Drain the connection pool if an auth error occurs

Divjot Arora · Divjot Arora · commit 95b9288acd45 · 2018-06-05T18:26:43.000Z
GODRIVER-442 Change-Id: I9f304471a89d4a770e43db7488311933b0b38960
diff --git a/core/auth/auth.go b/core/auth/auth.go
@@ -37,7 +37,7 @@ func CreateAuthenticator(name string, cred *Cred) (Authenticator, error) {
 		return f(cred)
 	}
 
-	return nil, fmt.Errorf("unknown authenticator: %s", name)
+	return nil, newAuthError(fmt.Sprintf("unknown authenticator: %s", name), nil)
 }
 
 // RegisterAuthenticatorFactory registers the authenticator factory.
@@ -96,12 +96,12 @@ func Handshaker(appName string, h connection.Handshaker, authenticator Authentic
 	return connection.HandshakerFunc(func(ctx context.Context, addr address.Address, rw wiremessage.ReadWriter) (description.Server, error) {
 		desc, err := (&command.Handshake{Client: command.ClientDoc(appName)}).Handshake(ctx, addr, rw)
 		if err != nil {
-			return description.Server{}, err
+			return description.Server{}, newAuthError("handshake failure", err)
 		}
 
 		err = authenticator.Auth(ctx, desc, rw)
 		if err != nil {
-			return description.Server{}, err
+			return description.Server{}, newAuthError("auth error", err)
 		}
 		if h == nil {
 			return desc, nil
@@ -116,6 +116,13 @@ type Authenticator interface {
 	Auth(context.Context, description.Server, wiremessage.ReadWriter) error
 }
 
+func newAuthError(msg string, inner error) error {
+	return &Error{
+		message: msg,
+		inner:   inner,
+	}
+}
+
 func newError(err error, mech string) error {
 	return &Error{
 		message: fmt.Sprintf("unable to authenticate using mechanism \"%s\"", mech),
@@ -130,6 +137,9 @@ type Error struct {
 }
 
 func (e *Error) Error() string {
+	if e.inner == nil {
+		return e.message
+	}
 	return fmt.Sprintf("%s: %s", e.message, e.inner)
 }
 
diff --git a/core/auth/default.go b/core/auth/default.go
@@ -36,7 +36,7 @@ func (a *DefaultAuthenticator) Auth(ctx context.Context, desc description.Server
 	}
 
 	if err != nil {
-		return err
+		return newAuthError("error creating authenticator", err)
 	}
 
 	return actual.Auth(ctx, desc, rw)
diff --git a/core/auth/gssapi.go b/core/auth/gssapi.go
@@ -11,8 +11,6 @@ package auth
 
 import (
 	"context"
-	"fmt"
-
 	"github.com/mongodb/mongo-go-driver/core/auth/internal/gssapi"
 	"github.com/mongodb/mongo-go-driver/core/description"
 	"github.com/mongodb/mongo-go-driver/core/wiremessage"
@@ -23,7 +21,7 @@ const GSSAPI = "GSSAPI"
 
 func newGSSAPIAuthenticator(cred *Cred) (Authenticator, error) {
 	if cred.Source != "" && cred.Source != "$external" {
-		return nil, fmt.Errorf("GSSAPI source must be empty or $external")
+		return nil, newAuthError("GSSAPI source must be empty or $external", nil)
 	}
 
 	return &GSSAPIAuthenticator{
@@ -47,7 +45,7 @@ func (a *GSSAPIAuthenticator) Auth(ctx context.Context, desc description.Server,
 	client, err := gssapi.New(desc.Addr.String(), a.Username, a.Password, a.PasswordSet, a.Props)
 
 	if err != nil {
-		return err
+		return newAuthError("error creating gssapi", err)
 	}
 	return ConductSaslConversation(ctx, desc, rw, "$external", client)
 }
diff --git a/core/auth/gssapi_not_enabled.go b/core/auth/gssapi_not_enabled.go
@@ -8,11 +8,9 @@
 
 package auth
 
-import "fmt"
-
 // GSSAPI is the mechanism name for GSSAPI.
 const GSSAPI = "GSSAPI"
 
