[MONGOCRYPT-244] ctx_datakey_init returns a vague error if mongocrypt is initialized with empty AWS credentials
Created: 03/Feb/20  Updated: 30/Mar/22

Status: Backlog
Project: Libmongocrypt
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Emily Giurleo (Inactive)
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to MONGOCRYPT-257 KMS request error message should incl... Closed

 Description   

To reproduce (code snippet using Ruby binding):

require 'mongo'  # loads Mongo::Crypt::Binding (needs libmongocrypt available)

mongocrypt = Mongo::Crypt::Binding.mongocrypt_new
# Set crypto hooks if you're using a no-crypto version
# Empty access key ID and empty secret access key
Mongo::Crypt::Binding.mongocrypt_setopt_kms_provider_aws(mongocrypt, "", -1, "", -1)
Mongo::Crypt::Binding.mongocrypt_init(mongocrypt)
ctx = Mongo::Crypt::Binding.mongocrypt_ctx_new(mongocrypt)
Mongo::Crypt::Binding.mongocrypt_ctx_setopt_masterkey_aws(ctx, "region", -1, "arn", -1)
result = Mongo::Crypt::Binding.mongocrypt_ctx_datakey_init(ctx)
  # => false

# Read the error recorded on the context
status = Mongo::Crypt::Binding.mongocrypt_status_new
Mongo::Crypt::Binding.mongocrypt_ctx_status(ctx, status)
print Mongo::Crypt::Binding.mongocrypt_status_message(status, nil)
  # => failed to create KMS message

In this case, the issue is that the AWS credentials provided are empty, but the error isn't discovered until you attempt to initialize the context, and the error message is extremely vague.

I could think of improving this in two ways:

  1. Have mongocrypt_setopt_kms_provider_aws error if either the key or the secret is empty
  2. Improve the error message that is returned when trying to initialize the context to make it clear that the issue is with the AWS credentials.
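
One way suggestion 1 could look in C, added here as an example; it is not libmongocrypt code and not code from the reporter. The names `check_aws_credentials` and `effective_len` are hypothetical, and it assumes the C API convention that a length of -1 means the string is NUL-terminated. The error names the empty field without echoing any credential value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libmongocrypt code: effective length of a
 * (pointer, length) string argument where a length of -1 means the
 * string is NUL-terminated, as in the reproduction above.
 * Returns -1 for a NULL pointer or any other negative length. */
static int64_t effective_len(const char *s, int32_t len)
{
    if (s == NULL || len < -1)
        return -1;
    return len == -1 ? (int64_t)strlen(s) : (int64_t)len;
}

/* Hypothetical fail-fast check for suggestion 1. Returns 1 when both
 * credentials are non-empty; otherwise returns 0 and writes a message
 * to err that names the offending field but never echoes its value. */
int check_aws_credentials(const char *key_id, int32_t key_id_len,
                          const char *secret, int32_t secret_len,
                          char *err, size_t err_size)
{
    const char *field = NULL;
    const char *why = "is empty";
    int64_t n;

    n = effective_len(key_id, key_id_len);
    if (n <= 0) {
        field = "AWS access key ID";
        if (n < 0)
            why = "is NULL or has an invalid length";
    } else if ((n = effective_len(secret, secret_len)) <= 0) {
        field = "AWS secret access key";
        if (n < 0)
            why = "is NULL or has an invalid length";
    }

    if (field == NULL) {
        if (err != NULL && err_size > 0)
            err[0] = '\0';          /* both credentials present */
        return 1;
    }
    snprintf(err, err_size, "invalid KMS provider options: %s %s",
             field, why);
    return 0;
}
```
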


 Comments   
Comment by Shane Harvey [ 20/Oct/20 ]

This issue might be solved by MONGOCRYPT-257.
