add is_sync param

Author: sleepyStick

pymongo/asynchronous/encryption.py

@@ -180,6 +180,7 @@ async def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
                 False,  # allow_invalid_certificates
                 False,  # allow_invalid_hostnames
                 False,  # disable_ocsp_endpoint_check
+                _IS_SYNC,
             )
         # CSOT: set timeout for socket creation.
         connect_timeout = max(_csot.clamp_remaining(_KMS_CONNECT_TIMEOUT), 0.001)
@@ -674,6 +675,7 @@ def __init__(
             key_vault_namespace,
             kms_tls_options=kms_tls_options,
             key_expiration_ms=key_expiration_ms,
+            is_sync=_IS_SYNC,
         )
         self._io_callbacks: Optional[_EncryptionIO] = _EncryptionIO(
             None, key_vault_coll, None, opts

pymongo/client_options.py

@@ -84,7 +84,9 @@ def _parse_read_concern(options: Mapping[str, Any]) -> ReadConcern:
     return ReadConcern(concern)
 
 
-def _parse_ssl_options(options: Mapping[str, Any]) -> tuple[Optional[SSLContext], bool]:
+def _parse_ssl_options(
+    options: Mapping[str, Any], is_sync: bool
+) -> tuple[Optional[SSLContext], bool]:
     """Parse ssl options."""
     use_tls = options.get("tls")
     if use_tls is not None:
@@ -138,6 +140,7 @@ def _parse_ssl_options(options: Mapping[str, Any]) -> tuple[Optional[SSLContext]
             allow_invalid_certificates,
             allow_invalid_hostnames,
             disable_ocsp_endpoint_check,
+            is_sync,
         )
         return ctx, allow_invalid_hostnames
     return None, allow_invalid_hostnames
@@ -167,7 +170,7 @@ def _parse_pool_options(
     compression_settings = CompressionSettings(
         options.get("compressors", []), options.get("zlibcompressionlevel", -1)
     )
-    ssl_context, tls_allow_invalid_hostnames = _parse_ssl_options(options)
+    ssl_context, tls_allow_invalid_hostnames = _parse_ssl_options(options, is_sync)
     load_balanced = options.get("loadbalanced")
     max_connecting = options.get("maxconnecting", common.MAX_CONNECTING)
     return PoolOptions(

pymongo/encryption_options.py

@@ -58,6 +58,7 @@ def __init__(
         bypass_query_analysis: bool = False,
         encrypted_fields_map: Optional[Mapping[str, Any]] = None,
         key_expiration_ms: Optional[int] = None,
+        is_sync: bool = True,
     ) -> None:
         """Options to configure automatic client-side field level encryption.
 
@@ -236,7 +237,7 @@ def __init__(
         if not any("idleShutdownTimeoutSecs" in s for s in self._mongocryptd_spawn_args):
             self._mongocryptd_spawn_args.append("--idleShutdownTimeoutSecs=60")
         # Maps KMS provider name to a SSLContext.
-        self._kms_ssl_contexts = _parse_kms_tls_options(kms_tls_options)
+        self._kms_ssl_contexts = _parse_kms_tls_options(kms_tls_options, is_sync)
         self._bypass_query_analysis = bypass_query_analysis
         self._key_expiration_ms = key_expiration_ms
 

pymongo/ssl_support.py

@@ -21,10 +21,12 @@
 from pymongo.errors import ConfigurationError
 
 HAVE_SSL = True
+HAVE_PYSSL = True
 
 try:
-    import pymongo.pyopenssl_context as _ssl
+    import pymongo.pyopenssl_context as _pyssl
 except (ImportError, AttributeError) as exc:
+    HAVE_PYSSL = False
     if isinstance(exc, AttributeError):
         warnings.warn(
             "Failed to use the installed version of PyOpenSSL. "
@@ -35,10 +37,10 @@
             UserWarning,
             stacklevel=2,
         )
-    try:
-        import pymongo.ssl_context as _ssl  # type: ignore[no-redef]
-    except ImportError:
-        HAVE_SSL = False
+try:
+    import pymongo.ssl_context as _ssl
+except ImportError:
+    HAVE_SSL = False
 