 func newGSSAPIAuthenticator(cred *Cred) (Authenticator, error) {
-	return nil, fmt.Errorf("GSSAPI support not enabled during build (-tags gssapi)")
+	return nil, newAuthError("GSSAPI support not enabled during build (-tags gssapi)", nil)
 }
diff --git a/core/auth/gssapi_not_supported.go b/core/auth/gssapi_not_supported.go
@@ -17,5 +17,5 @@ import (
 const GSSAPI = "GSSAPI"
 
 func newGSSAPIAuthenticator(cred *Cred) (Authenticator, error) {
-	return nil, fmt.Errorf("GSSAPI is not supported on %s", runtime.GOOS)
+	return nil, newAuthError(fmt.Sprintf("GSSAPI is not supported on %s", runtime.GOOS), nil)
 }
diff --git a/core/auth/mongodbcr.go b/core/auth/mongodbcr.go
@@ -69,7 +69,7 @@ func (a *MongoDBCRAuthenticator) Auth(ctx context.Context, desc description.Serv
 
 	err = bson.Unmarshal(rdr, &getNonceResult)
 	if err != nil {
-		return err
+		return newAuthError("unmarshal error", err)
 	}
 
 	cmd = command.Command{
diff --git a/core/auth/plain.go b/core/auth/plain.go
@@ -8,8 +8,6 @@ package auth
 
 import (
 	"context"
-	"fmt"
-
 	"github.com/mongodb/mongo-go-driver/core/description"
 	"github.com/mongodb/mongo-go-driver/core/wiremessage"
 )
@@ -19,7 +17,7 @@ const PLAIN = "PLAIN"
 
 func newPlainAuthenticator(cred *Cred) (Authenticator, error) {
 	if cred.Source != "" && cred.Source != "$external" {
-		return nil, fmt.Errorf("PLAIN source must be empty or $external")
+		return nil, newAuthError("PLAIN source must be empty or $external", nil)
 	}
 
 	return &PlainAuthenticator{
@@ -53,7 +51,7 @@ func (c *plainSaslClient) Start() (string, []byte, error) {
 }
 
 func (c *plainSaslClient) Next(challenge []byte) ([]byte, error) {
-	return nil, fmt.Errorf("unexpected server challenge")
+	return nil, newAuthError("unexpected server challenge", nil)
 }
 
 func (c *plainSaslClient) Completed() bool {
diff --git a/core/auth/sasl.go b/core/auth/sasl.go
@@ -75,7 +75,7 @@ func ConductSaslConversation(ctx context.Context, desc description.Server, rw wi
 
 	err = bson.Unmarshal(rdr, &saslResp)
 	if err != nil {
-		return err
+		return newAuthError("unmarshall error", err)
 	}
 
 	cid := saslResp.ConversationID
@@ -114,7 +114,7 @@ func ConductSaslConversation(ctx context.Context, desc description.Server, rw wi
 
 		err = bson.Unmarshal(rdr, &saslResp)
 		if err != nil {
-			return err
+			return newAuthError("unmarshal error", err)
 		}
 	}
 }
diff --git a/core/auth/scramsha1.go b/core/auth/scramsha1.go
@@ -11,7 +11,6 @@ import (
 	"context"
 	"crypto/hmac"
 	"crypto/sha1"
-	"fmt"
 	"io"
 	"math/rand"
 	"strconv"
@@ -60,7 +59,7 @@ func (a *ScramSHA1Authenticator) Auth(ctx context.Context, desc description.Serv
 
 	err := ConductSaslConversation(ctx, desc, rw, a.DB, client)
 	if err != nil {
-		return err
+		return newAuthError("sasl conversation error", err)
 	}
 
 	a.clientKey = client.clientKey
@@ -82,7 +81,7 @@ type scramSaslClient struct {
 
 func (c *scramSaslClient) Start() (string, []byte, error) {
 	if err := c.generateClientNonce(scramSHA1NonceLen); err != nil {
-		return SCRAMSHA1, nil, err
+		return SCRAMSHA1, nil, newAuthError("generate nonce error", err)
 	}
 
 	c.clientFirstMessageBare = "n=" + usernameSanitizer.Replace(c.username) + ",r=" + string(c.clientNonce)
@@ -98,7 +97,7 @@ func (c *scramSaslClient) Next(challenge []byte) ([]byte, error) {
 	case 2:
 		return c.step2(challenge)
 	default:
-		return nil, fmt.Errorf("unexpected server challenge")
+		return nil, newAuthError("unexpected server challenge", nil)
 	}
 }
 
