Restrict custom CA certificate configurations for the Azure SDK to Linux only (#2282)

#### Reference Issues/PRs

Extracted from #2252. 

See discussions in
conda-forge/azure-core-cpp-feedstock#23.

#### What does this implement or fix?

Have the Azure SDK on Windows only use WinHTTP instead of `libcurl`. 

#### Any other comments?

#### Checklist

<details>
  <summary>
   Checklist for code changes...
  </summary>
 
- [x] Have you updated the relevant docstrings, documentation and
copyright notice?
- [ ] Is this contribution tested against [all ArcticDB's
features](../docs/mkdocs/docs/technical/contributing.md)?
- [ ] Do all exceptions introduced raise appropriate [error
messages](https://docs.arcticdb.io/error_messages/)?
 - [ ] Are API changes highlighted in the PR description?
- [ ] Is the PR labelled as enhancement or bug so it appears in
autogenerated release notes?
</details>

<!--
Thanks for contributing a Pull Request to ArcticDB! Please ensure you
have taken a look at:
- ArcticDB's Code of Conduct:
https://github.com/man-group/ArcticDB/blob/master/CODE_OF_CONDUCT.md
- ArcticDB's Contribution Licensing:
https://github.com/man-group/ArcticDB/blob/master/docs/mkdocs/docs/technical/contributing.md#contribution-licensing
-->

---------

Signed-off-by: Julien Jerphanion <[email protected]>
Co-authored-by: Phoebus Mak <[email protected]>

Author: jjerphan

cpp/arcticdb/storage/azure/azure_client_impl.cpp

@@ -6,11 +6,52 @@
  * will be governed by the Apache License, version 2.0.
  */
 
+/**
+ * Azure Transport Selection:
+ *
+ * This file implements platform-specific HTTP transport selection for Azure storage operations:
+ *
+ * - On Windows (_WIN32):
+ *   - Always uses WinHTTP (native Windows HTTP client)
+ *   - CA certificate settings are not supported as WinHTTP uses Windows certificate store
+ *   - Custom CA certificates must be installed via Windows Certificate Manager (certmgr.msc)
+ *   - This provides better performance and integration with Windows security
+ *
+ * - On macOS (__APPLE__):
+ *   - Always uses libcurl as the HTTP transport
+ *   - CA certificate settings are not supported
+ *   - Custom CA certificates must be installed via Keychain Access
+ *
+ * - On Linux:
+ *   - Always uses libcurl as the HTTP transport
+ *   - Supports custom CA certificate configuration via ca_cert_path and ca_cert_dir
+ *
+ * The selection is done at compile time via preprocessor directives to ensure
+ * optimal performance and minimal runtime overhead. The appropriate transport
+ * header is included based on the platform, and the transport is configured
+ * in get_client_options().
+ *
+ * Note, for conda-forge's builds, the distribution of `libcurl` uses CA certificates
+ * provided by the `ca-certificates` package originated from the certifi python package.
+ *
+ * See:
+ * https://github.com/conda-forge/ca-certificates-feedstock/blob/d13d63b3192ec707b514637930fd215d0776c604/recipe/meta.yaml#L8
+ * https://github.com/conda-forge/curl-feedstock/blob/c6144ac9941ab00393a5a76954ddc19fab8005d1/recipe/build.sh#L19
+ */
+
+#if defined(_WIN32)
+#include <azure/core/http/win_http_transport.hpp>
+#else
 #include <azure/core/http/curl_transport.hpp>
+#endif
+
+#include <azure/core.hpp>
+#include <azure/storage/blobs.hpp>
 
 #include <arcticdb/storage/azure/azure_client_impl.hpp>
 #include <arcticdb/storage/azure/azure_client_interface.hpp>
 #include <arcticdb/storage/object_store_utils.hpp>
+#include <arcticdb/util/error_code.hpp>
 
 namespace arcticdb::storage {
 using namespace object_store_utils;
@@ -31,18 +72,54 @@ RealAzureClient::RealAzureClient(const Config& conf) :
 
