mirrors/mongodb
mirrors/mongodb
0
0
Fork 0
mirror of https://github.com/mongodb/mongo.git synced 2024-12-01 09:32:32 +01:00
Code Issues Releases Activity

SERVER-44721 Parse AWS responses as non-strict, ignore unexpected fields

Browse Source
This commit is contained in:
Mark Benvenuto 2019-11-19 16:37:56 +00:00 committed by evergreen
parent 880ae5c3e0
commit 60c957304e
3 changed files with 26 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
jstests/client_encrypt/lib/kms_http_server.py
View File

@ -212,7 +212,7 @@ class AwsKmsHandler(http.server.BaseHTTPRequestHandler):
elif fault_type == FAULT_ENCRYPT_CORRECT_FORMAT:
response = {
"__type" : "NotFoundException",
"message" : "Error encrypting message",
"Message" : "Error encrypting message",
}
self._send_reply(json.dumps(response).encode('utf-8'))
@ -259,7 +259,7 @@ class AwsKmsHandler(http.server.BaseHTTPRequestHandler):
elif fault_type == FAULT_DECRYPT_CORRECT_FORMAT:
response = {
"__type" : "NotFoundException",
"message" : "Error decrypting message",
"Message" : "Error decrypting message",
}
self._send_reply(json.dumps(response).encode('utf-8'))

6
src/mongo/shell/kms.idl
View File

@ -43,11 +43,12 @@ enums:
structs:
awsKMSError:
description: "AWS KMS error"
strict: false
fields:
__type:
type: string
cpp_name: type
message: string
Message: string
# Options passed to Mongo() javascript constructor
awsKMS:
@ -97,6 +98,7 @@ structs:
awsEncryptResponse:
description: "Response from AWS KMS Encrypt request, i.e. TrentService.Encrypt"
strict: false
fields:
CiphertextBlob:
type: string
@ -105,6 +107,8 @@ structs:
awsDecryptResponse:
description: "Response from AWS KMS Decrypt request, i.e. TrentService.Decrypt"
# Nov 13, 2019 they added EncryptionAlgorithm but it is not documented
strict: false
fields:
Plaintext:
type: string

24
src/mongo/shell/kms_aws.cpp
View File

@ -219,14 +219,21 @@ std::vector<uint8_t> AWSKMSService::encrypt(ConstDataRange cdr, StringData kmsKe
auto field = obj["__type"];
if (!field.eoo()) {
auto awsResponse = AwsKMSError::parse(IDLParserErrorContext("root"), obj);
AwsKMSError awsResponse;
try {
awsResponse = AwsKMSError::parse(IDLParserErrorContext("awsEncryptError"), obj);
} catch (DBException& dbe) {
uasserted(51274,
str::stream() << "AWS KMS failed to parse error message: " << dbe.toString()
<< ", Response : " << obj);
}
uasserted(51224,
str::stream() << "AWS KMS failed to encrypt: " << awsResponse.getType() << " : "
<< awsResponse.getMessage());
}
auto awsResponse = AwsEncryptResponse::parse(IDLParserErrorContext("root"), obj);
auto awsResponse = AwsEncryptResponse::parse(IDLParserErrorContext("awsEncryptResponse"), obj);
auto blobStr = base64::decode(awsResponse.getCiphertextBlob().toString());
@ -249,7 +256,7 @@ BSONObj AWSKMSService::encryptDataKey(ConstDataRange cdr, StringData keyId) {
}
SecureVector<uint8_t> AWSKMSService::decrypt(ConstDataRange cdr, BSONObj masterKey) {
auto awsMasterKey = AwsMasterKey::parse(IDLParserErrorContext("root"), masterKey);
auto awsMasterKey = AwsMasterKey::parse(IDLParserErrorContext("awsMasterKey"), masterKey);
auto request = UniqueKmsRequest(kms_decrypt_request_new(
reinterpret_cast<const uint8_t*>(cdr.data()), cdr.length(), nullptr));
@ -272,14 +279,21 @@ SecureVector<uint8_t> AWSKMSService::decrypt(ConstDataRange cdr, BSONObj masterK
auto field = obj["__type"];
if (!field.eoo()) {
auto awsResponse = AwsKMSError::parse(IDLParserErrorContext("root"), obj);
AwsKMSError awsResponse;
try {
awsResponse = AwsKMSError::parse(IDLParserErrorContext("awsDecryptError"), obj);
} catch (DBException& dbe) {
uasserted(51275,
str::stream() << "AWS KMS failed to parse error message: " << dbe.toString()
<< ", Response : " << obj);
}
uasserted(51225,
str::stream() << "AWS KMS failed to decrypt: " << awsResponse.getType() << " : "
<< awsResponse.getMessage());
}
auto awsResponse = AwsDecryptResponse::parse(IDLParserErrorContext("root"), obj);
auto awsResponse = AwsDecryptResponse::parse(IDLParserErrorContext("awsDecryptResponse"), obj);
auto blobStr = base64::decode(awsResponse.getPlaintext().toString());