pyatls: use urllib3 v2 #12
Conversation
HernanGatta
requested review from
zizhong,
chester-leung,
octaviansima and
ggroode
🦙 MegaLinter status: ✅ SUCCESS
See detailed report in MegaLinter reports You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:
MegaLinter is graciously provided by |
| @@ -1,4 +1,5 @@ | |||
| cryptography==41.0.3 | |||
| PyJWT==2.8.0 | |||
| pyOpenSSL==23.2.0 | |||
| urllib3==1.26.16 | |||
| requests==2.31.0 | |||
There was a problem hiding this comment.
The
requestslibrary is not marked as a dependency of this package
do we need it here?
There was a problem hiding this comment.
I suppose it depends on what we use this file for. If it's for development dependencies, then yes; if it's for general dependencies, then I'd say no.
There was a problem hiding this comment.
Maybe I should rename it to requirements-dev.txt.
There was a problem hiding this comment.
I think it is fine to have it here.
| @@ -1,4 +1,5 @@ | |||
| cryptography==41.0.3 | |||
| PyJWT==2.8.0 | |||
| pyOpenSSL==23.2.0 | |||
| urllib3==1.26.16 | |||
| requests==2.31.0 | |||
There was a problem hiding this comment.
I think it is fine to have it here.
| from urllib3.util.connection import _TYPE_SOCKET_OPTIONS | ||
| from urllib3.util.timeout import _DEFAULT_TIMEOUT, _TYPE_TIMEOUT |
There was a problem hiding this comment.
Not a huge deal, but importing variables starting with _ feels a bit weird since they are the python equivalent of private variables and methods (and therefore I am not certain if they are protected from changing / breaking between minor version bumps unlike public methods).
There was a problem hiding this comment.
Yeah, I don't like it either. The alternative though is duplicating them, which felt nastier when I was considering what to do.
Thinking about it more now, maybe I should duplicate them since these end up being part of the aTLS package's public API.
| from urllib3.util.timeout import _DEFAULT_TIMEOUT, _TYPE_TIMEOUT | ||
|
|
||
|
|
||
| class _HTTPAConnectionShim(HTTPAConnection): |
There was a problem hiding this comment.
Any particular reason this file and class have an _ in front, because my understanding is that means you don't intend to import it anywhere else, but you do end up importing it in other files (I also have never seen a python file that starts with an _, but that might be a convention I am not aware of).
There was a problem hiding this comment.
Regarding the file name, I saw it in the requests library:
https://github.com/psf/requests/blob/main/src/requests/_internal_utils.py
As for the class name, the intention is to mark it as internal to the library, but still available to the library itself. Some tools (like VS Code) automatically hide modules (.py files) and types that start with an underscore.
I suppose that if the file starts with an underscore, then there is no point to also the class starting with one.
I can leave the underscore in the file and remove it from the class. Thoughts?
Overview
There are multiple mutually-incompatible HTTP libraries for Python: the built-in
httplibrary,urllib3, andrequests.These are layered in that
requestsusesurllib3which in turn useshttp. These libraries provide similarly or identically named classes to those in the lower layers but have different interfaces and exhibit different behavior, depending on usage.As a result, care must be taken to not mix them. Additionally, the general consensus in the Python world is to use
urllib3because of its superior feature set, such as built-in support for connection pooling.Note: The individual commits are meant to be reviewed individually.
Changes
Previously, the aTLS library used the
httplibrary directly, provided a shim to plug it intourllib3, and provided an aTLS adapter for therequestslibrary directly atop thehttp-based implementation.Additionally, the library used
urllib3v1.x, which is being deprecated in favor of v2.x, which is not API-compatible with v1.x. It follows that currently the aTLS library only works when v1.x is in the environment, though in a clean environmentpipwould install the v2.x series. Pinningurllib3to< 2.0.0would be less than ideal as its users move on.Lastly, the current implementation of the aTLS library is not compatible with Python 3.8 due to its usage of 3.10 syntax.
This PR fixes all of these problems.
Tested
Against an Opaque Prompts instance in confidential ACI:
[X] Clean Python 3.8 environment
[X] Idem, Python 3.10
[X] Idem, Python 3.11