-
Type: Task
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: Encryption
-
None
Azure, GCP, and temp AWS auth credentials all require pymongocrypt 1.1+. We should determine if we want to bump the minimum pymongocrypt version to 1.1 in setup.py or if we want to retain compatibility with pymongocrypt 1.0.
Note that existing pymongo/CSFLE code is compatible. The only thing we would want to change is to raise informative errors when an app attempts to use Azure, GCP, or temp AWS auth credentials with pymongocrypt 1.0. If we bump the version requirement we don't need to add these checks.
This issue is also discussed in PYTHON-2539 here: https://github.com/mongodb/mongo-python-driver/pull/569#pullrequestreview-592556017
This is the error an app will see when attempting to use temp AWS auth credentials (sessionToken) with pymongocrypt 1.0:
Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 77, in _wrap_encryption_errors
    yield
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 287, in encrypt
    encrypted_cmd = self._auto_encrypter.encrypt(database, encoded_cmd)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/auto_encrypter.py", line 44, in encrypt
    return run_state_machine(ctx, self.callback)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/state_machine.py", line 150, in run_state_machine
    callback.kms_request(kms_ctx)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 133, in kms_request
    kms_context.feed(data)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 533, in feed
    self.__raise_from_status()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 542, in __raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/test_encryption.py", line 572, in run_scenario
    self.run_scenario(scenario_def, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 548, in run_scenario
    self.run_test_ops(sessions, collection, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 454, in run_test_ops
    self.run_operations(sessions, collection, test['operations'])
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 365, in run_operations
    self._run_op(sessions, collection, op, in_with_transaction)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 355, in _run_op
    result = self.run_operation(sessions, collection, op.copy())
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 300, in run_operation
    result = cmd(**dict(arguments))
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 642, in insert_one
    self._insert_one(
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 592, in _insert_one
    self.__database.client._retryable_write(
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1411, in _retryable_write
    return self._retry_with_session(retryable, func, s, None)
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1297, in _retry_with_session
    return self._retry_internal(retryable, func, session, bulk)
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 1329, in _retry_internal
    return func(session, sock_info, retryable)
  File "/Users/shane/git/mongo-python-driver/pymongo/collection.py", line 580, in _insert_command
    result = sock_info.command(
  File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 690, in command
    self._raise_connection_failure(error)
  File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 674, in command
    return command(self, dbname, spec, slave_ok,
  File "/Users/shane/git/mongo-python-driver/pymongo/network.py", line 110, in command
    spec = orig = client._encrypter.encrypt(
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 293, in encrypt
    return encrypt_cmd
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/contextlib.py", line 131, in __exit__
    self.gen.throw(type, value, traceback)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 83, in _wrap_encryption_errors
    raise EncryptionError(exc)
pymongo.errors.EncryptionError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400
This is the error an app will see when attempting to use Azure or GCP with pymongocrypt 1.0:
Traceback (most recent call last):
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/__init__.py", line 485, in wrap
    return f(*args, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/test_encryption.py", line 551, in run_scenario
    self.run_scenario(scenario_def, test)
  File "/Users/shane/git/mongo-python-driver/test/utils_spec_runner.py", line 513, in run_scenario
    client = rs_client(
  File "/Users/shane/git/mongo-python-driver/test/utils.py", line 498, in rs_client
    return _mongo_client(h, p, **kwargs)
  File "/Users/shane/git/mongo-python-driver/test/utils.py", line 474, in _mongo_client
    client = MongoClient(_connection_string(host, authenticate), port,
  File "/Users/shane/git/mongo-python-driver/pymongo/mongo_client.py", line 753, in __init__
    self._encrypter = _Encrypter.create(
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 338, in create
    return _Encrypter(io_callbacks, opts)
  File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 264, in __init__
    self._auto_encrypter = AutoEncrypter(io_callbacks, MongoCryptOptions(
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/auto_encrypter.py", line 31, in __init__
    self.mongocrypt = MongoCrypt(mongo_crypt_opts)
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 104, in __init__
    self.__init()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 142, in __init
    self.__raise_from_status()
  File "/Users/shane/pymongo-pycharm-3.8/lib/python3.8/site-packages/pymongocrypt/mongocrypt.py", line 151, in __raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: no kms provider set