Map PyOpenSSL SysCallErrors to standard Python ConnectionErrors

julianz- · julianz- · commit b594cd5fc6fe · 2025-10-31T13:37:37.000-07:00
diff --git a/cheroot/ssl/pyopenssl.py b/cheroot/ssl/pyopenssl.py
@@ -50,6 +50,8 @@
    pyopenssl
 """
 
+import errno
+import os
 import socket
 import sys
 import threading
@@ -76,6 +78,49 @@
 from ..makefile import StreamReader, StreamWriter
 from . import Adapter
 
+def proxy_wrapper(self, method, *new_args):
+    # This is where your bugfix gets activated:
+    with _morph_syscall_to_connection_error():
+        return getattr(self._ssl_conn, method)(*new_args)
+
+@contextlib.contextmanager
+def _morph_syscall_to_connection_error(method_name, /):
+    """
+    Handle :exc:`OpenSSL.SSL.SysCallError` in a wrapped method.
+
+    This context manager catches and re-raises SSL system call errors
+    with appropriate exception types.
+
+    Yields:
+        None: Execution continues within the context block.
+    """  # noqa: DAR301
+    try:
+        yield
+    except SSL.SysCallError as ssl_syscall_err:
+        connection_error_map = {
+            errno.EBADF: ConnectionError,  # socket is gone?
+            errno.ECONNABORTED: ConnectionAbortedError,
+            errno.ECONNREFUSED: ConnectionRefusedError,
+            errno.ECONNRESET: ConnectionResetError,
+            errno.ENOTCONN: ConnectionError,
+            errno.EPIPE: BrokenPipeError,
+            errno.ESHUTDOWN: BrokenPipeError,
+        }
+        error_code = ssl_syscall_err.args[0] if ssl_syscall_err.args else None
+        error_msg = (
+            os.strerror(error_code)
+            if error_code is not None
+            else repr(ssl_syscall_err)
+        )
+        conn_err_cls = connection_error_map.get(
+            error_code,
+            ConnectionError,
+        )
+        raise conn_err_cls(
+            error_code,
+            f'Faied to {method_name!s} the PyOpenSSL connection: {error_msg!s}',
+        ) from ssl_syscall_err
+
 
 class SSLFileobjectMixin:
     """Base mixin for a TLS socket stream."""
@@ -229,7 +274,9 @@ def proxy_wrapper(self, *args):
                     new_args = (
                         args[:] if method not in proxy_methods_no_args else []
                     )
-                    return getattr(self._ssl_conn, method)(*new_args)
+                    # translate any SysCallError to ConnectionError
+                    with _morph_syscall_to_connection_error(method):
+                        return getattr(self._ssl_conn, method)(*new_args)
                 finally:
                     self._lock.release()
 
diff --git a/cheroot/test/test_ssl_pyopenssl.py b/cheroot/test/test_ssl_pyopenssl.py
@@ -0,0 +1,56 @@
+# Assuming your existing test file has fixtures for the SSL objects
+import pytest
+import errno
+from OpenSSL import SSL
+from cheroot.ssl.pyopenssl import SSLConnection
+
+@pytest.fixture
+def mock_ssl_context(mocker):
+    """Fixture providing a mock instance of SSL.Context."""
+    return mocker.Mock(spec=SSL.Context)
+
+@pytest.fixture
+def mock_ssl_conn_class(mocker):
+    """Fixture patching the SSL.Connection class constructor."""
+    return mocker.patch('OpenSSL.SSL.Connection')
+
+# (SysCallError errno, Expected Exception Type)
+ERROR_MAPPINGS = [
+    (errno.EBADF, ConnectionError),
+    (errno.ECONNABORTED, ConnectionAbortedError),
+    (errno.ECONNREFUSED, ConnectionRefusedError),
+    (errno.ECONNRESET, ConnectionResetError),
+    (errno.ENOTCONN, ConnectionError),
+    (errno.EPIPE, BrokenPipeError),
+    (errno.ESHUTDOWN, BrokenPipeError),
+]
+
+@pytest.mark.parametrize(
+    'simulated_errno, expected_exception', ERROR_MAPPINGS
+)
+def test_close_morphs_syscall_error_correctly(
+    mocker, mock_ssl_context, mock_ssl_conn_class, 
+    simulated_errno, expected_exception
+):
+    # The SSLConnection object will now have a safe mock for self._ssl_conn
+    conn = SSLConnection(mock_ssl_context) 
+    
+    # Define the specific OpenSSL error based on the parameter
+    simulated_error = SSL.SysCallError(simulated_errno, 'Simulated connection error')
+
+    # 4. Patch the 'close' method on the underlying MOCK object.
+    # We retrieve the mock object that was placed in conn._ssl_conn during init.
+    # The return value of the mocked SSL.Connection class is what conn._ssl_conn holds.
+    underlying_mock = conn._ssl_conn 
+    
+    mocker.patch.object(
+        underlying_mock, 'close',
+        side_effect=simulated_error
+    )
+
+    # Assert the expected exception is raised based on the parameter
+    with pytest.raises(expected_exception) as excinfo:
+        conn.close()
+
+    # 6. Assert the original SysCallError is included in the new exception's cause
+    assert excinfo.value.__cause__ is simulated_error
diff --git a/docs/changelog-fragments.d/786.bugfix.rst b/docs/changelog-fragments.d/786.bugfix.rst
@@ -0,0 +1,3 @@
+OpenSSL system call errors are now intercepted and reraised as standard Python ConnectionErrors.
+
+-- by :user:`julianz-`

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+OpenSSL system call errors are now intercepted and reraised as standard Python ConnectionErrors.`
	`2`	`+`
	`3`	+-- by :user:`julianz-`