authorChih-Hsuan Yen2024-02-10 17:00:24 +0800
committerChih-Hsuan Yen2024-02-10 17:21:41 +0800
commit407d0f60563344a7bcaf91fa1a7037e01b7ec0aa (patch)
tree4c63856849299f006372ec6ef82ddf9f9a721090
parente8817bd71d4b18321d5776d5d1c358f844d1c825 (diff)
downloadaur-407d0f60563344a7bcaf91fa1a7037e01b7ec0aa.tar.gz
Backport fixes for urllib3 2.x to vendored botocore
-rw-r--r--PKGBUILD21
-rw-r--r--botocore-2922.patch36
-rw-r--r--botocore-2924.patch27
-rw-r--r--botocore-2990-rebased.patch77
4 files changed, 159 insertions, 2 deletions
diff --git a/PKGBUILD b/PKGBUILD
index 8a6ab922b34e..527cbf764f90 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -24,14 +24,20 @@ source=("https://awscli.amazonaws.com/awscli-$pkgver.tar.gz"{,.sig}
fix-env.diff
"$pkgname-tz-fix.patch"
"${pkgname}-ruamel-yaml-v4.patch"
- allow-egg-info.diff)
+ allow-egg-info.diff
+ botocore-2922.patch
+ botocore-2924.patch
+ botocore-2990-rebased.patch)
sha256sums=('f8172666cd5437d0314bfc3965a25701c21536b5ceef82080a2fb14a420a9b0c'
'SKIP'
'0267e41561ab2c46a97ebfb024f0b047aabc9e6b9866f204b2c1a84ee5810d63'
'893d61d7e958c3c02bfa1e03bf58f6f6abd98849d248cc661f1c56423df9f312'
'4fc614b8550d7363bb2d578c6b49326c9255203eb2f933fd0551f96ed5fb1f30'
'20a9fcd5235bf606e86a6ec06ca30307ebbcfd36063d2ac561c1f9eff7243046'
- '6768df8667fe7fd827e6eef1c4cdb3eae25aba5806bbc725270200a585f62152')
+ '6768df8667fe7fd827e6eef1c4cdb3eae25aba5806bbc725270200a585f62152'
+ '62be6cad0f9039ae682abffd167181abbd4a690e2680867418c5542893d74b36'
+ 'aad8b863d9f9107c56401e71d76b71f526efd9f8efac31e2a007b9071f85b5b6'
+ 'a43c3e9aba8974fc09f1780a37b6a94108b15dbbbcecdf6d9e7e224ca135816b')
validpgpkeys=(
'FB5DB77FD5C118B80511ADA8A6310ACC4672475C' # the key mentioned on https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
)
@@ -58,6 +64,17 @@ prepare() {
# tests/dependencies checks dependencies, and many Arch Linux packages are not using PEP 517 yet
patch -Np1 -i ../allow-egg-info.diff
+ # Backport fixes for urllib3 2.x to vendored botocore
+ pushd awscli
+ # [Defer to system defaults for cipher suites with urllib3 2.0+](https://github.com/boto/botocore/pull/2922)
+ patch --no-backup-if-mismatch -Np1 -i ../../botocore-2922.patch
+ # [Do not set_ciphers(DEFAULT_CIPHERS) if DEFAULT_CIPHERS is None](https://github.com/boto/botocore/pull/2924)
+ patch --no-backup-if-mismatch -Np1 -i ../../botocore-2924.patch
+ # [Move 100-continue behavior to use high-level request interface](https://github.com/boto/botocore/pull/2990)
+ # Manually rebased due to conflicts from refactoring
+ patch --no-backup-if-mismatch -Np1 -i ../../botocore-2990-rebased.patch
+ popd
+
# use unittest.mock
# https://src.fedoraproject.org/rpms/awscli2/blob/rawhide/f/awscli2.spec
find -type f -name '*.py' -exec sed \
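Review bot: The comment `# Manually rebased due to conflicts from refactoring` does not record what botocore-2990-rebased.patch was rebased against or how much of the upstream change it carries, which a later maintainer needs in order to audit or drop it. The patch header added in this commit reads `[PATCH 1/3]`, so it looks as if only the first commit of the upstream series is included; if that is deliberate, the comment should say so. Something like `# Rebased onto the botocore vendored in awscli $pkgver; carries commit 1 of 3 from the PR, re-check on every pkgver bump` would cover it, adjusted to whatever is actually the case. prepare() starts and ends outside this hunk.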
diff --git a/botocore-2922.patch b/botocore-2922.patch
new file mode 100644
index 000000000000..496ddeef32c5
--- /dev/null
+++ b/botocore-2922.patch
@@ -0,0 +1,36 @@
+From 59489584f929b2893a5909c9009d3bdd556552a9 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 20 Feb 2023 11:17:51 -0700
+Subject: [PATCH] Defer to system defaults for cipher suites with urllib3 2.0+
+
+---
+ botocore/httpsession.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/botocore/httpsession.py b/botocore/httpsession.py
+index 97a03644d6..48e2e5d269 100644
+--- a/botocore/httpsession.py
++++ b/botocore/httpsession.py
+@@ -20,7 +20,6 @@
+ from urllib3.exceptions import SSLError as URLLib3SSLError
+ from urllib3.util.retry import Retry
+ from urllib3.util.ssl_ import (
+- DEFAULT_CIPHERS,
+ OP_NO_COMPRESSION,
+ PROTOCOL_TLS,
+ OP_NO_SSLv2,
+@@ -49,6 +48,14 @@
+ except ImportError:
+ from urllib3.util.ssl_ import SSLContext
+
++try:
++ from urllib3.util.ssl_ import DEFAULT_CIPHERS
++except ImportError:
++ # Defer to system configuration starting with
++ # urllib3 2.0. This will choose the ciphers provided by
++ # Openssl 1.1.1+ or secure system defaults.
++ DEFAULT_CIPHERS = None
++
+ import botocore.awsrequest
+ from botocore.compat import (
+ IPV6_ADDRZ_RE,
diff --git a/botocore-2924.patch b/botocore-2924.patch
new file mode 100644
index 000000000000..2a18b9f1a3e3
--- /dev/null
+++ b/botocore-2924.patch
@@ -0,0 +1,27 @@
+From 5ec04be95d1531bf551056f80d3f7d84d48e5138 Mon Sep 17 00:00:00 2001
+From: Thomas Grainger <tagrain@gmail.com>
+Date: Fri, 28 Apr 2023 12:06:22 +0100
+Subject: [PATCH] Do not set_ciphers(DEFAULT_CIPHERS) if DEFAULT_CIPHERS is
+ None
+
+Fixes #2921
+---
+ botocore/httpsession.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/botocore/httpsession.py b/botocore/httpsession.py
+index 48e2e5d269..b3fe6e6c0c 100644
+--- a/botocore/httpsession.py
++++ b/botocore/httpsession.py
+@@ -113,7 +113,10 @@ def create_urllib3_context(
+
+ context = SSLContext(ssl_version)
+
+- context.set_ciphers(ciphers or DEFAULT_CIPHERS)
++ if ciphers:
++ context.set_ciphers(ciphers)
++ elif DEFAULT_CIPHERS:
++ context.set_ciphers(DEFAULT_CIPHERS)
+
+ # Setting the default here, as we may have no ssl module on import
+ cert_reqs = ssl.CERT_REQUIRED if cert_reqs is None else cert_reqs
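Review bot: The new `if ciphers: … elif DEFAULT_CIPHERS: …` chain has a silent third case, both values falsy, in which `set_ciphers` is never called and the context keeps whatever cipher list `SSLContext(ssl_version)` starts with; nothing in the hunk says this is intended. Because botocore-2922.patch sets `DEFAULT_CIPHERS = None` when the import fails, this is the path taken with urllib3 2.x, so the effective TLS cipher policy then comes from the host's OpenSSL/Python configuration rather than from botocore. A comment above the `if`, such as `# neither set (urllib3 2.x): keep the SSLContext's built-in cipher selection`, would make that explicit for anyone auditing the TLS setup. create_urllib3_context's body starts and ends outside the hunk.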
diff --git a/botocore-2990-rebased.patch b/botocore-2990-rebased.patch
new file mode 100644
index 000000000000..69c6b1e2b8b5
--- /dev/null
+++ b/botocore-2990-rebased.patch
@@ -0,0 +1,77 @@
+From 86564e713ba922feafe3feb7883d5305cb6a0ec2 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 26 Jul 2023 17:36:30 -0600
+Subject: [PATCH 1/3] Move 100-continue behavior to use request API
+
+---
+ botocore/awsrequest.py | 37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/botocore/awsrequest.py b/botocore/awsrequest.py
+index f00a0dde57..9123e65c9d 100644
+--- a/botocore/awsrequest.py
++++ b/botocore/awsrequest.py
+@@ -66,33 +66,34 @@ class AWSConnection:
+ def __init__(self, *args, **kwargs):
+ super(AWSConnection, self).__init__(*args, **kwargs)
+ self._original_response_cls = self.response_class
+- # We'd ideally hook into httplib's states, but they're all
+- # __mangled_vars so we use our own state var. This variable is set
+- # when we receive an early response from the server. If this value is
+- # set to True, any calls to send() are noops. This value is reset to
+- # false every time _send_request is called. This is to workaround the
+- # fact that py2.6 (and only py2.6) has a separate send() call for the
+- # body in _send_request, as opposed to endheaders(), which is where the
+- # body is sent in all versions > 2.6.
++ # This variable is set when we receive an early response from the
++ # server. If this value is set to True, any calls to send() are noops.
++ # This value is reset to false every time _send_request is called.
++ # This is to workaround changes in urllib3 2.0 which uses separate
++ # send() calls in request() instead of delegating to endheaders(),
++ # which is where the body is sent in CPython's HTTPConnection.
+ self._response_received = False
+ self._expect_header_set = False
++ self._send_called = False
+
+ def close(self):
+ super(AWSConnection, self).close()
+ # Reset all of our instance state we were tracking.
+ self._response_received = False
+ self._expect_header_set = False
++ self._send_called = False
+ self.response_class = self._original_response_cls
+
+- def _send_request(self, method, url, body, headers, *args, **kwargs):
++ def request(self, method, url, body=None, headers=None, *args, **kwargs):
++ if headers is None:
++ headers = {}
+ self._response_received = False
+ if headers.get('Expect', b'') == b'100-continue':
+ self._expect_header_set = True
+ else:
+ self._expect_header_set = False
+ self.response_class = self._original_response_cls
+- rval = super(AWSConnection, self)._send_request(
+- method, url, body, headers, *args, **kwargs)
++ rval = super().request(method, url, body, headers, *args, **kwargs)
+ self._expect_header_set = False
+ return rval
+
+@@ -210,8 +210,15 @@ def _send_message_body(self, message_body):
+
+ def send(self, str):
+ if self._response_received:
+- logger.debug("send() called, but reseponse already received. "
+- "Not sending data.")
++ if not self._send_called:
++ # urllib3 2.0 chunks and calls send potentially
++ # thousands of times inside `request` unlike the
++ # standard library. Only log this once for sanity.
++ logger.debug(
++ "send() called, but response already received. "
++ "Not sending data."
++ )
++ self._send_called = True
+ return
+ return super(AWSConnection, self).send(str)
+
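Review bot: `_send_called` is cleared in `__init__` and `close()` but not in `request()`, so on a connection reused for several requests the "response already received" debug line is emitted only for the first early response and suppressed for every later one. `_response_received` is already reset at the top of `request()`; resetting the flag next to it, `self._send_called = False`, would make the message once per request, which is what the comment in `send()` appears to intend. This only affects debug logging, but that line is the one trace that a request body was dropped after an early server response. The AWSConnection class body continues outside the hunks shown.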