Bump minimum pymongocrypt version to 1.1

XMLWordPrintableJSON

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 4.0
    • Affects Version/s: None
    • Component/s: Encryption
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Azure, GCP, and temp AWS auth credentials all require pymongocrypt 1.1+. We should determine if we want to bump the minimum pymongocrypt version to 1.1 in setup.py or if we want to retain compatibility with pymongocrypt 1.0.

      Note that existing pymongo/CSFLE code is compatible. The only thing we would want to change is to raise informative errors when an app attempts to use Azure, GCP, or temp AWS auth credentials with pymongocrypt 1.0. If we bump the version requirement we don't need to add these checks.

      This issue is also discussed in PYTHON-2539 here: https://github.com/mongodb/mongo-python-driver/pull/569#pullrequestreview-592556017

      This is the error an app will see when attempting to temp AWS auth credentials (sessionToken) with pymongocrypt 1.0:

      Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 77, in _wrap_encryption_errors
    yield
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 287, in encrypt
    encrypted_cmd = self._auto_encrypter.encrypt(database, encoded_cmd)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/auto_encrypter.py", line 44, in encrypt
    return run_state_machine(ctx, self.callback)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/state_machine.py", line 150, in run_state_machine
    callback.kms_request(kms_ctx)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 133, in kms_request
    kms_context.feed(data)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 533, in feed
    self.__raise_from_status()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 542, in __raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/test_encryption.py", line 572, in run_scenario
    self.run_scenario(scenario_def, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 548, in run_scenario
    self.run_test_ops(sessions, collection, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 454, in run_test_ops
    self.run_operations(sessions, collection, test['operations'])
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 365, in run_operations
    self._run_op(sessions, collection, op, in_with_transaction)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 355, in _run_op
    result = self.run_operation(sessions, collection, op.copy())
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 300, in run_operation
    result = cmd(**dict(arguments))
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 642, in insert_one
    self._insert_one(
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 592, in _insert_one
    self.__database.client._retryable_write(
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1411, in _retryable_write
    return self._retry_with_session(retryable, func, s, None)
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1297, in _retry_with_session
    return self._retry_internal(retryable, func, session, bulk)
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1329, in _retry_internal
    return func(session, sock_info, retryable)
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 580, in _insert_command
    result = sock_info.command(
  File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 690, in command
    self._raise_connection_failure(error)
  File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 674, in command
    return command(self, dbname, spec, slave_ok,
  File "/Users/shane/git/mongo-python-driver/pymongo/network.py", line 110, in command
    spec = orig = client._encrypter.encrypt(
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 293, in encrypt
    return encrypt_cmd
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/contextlib.py", line 131, in __exit__
    self.gen.throw(type, value, traceback)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 83, in _wrap_encryption_errors
    raise EncryptionError(exc)
pymongo.errors.EncryptionError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400

      This is the error an app will see when attempting to Azure or GCP with pymongocrypt 1.0:

      Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/test_encryption.py", line 551, in run_scenario
    self.run_scenario(scenario_def, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 513, in run_scenario
    client = rs_client(
  File "/Users/shane/git/mongo-python-driver/test/utils.py", line 498, in rs_client
    return _mongo_client(h, p, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/utils.py", line 474, in _mongo_client
    client = MongoClient(_connection_string(host, authenticate), port,
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 753, in __init__
    self._encrypter = _Encrypter.create(
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 338, in create
    return _Encrypter(io_callbacks, opts)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 264, in __init__
    self._auto_encrypter = AutoEncrypter(io_callbacks, MongoCryptOptions(
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/auto_encrypter.py", line 31, in __init__
    self.mongocrypt = MongoCrypt(mongo_crypt_opts)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 104, in __init__
    self.__init()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 142, in __init
    self.__raise_from_status()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 151, in __raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: no kms provider set

              Assignee:
              Prashant Mital (Inactive)
              Reporter:
              Shane Harvey
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: