Align SSL adapters by removing bind()

Relocated `SSLConnection` instantiation from `bind()` to `wrap()` to align
with the adapter interface where wrap() is responsible for converting
raw sockets to SSL connections. With this chenge `bind()` serves no
purpose and so is deleted. This change also fixes the pyOpenSSL adapter
so that it doesn't prematurely wrap the raw socket, an issue in the old
`bind()` implementation.

Author: julianz-

.flake8

@@ -128,7 +128,7 @@ per-file-ignores =
   cheroot/errors.py: DAR101, DAR201, I003, RST304, WPS111, WPS121, WPS422
   cheroot/makefile.py: DAR101, DAR201, DAR401, E800, I003, I004, N801, N802, S101, WPS100, WPS110, WPS111, WPS117, WPS120, WPS121, WPS122, WPS123, WPS130, WPS204, WPS210, WPS212, WPS213, WPS220, WPS229, WPS231, WPS232, WPS338, WPS420, WPS422, WPS429, WPS431, WPS504, WPS604, WPS606
   cheroot/server.py: DAR003, DAR101, DAR201, DAR202, DAR301, DAR401, E800, I001, I003, I004, I005, N806, RST201, RST301, RST303, RST304, WPS100, WPS110, WPS111, WPS115, WPS120, WPS121, WPS122, WPS130, WPS132, WPS201, WPS202, WPS204, WPS210, WPS211, WPS212, WPS213, WPS214, WPS220, WPS221, WPS225, WPS226, WPS229, WPS230, WPS231, WPS236, WPS237, WPS238, WPS301, WPS338, WPS342, WPS410, WPS420, WPS421, WPS422, WPS429, WPS432, WPS504, WPS505, WPS601, WPS602, WPS608, WPS617
-  cheroot/ssl/builtin.py: DAR101, DAR201, DAR401, I001, I003, N806, RST304, WPS110, WPS111, WPS115, WPS117, WPS120, WPS121, WPS122, WPS130, WPS201, WPS210, WPS214, WPS229, WPS231, WPS338, WPS422, WPS501, WPS505, WPS529, WPS608, WPS612
+  cheroot/ssl/builtin.py: DAR101, DAR201, DAR401, I001, I003, N806, RST304, WPS110, WPS111, WPS115, WPS117, WPS120, WPS121, WPS122, WPS130, WPS201, WPS210, WPS214, WPS229, WPS231, WPS338, WPS422, WPS501, WPS505, WPS529, WPS608
   cheroot/ssl/pyopenssl.py: C815, DAR101, DAR201, DAR401, I001, I003, I005, N801, N804, RST304, WPS100, WPS110, WPS111, WPS117, WPS120, WPS121, WPS130, WPS210, WPS220, WPS221, WPS225, WPS229, WPS231, WPS238, WPS301, WPS335, WPS338, WPS420, WPS422, WPS430, WPS432, WPS501, WPS504, WPS505, WPS601, WPS608, WPS615
   cheroot/test/conftest.py: DAR101, DAR201, DAR301, I001, I003, I005, WPS100, WPS130, WPS325, WPS354, WPS420, WPS422, WPS430, WPS457
   cheroot/test/helper.py: DAR101, DAR201, DAR401, I001, I003, I004, N802, WPS110, WPS111, WPS121, WPS201, WPS220, WPS231, WPS301, WPS414, WPS421, WPS422, WPS505

cheroot/server.py

@@ -1987,7 +1987,6 @@ def bind(self, family, type, proto=0):
             type,
             proto,
             self.nodelay,
-            self.ssl_adapter,
             self.reuse_port,
         )
         sock = self.socket = self.bind_socket(sock, self.bind_addr)
@@ -2037,7 +2036,6 @@ def bind_unix_socket(self, bind_addr):  # noqa: C901  # FIXME
             type=socket.SOCK_STREAM,
             proto=0,
             nodelay=self.nodelay,
-            ssl_adapter=self.ssl_adapter,
             reuse_port=self.reuse_port,
         )
 
@@ -2112,7 +2110,6 @@ def prepare_socket(  # pylint: disable=too-many-positional-arguments
         type,
         proto,
         nodelay,
-        ssl_adapter,
         reuse_port=False,
     ):
         """Create and prepare the socket object."""
@@ -2140,9 +2137,6 @@ def prepare_socket(  # pylint: disable=too-many-positional-arguments
         if nodelay and not isinstance(bind_addr, (str, bytes)):
             sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
 
-        if ssl_adapter is not None:
-            sock = ssl_adapter.bind(sock)
-
         # If listening on the IPV6 any address ('::' = IN6ADDR_ANY),
         # activate dual-stack. See
         # https://github.com/cherrypy/cherrypy/issues/871.

cheroot/server.pyi

@@ -196,7 +196,6 @@ class HTTPServer:
         type,
         proto,
         nodelay,
-        ssl_adapter,
         reuse_port: bool = ...,
     ): ...
     @staticmethod

cheroot/ssl/__init__.py

@@ -1,5 +1,6 @@
 """Implementation of the SSL adapter base interface."""
 
