Refactor of cheroot.ssl.pyopenssl removing SSLConnectionProxyMeta

[julianz-]

Removes metaclass by using __getattr__(self, name) to intercept
method calls.

[webknjaz]

I wonder why this separation is even necessary just for shutdown. It might've been for some ancient pyopenssl compat.

[julianz-]

Shutdown on Python sockets expects a how parameter e.g. socket.SHUT_WR. OpenSSL does not take a similar parameter so PyOpenSSL doesn't either. It's not clear we need to support this parameter. I do see a couple of places where this question might be considered:

In threadpool.py:

def _force_close(conn):
        if conn.rfile.closed:
            return
        try:
            try:
                conn.socket.shutdown(socket.SHUT_RD)
            except TypeError:
                # pyOpenSSL sockets don't take an arg
                conn.socket.shutdown()
        except OSError:
            # shutdown sometimes fails (race with 'closed' check?)
            # ref #238
            pass

and server.py

def _close_kernel_socket(self):
        """Terminate the connection at the transport level."""
        # Honor ``sock_shutdown`` for PyOpenSSL connections.
        shutdown = getattr(
            self.socket,
            'sock_shutdown',
            self.socket.shutdown,
        )

        try:
            shutdown(socket.SHUT_RDWR)  # actually send a TCP FIN
        except errors.acceptable_sock_shutdown_exceptions:
            pass
        except socket.error as e:
            if e.errno not in errors.acceptable_sock_shutdown_error_codes:
                raise

[webknjaz]

Okay.. So in server.py the arg is passed in but in threadpool.py it's not. Got it. I'm not sure how I feel that the locking wrappers at all. I wish the hackery was just dropped.

[julianz-]

i think we can get rid of the locking wrappers. see next comment.

[webknjaz]

@julianz- yep, and decorate the methods in #786 directly?

[julianz-]

Yes i think so. In this version, SSLConnection is pretty bare bones but we can add the error handling in #786.

[webknjaz]

I would expect this to be somewhere in the helper, though. So we wouldn't be adding public attributes.
Additionally, I don't fully understand the property patching bit — why is it necessary? Also, do does the connection object even need to be made thread-safe? Why?

[julianz-]

I've revamped the whole thing - getting rid of the meta class, decorator, property patching, and avoiding adding any public attributes. See what you think. Great question about thread-safety. I think you are right - I don't think it's needed as the usual pattern involves one connection per thread. If so we can further simplify the SSLConnection class. Let me know if you think we should remove.

[webknjaz]

@julianz- so I did some research and here's my observations:

1. mass-searching source code, it seems like only CherryPy/Cheroot (often being vendored into something else) have any references to thread-safety: https://grep.app/search?f.lang=Python&regexp=true&q=%28threadsafe|thread-safe|thread+safe%29.*\n.*\n.*SSL\.Connection (CherryPy is what first had this module until the HTTP/WSGI part was split out of it).
2. mature projects like urllib3 that also make use of PyOpenSSL don't have any locking: https://github.com/urllib3/urllib3/blob/b20c836/src/urllib3/contrib/pyopenssl.py (although, it might be interesting to look at how they organize their socket wrapper)
3. somebody asked about thread-safety upstream and Paul said that it's fine: Is the pyopenssl thread-safe? pyca/pyopenssl#424. But he made a remark about subinterpreters / mod_wsgi and I know that CherryPy has some code that is probably not being tested in CI related to mod_wsgi. But this was nearly a decade ago.
4. https://stackoverflow.com/a/61826374/595220 hints that prior to OpenSSL 1.1.0 there would be some problems but not anymore. That version hit EOL 6 years ago: https://endoflife.date/openssl. So we shouldn't need to care about it.
5. Is SSL_SESSION supposed to be thread-safe? openssl/openssl#25343 / https://crypto.stackexchange.com/a/41344/70030 / https://docs.openssl.org/1.0.2/man3/threads/#description claim that low-level SSL_SESSION isn't thread-safe. But given the PyOpenSSL issue, I'm inclined to believe that it's fine in the Python land.
6. I did some Git paleontology and the commit that added locking on Sep 12, 2006 cherrypy/cherrypy@f2e3c1c (f2e3c1c); being terrified of exec(), I rewrote it to a metaclass on Sep 2, 2018 in e9e070b
   That commit does not really explain anything but references pyOpenSSL/tsafe.py. This was pre-PyPI which explains why things were being copied across projects and/or vendored. The first PyOpenSSL release on PyPI was 0.6 on Jun 4, 2008. So it's already two years past the CherryPy commit. We can't say for sure which version this was copied from. The very first import of PyOpenSSL from some other VCS into Git was on Feb 2, 2008 (pyca/pyopenssl@897bc25) but it's tagged as v0.14a1 while is probably an error or some weird historic artifact. However, that commit does contain the exec() snippet with locking that ended up in CherryPy — https://github.com/pyca/pyopenssl/blob/897bc2556fed43b76f6d1b14470c3e806df15af8/tsafe.py. On Jul 28, 2010, that module moved within the repo to https://github.com/pyca/pyopenssl/blob/94cc894795226537daf2f4e79e2d142ff51eacec/OpenSSL/tsafe.py (pyca/pyopenssl@94cc894#diff-eb4dc4606a8f26382d033c9859d6b5be8043e8bc511522f2e014e181bd09c09d). More history of this module: https://github.com/pyca/pyopenssl/commits/e41098f271dc96d6c411172bb11bbe5816f78710/src/OpenSSL/tsafe.py. It was deprecated on Sep 4, 2017 in PyOpenSSL v17.3.0 (Deprecate OpenSSL.tsafe pyca/pyopenssl#655 / Fixes #655 -- deprecate OpenSSL.tsafe  pyca/pyopenssl#673) and removed fully on Nov 27, 2020 in v20.0.0 (Remove deprecated tsafe module. pyca/pyopenssl#913). The maintainers thought nobody uses it and weren't sure it was functional. At the time of deletion, it was still using the original exec() (with an additional method added to the list throughout its life).

