Libmongocrypt / MONGOCRYPT-257

KMS request error message should include information about what failed

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.1.0
    • Affects Version/s: None
    • Component/s: None
    • None

      When libmongocrypt fails to create a KMS request it sets the status error message to something like "failed to create KMS message". This is great but it does not give us any information about the underlying cause of the failure. For example, if the underlying issue is that a driver crypto callback fails, we set a status message to inform libmongocrypt of the error. Instead, libmongocrypt ignores the driver's error message and simply returns "failed to create KMS message":

      ERROR: test_decrypt (test.test_mongocrypt.TestMongoCrypt)
      ----------------------------------------------------------------------
      Traceback (most recent call last):
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 191, in test_decrypt
          self._test_kms_context(ctx)
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 136, in _test_kms_context
          ctx.add_mongo_operation_result(bson_data('key-document.json'))
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 286, in add_mongo_operation_result
          self._raise_from_status()
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
          raise exc
      pymongocrypt.errors.MongoCryptError: failed to create KMS message
      

      In some places libmongocrypt helpfully forwards this error along. For example, here the Python aes_256_cbc_encrypt callback fails and we include the entire traceback in the error message:

      ERROR: test_data_key_creation (test.test_mongocrypt.TestExplicitEncryption)
      ----------------------------------------------------------------------
      Traceback (most recent call last):
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 337, in test_data_key_creation
          key_alt_names=key_alt_names)
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/explicit_encrypter.py", line 112, in create_data_key
          with self.mongocrypt.data_key_context(kms_provider, opts) as ctx:
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 228, in data_key_context
          return DataKeyContext(self._create_context(), kms_provider, opts)
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 472, in __init__
          self._raise_from_status()
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
          raise exc
      pymongocrypt.errors.MongoCryptError: Traceback (most recent call last):
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/crypto.py", line 53, in aes_256_cbc_encrypt
          backend=default_backend())
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
          from cryptography.hazmat.backends.openssl.backend import backend
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
          from cryptography.hazmat.backends.openssl.backend import backend
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py", line 75, in <module>
          from cryptography.hazmat.bindings.openssl import binding
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 205, in <module>
          _verify_openssl_version(Binding.lib)
        File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 169, in _verify_openssl_version
          "You are linking against OpenSSL 1.0.1, which is no longer "
      RuntimeError: You are linking against OpenSSL 1.0.1, which is no longer supported by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.
      

      I think KMS failures should also keep the original error message intact (or include the original error message) similar to data key failures.

            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            shane.harvey@mongodb.com Shane Harvey
            Votes:
            0
            Watchers:
            4
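
The difference the report describes, as an added C example that is not libmongocrypt's code: status_t, crypto_hook_fn and both kms_request_create_* functions are hypothetical names, and the failing hook is constructed to report the OpenSSL error quoted in the second traceback. The first wrapper discards the hook's status; the second keeps the generic prefix and appends the cause.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status object standing in for a library status handle. */
typedef struct { bool ok; char msg[256]; } status_t;
/* Hypothetical driver crypto hook: returns false and explains why in st. */
typedef bool (*crypto_hook_fn)(status_t *st);

static void status_set(status_t *st, const char *msg) {
    st->ok = false;
    snprintf(st->msg, sizeof st->msg, "%s", msg);
}

/* Constructed failing hook, modelled on the OpenSSL error in the report. */
bool failing_hook(status_t *st) {
    status_set(st, "RuntimeError: You are linking against OpenSSL 1.0.1");
    return false;
}

/* Behaviour the report complains about: the hook's message is dropped. */
bool kms_request_create_lossy(crypto_hook_fn hook, status_t *st) {
    status_t hook_st = { true, "" };
    if (!hook(&hook_st)) {
        status_set(st, "failed to create KMS message");
        return false;
    }
    return true;
}

/* Requested behaviour: generic prefix plus the hook's own cause. */
bool kms_request_create_chained(crypto_hook_fn hook, status_t *st) {
    status_t hook_st = { true, "" };
    if (!hook(&hook_st)) {
        st->ok = false;
        /* %.200s bounds the cause so prefix + cause always fit in msg. */
        snprintf(st->msg, sizeof st->msg, "failed to create KMS message: %.200s",
                 hook_st.msg[0] ? hook_st.msg : "(no detail from crypto hook)");
        return false;
    }
    return true;
}

int main(void) {
    status_t a = { true, "" }, b = { true, "" };
    kms_request_create_lossy(failing_hook, &a);
    kms_request_create_chained(failing_hook, &b);
    printf("lossy:   %s\nchained: %s\n", a.msg, b.msg);
    return 0;
}
```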