 
 if HAVE_SSL:
@@ -65,8 +67,13 @@ def get_ssl_context(
         allow_invalid_certificates: bool,
         allow_invalid_hostnames: bool,
         disable_ocsp_endpoint_check: bool,
+        is_sync: bool,
     ) -> _ssl.SSLContext:
         """Create and return an SSLContext object."""
+        if is_sync and HAVE_PYSSL:
+            ssl_in_use = _pyssl
+        else:
+            ssl_in_use = _ssl
         verify_mode = CERT_NONE if allow_invalid_certificates else CERT_REQUIRED
         ctx = _ssl.SSLContext(_ssl.PROTOCOL_SSLv23)
         if verify_mode != CERT_NONE:
@@ -80,21 +87,21 @@ def get_ssl_context(
             # up to date versions of MongoDB 2.4 and above already disable
             # SSLv2 and SSLv3, python disables SSLv2 by default in >= 2.7.7
             # and >= 3.3.4 and SSLv3 in >= 3.4.3.
-            ctx.options |= _ssl.OP_NO_SSLv2
-            ctx.options |= _ssl.OP_NO_SSLv3
-            ctx.options |= _ssl.OP_NO_COMPRESSION
-            ctx.options |= _ssl.OP_NO_RENEGOTIATION
+            ctx.options |= ssl_in_use.OP_NO_SSLv2
+            ctx.options |= ssl_in_use.OP_NO_SSLv3
+            ctx.options |= ssl_in_use.OP_NO_COMPRESSION
+            ctx.options |= ssl_in_use.OP_NO_RENEGOTIATION
         if certfile is not None:
             try:
                 ctx.load_cert_chain(certfile, None, passphrase)
-            except _ssl.SSLError as exc:
+            except ssl_in_use.SSLError as exc:
                 raise ConfigurationError(f"Private key doesn't match certificate: {exc}") from None
         if crlfile is not None:
-            if _ssl.IS_PYOPENSSL:
+            if ssl_in_use.IS_PYOPENSSL:
                 raise ConfigurationError("tlsCRLFile cannot be used with PyOpenSSL")
             # Match the server's behavior.
             ctx.verify_flags = getattr(  # type:ignore[attr-defined]
-                _ssl, "VERIFY_CRL_CHECK_LEAF", 0
+                ssl_in_use, "VERIFY_CRL_CHECK_LEAF", 0
             )
             ctx.load_verify_locations(crlfile)
         if ca_certs is not None:

pymongo/synchronous/encryption.py

@@ -179,6 +179,7 @@ def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
                 False,  # allow_invalid_certificates
                 False,  # allow_invalid_hostnames
                 False,  # disable_ocsp_endpoint_check
+                _IS_SYNC,
             )
         # CSOT: set timeout for socket creation.
         connect_timeout = max(_csot.clamp_remaining(_KMS_CONNECT_TIMEOUT), 0.001)
@@ -667,6 +668,7 @@ def __init__(
             key_vault_namespace,
             kms_tls_options=kms_tls_options,
             key_expiration_ms=key_expiration_ms,
+            is_sync=_IS_SYNC,
         )
         self._io_callbacks: Optional[_EncryptionIO] = _EncryptionIO(
             None, key_vault_coll, None, opts

pymongo/uri_parser_shared.py

@@ -420,7 +420,9 @@ def _check_options(nodes: Sized, options: Mapping[str, Any]) -> None:
             raise ConfigurationError("Cannot specify replicaSet with loadBalanced=true")
 
 
-def _parse_kms_tls_options(kms_tls_options: Optional[Mapping[str, Any]]) -> dict[str, SSLContext]:
+def _parse_kms_tls_options(
+    kms_tls_options: Optional[Mapping[str, Any]], is_sync
+) -> dict[str, SSLContext]:
     """Parse KMS TLS connection options."""
     if not kms_tls_options:
         return {}
@@ -435,7 +437,7 @@ def _parse_kms_tls_options(kms_tls_options: Optional[Mapping[str, Any]]) -> dict
         opts = _handle_security_options(opts)
         opts = _normalize_options(opts)
         opts = cast(_CaseInsensitiveDictionary, validate_options(opts))
-        ssl_context, allow_invalid_hostnames = _parse_ssl_options(opts)
+        ssl_context, allow_invalid_hostnames = _parse_ssl_options(opts, is_sync)
         if ssl_context is None:
             raise ConfigurationError("TLS is required for KMS providers")
         if allow_invalid_hostnames:

test/asynchronous/test_client_bulk_write.py

@@ -545,6 +545,7 @@ async def test_returns_error_if_auto_encryption_configured(self):
         opts = AutoEncryptionOpts(
             key_vault_namespace="db.coll",
             kms_providers={"aws": {"accessKeyId": "foo", "secretAccessKey": "bar"}},
+            is_sync=_IS_SYNC,
         )
         client = await self.async_rs_or_single_client(auto_encryption_opts=opts)