---

So I'd get rid for the hacks and made it as simple as possible, instead of trying to preserve them w/o a good recorded/explainable justification.

[julianz-]

Very thorough! But obviously removing the thread-safety is a potentially breaking change if anyone is relying on it.

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.41%. Comparing base (22bb430) to head (2aa8da3).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #787      +/-   ##
==========================================
- Coverage   79.60%   79.41%   -0.20%     
==========================================
  Files          29       29              
  Lines        4261     4240      -21     
  Branches      542      539       -3     
==========================================
- Hits         3392     3367      -25     
- Misses        726      729       +3     
- Partials      143      144       +1     

[webknjaz]

@julianz- linking the thread where I posted more thoughts in case it gets lost in the UI: #787 (comment).

[webknjaz]

Can we plz keep the error conversion in a standalone PR? Also, I still prefer this to be a context manager rather than a callable.

[webknjaz]

no lock?

[webknjaz]

typing.Optional is considered confusing because it's actually Union[thing, None].

Suggested change

	def shutdown(self, how: Optional[int] = None) -> None: ...
	def shutdown(self, how: int | None = None) -> None: ...

[webknjaz]

Instead of this, can we just have the class inherit SSL.Connection? I'd like to avoid dynamic things that aren't really lintable staticly (by things like MyPy and similar).

[webknjaz]

Docstrings are expected to be RST, so it's either double backticks or proper roles to reference things. Try this:

Suggested change

	` shutdown(how=None)` is available for interface compatibility..
	:py:meth:`.shutdown` is available for interface compatibility.

This is where it's rendered: https://cheroot--787.org.readthedocs.build/en/787/pkg/cheroot.ssl.pyopenssl/#cheroot.ssl.pyopenssl.SSLConnection

[webknjaz]

Suggested change

cheroot/test/ssl/test_ssl_pyopenssl.py: DAR101, DAR201, WPS226

[webknjaz]

What are these exactly?

[webknjaz]

I wonder if we should have something for sock_shutdown().

[webknjaz]

Let's try to make this better: https://cheroot--787.org.readthedocs.build/en/787/pkg/cheroot.ssl.pyopenssl/#cheroot.ssl.pyopenssl.SSLConnection.shutdown

Suggested change

	how: Ignored.
	PyOpenSSL's shutdown() method does not accept any arguments.
	Present here for interface compatibility with Python
	socket.shutdown(how).
	:param how: Ignored. PyOpenSSL's :py:meth:`~OpenSSL.SSL.Connection.shutdown` \
	method does not accept any arguments.\
	Present here for interface compatibility with Python \
	:py:meth:`socket.shutdown` that :py:class:`ssl.SSLSocket` wrapper \
	exposes.
	:type how: object

[webknjaz]

This is probably redundant once its wrapped in the docstring properly.

Suggested change

pyOpenSSL

[webknjaz]

Changelog does't do things, it doesn't remove locking. It is supposed to describe what's changed. Use a different writing style to show what the effect is compared to the previous release. It can be the past tense or present simple but not third person.

Maybe this explanation will work for you https://pip-tools.rtfd.io/en/stable/contributing/#rationale

[webknjaz]

Suggested change

	A compatibility wrapper around pyOpenSSL's SSL.Connection.
	A compatibility wrapper around :py:class:`OpenSSL.SSL.Connection`.

[webknjaz]

I'm actually not sure if this constitutes a breaking change. SemVer talks about breaking changes in the context of API compatibility and the API seems to have remained intact. WDYT?