#2753 drop PyOpenSSL usage
Merged a year ago by tkopecek. Opened a year ago by tkopecek.
tkopecek/koji issue2752  into  master

file modified
-2
@@ -119,7 +119,6 @@ 

  %else

  Requires: rpm-python

  %endif

- Requires: pyOpenSSL

  Requires: python-requests

  Requires: python-requests-gssapi

  Requires: python-dateutil
@@ -139,7 +138,6 @@ 

  %else

  Requires: rpm-python%{python3_pkgversion}

  %endif

- Requires: python%{python3_pkgversion}-pyOpenSSL

  Requires: python%{python3_pkgversion}-requests

  %if 0%{?fedora} >= 32 || 0%{?rhel} >= 8

  Requires: python%{python3_pkgversion}-requests-gssapi > 1.2.1

file modified
+1 -50
@@ -68,15 +68,6 @@ 

  __version__ = _version.__version__

  __version_info__ = _version.__version_info__

  

- SSL_Error = None

- try:

-     from OpenSSL.SSL import Error as SSL_Error

- except Exception:  # pragma: no cover

-     # the hub imports koji, and sometimes this import fails there

-     # see: https://cryptography.io/en/latest/faq/#starting-cryptography-using-mod-wsgi-produces-an-internalerror-during-a-call-in-register-osrandom-engine  # noqa: E501

-     # unfortunately the workaround at the above link does not always work, so

-     # we ignore it here

-     pass

  try:

      import requests_gssapi as reqgssapi

  except ImportError:  # pragma: no cover
@@ -2275,46 +2266,6 @@ 

      return False

  

  

- def is_cert_error(e):

-     """Determine if an OpenSSL error is due to a bad cert"""

- 

-     if SSL_Error is None:  # pragma: no cover

-         # import failed, so we can't determine

-         raise Exception("OpenSSL library did not load")

-     if not isinstance(e, SSL_Error):

-         return False

- 

-     # pyOpenSSL doesn't use different exception

-     # subclasses, we have to actually parse the args

-     for arg in e.args:

-         # First, check to see if 'arg' is iterable because

-         # it can be anything..

-         try:

-             iter(arg)

-         except TypeError:

-             continue

- 

-         # We do all this so that we can detect cert expiry

-         # so we can avoid retrying those over and over.

-         for items in arg:

-             try:

-                 iter(items)

-             except TypeError:

-                 continue

- 

-             if len(items) != 3:

-                 continue

- 

-             _, _, ssl_reason = items

- 

-             if ('certificate revoked' in ssl_reason or

-                     'certificate expired' in ssl_reason):

-                 return True

- 

-     # otherwise

-     return False

- 

- 

  def is_conn_error(e):

      """Determine if an error seems to be from a dropped connection"""

      # This is intended for the case where e is a socket error.
@@ -2806,7 +2757,7 @@ 

                      tb_str = ''.join(traceback.format_exception(*sys.exc_info()))

                      self.new_session()

  

-                     if is_cert_error(e) or is_requests_cert_error(e):

+                     if is_requests_cert_error(e):

                          # There's no point in retrying for this

                          raise

  

file modified
-1
@@ -11,7 +11,6 @@ 

  

      requires = [

          'python-dateutil',

-         'pyOpenSSL',

          'requests',

          'requests-gssapi',

          'six',

file modified
-11
@@ -36,17 +36,6 @@ 

  import koji.tasks

  

  

- class NoSuchException(Exception):

-     pass

- 

- 

- try:

-     # pyOpenSSL might not be around

-     from OpenSSL.SSL import Error as SSL_Error

- except Exception:

-     SSL_Error = NoSuchException

- 

- 

  themeInfo = {}

  themeCache = {}

  

We've replaced it with requests library some time ago, this code has no
better sensitivity than requests error checking, so we can drop it
completely.

Fixes: https://pagure.io/koji/issue/2752

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

a year ago

I have not tested this, but it looks sane

Metadata Update from @jobrauer:
- Pull-request tagged with: testing-done

a year ago

My only (slight) concern here is removing the is_cert_error() function from the lib. However, I think it is ok. While the function isn't specifically marked as private, it is definitely not meant to be used directly by clients, and I don't believe any do. A web search for "is_cert_error" only pulls up koji and a couple clearly unrelated items.

So, :thumbsup:

Commit b5c8d41 fixes this pull-request

Pull-Request has been merged by tkopecek

a year ago