 Azure::Storage::Blobs::BlobClientOptions RealAzureClient::get_client_options(const Config& conf) {
     BlobClientOptions client_options;
-    if (!conf.ca_cert_path().empty() ||
-        !conf.ca_cert_dir().empty()) { // WARNING: Setting ca_cert_path or ca_cert_dir will force Azure sdk uses libcurl
-                                       // as backend support, instead of winhttp
-        Azure::Core::Http::CurlTransportOptions curl_transport_options;
-        if (!conf.ca_cert_path().empty()) {
-            curl_transport_options.CAInfo = conf.ca_cert_path();
-        }
-        if (!conf.ca_cert_dir().empty()) {
-            curl_transport_options.CAPath = conf.ca_cert_dir();
-        }
-        client_options.Transport.Transport = std::make_shared<Azure::Core::Http::CurlTransport>(curl_transport_options);
+
+#if defined(_WIN32)
+    // On Windows, always use WinHTTP
+    ARCTICDB_RUNTIME_DEBUG(log::storage(), "Using WinHTTP transport");
+    if (conf.ca_cert_path().empty() && conf.ca_cert_dir().empty()) {
+        client_options.Transport.Transport = std::make_shared<Azure::Core::Http::WinHttpTransport>();
+    } else {
+        throw ArcticSpecificException<ErrorCode::E_INVALID_USER_ARGUMENT>(
+                "CA certificate settings are not supported on Windows. "
+                "Please use Windows Certificate Manager (certmgr.msc) to manage certificates:\n"
+                "1. Open Certificate Manager (certmgr.msc)\n"
+                "2. Navigate to 'Trusted Root Certification Authorities'\n"
+                "3. Right-click and select 'All Tasks > Import'\n"
+                "4. Select your certificate file and follow the import wizard\n"
+                "5. Ensure 'Place all certificates in the following store' is selected\n"
+                "6. Complete the import by clicking 'Next' and 'Finish'"
+        );
+    }
+#elif defined(__APPLE__)
+    // On macOS, always use libcurl but ignore CA cert paths
+    ARCTICDB_RUNTIME_DEBUG(log::storage(), "Using libcurl transport");
+    if (conf.ca_cert_path().empty() && conf.ca_cert_dir().empty()) {
+        client_options.Transport.Transport = std::make_shared<Azure::Core::Http::CurlTransport>();
+    } else {
+        throw ArcticSpecificException<ErrorCode::E_INVALID_USER_ARGUMENT>(
+                "CA certificate settings are not supported on macOS. "
+                "Please use Keychain Access to manage certificates:\n"
+                "1. Open Keychain Access (Applications > Utilities > Keychain Access)\n"
+                "2. Select 'System' keychain from the left sidebar\n"
+                "3. Click File > Import Items\n"
+                "4. Select your certificate file\n"
+                "5. Enter your keychain password if prompted\n"
+                "6. The certificate will be added to the System keychain"
+        );
     }
+#else
+    // On Linux, use libcurl with CA cert configuration
+    ARCTICDB_RUNTIME_DEBUG(log::storage(), "Using libcurl transport");
+    Azure::Core::Http::CurlTransportOptions curl_transport_options;
+    if (!conf.ca_cert_path().empty()) {
+        curl_transport_options.CAInfo = conf.ca_cert_path();
+    }
+    if (!conf.ca_cert_dir().empty()) {
+        curl_transport_options.CAPath = conf.ca_cert_dir();
+    }
+    client_options.Transport.Transport = std::make_shared<Azure::Core::Http::CurlTransport>(curl_transport_options);
+#endif
+
     return client_options;
 }
 

cpp/arcticdb/storage/azure/azure_client_impl.hpp

@@ -15,11 +15,11 @@ class RealAzureClient : public AzureClientWrapper {
   private:
     Azure::Storage::Blobs::BlobContainerClient container_client;
 
-    static Azure::Storage::Blobs::BlobClientOptions get_client_options(const Config& conf);
-
   public:
     explicit RealAzureClient(const Config& conf);
 
+    static Azure::Storage::Blobs::BlobClientOptions get_client_options(const Config& conf);
+
     void write_blob(
             const std::string& blob_name, Segment& segment,
             const Azure::Storage::Blobs::UploadBlockBlobFromOptions& upload_option, unsigned int request_timeout
@@ -36,4 +36,4 @@ class RealAzureClient : public AzureClientWrapper {
 
