Skip to content

chore(auth): update lower bounds and testing constraints for Python 3.11 - 3.14 compatibility#17593

Open
ohmayr wants to merge 23 commits into
mainfrom
fix-pyopenssl-compat-3.14
Open

chore(auth): update lower bounds and testing constraints for Python 3.11 - 3.14 compatibility#17593
ohmayr wants to merge 23 commits into
mainfrom
fix-pyopenssl-compat-3.14

Conversation

@ohmayr

@ohmayr ohmayr commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This PR updates the package's minimum dependency bounds in setup.py and the corresponding unit test constraints to support newer Python versions (3.11 through 3.14).
It also introduces support in noxfile.py to test optional extras (enterprise_cert and rsa) under boundary sessions (install_deprecated_extras=True) which were not previously included in boundary testing. This ensures all extras are validated against their lower bounds.

  1. setup.py Lower Bounds:
    • Conditioned cryptography minimum to >= 41.0.5 on Python 3.14+ (older versions fail to build/run).
    • Conditioned requests to >= 2.30.0 and aiohttp to >= 3.9.0 on Python 3.11+ to resolve compatibility issues with urllib3 v2+.
    • Bumped the obsolete rsa extra dependency to >= 4.0, < 5.
  2. Nox Test Isolation & Configuration:
    • Expanded boundary test coverage to explicitly include optional extras (enterprise_cert and rsa) when running with install_deprecated_extras=True (these were not covered in boundary tests previously).
    • Configured noxfile.py to dynamically load a dedicated constraints-extras-<python_version>.txt file (if present) for boundary testing.
  3. Dependency Constraints:
    • Added complete core constraint files for Python 3.11, 3.12, 3.13, and 3.14 to pin core dependencies at their respective setup.py lower bounds during CI.
    • Introduced constraints-extras-3.10.txt and constraints-extras-3.14.txt to properly capture the boundary versions of optional packages (such as rsa and pyu2f) without affecting the clean core library validation.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the minimum required version of pyopenssl to 23.2.0 in setup.py and introduces a new constraints file for Python 3.14. The review feedback correctly identifies a dependency resolution conflict in the new constraints file, where pyopenssl 23.2.0 requires cryptography >= 41.0.1, but cryptography is currently pinned to 38.0.3. It is recommended to update the cryptography version to avoid installation failures.

# are correct in setup.py for Python 3.14
pyasn1-modules==0.2.1
setuptools==40.3.0
cryptography==38.0.3

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The minimum version of pyopenssl has been raised to 23.2.0. However, pyopenssl 23.2.0 requires cryptography >= 41.0.1. Keeping cryptography==38.0.3 in this constraints file will cause a dependency resolution conflict during installation. Please update the cryptography version to 41.0.1 or higher to ensure compatibility.

cryptography==41.0.1

@ohmayr ohmayr force-pushed the fix-pyopenssl-compat-3.14 branch from 0a5609b to 1dd7463 Compare July 6, 2026 19:07
@ohmayr ohmayr changed the title fix(google-auth): raise minimum pyopenssl version to 23.2.0 chore(auth): update lower bounds and testing constraints for Python 3.11 - 3.14 compatibility Jul 6, 2026
@ohmayr ohmayr marked this pull request as ready for review July 6, 2026 19:35
@ohmayr ohmayr requested review from a team as code owners July 6, 2026 19:35
@ohmayr ohmayr removed their assignment Jul 6, 2026
pyu2f==0.1.5
rsa==4.0
aiohttp==3.8.0
requests==2.30.0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like the lower bound for requests for 3.10 should be 2.20.0

@@ -40,7 +48,7 @@
# TODO(https://github.com/googleapis/google-auth-library-python/issues/1739): Add bounds for urllib3 and packaging dependencies.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we address this TODO now?

@@ -0,0 +1,11 @@
# Lower-bound constraints for Python 3.10 extended/optional extras (rsa, enterprise_cert).
# Used during boundary Nox unit sessions (install_deprecated_extras=True) to test legacy/extra paths on 3.10.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add comments showing which extra each dependency belongs to?

aiohttp==3.9.0
requests==2.30.0
pyjwt==2.0
urllib3==2.0.0 No newline at end of file

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove the "extra" dependency from the non-extra constraints files? (requests, pyjwt, etc) That would help us make sure the libraries still work even without the extras are installed

I'm not sure if that would break the tests too much though

session.install("oauth2client")
extras_str += ",rsa"

# Use the dedicated extras constraints file if it exists

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm finding this test matrix a bit confusing. Both install_deprecated_extras=True and install_deprecated_extras=False installs some extras (urllib3, requests, pyjwt). But only install_deprecated_extras=True uses the constraints-extras-3.14.txt constraints file. And the constraints file contains constraints for all extras, not just deprecated ones

Can we try to re-think this a bit? One option: have all the extras isolated in one constraints file, and the core dependencies in another, and run the tests with a install_extras parameter, which determines which constraints files are included. That way we can make sure the tests work with all valid versions, and the core library works even without any extras installed.

"urllib3": urllib3_extra_require,
"rsa": rsa_extra_require,
# TODO(https://github.com/googleapis/google-auth-library-python/issues/1735): Add an extra for `grpcio` dependency.
# TODO(https://github.com/googleapis/google-auth-library-python/issues/1736): Add an extra for `oauth2client` dependency.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should address or remove all these TODOs, since we're making changes to the extras here?

I don't think we'd want to add an extra for oauth2client though, since it's a dead library.

# rsa and oauth2client were both archived and support dropped,
# but we still test old code paths
# but we still test old code paths
session.install("oauth2client")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be added to constraints-extras-3.14.txt, now that we have a constraints file for this

We don't formally support oauth2client anymore, but we do have some tests in place that reference it

CURRENT_DIRECTORY / "testing" / f"constraints-{session.python}.txt"
)

session.install("-e", f".[{extras_str}]", "-c", constraints_path)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: you can install using multiple constraints files, so we could make this so that the main -c constraints-3.x.txt is always installed, and then optionally add another c constraints-extras-3.x.txt if needed. That way we don't have to repeat the core dependencies in both

@parthea parthea assigned ohmayr and unassigned daniel-sanche Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants