Uploaded image for project: 'Python Driver'
  1. Python Driver
  2. PYTHON-2583

Bump minimum pymongocrypt version to 1.1

    XMLWordPrintableJSON

Details

    • Task
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 4.0
    • Encryption
    • None

    Description

      Azure, GCP, and temp AWS auth credentials all require pymongocrypt 1.1+. We should determine if we want to bump the minimum pymongocrypt version to 1.1 in setup.py or if we want to retain compatibility with pymongocrypt 1.0.

      Note that existing pymongo/CSFLE code is compatible. The only thing we would want to change is to raise informative errors when an app attempts to use Azure, GCP, or temp AWS auth credentials with pymongocrypt 1.0. If we bump the version requirement we don't need to add these checks.

      This issue is also discussed in PYTHON-2539 here: https://github.com/mongodb/mongo-python-driver/pull/569#pullrequestreview-592556017

      This is the error an app will see when attempting to temp AWS auth credentials (sessionToken) with pymongocrypt 1.0:

      Traceback (most recent call last):
        File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 77, in _wrap_encryption_errors
          yield
        File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 287, in encrypt
          encrypted_cmd = self._auto_encrypter.encrypt(database, encoded_cmd)
        File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/auto_encrypter.py", line 44, in encrypt
          return run_state_machine(ctx, self.callback)
        File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/state_machine.py", line 150, in run_state_machine
          callback.kms_request(kms_ctx)
        File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 133, in kms_request
          kms_context.feed(data)
        File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 533, in feed
          self.__raise_from_status()
        File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 542, in __raise_from_status
          raise exc
      pymongocrypt.errors.MongoCryptError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400
       
      During handling of the above exception, another exception occurred:
       
      Traceback (most recent call last):
        File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
          return f(*args, **kwargs)
        File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
          return f(*args, **kwargs)
        File "/Users/shane/git/mongo-python-driver/test/test_encryption.py", line 572, in run_scenario
          self.run_scenario(scenario_def, test)
        File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 548, in run_scenario
          self.run_test_ops(sessions, collection, test)
        File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 454, in run_test_ops
          self.run_operations(sessions, collection, test['operations'])
        File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 365, in run_operations
          self._run_op(sessions, collection, op, in_with_transaction)
        File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 355, in _run_op
          result = self.run_operation(sessions, collection, op.copy())
        File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 300, in run_operation
          result = cmd(**dict(arguments))
        File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 642, in insert_one
          self._insert_one(
        File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 592, in _insert_one
          self.__database.client._retryable_write(
        File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1411, in _retryable_write
          return self._retry_with_session(retryable, func, s, None)
        File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1297, in _retry_with_session
          return self._retry_internal(retryable, func, session, bulk)
        File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1329, in _retry_internal
          return func(session, sock_info, retryable)
        File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 580, in _insert_command
          result = sock_info.command(
        File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 690, in command
          self._raise_connection_failure(error)
        File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 674, in command
          return command(self, dbname, spec, slave_ok,
        File "/Users/shane/git/mongo-python-driver/pymongo/network.py", line 110, in command
          spec = orig = client._encrypter.encrypt(
        File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 293, in encrypt
          return encrypt_cmd
        File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/contextlib.py", line 131, in __exit__
          self.gen.throw(type, value, traceback)
        File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 83, in _wrap_encryption_errors
          raise EncryptionError(exc)
      pymongo.errors.EncryptionError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400
      

      This is the error an app will see when attempting to Azure or GCP with pymongocrypt 1.0:

      Traceback (most recent call last):
        File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
          return f(*args, **kwargs)
        File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
          return f(*args, **kwargs)
        File "/Users/shane/git/mongo-python-driver/test/test_encryption.py", line 551, in run_scenario
          self.run_scenario(scenario_def, test)
        File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 513, in run_scenario
          client = rs_client(
        File "/Users/shane/git/mongo-python-driver/test/utils.py", line 498, in rs_client
          return _mongo_client(h, p, **kwargs)
        File "/Users/shane/git/mongo-python-driver/test/utils.py", line 474, in _mongo_client
          client = MongoClient(_connection_string(host, authenticate), port,
        File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 753, in __init__
          self._encrypter = _Encrypter.create(
        File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 338, in create
          return _Encrypter(io_callbacks, opts)
        File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 264, in __init__
          self._auto_encrypter = AutoEncrypter(io_callbacks, MongoCryptOptions(
        File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/auto_encrypter.py", line 31, in __init__
          self.mongocrypt = MongoCrypt(mongo_crypt_opts)
        File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 104, in __init__
          self.__init()
        File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 142, in __init
          self.__raise_from_status()
        File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 151, in __raise_from_status
          raise exc
      pymongocrypt.errors.MongoCryptError: no kms provider set
      

      Attachments

        Activity

          People

            prashant.mital Prashant Mital (Inactive)
            shane.harvey@mongodb.com Shane Harvey
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: