author | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2019-11-19 16:37:56 +0000 |
---|---|---|
committer | evergreen <evergreen@mongodb.com> | 2019-11-19 16:37:56 +0000 |
commit | 60c957304e503dbca360838627cf0f8402764929 (patch) | |
tree | 4a64f564ef82b6f190657fec3387a5a7c80e73ae /src | |
parent | 880ae5c3e068ec57bbd54262b227953657b533da (diff) | |
download | mongo-60c957304e503dbca360838627cf0f8402764929.tar.gz |
SERVER-44721 Parse AWS responses as non-strict, ignore unexpected fields
Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/shell/kms.idl | 6 | ||||
-rw-r--r-- | src/mongo/shell/kms_aws.cpp | 24 |
2 files changed, 24 insertions, 6 deletions
diff --git a/src/mongo/shell/kms.idl b/src/mongo/shell/kms.idl index 0f37073f351..5cd0f6284a7 100644 --- a/src/mongo/shell/kms.idl +++ b/src/mongo/shell/kms.idl @@ -43,11 +43,12 @@ enums: structs: awsKMSError: description: "AWS KMS error" + strict: false fields: __type: type: string cpp_name: type - message: string + Message: string # Options passed to Mongo() javascript constructor awsKMS: @@ -97,6 +98,7 @@ structs: awsEncryptResponse: description: "Response from AWS KMS Encrypt request, i.e. TrentService.Encrypt" + strict: false fields: CiphertextBlob: type: string @@ -105,6 +107,8 @@ structs: awsDecryptResponse: description: "Response from AWS KMS Decrypt request, i.e. TrentService.Decrypt" + # Nov 13, 2019 they added EncryptionAlgorithm but it is not documented + strict: false fields: Plaintext: type: string diff --git a/src/mongo/shell/kms_aws.cpp b/src/mongo/shell/kms_aws.cpp index 56a71f11ae4..1087d632ed0 100644 --- a/src/mongo/shell/kms_aws.cpp +++ b/src/mongo/shell/kms_aws.cpp @@ -219,14 +219,21 @@ std::vector<uint8_t> AWSKMSService::encrypt(ConstDataRange cdr, StringData kmsKe auto field = obj["__type"]; if (!field.eoo()) { - auto awsResponse = AwsKMSError::parse(IDLParserErrorContext("root"), obj); + AwsKMSError awsResponse; + try { + awsResponse = AwsKMSError::parse(IDLParserErrorContext("awsEncryptError"), obj); + } catch (DBException& dbe) { + uasserted(51274, + str::stream() << "AWS KMS failed to parse error message: " << dbe.toString() + << ", Response : " << obj); + } uasserted(51224, str::stream() << "AWS KMS failed to encrypt: " << awsResponse.getType() << " : " << awsResponse.getMessage()); } - auto awsResponse = AwsEncryptResponse::parse(IDLParserErrorContext("root"), obj); + auto awsResponse = AwsEncryptResponse::parse(IDLParserErrorContext("awsEncryptResponse"), obj); auto blobStr = base64::decode(awsResponse.getCiphertextBlob().toString()); 
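Review bot: In the first kms.idl hunk, `Message: string` is still a required field on `awsKMSError`, so `strict: false` only relaxes handling of extra fields, not of a missing message. If an error body ever arrives with the old lowercase `message` key (or with no message at all), the key is now silently ignored and parsing fails on the missing `Message`, which reaches the user only through the generic 51274/51275 fallback in kms_aws.cpp. I would record that next to the field, e.g. `# KMS sends "Message" (capital M); a body without it fails parsing and is reported by the 51274/51275 fallback in kms_aws.cpp`.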
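Review bot: In the encrypt hunk of kms_aws.cpp the handler is written `catch (DBException& dbe)` although it only reads from the exception; `catch (const DBException& dbe)` says so and matches the usual catch-by-const-reference convention. The decrypt hunk further down has the same clause. The two try/catch blocks differ only in the parser context name and the assertion code (51274 vs 51275), so a small file-local helper taking those two values would keep the wording from drifting between them. The body of `encrypt` starts and ends outside this hunk.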
@@ -249,7 +256,7 @@ BSONObj AWSKMSService::encryptDataKey(ConstDataRange cdr, StringData keyId) { } SecureVector<uint8_t> AWSKMSService::decrypt(ConstDataRange cdr, BSONObj masterKey) { - auto awsMasterKey = AwsMasterKey::parse(IDLParserErrorContext("root"), masterKey); + auto awsMasterKey = AwsMasterKey::parse(IDLParserErrorContext("awsMasterKey"), masterKey); auto request = UniqueKmsRequest(kms_decrypt_request_new( reinterpret_cast<const uint8_t*>(cdr.data()), cdr.length(), nullptr)); @@ -272,14 +279,21 @@ SecureVector<uint8_t> AWSKMSService::decrypt(ConstDataRange cdr, BSONObj masterK auto field = obj["__type"]; if (!field.eoo()) { - auto awsResponse = AwsKMSError::parse(IDLParserErrorContext("root"), obj); + AwsKMSError awsResponse; + try { + awsResponse = AwsKMSError::parse(IDLParserErrorContext("awsDecryptError"), obj); + } catch (DBException& dbe) { + uasserted(51275, + str::stream() << "AWS KMS failed to parse error message: " << dbe.toString() + << ", Response : " << obj); + } uasserted(51225, str::stream() << "AWS KMS failed to decrypt: " << awsResponse.getType() << " : " << awsResponse.getMessage()); } - auto awsResponse = AwsDecryptResponse::parse(IDLParserErrorContext("root"), obj); + auto awsResponse = AwsDecryptResponse::parse(IDLParserErrorContext("awsDecryptResponse"), obj); auto blobStr = base64::decode(awsResponse.getPlaintext().toString()); |
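Review bot: The fallback in the decrypt hunk's catch block streams the whole response object into the assertion text (`<< ", Response : " << obj`), so whatever the endpoint returned ends up in the shell's error output and in any log that captures it. This branch is only taken when `__type` is present, so a `Plaintext` field is not expected there, but nothing visible in the hunk enforces that, and the body is also unbounded in size. On the decrypt path I would drop the key field before printing, e.g. `<< ", Response : " << obj.removeField("Plaintext")`, or print only `field`. `decrypt` starts in the previous hunk and continues past the end of this one.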