@@ -109,33 +108,33 @@ func (c *scramSaslClient) Completed() bool {
 func (c *scramSaslClient) step1(challenge []byte) ([]byte, error) {
 	fields := bytes.Split(challenge, []byte{','})
 	if len(fields) != 3 {
-		return nil, fmt.Errorf("invalid server response")
+		return nil, newAuthError("invalid server response", nil)
 	}
 
 	if !bytes.HasPrefix(fields[0], []byte("r=")) || len(fields[0]) < 2 {
-		return nil, fmt.Errorf("invalid nonce")
+		return nil, newAuthError("invalid nonce", nil)
 	}
 	r := fields[0][2:]
 	if !bytes.HasPrefix(r, c.clientNonce) {
-		return nil, fmt.Errorf("invalid nonce")
+		return nil, newAuthError("invalid nonce", nil)
 	}
 
 	if !bytes.HasPrefix(fields[1], []byte("s=")) || len(fields[1]) < 6 {
-		return nil, fmt.Errorf("invalid salt")
+		return nil, newAuthError("invalid salt", nil)
 	}
 	s := make([]byte, base64.StdEncoding.DecodedLen(len(fields[1][2:])))
 	n, err := base64.StdEncoding.Decode(s, fields[1][2:])
 	if err != nil {
-		return nil, fmt.Errorf("invalid salt")
+		return nil, newAuthError("invalid salt", nil)
 	}
 	s = s[:n]
 
 	if !bytes.HasPrefix(fields[2], []byte("i=")) || len(fields[2]) < 3 {
-		return nil, fmt.Errorf("invalid iteration count")
+		return nil, newAuthError("invalid iteration count", nil)
 	}
 	i, err := strconv.Atoi(string(fields[2][2:]))
 	if err != nil {
-		return nil, fmt.Errorf("invalid iteration count")
+		return nil, newAuthError("invalid iteration count", nil)
 	}
 
 	clientFinalMessageWithoutProof := "c=biws,r=" + string(r)
@@ -167,21 +166,21 @@ func (c *scramSaslClient) step2(challenge []byte) ([]byte, error) {
 		hasE = bytes.HasPrefix(fields[0], []byte("e="))
 	}
 	if hasE {
-		return nil, fmt.Errorf(string(fields[0][2:]))
+		return nil, newAuthError(string(fields[0][2:]), nil)
 	}
 	if !hasV {
-		return nil, fmt.Errorf("invalid final message")
+		return nil, newAuthError("invalid final message", nil)
 	}
 
 	v := make([]byte, base64.StdEncoding.DecodedLen(len(fields[0][2:])))
 	n, err := base64.StdEncoding.Decode(v, fields[0][2:])
 	if err != nil {
-		return nil, fmt.Errorf("invalid server verification")
+		return nil, newAuthError("invalid server verification", nil)
 	}
 	v = v[:n]
 
 	if !bytes.Equal(c.serverSignature, v) {
-		return nil, fmt.Errorf("invalid server signature")
+		return nil, newAuthError("invalid server signature", nil)
 	}
 
 	return nil, nil
diff --git a/core/auth/scramsha1_test.go b/core/auth/scramsha1_test.go
@@ -47,8 +47,8 @@ func TestScramSHA1Authenticator_Fails(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\""
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\""
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 	require.True(t, authenticator.IsClientKeyNil())
 }
 
@@ -81,8 +81,8 @@ func TestScramSHA1Authenticator_Missing_challenge_fields(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid server response"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid server response"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -115,8 +115,8 @@ func TestScramSHA1Authenticator_Invalid_server_nonce1(t *testing.T) {
 