+import warnings
 from abc import ABC, abstractmethod
 
 
@@ -31,9 +32,20 @@ def __init__(
         self.private_key_password = private_key_password
         self.context = None
 
-    @abstractmethod
     def bind(self, sock):
-        """Wrap and return the given socket."""
+        """
+        Wrap and return the given socket.
+
+        Deprecated:
+        This method no longer performs any SSL-specific operations.
+        SSL wrapping now happens in wrap(). This method will be
+        removed in a future version.
+        """
+        warnings.warn(
+            'SSLAdapter.bind() is deprecated and will be removed in a future version.',
+            DeprecationWarning,
+            stacklevel=2,
+        )
         return sock
 
     @abstractmethod

cheroot/ssl/__init__.pyi

@@ -18,7 +18,6 @@ class Adapter(ABC):
         *,
         private_key_password: str | bytes | None = ...,
     ): ...
-    @abstractmethod
     def bind(self, sock): ...
     @abstractmethod
     def wrap(self, sock): ...

cheroot/ssl/builtin.py

@@ -303,10 +303,6 @@ def context(self, context):
             if ssl.HAS_SNI and context.sni_callback is None:
                 context.sni_callback = _sni_callback
 
-    def bind(self, sock):
-        """Wrap and return the given socket."""
-        return super(BuiltinSSLAdapter, self).bind(sock)
-
     def wrap(self, sock):
         """Wrap and return the given socket, plus WSGI environ entries."""
         try:

cheroot/ssl/builtin.pyi

@@ -20,7 +20,6 @@ class BuiltinSSLAdapter(Adapter):
     def context(self): ...
     @context.setter
     def context(self, context) -> None: ...
-    def bind(self, sock): ...
     def wrap(self, sock): ...
     def get_environ(self, sock): ...
     def makefile(self, sock, mode: str = ..., bufsize: int = ...): ...

cheroot/ssl/pyopenssl.py

@@ -216,6 +216,8 @@ def __new__(mcl, name, bases, nmspc):
             'settimeout',
             'gettimeout',
             'shutdown',
+            'recv_into',
+            '_decref_socketios',
         )
         proxy_methods_no_args = ('shutdown',)
 
@@ -270,6 +272,17 @@ def __init__(self, *args):
         self._ssl_conn = SSL.Connection(*args)
         self._lock = threading.RLock()
 
+    @property
+    def _socket(self):
+        """
+        Expose underlying raw socket.
+
+        This is needed for times when the cheroot server needs access to the
+        original socket object, e.g. in replying to a client attempting
+        to speak plain HTTP on an HTTPS port.
+        """
+        return self._ssl_conn._socket
+
 
 class pyOpenSSLAdapter(Adapter):
     """A wrapper for integrating :doc:`pyOpenSSL <pyopenssl:index>`."""
@@ -320,20 +333,18 @@ def __init__(
 
         self._environ = None
 
-    def bind(self, sock):
-        """Wrap and return the given socket."""
-        if self.context is None:
-            self.context = self.get_context()
-        conn = SSLConnection(self.context, sock)
-        self._environ = self.get_environ()
-        return conn
-
     def wrap(self, sock):
         """Wrap and return the given socket, plus WSGI environ entries."""
         # pyOpenSSL doesn't perform the handshake until the first read/write
         # forcing the handshake to complete tends to result in the connection
         # closing so we can't reliably access protocol/client cert for the env
-        return sock, self._environ.copy()
+        if self.context is None:
+            self.context = self.get_context()
+        conn = SSLConnection(self.context, sock)
+
+        conn.set_accept_state()  # Tell OpenSSL this is a server connection
+        self._environ = self.get_environ()
+        return conn, self._environ
 
     def _password_callback(
         self,
@@ -442,7 +453,9 @@ def makefile(self, sock, mode='r', bufsize=-1):
             if 'r' in mode
             else SSLFileobjectStreamWriter
         )
-        if SSL and isinstance(sock, ssl_conn_type):
+        # sock is an pyopenSSL.SSLConnection instance here
+        # so checking against ssl_conn_type doesn't work
+        if SSL and isinstance(sock, (ssl_conn_type, SSLConnection)):
             wrapped_socket = cls(sock, mode, bufsize)
             wrapped_socket.ssl_timeout = sock.gettimeout()
             return wrapped_socket

cheroot/ssl/pyopenssl.pyi

@@ -34,7 +34,6 @@ class pyOpenSSLAdapter(Adapter):
         *,
         private_key_password: str | bytes | None = ...,
     ) -> None: ...
-    def bind(self, sock): ...
     def wrap(self, sock): ...
     def _password_callback(
         self,

cheroot/test/test_ssl.py

@@ -920,16 +920,14 @@ def test_openssl_adapter_with_false_key_password(
         private_key_password=false_password,
     )
 
-    httpserver.ssl_adapter = tls_adapter
-
     with expected_warn, pytest.raises(
         OpenSSL.SSL.Error,
         # Decode error has happened very rarely with Python 3.9 in MacOS.
         # Might be caused by a random issue in file handling leading
         # to interpretation of garbage characters in certificates.
         match=r'.+\'(bad decrypt|decode error)\'.+',
     ):
-        httpserver.prepare()
+        tls_adapter.get_context()
 
     assert not httpserver.requests._threads
     assert not httpserver.ready