From 4c78500ec97a4fb5845bc6ede19b0231feae45ee Mon Sep 17 00:00:00 2001
From: Warren Chen
Date: Wed, 18 Feb 2026 12:02:35 +0900
Subject: [PATCH] fix(docker): Update Dockerfile to install ca-certificates and create unprivileged user fix(settings): Ensure SSL_CERT_FILE is set using certifi if not already defined chore(requirements): Add certifi to requirements for SSL certificate handling
---
 innovedus_cms/Dockerfile | 6 +++++-
 innovedus_cms/mysite/settings/base.py | 9 +++++++++
 innovedus_cms/requirements.txt | 3 ++-
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/innovedus_cms/Dockerfile b/innovedus_cms/Dockerfile
index 755d6ea..5ff3085 100644
--- a/innovedus_cms/Dockerfile
+++ b/innovedus_cms/Dockerfile
@@ -10,7 +10,11 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /code
 # Create an unprivileged user to run the app
-RUN adduser --disabled-password --gecos '' app
+RUN set -ex && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends ca-certificates && \
+ rm -rf /var/lib/apt/lists/* && \
+ adduser --disabled-password --gecos '' app
 COPY requirements.txt /tmp/requirements.txt
 RUN set -ex && \
diff --git a/innovedus_cms/mysite/settings/base.py b/innovedus_cms/mysite/settings/base.py
index 4b43aa4..128f2b9 100644
--- a/innovedus_cms/mysite/settings/base.py
+++ b/innovedus_cms/mysite/settings/base.py
@@ -13,9 +13,18 @@ https://docs.djangoproject.com/en/5.2/ref/settings/
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 import os
+try:
+ import certifi
+except Exception:
+ certifi = None
+
 PROJECT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 BASE_DIR = os.path.dirname(PROJECT_DIR)
+# Ensure Python SSL always has a CA bundle unless caller explicitly sets one.
+if not os.environ.get("SSL_CERT_FILE") and certifi is not None:
+ os.environ["SSL_CERT_FILE"] = certifi.where()
+
 def env_list(name, default):
 """
 Return a list from a comma-separated env var; fall back to provided default list.
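Review bot: The comment `# Create an unprivileged user to run the app` now heads a RUN that also runs apt-get, so it no longer describes the layer; I would reword it to `# Install the system CA bundle, then create an unprivileged user to run the app`, or split the package install into its own RUN with its own comment. The hunk creates `app` but no `USER app` line is visible in it, so confirm further down the Dockerfile that the image actually drops to that user before the server starts. Keeping `apt-get update`, the install and `rm -rf /var/lib/apt/lists/*` in a single layer is right and should stay that way if the step is split.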
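Review bot: `except Exception:` around `import certifi` is broader than the one failure this fallback is meant for, and because the same commit makes certifi a declared requirement, a missing or broken install is silently turned into `certifi = None` with certificate verification left on whatever the platform default happens to be; `except ImportError:` keeps the optional import without hiding other errors. The `SSL_CERT_FILE` assignment is process-wide and inherited by child processes, and it points the default CA file at certifi's bundle rather than the OS bundle that the Dockerfile change installs, so a privately issued CA added to the system store may not be found through that file unless the operator sets `SSL_CERT_FILE` themselves. That precedence is worth stating in the comment, for example `# Defaults to certifi's bundle; set SSL_CERT_FILE to use a different CA file (e.g. one that includes an internal CA).` An empty `SSL_CERT_FILE` is treated as unset by the `not os.environ.get(...)` test, which looks intended. The `env_list` function at the end of the hunk continues outside it.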
diff --git a/innovedus_cms/requirements.txt b/innovedus_cms/requirements.txt
index 806a9eb..ab34ab3 100644
--- a/innovedus_cms/requirements.txt
+++ b/innovedus_cms/requirements.txt
@@ -4,4 +4,5 @@ gunicorn
 dj-database-url
 psycopg[binary]
 python-dotenv
-django-storages[boto3]
\ No newline at end of file
+django-storages[boto3]
+certifi
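Review bot: `certifi` is added without a version constraint, so the set of root CAs the application trusts depends on whichever release pip resolves when the image is built. The neighbouring entries are unpinned too, so this matches the file, but for a package whose payload is trust anchors I would record a lower bound or install from a hash-checked lock file (`pip install --require-hashes`), and rebuild the image regularly so distrusted roots are dropped. The old last line had no trailing newline and the new one appears to have one, which is an improvement.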