[MONGOCRYPT-492] Return a clearer error if required KMS providers are not satisfied by `mongocrypt_ctx_provide_kms_providers` Created: 03/Nov/22  Updated: 28/Oct/23  Resolved: 17/Nov/22

Status: Closed
Project: Libmongocrypt
Component/s: None
Affects Version/s: None
Fix Version/s: 1.7.0, 1.7.0-alpha0

Type: Improvement Priority: Major - P3
Reporter: Kevin Albertson Assignee: Gil Alon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Binding Changes: Not Needed

 Description   

Scope

  • Return a clearer error if required KMS providers are not satisfied by mongocrypt_ctx_provide_kms_providers

Background & Motivation

The error observed in this patch build:

[2022/11/03 15:16:02.218]         {"error":"invalid_request","error_description":"AADSTS900023: Specified tenant identifier '(null)' is neither a valid DNS name, nor a valid external domain.\r\nTrace ID: b80dba1a-e591-482a-9368-99f17eae6e00\r\nCorrelation ID: 7a7d0c34-a27c-463d-8bb1-02563e1e373b\r\nTimestamp: 2022-11-03 15:16:01Z","error_codes":[900023],"timestamp":"2022-11-03 15:16:01Z","trace_id":"b80dba1a-e591-482a-9368-99f17eae6e00","correlation_id":"7a7d0c34-a27c-463d-8bb1-02563e1e373b","error_uri":"https://login.microsoftonline.com/error?code=900023"}
[2022/11/03 15:16:02.218]             at app//com.mongodb.crypt.capi.MongoKeyDecryptorImpl.throwExceptionFromStatus(MongoKeyDecryptorImpl.java:100)
[2022/11/03 15:16:02.218]             at app//com.mongodb.crypt.capi.MongoKeyDecryptorImpl.feed(MongoKeyDecryptorImpl.java:92)
[2022/11/03 15:16:02.218]             at app//com.mongodb.client.internal.Crypt.decryptKey(Crypt.java:357)
[2022/11/03 15:16:02.218]             at app//com.mongodb.client.internal.Crypt.decryptKeys(Crypt.java:339)

This appears to be due to the initial KMS providers being configured with:

{ "gcp": {} }

when creating a data key with the "azure" KMS provider.

Here is a repro in the C driver: https://spruce.mongodb.com/task/mongo_c_driver_testazurekms_variant_testazurekms_task_patch_a7cc359463dca30167f5ee8d149ba5b7ffb12dbc_6363eff63e8e865efa8c4ffe_22_11_03_16_44_39/logs?execution=1
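
The kind of check this ticket asks for, as an added example (not code from libmongocrypt or from this ticket): the data key's provider is validated against the configured providers before any KMS request is built, so the caller gets an error naming the provider. All type and function names are hypothetical, and modelling an empty document such as { "gcp": {} } as "credentials to be supplied on demand" is an assumption of the example.

```c
/* Added example: hypothetical names throughout, not libmongocrypt's API. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { KMS_ABSENT, KMS_ON_DEMAND, KMS_READY } kms_state;
typedef struct {
    const char *name;   /* "aws", "azure", "gcp", ... */
    kms_state state;    /* KMS_ON_DEMAND models an empty document (assumption) */
} kms_entry;

static kms_state lookup(const kms_entry *set, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(set[i].name, name) == 0)
            return set[i].state;
    return KMS_ABSENT;
}

/* Validate the data key's provider against the initial set and the set
 * supplied later on demand. Returns true when a KMS request may be built;
 * otherwise writes a message naming the provider into err. */
bool check_datakey_provider(const kms_entry *initial, size_t n_initial,
                            const kms_entry *provided, size_t n_provided,
                            const char *requested, char *err, size_t errlen) {
    kms_state init = lookup(initial, n_initial, requested);
    if (init == KMS_READY)
        return true;
    if (init == KMS_ABSENT) {
        snprintf(err, errlen, "data key requests KMS provider '%s', which is "
                 "not in the initially configured KMS providers", requested);
        return false;
    }
    /* Requested on demand: the later call must actually supply it. */
    if (lookup(provided, n_provided, requested) != KMS_READY) {
        snprintf(err, errlen, "KMS provider '%s' was requested on demand but "
                 "no credentials were provided for it", requested);
        return false;
    }
    return true;
}

int main(void) {
    /* Constructed input mirroring the ticket: { "gcp": {} } with an "azure" data key. */
    kms_entry initial[] = { { "gcp", KMS_ON_DEMAND } };
    char err[160] = "";
    if (!check_datakey_provider(initial, 1, NULL, 0, "azure", err, sizeof err))
        printf("error: %s\n", err);
    return 0;
}
```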



 Comments   
Comment by Githook User [ 17/Nov/22 ]

Author:

{'name': 'Gil Alon', 'email': '47804748+galon1@users.noreply.github.com', 'username': 'galon1'}

Message: MONGOCRYPT-492 Add check if datakey provider and the initial KMS provider set match (#498)
Branch: master
https://github.com/mongodb/libmongocrypt/commit/9d3ae270be47d4c9fd7bee0cc6f7bd447813d6ff

Generated at Thu Feb 08 09:08:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.