Libmongocrypt / MONGOCRYPT-244

ctx_datakey_init returns a vague error if mongocrypt is initialized with empty AWS credentials

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None

      To reproduce (code snippet using Ruby binding):

      mongocrypt = Mongo::Crypt::Binding.mongocrypt_new
      # Set crypto hooks if you're using a no-crypto version
      # Empty access key ID and empty secret access key (a length of -1 means NUL-terminated)
      Mongo::Crypt::Binding.mongocrypt_setopt_kms_provider_aws(mongocrypt, "", -1, "", -1)
      Mongo::Crypt::Binding.mongocrypt_init(mongocrypt)
      ctx = Mongo::Crypt::Binding.mongocrypt_ctx_new(mongocrypt)
      Mongo::Crypt::Binding.mongocrypt_ctx_setopt_masterkey_aws(ctx, "region", -1, "arn", -1)
      # The failure only surfaces here, when the data key context is initialized
      result = Mongo::Crypt::Binding.mongocrypt_ctx_datakey_init(ctx)
      # => false

      # Read the error recorded on the context
      status = Mongo::Crypt::Binding.mongocrypt_status_new
      Mongo::Crypt::Binding.mongocrypt_ctx_status(ctx, status)
      print Mongo::Crypt::Binding.mongocrypt_status_message(status, nil)
      # => failed to create KMS message

      In this case, the issue is that the AWS credentials provided are empty, but the error isn't discovered until you attempt to initialize the context, and the error message is extremely vague.

      I could think of improving this in two ways:

      1. Have mongocrypt_setopt_kms_provider_aws return an error if either the key or the secret is empty
      2. Improve the error message that is returned when trying to initialize the context to make it clear that the issue is with the AWS credentials.

            Assignee: Unassigned
            Reporter: Emily Giurleo (Inactive)
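The first suggestion in the report (fail when the credentials are set, and say which one is empty) as an added C example; it is not libmongocrypt code and not from the reporter. The names check_aws_credentials, resolve_len and the CRED_* codes are hypothetical, and the only convention assumed is that a length of -1 means a NUL-terminated string, as in the reproduction snippet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example; not libmongocrypt identifiers. */
enum cred_check { CRED_OK = 0, CRED_EMPTY_KEY_ID, CRED_EMPTY_SECRET, CRED_BAD_ARG };

/* Resolve a (ptr, len) pair where len == -1 means "NUL-terminated".
 * Returns the byte length, or -1 if the pair is unusable. */
static int64_t resolve_len(const char *s, int32_t len)
{
    if (s == NULL || len < -1)
        return -1;
    return len == -1 ? (int64_t)strlen(s) : (int64_t)len;
}

/* Reject empty AWS credentials at option-setting time and name the empty one. */
enum cred_check check_aws_credentials(const char *key_id, int32_t key_id_len,
                                      const char *secret, int32_t secret_len,
                                      char *msg, size_t msg_size)
{
    int64_t k = resolve_len(key_id, key_id_len);
    int64_t s = resolve_len(secret, secret_len);
    enum cred_check rc = CRED_OK;
    const char *text = "";
    if (k < 0 || s < 0) {
        rc = CRED_BAD_ARG;
        text = "invalid AWS credential argument (NULL pointer or length < -1)";
    } else if (k == 0) {
        rc = CRED_EMPTY_KEY_ID;
        text = "AWS access key ID is empty";
    } else if (s == 0) {
        rc = CRED_EMPTY_SECRET;
        text = "AWS secret access key is empty";
    }
    /* The message names the field only; credential values are never echoed. */
    if (msg != NULL && msg_size > 0)
        snprintf(msg, msg_size, "%s", text);
    return rc;
}

int main(void)
{
    char msg[96];
    /* Constructed input: the empty strings with length -1 from the report. */
    enum cred_check rc = check_aws_credentials("", -1, "", -1, msg, sizeof msg);
    printf("rc=%d msg=%s\n", (int)rc, msg);
    return rc == CRED_EMPTY_KEY_ID ? 0 : 1;
}
```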