[15.0] external dependency "cryptography" causes error 'X509_V_FLAG_CB_ISSUER_CHECK' #424

Closed
CRogos opened this issue Sep 26, 2022 · 10 comments
Contributor

CRogos commented Sep 26, 2022

Module auth_jwt

The name of the module that has a bug.
auth_jwt has an external dependency "cryptography" which seems not to be compatible with Odoo anymore:
odoo/odoo@55d2da4

Describe the bug

The Odoo server is not starting because of dependency incompatibilities.
similar topics:
odoo/odoo#89798
https://www.odoo.com/de_DE/forum/hilfe-1/attributeerror-module-lib-has-no-attribute-x509-v-flag-cb-issuer-check-when-creating-new-staging-branch-202955

To Reproduce

Affected versions: 15.0
Odoo does not start when this repository is added to the addon folder.
Error:
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1553, in <module>
    class X509StoreFlags(object):
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

Steps to reproduce the behavior:

  1. I am using Odoo.sh with an empty database referencing this repository. The server with an empty db does not start.

Expected behavior

Additional context
I've added the following line to the requirements.txt and the error is gone:
cryptography==36.0.2 # last version working with pyopenssl==19.0.0

But I am not using the auth_jwt module, so I am not sure if the module is still working with the changed requirements.txt?
Is this something this repository should react to, or will this probably be fixed in odoo?

@CRogos CRogos added the bug label Sep 26, 2022
Member

sbidoul commented Oct 1, 2022

This has been fixed in Odoo: odoo/odoo#99829

@sbidoul sbidoul closed this as completed Oct 1, 2022
Contributor Author

CRogos commented Oct 5, 2022

> This has been fixed in Odoo: odoo/odoo#99829

@sbidoul are you sure? I still get the same error when not setting the cryptography version in the requirements.txt.

Member

sbidoul commented Oct 5, 2022

I don't know which version your odoo sh instance has, but I'm 100% sure we should not pin the version in this repo.

Contributor Author

CRogos commented Oct 5, 2022

Odoo.sh is using the latest Odoo version and the Odoo patch is applied:
[image]

I agree that pinning it to a version is ugly, but without it, it is not building anymore.

All builds newer than 2 weeks have the same issue:
https://runboat.odoo-community.org/webui/builds.html?repo=oca/server-auth&target_branch=15.0

Member

sbidoul commented Oct 5, 2022

But, is your issue with odoo.sh or runboat?

Contributor Author

CRogos commented Oct 5, 2022

I am using odoo.sh, but I am also using runboat, and I can reproduce the issue on both.

Member

sbidoul commented Oct 5, 2022

Ah, I see it now. I think some other dependency of this repo requires a cryptography version greater than the one in odoo's requirements.txt. We need to find which one.

Contributor Author

CRogos commented Oct 5, 2022

Cryptography is used in auth_jwt (and auth_jwt_demo), which both have the version 14 in the 15 branch?!?!

"version": "14.0.1.2.0",

Contributor Author

CRogos commented Oct 5, 2022

@sbidoul the external_dependencies of auth_jwt are not added to the requirements.txt because in the manifest the installable is set to False.

What is the reason why the 14.0.1.2.0 was added to the 15.0 branch without migration?
When I set the module to installable = True and remove it from the "not installable addons" list, I get more migration related issues.

I think the easiest way to fix this topic is to delete the auth_jwt module from the 15.0 branch and migrate it properly.
Do you agree?

Member

sbidoul commented Oct 5, 2022

> What is the reason why the 14.0.1.2.0 was added to the 15.0 branch without migration?

This comes from #320. But that is not the cause of the problem.

Depending on cryptography without version constraint is fine, because it is preinstalled with the version pinned by Odoo's requirements.txt (both in odoo.sh and runboat), and pip install cryptography then says requirement already satisfied and everyone is happy.

The problem here comes from the pysaml2 package which depends on cryptography>=3.1. Since Odoo has version 2.6.x pre-installed, pip wants to upgrade it to the latest version to satisfy >=3.1. And since the relationship between cryptography and pyopenssl versions is complicated and not declared in their respective dependencies, pip has no way to know it can't install cryptography 38.

I'm trying #429 with a fix that is closer to the root cause.
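
The check described in the comment above (finding which declared requirement the preinstalled pin cannot satisfy, which is what makes pip upgrade it), as an added example that is not part of the original thread or of the OCA or Odoo code. The version data is constructed from the versions named here ("2.6.1" stands in for "2.6.x"), the function names are hypothetical, and only plain numeric versions are handled.

```python
import re

# Constructed sample data built from the versions named in this thread.
# "2.6.1" stands in for the "2.6.x" that Odoo's requirements.txt preinstalls.
PREINSTALLED = {"cryptography": "2.6.1", "pyopenssl": "19.0.0"}
# owner -> requirement strings it declares (hypothetical layout)
DECLARED = {
    "auth_jwt manifest": ["cryptography"],   # no version constraint
    "pysaml2": ["cryptography>=3.1"],        # constraint quoted in the thread
}

_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}
_REQ = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(.*)$")
_SPEC = re.compile(r"(==|>=|<=|!=|>|<)\s*([0-9][0-9.]*)")


def _vtuple(version, width):
    """Turn '3.1' into (3, 1, 0, ...) padded to `width` (numeric releases only)."""
    parts = [int(p) for p in version.strip(".").split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def satisfied(installed, spec):
    """True if the installed version meets every clause in e.g. '>=3.1,<39'."""
    for op, wanted in _SPEC.findall(spec):
        width = max(installed.count("."), wanted.count(".")) + 1
        if not _OPS[op](_vtuple(installed, width), _vtuple(wanted, width)):
            return False
    return True


def upgrade_triggers(preinstalled, declared):
    """List (owner, requirement, installed) where the preinstalled pin is too old
    or otherwise excluded, i.e. the requirements that make pip replace it."""
    hits = []
    for owner, reqs in declared.items():
        for req in reqs:
            name, spec = _REQ.match(req).groups()
            have = preinstalled.get(name.lower().replace("_", "-"))
            if have is not None and not satisfied(have, spec):
                hits.append((owner, req, have))
    return hits


if __name__ == "__main__":
    for owner, req, have in upgrade_triggers(PREINSTALLED, DECLARED):
        print(f"{owner} requires {req}; preinstalled {have} does not satisfy it")
```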

@CRogos CRogos closed this as completed Oct 6, 2022
SiesslPhillip pushed a commit to grueneerde/OCA-server-auth that referenced this issue Nov 20, 2024
Syncing from upstream OCA/server-auth (17.0)