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid nonce"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid nonce"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -150,8 +150,8 @@ func TestScramSHA1Authenticator_Invalid_server_nonce2(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid nonce"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid nonce"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -185,8 +185,8 @@ func TestScramSHA1Authenticator_No_salt(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid salt"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid salt"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -220,8 +220,8 @@ func TestScramSHA1Authenticator_No_iteration_count(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid iteration count"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid iteration count"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -255,8 +255,8 @@ func TestScramSHA1Authenticator_Invalid_iteration_count(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid iteration count"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid iteration count"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -297,8 +297,8 @@ func TestScramSHA1Authenticator_Invalid_server_signature(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid server signature"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid server signature"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -339,8 +339,8 @@ func TestScramSHA1Authenticator_Server_provided_error(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": server passed error"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": server passed error"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -381,8 +381,8 @@ func TestScramSHA1Authenticator_Invalid_final_message(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid final message"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": invalid final message"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
@@ -429,8 +429,8 @@ func TestScramSHA1Authenticator_Extra_message(t *testing.T) {
 	err := authenticator.Auth(context.Background(), description.Server{}, c)
 	require.Error(t, err)
 
-	errPrefix := "unable to authenticate using mechanism \"SCRAM-SHA-1\": unexpected server challenge"
-	require.True(t, strings.HasPrefix(err.Error(), errPrefix))
+	errSubstring := "unable to authenticate using mechanism \"SCRAM-SHA-1\": unexpected server challenge"
+	require.True(t, strings.Contains(err.Error(), errSubstring))
 
 	require.True(t, authenticator.IsClientKeyNil())
 }
diff --git a/core/auth/x509.go b/core/auth/x509.go
@@ -42,7 +42,7 @@ func (a *MongoDBX509Authenticator) Auth(ctx context.Context, desc description.Se
 	ssdesc := description.SelectedServer{Server: desc}
 	_, err := authCmd.RoundTrip(ctx, ssdesc, rw)
 	if err != nil {
-		return err
+		return newAuthError("round trip error", err)
 	}
 
 	return nil
diff --git a/core/topology/server.go b/core/topology/server.go
diff --git a/core/topology/server_test.go b/core/topology/server_test.go

