python : fix SSL for older Python versions (#16217)

* Fixed SSL pathing for older versions of Python (i.e. @:3.6.999).

* Fixed an issue where the 'python~ssl' variant wasn't properly being respected.

* Improved the '~ssl' patch by making it functional instead of diff-based (enables 3.X.Y patches).

* Fixed comment formatting to satisfy 'flake8' style requirements.

var/spack/repos/builtin/packages/python/package.py

@@ -132,6 +132,9 @@ class Python(AutotoolsPackage):
     depends_on('readline', when='+readline')
     depends_on('ncurses', when='+readline')
     depends_on('openssl', when='+ssl')
+    # https://raw.githubusercontent.com/python/cpython/84471935ed2f62b8c5758fd544c7d37076fe0fa5/Misc/NEWS
+    # https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-4rc1
+    depends_on('openssl@:1.0.2z', when='@:2.7.13,3.0.0:3.5.2+ssl')
     depends_on('openssl@1.0.2:', when='@3.7:+ssl')  # https://docs.python.org/3/whatsnew/3.7.html#build-changes
     depends_on('sqlite@3.0.8:', when='+sqlite3')
     depends_on('gdbm', when='+dbm')  # alternatively ndbm or berkeley-db
@@ -196,17 +199,46 @@ def url_for_version(self, version):
         url = "https://www.python.org/ftp/python/{0}/Python-{1}.tgz"
         return url.format(re.split('[a-z]', str(version))[0], version)
 
-    @when('@2.7:2.8,3.4:')
+    # TODO: Ideally, these patches would be applied as separate '@run_before'
+    # functions enabled via '@when', but these two decorators don't work
+    # when used together. See: https://github.com/spack/spack/issues/12736
     def patch(self):
         # NOTE: Python's default installation procedure makes it possible for a
         # user's local configurations to change the Spack installation.  In
         # order to prevent this behavior for a full installation, we must
         # modify the installation script so that it ignores user files.
-        ff = FileFilter('Makefile.pre.in')
-        ff.filter(
-            r'^(.*)setup\.py(.*)((build)|(install))(.*)$',
-            r'\1setup.py\2 --no-user-cfg \3\6'
-        )
+        if self.spec.satisfies('@2.7:2.8,3.4:'):
+            ff = FileFilter('Makefile.pre.in')
+            ff.filter(
+                r'^(.*)setup\.py(.*)((build)|(install))(.*)$',
+                r'\1setup.py\2 --no-user-cfg \3\6'
+            )
+
+        # NOTE: Older versions of Python do not support the '--with-openssl'
+        # configuration option, so the installation's module setup file needs
+        # to be modified directly in order to point to the correct SSL path.
+        # See: https://stackoverflow.com/a/5939170
+        if self.spec.satisfies('@:3.6.999+ssl'):
+            ff = FileFilter(join_path('Modules', 'Setup.dist'))
+            ff.filter(r'^#(((SSL=)|(_ssl))(.*))$', r'\1')
+            ff.filter(r'^#((.*)(\$\(SSL\))(.*))$', r'\1')
+            ff.filter(
+                r'^SSL=(.*)$',
+                r'SSL={0}'.format(self.spec['openssl'].prefix)
+            )
+        # Because Python uses compiler system paths during install, it's
+        # possible to pick up a system OpenSSL when building 'python~ssl'.
+        # To avoid this scenario, we disable the 'ssl' module with patching.
+        elif self.spec.satisfies('@:3.6.999~ssl'):
+            ff = FileFilter('setup.py')
+            ff.filter(
+                r'^(\s+(ssl_((incs)|(libs)))\s+=\s+)(.*)$',
+                r'\1 None and \6'
+            )
+            ff.filter(
+                r'^(\s+(opensslv_h)\s+=\s+)(.*)$',
+                r'\1 None and \3'
+            )
 
     def setup_build_environment(self, env):
         spec = self.spec
@@ -291,8 +323,8 @@ def configure_args(self):
         if '+pic' in spec:
             config_args.append('CFLAGS={0}'.format(self.compiler.cc_pic_flag))
 
-        if spec.satisfies('@3.7:'):
-            if '+ssl' in spec:
+        if '+ssl' in spec:
+            if spec.satisfies('@3.7:'):
                 config_args.append('--with-openssl={0}'.format(
                     spec['openssl'].prefix))