Fetch AIA intermediate certificates with credential-free HTTP sessions

[dkirov-dd]

What does this PR do?

Fetches AIA (Authority Information Access) intermediate certificates using fresh, credential-free HTTP sessions.

The primary fix is in the shared base HTTP wrapper: RequestsWrapper.load_intermediate_certs() now fetches the certificate's AIA CA Issuers URI with a new clean RequestsWrapper instead of reusing the configured wrapper. Each fetch attempts secure TLS first, then falls back to a no-verify plain HTTP path, and disables proxy inheritance for the AIA fetch session.

The TLS integration has a separate AIA chasing implementation, so this PR applies the same credential-free fetching pattern there as well. Existing caching, recursion, hashing/dedup, and certificate loading behavior are preserved.

The fetch_intermediate_certs option behavior is unchanged: it was already respected, and its default remains false.

Motivation

Security case VULN-1192: AIA chasing should not reuse an integration instance's configured HTTP session for peer-provided certificate issuer URLs.

Review checklist (to be filled by reviewers)

• Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
• Add qa/required if this PR needs QA validation, or qa/skip-qa if it does not. Exactly one of the two is required.
• If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

[datadog-prod-us1-5]

   

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 3 Pipeline jobs failed

Validate repository | Run Validations / Validate     

PR All | test / j8217a3a / TeamCity     

PR All | test / ja7f6415 / Redis     

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
• Patch Coverage: 92.82%
• Overall Coverage: 88.13%

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: b3e1af0 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Validation Report

Validation	Description	Status
license-headers	Validate Python files have proper license headers	❌

Run ddev validate all changed --fix to attempt to auto-fix supported validations.

Passed validations (20)

Validation	Description	Status
agent-reqs	Verify check versions match the Agent requirements file	✅
ci	Validate CI configuration and code coverage settings	✅
codeowners	Validate every integration has a CODEOWNERS entry	✅
config	Validate default configuration files against spec.yaml	✅
dep	Verify dependency pins are consistent and Agent-compatible	✅
http	Validate integrations use the HTTP wrapper correctly	✅
imports	Validate check imports do not use deprecated modules	✅
integration-style	Validate check code style conventions	✅
jmx-metrics	Validate JMX metrics definition files and config	✅
labeler	Validate PR labeler config matches integration directories	✅
legacy-signature	Validate no integration uses the legacy Agent check signature	✅
licenses	Validate third-party license attribution list	✅
metadata	Validate metadata.csv metric definitions	✅
models	Validate configuration data models match spec.yaml	✅
openmetrics	Validate OpenMetrics integrations disable the metric limit	✅
package	Validate Python package metadata and naming	✅
qa-label	Validate the pull request declares whether it needs QA for the next Agent release	✅
readmes	Validate README files have required sections	✅
saved-views	Validate saved view JSON file structure and fields	✅
version	Validate version consistency between package and changelog	✅

View full run