Details
-
Task
-
Status: Closed
-
Major - P3
-
Resolution: Fixed
Description
Azure, GCP, and temporary AWS auth credentials all require pymongocrypt 1.1+. We should decide whether to bump the minimum pymongocrypt version to 1.1 in setup.py or to retain compatibility with pymongocrypt 1.0.
Note that existing pymongo/CSFLE code is compatible. The only thing we would want to change is to raise informative errors when an app attempts to use Azure, GCP, or temporary AWS auth credentials with pymongocrypt 1.0; as the tracebacks below show, the errors raised today do not mention the pymongocrypt version as the cause. If we bump the version requirement we don't need to add these checks.
This issue is also discussed in PYTHON-2539 here: https://github.com/mongodb/mongo-python-driver/pull/569#pullrequestreview-592556017
This is the error an app will see when attempting to use temporary AWS auth credentials (sessionToken) with pymongocrypt 1.0:
Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 77, in _wrap_encryption_errors
    yield
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 287, in encrypt
    encrypted_cmd = self._auto_encrypter.encrypt(database, encoded_cmd)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/auto_encrypter.py", line 44, in encrypt
    return run_state_machine(ctx, self.callback)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/state_machine.py", line 150, in run_state_machine
    callback.kms_request(kms_ctx)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 133, in kms_request
    kms_context.feed(data)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 533, in feed
    self.__raise_from_status()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 542, in __raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/test_encryption.py", line 572, in run_scenario
    self.run_scenario(scenario_def, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 548, in run_scenario
    self.run_test_ops(sessions, collection, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 454, in run_test_ops
    self.run_operations(sessions, collection, test['operations'])
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 365, in run_operations
    self._run_op(sessions, collection, op, in_with_transaction)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 355, in _run_op
    result = self.run_operation(sessions, collection, op.copy())
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 300, in run_operation
    result = cmd(**dict(arguments))
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 642, in insert_one
    self._insert_one(
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 592, in _insert_one
    self.__database.client._retryable_write(
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1411, in _retryable_write
    return self._retry_with_session(retryable, func, s, None)
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1297, in _retry_with_session
    return self._retry_internal(retryable, func, session, bulk)
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1329, in _retry_internal
    return func(session, sock_info, retryable)
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 580, in _insert_command
    result = sock_info.command(
  File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 690, in command
    self._raise_connection_failure(error)
  File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 674, in command
    return command(self, dbname, spec, slave_ok,
  File "/Users/shane/git/mongo-python-driver/pymongo/network.py", line 110, in command
    spec = orig = client._encrypter.encrypt(
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 293, in encrypt
    return encrypt_cmd
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/contextlib.py", line 131, in __exit__
    self.gen.throw(type, value, traceback)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 83, in _wrap_encryption_errors
    raise EncryptionError(exc)
pymongo.errors.EncryptionError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400
This is the error an app will see when attempting to use Azure or GCP with pymongocrypt 1.0:
Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/test_encryption.py", line 551, in run_scenario
    self.run_scenario(scenario_def, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 513, in run_scenario
    client = rs_client(
  File "/Users/shane/git/mongo-python-driver/test/utils.py", line 498, in rs_client
    return _mongo_client(h, p, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/utils.py", line 474, in _mongo_client
    client = MongoClient(_connection_string(host, authenticate), port,
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 753, in __init__
    self._encrypter = _Encrypter.create(
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 338, in create
    return _Encrypter(io_callbacks, opts)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 264, in __init__
    self._auto_encrypter = AutoEncrypter(io_callbacks, MongoCryptOptions(
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/auto_encrypter.py", line 31, in __init__
    self.mongocrypt = MongoCrypt(mongo_crypt_opts)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 104, in __init__
    self.__init()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 142, in __init
    self.__raise_from_status()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 151, in __raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: no kms provider set