlackWebClient(
token=config.slack_token, tracking=tracking, ssl_context=ssl_context
)
elif config.slack_webhook:
logger.debug(
"Creating Slack client with webhook (system CA? = %s).",
config.use_system_ca_files,
)
ssl_context = (
ssl.create_default_context()
if config.use_system_ca_files
else ssl.create_default_context(cafile=certifi.where())
)
return SlackWebhookClient(
webhook=config.slack_webhook, tracking=tracking, ssl_context=ssl_context
)

Comment on lines +76 to 77
use_system_ca_files: bool = True,
):
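Review bot: The default on line 76 is True, while the PR description states that the default is false to stay backward compatible; one of the two has to change before merge. The parameter also arrives without a comment or docstring saying what True and False select (system root CAs or the certifi bundle), which deserves a line because it changes which CAs the Slack connection trusts.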

⚠️ Potential issue | 🟠 Major

Restore use_system_ca_files default to False

Line 76 flips the default to True, so every existing Config(...) call silently swaps from the certifi bundle to system trust stores. That breaks backward compatibility and contradicts the PR description (“default value is false”). Set the default back to False so legacy behavior remains unchanged.

-        use_system_ca_files: bool = True,
+        use_system_ca_files: bool = False,

Suggested change
use_system_ca_files: bool = True,
):
use_system_ca_files: bool = False,
):
🤖 Prompt for AI Agents
In elementary/config/config.py around lines 76 to 77, the parameter default for
use_system_ca_files was changed to True which breaks backward compatibility;
change its default back to False so Config(...) continues to use the certifi
bundle by default and preserve legacy behavior. Update the function/class
signature to set use_system_ca_files: bool = False and run tests or type checks
to ensure no other call sites rely on the flipped default.

Comment on lines +76 to +80
func = click.option(
"--use-system-ca-files/--no-use-system-ca-files",
default=True,
help="Whether to use the system CA files for SSL connections or the ones provided by certify (see https://pypi.org/project/certifi).",
)(func)
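Review bot: The help string spells the package "certify" while the URL it links to is pypi.org/project/certifi; correct the name to certifi. The `default=True` here repeats the default already set on the Config parameter, so the two values can drift apart; a single shared constant would keep the CLI and Config defaults in step.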

⚠️ Potential issue | 🟠 Major

Keep the CLI flag default aligned with legacy behavior

The new click option currently defaults to True, undoing the certifi-based behavior for anyone who doesn’t pass the flag. Align it with the intended default (False) so --use-system-ca-files opt-in matches the Config change.

-            func = click.option(
-                "--use-system-ca-files/--no-use-system-ca-files",
-                default=True,
+            func = click.option(
+                "--use-system-ca-files/--no-use-system-ca-files",
+                default=False,

Suggested change
func = click.option(
"--use-system-ca-files/--no-use-system-ca-files",
default=True,
help="Whether to use the system CA files for SSL connections or the ones provided by certify (see https://pypi.org/project/certifi).",
)(func)
func = click.option(
"--use-system-ca-files/--no-use-system-ca-files",
default=False,
help="Whether to use the system CA files for SSL connections or the ones provided by certify (see https://pypi.org/project/certifi).",
)(func)
🤖 Prompt for AI Agents
In elementary/monitor/cli.py around lines 76 to 80, the Click option for
--use-system-ca-files currently defaults to True which reverses the intended
certifi-based behavior; change the option's default from True to False so that
system CA files are only used when the flag is explicitly passed, keeping the
CLI default aligned with the Config change.
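
An added example illustrating the trust-store choice discussed in this review (it is not code from the PR or from elementary): the helper always returns an explicit, verifying context, so the CA source does not depend on what an HTTP client does when it is handed None. The names `build_ssl_context`, `trust_summary`, `bundle_is_loadable` and the `bundle_path` parameter are hypothetical, and certifi is assumed to be installed only when no bundle path is given.

```python
import ssl
from typing import Optional


def build_ssl_context(use_system_ca_files: bool,
                      bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """Return a verifying client context with an explicit trust source.

    Hypothetical helper: it never returns None, so the trust source does
    not depend on an HTTP client's own default.
    """
    if use_system_ca_files:
        # No cafile/capath/cadata given: the ssl module loads the
        # platform's default CA certificates.
        return ssl.create_default_context()
    if bundle_path is None:
        # Assumption: certifi is installed, as in the PR under review.
        import certifi
        bundle_path = certifi.where()
    # Only the CAs in this file are trusted; a missing file raises here.
    return ssl.create_default_context(cafile=bundle_path)


def trust_summary(ctx: ssl.SSLContext) -> dict:
    """Facts worth logging at client start-up for a given context."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        # CA certificates already loaded in memory; directory-based
        # (capath) stores load lazily and can report 0 here.
        "loaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
    }


def bundle_is_loadable(bundle_path: str) -> bool:
    """True if a bundle-backed context can be built from bundle_path."""
    try:
        build_ssl_context(False, bundle_path)
        return True
    except OSError:  # covers FileNotFoundError and ssl.SSLError
        return False


if __name__ == "__main__":
    print("system:", trust_summary(build_ssl_context(True)))
    # Constructed path that does not exist, to show the failure mode.
    print("missing bundle loadable:", bundle_is_loadable("/nonexistent/ca.pem"))
```
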
