PYTHON-2560 Add prose test

ShaneHarvey · ShaneHarvey · commit e413334ac669 · 2024-12-02T18:41:56.000-08:00
diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh
@@ -158,7 +158,7 @@ if [ -n "$TEST_ENCRYPTION" ] || [ -n "$TEST_FLE_AZURE_AUTO" ] || [ -n "$TEST_FLE
 
     # TODO: Test with 'pip install pymongocrypt'
     if [ ! -d "libmongocrypt_git" ]; then
-      git clone https://github.com/mongodb/libmongocrypt.git libmongocrypt_git
+      git clone https://github.com/ShaneHarvey/libmongocrypt.git --branch PYTHON-4992 libmongocrypt_git
     fi
     python -m pip install -U setuptools
     python -m pip install ./libmongocrypt_git/bindings/python
diff --git a/.evergreen/scripts/prepare-resources.sh b/.evergreen/scripts/prepare-resources.sh
@@ -7,6 +7,6 @@ if [ "$PROJECT" = "drivers-tools" ]; then
     # If this was a patch build, doing a fresh clone would not actually test the patch
     cp -R $PROJECT_DIRECTORY/ $DRIVERS_TOOLS
 else
-    git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS
+    git clone https://github.com/ShaneHarvey/drivers-evergreen-tools.git --branch DRIVERS-1541 $DRIVERS_TOOLS
 fi
 echo "{ \"releases\": { \"default\": \"$MONGODB_BINARIES\" }}" >$MONGO_ORCHESTRATION_HOME/orchestration.config
diff --git a/pymongo/asynchronous/encryption.py b/pymongo/asynchronous/encryption.py
@@ -72,6 +72,7 @@
     EncryptedCollectionError,
     EncryptionError,
     InvalidOperation,
+    NetworkTimeout,
     ServerSelectionTimeoutError,
 )
 from pymongo.network_layer import BLOCKING_IO_ERRORS, async_sendall
@@ -165,8 +166,8 @@ async def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
                 None,  # crlfile
                 False,  # allow_invalid_certificates
                 False,  # allow_invalid_hostnames
-                False,
-            )  # disable_ocsp_endpoint_check
+                False,  # disable_ocsp_endpoint_check
+            )
         # CSOT: set timeout for socket creation.
         connect_timeout = max(_csot.clamp_remaining(_KMS_CONNECT_TIMEOUT), 0.001)
         opts = PoolOptions(
@@ -207,7 +208,9 @@ async def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
             raise  # Propagate MongoCryptError errors directly.
         except Exception as exc:
             remaining = _csot.remaining()
-            if remaining is not None and remaining <= 0:
+            if isinstance(exc, (socket.timeout, NetworkTimeout)) or (
+                remaining is not None and remaining <= 0
+            ):
                 # Wrap I/O errors in PyMongo exceptions.
                 _raise_connection_failure((host, port), exc)
             # Mark this attempt as failed and defer to libmongocrypt to retry.
diff --git a/pymongo/synchronous/encryption.py b/pymongo/synchronous/encryption.py
@@ -67,6 +67,7 @@
     EncryptedCollectionError,
     EncryptionError,
     InvalidOperation,
+    NetworkTimeout,
     ServerSelectionTimeoutError,
 )
 from pymongo.network_layer import BLOCKING_IO_ERRORS, sendall
@@ -165,8 +166,8 @@ def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
                 None,  # crlfile
                 False,  # allow_invalid_certificates
                 False,  # allow_invalid_hostnames
-                False,
-            )  # disable_ocsp_endpoint_check
+                False,  # disable_ocsp_endpoint_check
+            )
         # CSOT: set timeout for socket creation.
         connect_timeout = max(_csot.clamp_remaining(_KMS_CONNECT_TIMEOUT), 0.001)
         opts = PoolOptions(
@@ -207,7 +208,9 @@ def kms_request(self, kms_context: MongoCryptKmsContext) -> None:
             raise  # Propagate MongoCryptError errors directly.
         except Exception as exc:
             remaining = _csot.remaining()
-            if remaining is not None and remaining <= 0:
+            if isinstance(exc, (socket.timeout, NetworkTimeout)) or (
+                remaining is not None and remaining <= 0
+            ):
                 # Wrap I/O errors in PyMongo exceptions.
                 _raise_connection_failure((host, port), exc)
             # Mark this attempt as failed and defer to libmongocrypt to retry.
diff --git a/test/asynchronous/test_encryption.py b/test/asynchronous/test_encryption.py
@@ -17,6 +17,8 @@
 
 import base64
 import copy
+import http.client
+import json
 import os
 import pathlib
 import re
@@ -91,6 +93,7 @@
     WriteError,
 )
 from pymongo.operations import InsertOne, ReplaceOne, UpdateOne
+from pymongo.ssl_support import get_ssl_context
 from pymongo.write_concern import WriteConcern
 
