Add TLSSocket abstraction for uniform SSL/TLS handling

[julianz-]

Introduces a new TLSSocket class to act as a unified wrapper for SSL/TLS connections, regardless of the underlying adapter (builtin, pyOpenSSL).

This refactoring aims to:

1. Simplify adapter logic by centralizing common TLS socket properties and methods.
2. Improve consistency when populating WSGI environment variables.
3. Centralize error handling for the adapters.

[codecov]

Codecov Report

❌ Patch coverage is 13.60000% with 216 lines in your changes missing coverage. Please review.
✅ Project coverage is 38.58%. Comparing base (a475500) to head (21b753e).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #799       +/-   ##
===========================================
- Coverage   77.69%   38.58%   -39.12%     
===========================================
  Files          41       13       -28     
  Lines        4672      635     -4037     
  Branches      544        1      -543     
===========================================
- Hits         3630      245     -3385     
+ Misses        900      390      -510     
+ Partials      142        0      -142     

[webknjaz]

These are a few superficial observations. We'll have to work towards moving as much as possible into multiple small PRs so that this one will be reviewable. But one thing I'd want to request already is avoiding intercepting broad exception class and sticking to what's known and expected. I marked some things that are mostly ready for extraction out of this patch.

[webknjaz]

Better move this into the wrap method of the adapter and raise a NoSSLError so that it's handled in the same except block below for both adapters.
This way, the adapter internals won't leak into this layer.

[julianz-]

Much better yes!

[webknjaz]

Do we need a modern enough PyOpenSSL for sendall() to work well?

[julianz-]

I changed to:

if hasattr(sock, 'sendall'):
    sock.sendall(response_bytes)
else:
    # Fallback for older PyOpenSSL or SSL objects
    sock.send(response_bytes)

Is that safe enough?

[webknjaz]

I don't know. The fallback might need a loop or something. I was just mostly asking because you worked with that lib recently and I didn't. If it needs a newer PyOpenSSL, I'd maybe think of starting to provide a pyopenssl extra in the core packaging metadata.

[webknjaz]

Suggested change

	# we handle http over https pre-emptivley
	# we handle http over https pre-emptively

(although, with the suggestion above we could just drop the entire comment)

[julianz-]

Yes gone now

[webknjaz]

This method (or a simplified/standalone variant) could go into a separate PR so that we'd accept it earlier and have a smaller patch here.

[julianz-]

Sure. Will do.

[webknjaz]

I'm not sure we should be bringing TLS internals into the generic makefile. I'll have to think more about this..

[julianz-]

Good point. Maybe this is better?

# Check for wrapped socket
if hasattr(sock, 'read') and hasattr(sock, 'write'):
    raw_io = sock  # Already wrapped (could be TLSSocket) 
else:
    # Standard socket - wrap with SocketIO
    raw_io = socket.SocketIO(sock, mode)

[webknjaz]

With the @classmethod suggestion (#799 (comment)), this will be redundant.

[webknjaz]

With the @classmethod suggestion (#799 (comment)), this will be redundant.

[webknjaz]

This could probably be a cached properly.

[webknjaz]

We should just use pathlib for these.

[webknjaz]

Use f-strings instead of old-style interpolation.

[webknjaz]

This public API change might be dangerous for CherryPy. Will have to check if it uses this.

[webknjaz]

This module should only have a generic base class and sockets for different libs would be subclasses. Trying to put multiple corner cases from multiple libs is going to be difficult to maintain or extend.

[webknjaz]

I think this is only used in one test module. Unless it's used in more places, it should remain in that module.

[webknjaz]

Let's put moving these into a separate PR.

[webknjaz]

Rename to cheroot/test/ssl/test_builtin.py

[webknjaz]

Rename to cheroot/test/ssl/test_ssl_pyopenssl.py

[webknjaz]

If this var isn't used elsewhere, we might want to drop it from compat.

[webknjaz]

This would have to go into a separate PR and be coupled with changes to the core packaging metadata, linting configuration, dev env and CI setup.

[webknjaz]

Why is this needed?