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ func CreateAuthenticator(name string, cred *Cred) (Authenticator, error) {`
`37`	`37`	`return f(cred)`
`38`	`38`	`}`
`39`	`39`
`40`		`- return nil, fmt.Errorf("unknown authenticator: %s", name)`
	`40`	`+ return nil, newAuthError(fmt.Sprintf("unknown authenticator: %s", name), nil)`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`// RegisterAuthenticatorFactory registers the authenticator factory.`
`@@ -96,12 +96,12 @@ func Handshaker(appName string, h connection.Handshaker, authenticator Authentic`
`96`	`96`	`return connection.HandshakerFunc(func(ctx context.Context, addr address.Address, rw wiremessage.ReadWriter) (description.Server, error) {`
`97`	`97`	`desc, err := (&command.Handshake{Client: command.ClientDoc(appName)}).Handshake(ctx, addr, rw)`
`98`	`98`	`if err != nil {`
`99`		`- return description.Server{}, err`
	`99`	`+ return description.Server{}, newAuthError("handshake failure", err)`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`err = authenticator.Auth(ctx, desc, rw)`
`103`	`103`	`if err != nil {`
`104`		`- return description.Server{}, err`
	`104`	`+ return description.Server{}, newAuthError("auth error", err)`
`105`	`105`	`}`
`106`	`106`	`if h == nil {`
`107`	`107`	`return desc, nil`
`@@ -116,6 +116,13 @@ type Authenticator interface {`
`116`	`116`	`Auth(context.Context, description.Server, wiremessage.ReadWriter) error`
`117`	`117`	`}`
`118`	`118`
	`119`	`+func newAuthError(msg string, inner error) error {`
	`120`	`+ return &Error{`
	`121`	`+ message: msg,`
	`122`	`+ inner: inner,`
	`123`	`+ }`
	`124`	`+}`
	`125`	`+`
`119`	`126`	`func newError(err error, mech string) error {`
`120`	`127`	`return &Error{`
`121`	`128`	`message: fmt.Sprintf("unable to authenticate using mechanism \"%s\"", mech),`
`@@ -130,6 +137,9 @@ type Error struct {`
`130`	`137`	`}`
`131`	`138`
`132`	`139`	`func (e *Error) Error() string {`
	`140`	`+ if e.inner == nil {`
	`141`	`+ return e.message`
	`142`	`+ }`
`133`	`143`	`return fmt.Sprintf("%s: %s", e.message, e.inner)`
`134`	`144`	`}`
`135`	`145`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ func (a *DefaultAuthenticator) Auth(ctx context.Context, desc description.Server`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`if err != nil {`
`39`		`- return err`
	`39`	`+ return newAuthError("error creating authenticator", err)`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`return actual.Auth(ctx, desc, rw)`
Original file line number	Diff line number	Diff line change
`@@ -17,5 +17,5 @@ import (`
`17`	`17`	`const GSSAPI = "GSSAPI"`
`18`	`18`
`19`	`19`	`func newGSSAPIAuthenticator(cred *Cred) (Authenticator, error) {`
`20`		`- return nil, fmt.Errorf("GSSAPI is not supported on %s", runtime.GOOS)`
	`20`	`+ return nil, newAuthError(fmt.Sprintf("GSSAPI is not supported on %s", runtime.GOOS), nil)`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ func (a *MongoDBCRAuthenticator) Auth(ctx context.Context, desc description.Serv`
`69`	`69`
`70`	`70`	`err = bson.Unmarshal(rdr, &getNonceResult)`
`71`	`71`	`if err != nil {`
`72`		`- return err`
	`72`	`+ return newAuthError("unmarshal error", err)`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`cmd = command.Command{`
Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@ package auth`
`8`	`8`
`9`	`9`	`import (`
`10`	`10`	`"context"`
`11`		`- "fmt"`
`12`		`-`
`13`	`11`	`"github.com/mongodb/mongo-go-driver/core/description"`
`14`	`12`	`"github.com/mongodb/mongo-go-driver/core/wiremessage"`
`15`	`13`	`)`
`@@ -19,7 +17,7 @@ const PLAIN = "PLAIN"`
`19`	`17`
`20`	`18`	`func newPlainAuthenticator(cred *Cred) (Authenticator, error) {`
`21`	`19`	`if cred.Source != "" && cred.Source != "$external" {`
`22`		`- return nil, fmt.Errorf("PLAIN source must be empty or $external")`
	`20`	`+ return nil, newAuthError("PLAIN source must be empty or $external", nil)`
`23`	`21`	`}`
`24`	`22`
`25`	`23`	`return &PlainAuthenticator{`
`@@ -53,7 +51,7 @@ func (c *plainSaslClient) Start() (string, []byte, error) {`
`53`	`51`	`}`
`54`	`52`
`55`	`53`	`func (c *plainSaslClient) Next(challenge []byte) ([]byte, error) {`
`56`		`- return nil, fmt.Errorf("unexpected server challenge")`
	`54`	`+ return nil, newAuthError("unexpected server challenge", nil)`
`57`	`55`	`}`
`58`	`56`
`59`	`57`	`func (c *plainSaslClient) Completed() bool {`
Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ func ConductSaslConversation(ctx context.Context, desc description.Server, rw wi`
`75`	`75`
`76`	`76`	`err = bson.Unmarshal(rdr, &saslResp)`
`77`	`77`	`if err != nil {`
`78`		`- return err`
	`78`	`+ return newAuthError("unmarshall error", err)`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`cid := saslResp.ConversationID`
`@@ -114,7 +114,7 @@ func ConductSaslConversation(ctx context.Context, desc description.Server, rw wi`
`114`	`114`
`115`	`115`	`err = bson.Unmarshal(rdr, &saslResp)`
`116`	`116`	`if err != nil {`
`117`		`- return err`
	`117`	`+ return newAuthError("unmarshal error", err)`
`118`	`118`	`}`
`119`	`119`	`}`
`120`	`120`	`}`