 _IS_SYNC = False
@@ -2853,6 +2856,86 @@ async def test_accepts_trim_factor_0(self):
         assert len(payload) > len(self.payload_defaults)
 
 
+# https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/tests/README.md#24-kms-retry-tests
+class TestKmsRetryProse(AsyncEncryptionIntegrationTest):
+    @unittest.skipUnless(any(AWS_CREDS.values()), "AWS environment credentials are not set")
+    async def asyncSetUp(self):
+        await super().asyncSetUp()
+        # 1, create client with only tlsCAFile.
+        providers: dict = copy.deepcopy(ALL_KMS_PROVIDERS)
+        providers["azure"]["identityPlatformEndpoint"] = "127.0.0.1:9003"
+        providers["gcp"]["endpoint"] = "127.0.0.1:9003"
+        kms_tls_opts = {
+            p: {"tlsCAFile": CA_PEM, "tlsCertificateKeyFile": CLIENT_PEM} for p in providers
+        }
+        self.client_encryption = self.create_client_encryption(
+            providers, "keyvault.datakeys", self.client, OPTS, kms_tls_options=kms_tls_opts
+        )
+
+    async def http_post(self, path, data=None):
+        # Note, the connection to the mock server needs to be closed after
+        # each request because the server is single threaded.
+        ctx = get_ssl_context(
+            CLIENT_PEM,  # certfile
+            None,  # passphrase
+            CA_PEM,  # ca_certs
+            None,  # crlfile
+            False,  # allow_invalid_certificates
+            False,  # allow_invalid_hostnames
+            False,  # disable_ocsp_endpoint_check
+        )
+        conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)
+        try:
+            if data is not None:
+                headers = {"Content-type": "application/json"}
+                body = json.dumps(data)
+            else:
+                headers = {}
+                body = None
+            conn.request("POST", path, body, headers)
+            res = conn.getresponse()
+            res.read()
+        finally:
+            conn.close()
+
+    async def _test(self, provider, master_key):
+        await self.http_post("/reset")
+        # Case 1: createDataKey and encrypt with TCP retry
+        await self.http_post("/set_failpoint/network", {"count": 1})
+        key_id = await self.client_encryption.create_data_key(provider, master_key=master_key)
+        await self.http_post("/set_failpoint/network", {"count": 1})
+        await self.client_encryption.encrypt(
+            123, Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic, key_id
+        )
+
+        # Case 2: createDataKey and encrypt with HTTP retry
+        await self.http_post("/set_failpoint/http", {"count": 1})
+        key_id = await self.client_encryption.create_data_key(provider, master_key=master_key)
+        await self.http_post("/set_failpoint/http", {"count": 1})
+        await self.client_encryption.encrypt(
+            123, Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic, key_id
+        )
+
+        # Case 3: createDataKey fails after too many retries
+        await self.http_post("/set_failpoint/network", {"count": 4})
+        with self.assertRaisesRegex(EncryptionError, "KMS request failed after"):
+            await self.client_encryption.create_data_key(provider, master_key=master_key)
+
+    async def test_kms_retry(self):
+        await self._test("aws", {"region": "foo", "key": "bar", "endpoint": "127.0.0.1:9003"})
+        await self._test("azure", {"keyVaultEndpoint": "127.0.0.1:9003", "keyName": "foo"})
+        await self._test(
+            "gcp",
+            {
+                "projectId": "foo",
+                "location": "bar",
+                "keyRing": "baz",
+                "keyName": "qux",
+                "endpoint": "127.0.0.1:9003",
+            },
+        )
+
+
 # https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/tests/README.md#automatic-data-encryption-keys
 class TestAutomaticDecryptionKeys(AsyncEncryptionIntegrationTest):
     @async_client_context.require_no_standalone
diff --git a/test/test_encryption.py b/test/test_encryption.py
@@ -17,6 +17,8 @@
 
