boto / botocore

The low-level, core functionality of boto3 and the AWS CLI.
Apache License 2.0
1.51k stars 1.09k forks source link

botocore fails to import with older versions of pyopenssl installed due to an AttributeError #3312

Closed gibsondan closed 1 day ago

gibsondan commented 1 week ago

Describe the bug

if you have pyopenssl < 22.1.0 installed and try to import botocore.httpsession, you hit the following error on import:

>>> import botocore.httpsession
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.11/site-packages/botocore/httpsession.py", line 45, in <module>
    from urllib3.contrib.pyopenssl import (
  File "/usr/local/lib/python3.11/site-packages/urllib3/contrib/pyopenssl.py", line 43, in <module>
    import OpenSSL.SSL  # type: ignore[import-untyped]
    ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.11/site-packages/OpenSSL/crypto.py", line 1570, in <module>
    class X509StoreFlags(object):
  File "/usr/local/lib/python3.11/site-packages/OpenSSL/crypto.py", line 1589, in X509StoreFlags
    NOTIFY_POLICY = _lib.X509_V_FLAG_NOTIFY_POLICY
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_NOTIFY_POLICY'. Did you mean: 'X509_V_FLAG_EXPLICIT_POLICY'?

The callsite guards against ImportErrors (i.e. what you would see if the package was not installed at all) but does not guard against AttributeErrors, so the import fails: https://github.com/boto/botocore/blob/1ad32855c799456250b44c2762cacd67f5647a6e/botocore/httpsession.py#L39-L49

Regression Issue

Expected Behavior

botocore to still import on older versions of pyopenssl

Current Behavior

An error is raised on import with the above stack traced

Reproduction Steps

In a new venv (on a Macbook M2):

pip install -U botocore 'pyopenssl<22.1.0' python -c 'import botocore.httpsession'

Possible Solution

Catch AttributeError as well as ImportError in the linked import callsite above

Additional Information/Context

No response

SDK version used

1.35.71

Environment details (OS name and version, etc.)

Mac OS M2

tim-finnigan commented 1 day ago

Thanks for reaching out — this appears to be a duplicate of https://github.com/boto/boto3/issues/3585, where a maintainer replied:

Thanks for the report! Boto3 doesn't actually use pyOpenSSL. In fact, we'd actively discourage for most use cases in favor of the ssl module that's present in all supported versions of Python.

What we're hitting here is urllib3 accessing code within pyopenssl that may not have bindings available. Depending on which version of urllib3 you're using, it typically supports pyOpenSSL>=0.14.0. It looks like that may not be accurate on every system (or PyOpenSSL has released some breaking changes in some versions).

From Boto3's side, we can expand our exception handling to deal with the AttributeError that will hopefully help prevent this edge case. I'll leave this marked as a bug while we're working on a patch.

I'm going to close this as a duplicate and we can continue tracking this in https://github.com/boto/boto3/issues/3585.