authorMark Benvenuto <mark.benvenuto@mongodb.com>2019-11-19 19:09:01 +0000
committerevergreen <evergreen@mongodb.com>2019-11-19 19:09:01 +0000
commit73824d8184558686190262e81fc8b55274d4a644 (patch)
tree6ce1930db5a0ef9673e2709d135013f9d3f7877f
parent23ebd3daa3a9ca8f5a1a495caa9e1bb1bc4563cf (diff)
downloadmongo-73824d8184558686190262e81fc8b55274d4a644.tar.gz
SERVER-44721 Parse AWS responses as non-strict, ignore unexpected fields
(cherry picked from commit 60c957304e503dbca360838627cf0f8402764929)
-rwxr-xr-xjstests/client_encrypt/lib/kms_http_server.py4
-rw-r--r--src/mongo/shell/kms.idl6
-rw-r--r--src/mongo/shell/kms_aws.cpp24
3 files changed, 26 insertions, 8 deletions
diff --git a/jstests/client_encrypt/lib/kms_http_server.py b/jstests/client_encrypt/lib/kms_http_server.py
index 57b855a818a..2bf5b574c74 100755
--- a/jstests/client_encrypt/lib/kms_http_server.py
+++ b/jstests/client_encrypt/lib/kms_http_server.py
@@ -212,7 +212,7 @@ class AwsKmsHandler(http.server.BaseHTTPRequestHandler):
elif fault_type == FAULT_ENCRYPT_CORRECT_FORMAT:
response = {
"__type" : "NotFoundException",
- "message" : "Error encrypting message",
+ "Message" : "Error encrypting message",
}
self._send_reply(json.dumps(response).encode('utf-8'))
@@ -259,7 +259,7 @@ class AwsKmsHandler(http.server.BaseHTTPRequestHandler):
elif fault_type == FAULT_DECRYPT_CORRECT_FORMAT:
response = {
"__type" : "NotFoundException",
- "message" : "Error decrypting message",
+ "Message" : "Error decrypting message",
}
self._send_reply(json.dumps(response).encode('utf-8'))
diff --git a/src/mongo/shell/kms.idl b/src/mongo/shell/kms.idl
index 0f37073f351..5cd0f6284a7 100644
--- a/src/mongo/shell/kms.idl
+++ b/src/mongo/shell/kms.idl
@@ -43,11 +43,12 @@ enums:
structs:
awsKMSError:
description: "AWS KMS error"
+ strict: false
fields:
__type:
type: string
cpp_name: type
- message: string
+ Message: string
# Options passed to Mongo() javascript constructor
awsKMS:
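Review bot: The renamed `Message: string` field in `awsKMSError` is still required, so an AWS error body that carries the lowercase `message` key (the spelling the previous IDL and test fixture used) would now fail to parse and be reported through the new generic parse-failure path instead of as a typed KMS error. AWS JSON error bodies are not consistent about the casing of this key across error types, so if both spellings can reach this parser it would be safer to add `optional: true` under `Message` and keep a lowercase `message` field alongside it, then pick whichever is present when building the error text. Turning on `strict: false` for an error struct is fine here: ignoring unknown keys in an error body does not relax any check the client relies on.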
@@ -97,6 +98,7 @@ structs:
awsEncryptResponse:
description: "Response from AWS KMS Encrypt request, i.e. TrentService.Encrypt"
+ strict: false
fields:
CiphertextBlob:
type: string
@@ -105,6 +107,8 @@ structs:
awsDecryptResponse:
description: "Response from AWS KMS Decrypt request, i.e. TrentService.Decrypt"
+ # Nov 13, 2019 they added EncryptionAlgorithm but it is not documented
+ strict: false
fields:
Plaintext:
type: string
diff --git a/src/mongo/shell/kms_aws.cpp b/src/mongo/shell/kms_aws.cpp
index 34b185a4f62..307789d73c2 100644
--- a/src/mongo/shell/kms_aws.cpp
+++ b/src/mongo/shell/kms_aws.cpp
@@ -268,14 +268,21 @@ std::vector<uint8_t> AWSKMSService::encrypt(ConstDataRange cdr, StringData kmsKe
auto field = obj["__type"];
if (!field.eoo()) {
- auto awsResponse = AwsKMSError::parse(IDLParserErrorContext("root"), obj);
+ AwsKMSError awsResponse;
+ try {
+ awsResponse = AwsKMSError::parse(IDLParserErrorContext("awsEncryptError"), obj);
+ } catch (DBException& dbe) {
+ uasserted(51274,
+ str::stream() << "AWS KMS failed to parse error message: " << dbe.toString()
+ << ", Response : " << obj);
+ }
uasserted(51224,
str::stream() << "AWS KMS failed to encrypt: " << awsResponse.getType() << " : "
<< awsResponse.getMessage());
}
- auto awsResponse = AwsEncryptResponse::parse(IDLParserErrorContext("root"), obj);
+ auto awsResponse = AwsEncryptResponse::parse(IDLParserErrorContext("awsEncryptResponse"), obj);
auto blobStr = base64::decode(awsResponse.getCiphertextBlob().toString());
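Review bot: The new `catch (DBException& dbe)` near the top of the hunk binds the exception by non-const reference although the handler only calls `dbe.toString()`; `catch (const DBException& dbe)` is the conventional form, and the same applies to the identical block in the decrypt hunk at `@@ -321,14 +328,21 @@`. Keeping the 51224 `uasserted` after the try block rather than inside it is correct, since inside the try the catch would rewrap the genuine KMS error as a parse failure, and a short comment would protect that placement from a later refactor: `// Only the parse is guarded; the KMS error below must not be caught here.` The 51274 message appends the whole response body via `<< obj`, which is helpful for diagnosis but means a server-controlled body is echoed verbatim into the error shown to the shell user, so it is worth confirming that is intended. `AWSKMSService::encrypt` begins before this hunk.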
@@ -298,7 +305,7 @@ BSONObj AWSKMSService::encryptDataKey(ConstDataRange cdr, StringData keyId) {
}
SecureVector<uint8_t> AWSKMSService::decrypt(ConstDataRange cdr, BSONObj masterKey) {
- auto awsMasterKey = AwsMasterKey::parse(IDLParserErrorContext("root"), masterKey);
+ auto awsMasterKey = AwsMasterKey::parse(IDLParserErrorContext("awsMasterKey"), masterKey);
auto request = UniqueKmsRequest(kms_decrypt_request_new(
reinterpret_cast<const uint8_t*>(cdr.data()), cdr.length(), nullptr));
@@ -321,14 +328,21 @@ SecureVector<uint8_t> AWSKMSService::decrypt(ConstDataRange cdr, BSONObj masterK
auto field = obj["__type"];
if (!field.eoo()) {
- auto awsResponse = AwsKMSError::parse(IDLParserErrorContext("root"), obj);
+ AwsKMSError awsResponse;
+ try {
+ awsResponse = AwsKMSError::parse(IDLParserErrorContext("awsDecryptError"), obj);
+ } catch (DBException& dbe) {
+ uasserted(51275,
+ str::stream() << "AWS KMS failed to parse error message: " << dbe.toString()
+ << ", Response : " << obj);
+ }
uasserted(51225,
str::stream() << "AWS KMS failed to decrypt: " << awsResponse.getType() << " : "
<< awsResponse.getMessage());
}
- auto awsResponse = AwsDecryptResponse::parse(IDLParserErrorContext("root"), obj);
+ auto awsResponse = AwsDecryptResponse::parse(IDLParserErrorContext("awsDecryptResponse"), obj);
auto blobStr = base64::decode(awsResponse.getPlaintext().toString());