 import base64
 import copy
+import http.client
+import json
 import os
 import pathlib
 import re
@@ -88,6 +90,7 @@
     WriteError,
 )
 from pymongo.operations import InsertOne, ReplaceOne, UpdateOne
+from pymongo.ssl_support import get_ssl_context
 from pymongo.synchronous import encryption
 from pymongo.synchronous.encryption import Algorithm, ClientEncryption, QueryType
 from pymongo.synchronous.mongo_client import MongoClient
@@ -2835,6 +2838,86 @@ def test_accepts_trim_factor_0(self):
         assert len(payload) > len(self.payload_defaults)
 
 
+# https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/tests/README.md#24-kms-retry-tests
+class TestKmsRetryProse(EncryptionIntegrationTest):
+    @unittest.skipUnless(any(AWS_CREDS.values()), "AWS environment credentials are not set")
+    def setUp(self):
+        super().setUp()
+        # 1, create client with only tlsCAFile.
+        providers: dict = copy.deepcopy(ALL_KMS_PROVIDERS)
+        providers["azure"]["identityPlatformEndpoint"] = "127.0.0.1:9003"
+        providers["gcp"]["endpoint"] = "127.0.0.1:9003"
+        kms_tls_opts = {
+            p: {"tlsCAFile": CA_PEM, "tlsCertificateKeyFile": CLIENT_PEM} for p in providers
+        }
+        self.client_encryption = self.create_client_encryption(
+            providers, "keyvault.datakeys", self.client, OPTS, kms_tls_options=kms_tls_opts
+        )
+
+    def http_post(self, path, data=None):
+        # Note, the connection to the mock server needs to be closed after
+        # each request because the server is single threaded.
+        ctx = get_ssl_context(
+            CLIENT_PEM,  # certfile
+            None,  # passphrase
+            CA_PEM,  # ca_certs
+            None,  # crlfile
+            False,  # allow_invalid_certificates
+            False,  # allow_invalid_hostnames
+            False,  # disable_ocsp_endpoint_check
+        )
+        conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)
+        try:
+            if data is not None:
+                headers = {"Content-type": "application/json"}
+                body = json.dumps(data)
+            else:
+                headers = {}
+                body = None
+            conn.request("POST", path, body, headers)
+            res = conn.getresponse()
+            res.read()
+        finally:
+            conn.close()
+
+    def _test(self, provider, master_key):
+        self.http_post("/reset")
+        # Case 1: createDataKey and encrypt with TCP retry
+        self.http_post("/set_failpoint/network", {"count": 1})
+        key_id = self.client_encryption.create_data_key(provider, master_key=master_key)
+        self.http_post("/set_failpoint/network", {"count": 1})
+        self.client_encryption.encrypt(
+            123, Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic, key_id
+        )
+
+        # Case 2: createDataKey and encrypt with HTTP retry
+        self.http_post("/set_failpoint/http", {"count": 1})
+        key_id = self.client_encryption.create_data_key(provider, master_key=master_key)
+        self.http_post("/set_failpoint/http", {"count": 1})
+        self.client_encryption.encrypt(
+            123, Algorithm.AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic, key_id
+        )
+
+        # Case 3: createDataKey fails after too many retries
+        self.http_post("/set_failpoint/network", {"count": 4})
+        with self.assertRaisesRegex(EncryptionError, "KMS request failed after"):
+            self.client_encryption.create_data_key(provider, master_key=master_key)
+
+    def test_kms_retry(self):
+        self._test("aws", {"region": "foo", "key": "bar", "endpoint": "127.0.0.1:9003"})
+        self._test("azure", {"keyVaultEndpoint": "127.0.0.1:9003", "keyName": "foo"})
+        self._test(
+            "gcp",
+            {
+                "projectId": "foo",
+                "location": "bar",
+                "keyRing": "baz",
+                "keyName": "qux",
+                "endpoint": "127.0.0.1:9003",
+            },
+        )
+
+
 # https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/tests/README.md#automatic-data-encryption-keys
 class TestAutomaticDecryptionKeys(EncryptionIntegrationTest):
     @client_context.require_no_standalone
