PYTHON-5309 Ensure AsyncMongoClient doesn't use PyOpenSSL

[sleepyStick]

jira: https://jira.mongodb.org/browse/PYTHON-5309
problem: if a user had pyopenssl installed on their machine, the async client wouldnt configure ssl properly
brief description of my changes:

• ssl_context will try to load both stdlib ssl and pyopenssl
• the driver will now dynamically determine which ssl to use (if the user has both) depending on async vs sync context
• to get this to work, AutoEncryptionOpts delays the resolution of _kms_ssl_contexts

[ShaneHarvey]

What's the motivation for adding this section?

[sleepyStick]

Oh uh, I was struggling to get it working and asked Noah a bunch of questions, so he suggested I add a section here.

[ShaneHarvey]

I'm concerned about people seeing this section and misinterpreting it to mean that they should be using tlsAllowInvalidCertificates. Can we remove it or make it very clear that this is only for local testing (using our test certificates) and not production?

[ShaneHarvey]

This is a public api so we can't add "is_sync" here. What's the motivation for this?

[sleepyStick]

Oh, I added is_sync as a param to a few functions because in ssl_support.get_ssl_context(), we'll need to know which version of ssl should be used,, is there another way to go about this that is preferred?

[ShaneHarvey]

Thanks, we still can not add "is_sync" here so we need to find another way.

[ShaneHarvey]

One way would be to lazily init the async SSLContext in kms_request().

[sleepyStick]

I think I did it? Not sure if this is what you meant, but what I have now would leave the params to AutoEncryptOpts unchanged.
I basically delayed the parse_kms_tls_options because that's where is_sync was needed. I believe i appropriately delayed the definition of kms_tls_options but let me know if I missed something. I'm not super familiar with how encryption in the driver works >.<

[NoahStapp]

Can you schedule a run of all the pyopenssl variants/tasks?

[sleepyStick]

Can you schedule a run of all the pyopenssl variants/tasks?

oops yeah, sorry i'll add it to the latest run with the updated evergreen patch changes from steve's PR

[NoahStapp]

What's the motivation behind the renaming to _pysslConn here?

[sleepyStick]

When i was making these changes, I started interpreting py* to mean it would refer to pyopenssl (if it existed, and stdlib ssl if it did not) whereas ssl related vars without py in the front meant it was strictly referring to stdlib ssl. I'm not strongly attached to the renaming and wouldn't mind undoing it, but it helped my brain read the code.

[ShaneHarvey]

I'd prefer the old name (_sslConn). A larger refactor could be a good idea but I'd prefer this PR be as minimal as possible to avoid regressions because it's going into a bugfix release.

[NoahStapp]

Can we use Union types here to remove the need for two separate exports of everything? Something like:

BLOCKING_IO_ERRORS = _ssl.BLOCKING_IO_ERRORS | _pyssl.BLOCKING_IO_ERRORS

Are there any situations where we specifically care if an exception type is from PyOpenSSL or stdlib SSL?

[sleepyStick]

ooo good call out. I don't think we particularly care if its pyopenssl vs stdlib ssl error.

[sleepyStick]

I think python3.9 didn't love the union types? so i just made them tuples. But its a similar idea.
I couldn't apply this to SSLError though because sometimes we'd raise SSLError so it needed to be one specific type.

[NoahStapp]

Can you expand on why the union types didn't work? We use Union elsewhere in our type hints.

[sleepyStick]

hmm okay not sure what i did incorrectly last time, but it works now! sorry about that >.<
(I'm going to guess i handled BLOCKING_IO_ERRORS incorrectly cuz i believe that's already a tuple of types and the union of two different types of tuples was not good?)

[sleepyStick]

Wait,, how am i supposed to do it then? I thought Union[x, y] was for type hints??

[NoahStapp]

That error is from trying to use the pipe | operator, right? What happens when you use Union[x, y] instead?

[sleepyStick]

Ah, it works! thanks!

[blink1073]

Oh, this is a runtime object, not a type hint. We should be using the same type as ssl.BLOCKING_IO_ERRORS (most likely a tuple or a list)

[sleepyStick]

yeah, it didn't immediately error (as a runtime object) so i thought it was just something I didn't know about how python works HAHA but okay, changing it back to a tuple now xD

[NoahStapp]

🥳

[ShaneHarvey]

I'm concerned about people seeing this section and misinterpreting it to mean that they should be using tlsAllowInvalidCertificates. Can we remove it or make it very clear that this is only for local testing (using our test certificates) and not production?

[sleepyStick]

That's fair, I've removed it and added it to our onboarding google doc for now. :)

[NoahStapp]

That's fair, I've removed it and added it to our onboarding google doc for now. :)

I would rather keep the section in contributing.md to help any external contributors. Having a warning that this is purely for local testing and should never be done in production seems sufficient to me.

[ShaneHarvey]

These tests should use the real validation path. Something like:

        # Error cases:
        opts = AutoEncryptionOpts({}, "k.d", kms_tls_options={"kmip": 1})
        with self.assertRaisesRegex(TypeError, r'kms_tls_options\["kmip"\] must be a dict'):
            self.mongo_client(auto_encryption_opts=opts)

Alternatively, we can keep the old sync validation behavior in the AutoEncryptionOpts constructor and only re-parse the kms_tls_options in the async _EncryptionIO case.

I'm fine with either option.

[ShaneHarvey]

I would rather keep the section in contributing.md to help any external contributors. Having a warning that this is purely for local testing and should never be done in production seems sufficient to me.

That's fine but it's unrelated to this PR so should be done in a different ticket.

[ShaneHarvey]

@sleepyStick could you also update the PR title to describe the bug fix?

[ShaneHarvey]

These tests should raise from the AsyncMongoClient constructor, without even attempting to connect. We could even use AsyncMongoClient() directly:

        with self.assertRaisesRegex(TypeError, r'kms_tls_options\["kmip"\] must be a dict'):
            AsyncMongoClient(auto_encryption_opts=opts)

Could you confirm?

[ShaneHarvey]

Based on the test failure, the current approach is a little problematic because the validation error happens after we've created an internal MongoClient. When the validation fails, we leave the client open, leading to a resource warning.

[sleepyStick]

Ahhh yeah, i see now. Thanks for popping over to further explain it, and for working thru the soln with me!

[ShaneHarvey]

It's worth adding a comment here to explain that we call this here so that parsing errors can be raised before creating internal clients.

[sleepyStick]

makes sense, added :)

[ShaneHarvey]

Please remove type:ignore[assignment]. Those are bug factories and should only be used in exceptional circumstances.

[sleepyStick]

and fixed

[mongodb-drivers-pr-bot]

Sorry, unable to cherry-pick to v4.12, please backport manually. Here are approximate instructions:

1. Checkout backport branch and update it.

git checkout -b cherry-pick-v4.12-c3e3373df2bf93c616dca0d53c7fbe3f7064d7ba v4.12

git fetch origin c3e3373df2bf93c616dca0d53c7fbe3f7064d7ba

2. Cherry pick the first parent branch of the this PR on top of the older branch:

git cherry-pick -x -m1 c3e3373df2bf93c616dca0d53c7fbe3f7064d7ba

3. You will likely have some merge/cherry-pick conflicts here, fix them and commit:

git commit -am {message}

4. Push to a named branch:

git push origin cherry-pick-v4.12-c3e3373df2bf93c616dca0d53c7fbe3f7064d7ba

5. Create a PR against branch v4.12. I would have named this PR:

"PYTHON-5309 Ensure AsyncMongoClient doesn't use PyOpenSSL (#2286) [v4.12]"