- Type: Task
- Resolution: Gone away
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: Docs, pymongocrypt
If a Python 2 user provides the GCP privateKey field as base64-encoded bytes (i.e. str), then pymongocrypt will perform another round of base64 encoding and the app will fail to encrypt/decrypt with these errors:
[2020/10/29 03:38:33.897] ======================================================================
[2020/10/29 03:38:33.897] ERROR: test_automatic (test_encryption.TestGCPEncryption)
[2020/10/29 03:38:33.897] ----------------------------------------------------------------------
[2020/10/29 03:38:33.897] Traceback (most recent call last):
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/test/test_encryption.py", line 1232, in test_automatic
[2020/10/29 03:38:33.897] expected_document_extjson, {"secret_gcp": "test"})
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/test/test_encryption.py", line 1160, in _test_automatic
[2020/10/29 03:38:33.897] coll.insert_one(payload)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/collection.py", line 701, in insert_one
[2020/10/29 03:38:33.897] session=session),
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/collection.py", line 615, in _insert
[2020/10/29 03:38:33.897] bypass_doc_val, session)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/collection.py", line 603, in _insert_one
[2020/10/29 03:38:33.897] acknowledged, _insert_command, session)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/mongo_client.py", line 1498, in _retryable_write
[2020/10/29 03:38:33.897] return self._retry_with_session(retryable, func, s, None)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/mongo_client.py", line 1384, in _retry_with_session
[2020/10/29 03:38:33.897] return self._retry_internal(retryable, func, session, bulk)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/mongo_client.py", line 1416, in _retry_internal
[2020/10/29 03:38:33.897] return func(session, sock_info, retryable)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/collection.py", line 598, in _insert_command
[2020/10/29 03:38:33.897] retryable_write=retryable_write)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/pool.py", line 699, in command
[2020/10/29 03:38:33.897] self._raise_connection_failure(error)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/pool.py", line 694, in command
[2020/10/29 03:38:33.897] exhaust_allowed=exhaust_allowed)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/network.py", line 113, in command
[2020/10/29 03:38:33.897] dbname, spec, check_keys, codec_options)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/encryption.py", line 279, in encrypt
[2020/10/29 03:38:33.897] return encrypt_cmd
[2020/10/29 03:38:33.897] File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
[2020/10/29 03:38:33.897] self.gen.throw(type, value, traceback)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/encryption.py", line 79, in _wrap_encryption_errors
[2020/10/29 03:38:33.897] raise EncryptionError(exc)
[2020/10/29 03:38:33.897] EncryptionError: error constructing KMS message: Failed to create GCP oauth request signature
[2020/10/29 03:38:33.897] ======================================================================
[2020/10/29 03:38:33.897] ERROR: test_explicit (test_encryption.TestGCPEncryption)
[2020/10/29 03:38:33.897] ----------------------------------------------------------------------
[2020/10/29 03:38:33.897] Traceback (most recent call last):
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/test/test_encryption.py", line 1222, in test_explicit
[2020/10/29 03:38:33.897] 'AaLFPEi8SURzjW5fDoeaPnoCGcOFAmFOPpn5584VPJJ8iXIgml3YDxMRZD9IWv5otyoft8fBzL1LsDEp0lTeB32cV1gOj0IYeAKHhGIleuHZtA==')
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/test/test_encryption.py", line 1132, in _test_explicit
[2020/10/29 03:38:33.897] key_id=Binary.from_uuid(self.DEK['_id'], STANDARD))
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/encryption.py", line 505, in encrypt
[2020/10/29 03:38:33.897] return decode(encrypted_doc)['v']
[2020/10/29 03:38:33.897] File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
[2020/10/29 03:38:33.897] self.gen.throw(type, value, traceback)
[2020/10/29 03:38:33.897] File "/data/mci/3df8cb060a25f661650d096543c532ad/src/pymongo/encryption.py", line 79, in _wrap_encryption_errors
[2020/10/29 03:38:33.897] raise EncryptionError(exc)
[2020/10/29 03:38:33.897] EncryptionError: error constructing KMS message: Failed to create GCP oauth request signature
We should document this pitfall and suggest the proper behavior. The app can either:
- Pass the base64-decoded privateKey field as bytes (str on Python 2), or
- Pass the base64-encoded privateKey field as unicode.
Note that a similar problem exists for the kms_providers.local.key field, except that the user gets a different error. We should document this error as well.
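The following is an added example, not code from pymongocrypt or from this ticket: a pre-flight check that counts how many base64 layers wrap a key before it is handed to the driver, covering both the GCP privateKey and the local key. `model_provider_encoding` is a simplified model of the behavior described above (Python 3 `bytes`/`str` stand in for Python 2 `str`/`unicode`), the sample keys are constructed, and the DER-prefix test for the GCP key is an assumption about its format.

```python
import base64
import binascii

def model_provider_encoding(value):
    """Simplified model of the described behavior: bytes are treated as raw
    key material and base64-encoded; text is assumed to be base64 already."""
    if isinstance(value, bytes):
        return base64.b64encode(value).decode("ascii")
    return value

def _strict_b64decode(data):
    # validate=True rejects non-alphabet characters instead of skipping them.
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None

def encoding_layers(wire_value, is_raw_key, max_layers=3):
    """Return how many base64 layers wrap the raw key in wire_value,
    or None if no raw key is found within max_layers decodes."""
    data = wire_value
    for layers in range(1, max_layers + 1):
        data = _strict_b64decode(data)
        if data is None:
            return None
        if is_raw_key(data):
            return layers
    return None

def is_local_key(raw):
    # The local KMS provider master key is 96 bytes long.
    return len(raw) == 96

def is_der_sequence(raw):
    # Assumption: the GCP private key is DER, which starts with the
    # ASN.1 SEQUENCE tag 0x30 (base64 text then starts with "M").
    return raw[:1] == b"\x30"

# Constructed sample material, not real keys.
RAW_LOCAL = bytes(range(96))
RAW_GCP = b"\x30\x82\x01\x00" + bytes(60)

def classify(raw, is_raw_key):
    """Layer counts for the two supported inputs and for the pitfall."""
    b64_bytes = base64.b64encode(raw)
    return {
        "decoded_bytes": encoding_layers(model_provider_encoding(raw), is_raw_key),
        "encoded_text": encoding_layers(model_provider_encoding(b64_bytes.decode("ascii")), is_raw_key),
        "encoded_bytes_pitfall": encoding_layers(model_provider_encoding(b64_bytes), is_raw_key),
    }
```

A result of 1 means the value reaches the KMS layer in the expected form; 2 is the double encoding this ticket describes.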