Raise an error if peer certificate chain APIs aren't available in Python <3.13

sethmlarson · web-flow · commit 14078644429f · 2024-08-21T08:25:12.000-05:00
diff --git a/src/truststore/__init__.py b/src/truststore/__init__.py
@@ -5,9 +5,32 @@
 if _sys.version_info < (3, 10):
     raise ImportError("truststore requires Python 3.10 or later")
 
+# Detect Python runtimes which don't implement SSLObject.get_unverified_chain() API
+# This API only became public in Python 3.13 but was available in CPython and PyPy since 3.10.
+if _sys.version_info < (3, 13):
+    try:
+        import ssl as _ssl
+    except ImportError:
+        raise ImportError("truststore requires the 'ssl' module")
+    else:
+        _sslmem = _ssl.MemoryBIO()
+        _sslobj = _ssl.create_default_context().wrap_bio(
+            _sslmem,
+            _sslmem,
+        )
+        try:
+            while not hasattr(_sslobj, "get_unverified_chain"):
+                _sslobj = _sslobj._sslobj  # type: ignore[attr-defined]
+        except AttributeError:
+            raise ImportError(
+                "truststore requires peer certificate chain APIs to be available"
+            ) from None
+
+        del _ssl, _sslobj, _sslmem  # noqa: F821
+
 from ._api import SSLContext, extract_from_ssl, inject_into_ssl  # noqa: E402
 
 del _api, _sys  # type: ignore[name-defined] # noqa: F821
 
 __all__ = ["SSLContext", "inject_into_ssl", "extract_from_ssl"]
-__version__ = "0.9.1"
+__version__ = "0.9.2"
diff --git a/tests/requests_with_inject.py b/tests/requests_with_inject.py
@@ -0,0 +1,10 @@
+# Used by the test: test_inject.py::test_requests_work_with_inject
+
+import truststore
+
+truststore.inject_into_ssl()
+
+import requests  # noqa: E402
+
+resp = requests.request("GET", "https://example.com")
+assert resp.status_code == 200
diff --git a/tests/test_inject.py b/tests/test_inject.py
@@ -1,9 +1,11 @@
 import asyncio
+import pathlib
 import ssl
+import subprocess
+import sys
 
 import httpx
 import pytest
-import requests
 import urllib3
 from aiohttp import ClientSession
 
@@ -97,16 +99,12 @@ async def test_aiohttp_works_with_inject(server: Server) -> None:
         assert resp.status == 200
 
 
-@pytest.mark.asyncio
-@pytest.mark.usefixtures("inject_truststore")
-async def test_requests_works_with_inject(server: Server) -> None:
-    def test_requests():
-        with requests.Session() as http:
-            resp = http.request("GET", server.base_url)
-        assert resp.status_code == 200
-
-    thread = asyncio.to_thread(test_requests)
-    await thread
+def test_requests_works_with_inject() -> None:
+    # We completely isolate the requests module because
+    # pytest or some other part of our test infra is messing
+    # with the order it's loaded into modules.
+    script = pathlib.Path(__file__).parent / "requests_with_inject.py"
+    subprocess.check_output([sys.executable, script])
 
 
 @pytest.mark.asyncio