     Azure::Storage::Blobs::ListBlobsPagedResponse list_blobs(const std::string& prefix) override;
 };
-} // namespace arcticdb::storage::azure
+} // namespace arcticdb::storage::azure

cpp/arcticdb/storage/test/test_azure_transport.cpp

@@ -0,0 +1,84 @@
+/* Copyright 2023 Man Group Operations Limited
+ *
+ * Use of this software is governed by the Business Source License 1.1 included in the file licenses/BSL.txt.
+ *
+ * As of the Change Date specified in that file, in accordance with the Business Source License, use of this software
+ * will be governed by the Apache License, version 2.0.
+ */
+
+#include <gtest/gtest.h>
+#include <arcticdb/util/test/gtest_utils.hpp>
+
+#include <arcticdb/storage/azure/azure_client_impl.hpp>
+#include <arcticdb/storage/azure/azure_client_interface.hpp>
+#include <arcticdb/util/error_code.hpp>
+
+using namespace arcticdb;
+using namespace storage;
+using namespace azure;
+
+class AzureTransportTest : public testing::Test {
+  protected:
+    arcticdb::proto::azure_storage::Config config;
+
+    void SetUp() override {
+        config.set_endpoint("https://testaccount.blob.core.windows.net");
+        config.set_container_name("testcontainer");
+    }
+};
+
+TEST_F(AzureTransportTest, TestWindowsTransportSelection) {
+#if defined(_WIN32)
+    // Test that WinHTTP is used when no CA cert settings are provided
+    auto options = RealAzureClient::get_client_options(config);
+    ASSERT_NE(options.Transport.Transport, nullptr);
+
+    // Test that an exception is thrown when CA cert settings are provided
+    config.set_ca_cert_path("/path/to/cert.pem");
+    ASSERT_THROW(RealAzureClient::get_client_options(config), ArcticSpecificException<ErrorCode::E_INVALID_USER_ARGUMENT>);
+
+    config.set_ca_cert_path("");
+    config.set_ca_cert_dir("/path/to/certs");
+    ASSERT_THROW(RealAzureClient::get_client_options(config), ArcticSpecificException<ErrorCode::E_INVALID_USER_ARGUMENT>);
+#endif
+}
+
+TEST_F(AzureTransportTest, TestMacOSTransportSelection) {
+#if defined(__APPLE__)
+    // Test that libcurl is used when no CA cert settings are provided
+    auto options = RealAzureClient::get_client_options(config);
+    ASSERT_NE(options.Transport.Transport, nullptr);
+
+    // Test that an exception is thrown when CA cert settings are provided
+    config.set_ca_cert_path("/path/to/cert.pem");
+    ASSERT_THROW(RealAzureClient::get_client_options(config), ArcticSpecificException<ErrorCode::E_INVALID_USER_ARGUMENT>);
+
+    config.set_ca_cert_path("");
+    config.set_ca_cert_dir("/path/to/certs");
+    ASSERT_THROW(RealAzureClient::get_client_options(config), ArcticSpecificException<ErrorCode::E_INVALID_USER_ARGUMENT>);
+#endif
+}
+
+TEST_F(AzureTransportTest, TestLinuxTransportSelection) {
+#if !defined(_WIN32) && !defined(__APPLE__)
+    // Test that libcurl is used with default settings
+    auto options = RealAzureClient::get_client_options(config);
+    ASSERT_NE(options.Transport.Transport, nullptr);
+
+    // Test that libcurl is used with CA cert path
+    config.set_ca_cert_path("/path/to/cert.pem");
+    options = RealAzureClient::get_client_options(config);
+    ASSERT_NE(options.Transport.Transport, nullptr);
+
+    // Test that libcurl is used with CA cert directory
+    config.set_ca_cert_path("");
+    config.set_ca_cert_dir("/path/to/certs");
+    options = RealAzureClient::get_client_options(config);
+    ASSERT_NE(options.Transport.Transport, nullptr);
+
+    // Test that libcurl is used with both CA cert path and directory
+    config.set_ca_cert_path("/path/to/cert.pem");
+    options = RealAzureClient::get_client_options(config);
+    ASSERT_NE(options.Transport.Transport, nullptr);
+#endif
+}

cpp/vcpkg.json

@@ -68,7 +68,18 @@
       "name": "arrow",
       "default-features": false
     },
-    "azure-core-cpp",
+    {
+      "name": "azure-core-cpp",
+      "default-features": false,
+      "features": [ "winhttp" ],
+      "platform": "windows"
+    },
+    {
+      "name": "azure-core-cpp",
+      "default-features": false,
+      "features": [ "curl" ],
+      "platform": "!windows"
+    },
     "azure-identity-cpp",
     "azure-storage-blobs-cpp",
     "benchmark",

python/arcticdb/adapters/azure_library_adapter.py

@@ -6,21 +6,22 @@
 As of the Change Date specified in that file, in accordance with the Business Source License, use of this software will be governed by the Apache License, version 2.0.
 """
 