[webknjaz]

This is still checking obscure properties of objects to infer TLS relation. We shouldn't be relying on whether something is TLS or not in here. This is an abstraction leak no matter the method of checking.
The callers should decide if something needs wrapping and this is best done through providing alternative constructors.

[webknjaz]

Removing arguments or changing their order is a backwards incompatible change. We should avoid those and at least have a deprecation period to allow for downstream adoption. Deprecations would have to be dedicated multi-stage coordinated processes.

[webknjaz]

Don't use napoleon that is not integrated. Use Sphinx-native param lists.

Suggested change

	Args:
	components: Iterable of (key, value) tuples
	key_prefix: 'SSL_CLIENT' or 'SSL_SERVER'
	dn_type: 'S' for subject or 'I' for issuer
	Returns:
	dict: ``DN`` and ``CN`` environment variables
	:param components: Iterable of (key, value) tuples
	:param key_prefix: 'SSL_CLIENT' or 'SSL_SERVER'
	:param dn_type: 'S' for subject or 'I' for issuer
	:returns: ``DN`` and ``CN`` environment variables
	:rtype: dict

Currently, it's not rendered well and Sphinx objects aren't recorded for params: https://cheroot--799.org.readthedocs.build/en/799/pkg/cheroot.ssl/#cheroot.ssl._parse_dn_components.

When done correctly, the params are clearly marked and well-formatted. As well as return values and raised exceptions. Example: https://cheroot--799.org.readthedocs.build/en/799/pkg/cheroot._compat/#cheroot._compat.extract_bytes.

[webknjaz]

Use full words in docstrings. Not "environ" or "dict", because docstrings are user-facing. Additionally, it's possible to link objects Sphinx knows of, like :class:`dict`.

Within the scope of this function, it doesn't really matter how the caller will use the dict. So claiming that it's an "environ dict" doesn't make sense. It's just a dict and that's it. The caller might put it into a context.

Perhaps, this would be better:

Suggested change

	Parse Distinguished Name components into environ dict.
	Transform Distinguished Name components list into a dictionary.

[webknjaz]

We'll probably have to keep this for a while (with a sentinel default). And issue a warning when the value isn't that sentinel.

[webknjaz]

Oh, look — another abstraction leak to fight..

[webknjaz]

@julianz- the PR is so big that it can't be reviewed efficiently. I just can't keep up. Let's focus on finding all the things that can be merged as standalone PRs first. I'm trying to spot some of those but maybe, you'll see a few opportunities too.

[julianz-]

@webknjaz Agreed. Let's do things in smaller chunks.

[webknjaz]

These helpers look like they could be a separate refactoring PR. Also, I'm not sure if it's a good idea to put adapter-specific things into a shared module.

[webknjaz]

@julianz- let's proceed here by splitting out the makefile function removal into a separate PR. And another PR for the certificate parsing helpers. This should help use make this one as small as possible. Plus cleaning up unrelated config changes will be helpful too.

[julianz-]

After checking, removing the makefile really depends on using a unified class to represent the adpaters - i.e. the one I added here: TLSSocket. At least that's the way I was able to remove makefile in this PR. Not sure whether that is what you had in mind? I can probably split out the getenviron() stuff.

[webknjaz]

removing the makefile really depends on using a unified class to represent the adpaters - i.e. the one I added here: TLSSocket. At least that's the way I was able to remove makefile in this PR. Not sure whether that is what you had in mind?

I was imagining you'd replace things like from .makefile import MakeFile with from .makefile import StreamReader and MakeFile(...) with StreamReader(...). Without any functional changes, that doesn't seem to depend on TLSSocket. What am I missing?

I can probably split out the getenviron() stuff.

Go for it!

---

Once done, this PR can be rebased and it'll be easier to see what to do with the rest. It's also a good idea to drop any unrelated linting / tooling changes.

[julianz-]

Ah okay. I have done something more minimal that removes the MakeFile function in makefile.py but keeps the makefile functions in the adapters. See #805.

[webknjaz]

Having looked into it, I see that it's not as simple to get rid of makefile. I don't have a vision of how to handle that properly but at least "get environ" doesn't seem too complicated so feel free to focus on it first.

Once that's done, we you can rebase this and we'd strategize further. Sounds good?