+import platform
 import re
+import ssl
 import time
+from collections import namedtuple
+from dataclasses import dataclass, fields
 from typing import Optional
-import ssl
-import platform
 
 from arcticc.pb2.storage_pb2 import EnvironmentConfigsMap, LibraryConfig
-from arcticdb.version_store.helper import add_azure_library_to_env
 from arcticdb.config import _DEFAULT_ENV
+from arcticdb.encoding_version import EncodingVersion
+from arcticdb.exceptions import ArcticException
 from arcticdb.version_store._store import NativeVersionStore
+from arcticdb.version_store.helper import add_azure_library_to_env
 from arcticdb.adapters.arctic_library_adapter import ArcticLibraryAdapter, set_library_options
 from arcticdb_ext.storage import StorageOverride, AzureOverride, CONFIG_LIBRARY_NAME
-from arcticdb.encoding_version import EncodingVersion
-from collections import namedtuple
-from dataclasses import dataclass, fields
 
 PARSED_QUERY = namedtuple("PARSED_QUERY", ["region"])
 
@@ -59,13 +60,18 @@ def __init__(self, uri: str, encoding_version: EncodingVersion, *args, **kwargs)
             ]
         )
         self._container = self._query_params.Container
-        if platform.system() != "Linux" and (self._query_params.CA_cert_path or self._query_params.CA_cert_dir):
+
+        # Extract CA certificate settings from parsed query parameters
+        # Ensure values are always strings (not None)
+        self._ca_cert_path = str(self._query_params.CA_cert_path) if self._query_params.CA_cert_path else ""
+        self._ca_cert_dir = str(self._query_params.CA_cert_dir) if self._query_params.CA_cert_dir else ""
+
+        if platform.system() != "Linux" and (self._ca_cert_path or self._ca_cert_dir):
             raise ValueError(
                 "You have provided `ca_cert_path` or `ca_cert_dir` in the URI which is only supported on Linux. "
                 "Remove the setting in the connection URI and use your operating system defaults."
             )
-        self._ca_cert_path = self._query_params.CA_cert_path
-        self._ca_cert_dir = self._query_params.CA_cert_dir
+
         if not self._ca_cert_path and not self._ca_cert_dir and platform.system() == "Linux":
             if ssl.get_default_verify_paths().cafile is not None:
                 self._ca_cert_path = ssl.get_default_verify_paths().cafile

python/arcticdb/version_store/helper.py

@@ -430,8 +430,10 @@ def get_azure_proto(
             azure.prefix = f"{lib_name}{time.time() * 1e9:.0f}"
     else:
         azure.prefix = lib_name
-    azure.ca_cert_path = ca_cert_path if ca_cert_path else ""
-    azure.ca_cert_dir = ca_cert_dir if ca_cert_dir else ""
+    # Always set the values explicitly to ensure they're stored in the config
+    # Convert None to empty string, but preserve non-empty strings
+    azure.ca_cert_path = str(ca_cert_path) if ca_cert_path is not None else ""
+    azure.ca_cert_dir = str(ca_cert_dir) if ca_cert_dir is not None else ""
 
     sid, storage = get_storage_for_lib_name(azure.prefix, env)
     storage.config.Pack(azure, type_url_prefix="cxx.arctic.org")

python/tests/integration/arcticdb/test_arctic.py

@@ -274,25 +274,6 @@ def test_azurite_no_ssl_verification(monkeypatch, azurite_storage, client_cert_f
         ac.delete_library(lib_name)
 
 
-@AZURE_TESTS_MARK
-@SSL_TESTS_MARK
-@pytest.mark.parametrize("client_cert_file", parameter_display_status)
-@pytest.mark.parametrize("client_cert_dir", parameter_display_status)
-def test_azurite_ssl_verification(azurite_ssl_storage, monkeypatch, client_cert_file, client_cert_dir, lib_name):
-    storage = azurite_ssl_storage
-    # Leaving ca file and ca dir unset will fallback to using os default setting,
-    # which is different from the test environment
-    default_setting = DefaultSetting(storage.factory)
-    monkeypatch.setattr("ssl.get_default_verify_paths", lambda: default_setting)
-    uri = edit_connection_string(storage.arctic_uri, ";", storage, None, client_cert_file, client_cert_dir)
-    ac = Arctic(uri)
-    try:
-        lib = ac.create_library(lib_name)
-        lib.write("sym", pd.DataFrame())
-    finally:
-        ac.delete_library(lib_name)
-
-
 def test_basic_metadata(lmdb_version_store):
     lib = lmdb_version_store
     df = pd.DataFrame({"col1": [1, 2, 3], "col2": [4, 5, 6]})