sensu-plugins-mongodb-mrtrotl 1.4.0

data/lib/pymongo/encryption_options.py

@@ -0,0 +1,221 @@
+# Copyright 2019-present MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Support for automatic client-side field level encryption."""
+
+from typing import TYPE_CHECKING, Any, List, Mapping, Optional
+
+try:
+    import pymongocrypt  # noqa: F401
+
+    _HAVE_PYMONGOCRYPT = True
+except ImportError:
+    _HAVE_PYMONGOCRYPT = False
+
+from pymongo.common import validate_is_mapping
+from pymongo.errors import ConfigurationError
+from pymongo.uri_parser import _parse_kms_tls_options
+
+if TYPE_CHECKING:
+    from pymongo.mongo_client import MongoClient
+
+
+class AutoEncryptionOpts(object):
+    """Options to configure automatic client-side field level encryption."""
+
+    def __init__(
+        self,
+        kms_providers: Mapping[str, Any],
+        key_vault_namespace: str,
+        key_vault_client: Optional["MongoClient"] = None,
+        schema_map: Optional[Mapping[str, Any]] = None,
+        bypass_auto_encryption: bool = False,
+        mongocryptd_uri: str = "mongodb://localhost:27020",
+        mongocryptd_bypass_spawn: bool = False,
+        mongocryptd_spawn_path: str = "mongocryptd",
+        mongocryptd_spawn_args: Optional[List[str]] = None,
+        kms_tls_options: Optional[Mapping[str, Any]] = None,
+        crypt_shared_lib_path: Optional[str] = None,
+        crypt_shared_lib_required: bool = False,
+        bypass_query_analysis: bool = False,
+        encrypted_fields_map: Optional[Mapping] = None,
+    ) -> None:
+        """Options to configure automatic client-side field level encryption.
+
+        Automatic client-side field level encryption requires MongoDB 4.2
+        enterprise or a MongoDB 4.2 Atlas cluster. Automatic encryption is not
+        supported for operations on a database or view and will result in
+        error.
+
+        Although automatic encryption requires MongoDB 4.2 enterprise or a
+        MongoDB 4.2 Atlas cluster, automatic *decryption* is supported for all
+        users. To configure automatic *decryption* without automatic
+        *encryption* set ``bypass_auto_encryption=True``. Explicit
+        encryption and explicit decryption is also supported for all users
+        with the :class:`~pymongo.encryption.ClientEncryption` class.
+
+        See :ref:`automatic-client-side-encryption` for an example.
+
+        :Parameters:
+          - `kms_providers`: Map of KMS provider options. The `kms_providers`
+            map values differ by provider:
+
+              - `aws`: Map with "accessKeyId" and "secretAccessKey" as strings.
+                These are the AWS access key ID and AWS secret access key used
+                to generate KMS messages. An optional "sessionToken" may be
+                included to support temporary AWS credentials.
+              - `azure`: Map with "tenantId", "clientId", and "clientSecret" as
+                strings. Additionally, "identityPlatformEndpoint" may also be
+                specified as a string (defaults to 'login.microsoftonline.com').
+                These are the Azure Active Directory credentials used to
+                generate Azure Key Vault messages.
+              - `gcp`: Map with "email" as a string and "privateKey"
+                as `bytes` or a base64 encoded string.
+                Additionally, "endpoint" may also be specified as a string
+                (defaults to 'oauth2.googleapis.com'). These are the
+                credentials used to generate Google Cloud KMS messages.
+              - `kmip`: Map with "endpoint" as a host with required port.
+                For example: ``{"endpoint": "example.com:443"}``.
+              - `local`: Map with "key" as `bytes` (96 bytes in length) or
+                a base64 encoded string which decodes
+                to 96 bytes. "key" is the master key used to encrypt/decrypt
+                data keys. This key should be generated and stored as securely
+                as possible.
+
+          - `key_vault_namespace`: The namespace for the key vault collection.
+            The key vault collection contains all data keys used for encryption
+            and decryption. Data keys are stored as documents in this MongoDB
+            collection. Data keys are protected with encryption by a KMS
+            provider.
+          - `key_vault_client` (optional): By default the key vault collection
+            is assumed to reside in the same MongoDB cluster as the encrypted
+            MongoClient. Use this option to route data key queries to a
+            separate MongoDB cluster.
+          - `schema_map` (optional): Map of collection namespace ("db.coll") to
+            JSON Schema.  By default, a collection's JSONSchema is periodically
+            polled with the listCollections command. But a JSONSchema may be
+            specified locally with the schemaMap option.
+
+            **Supplying a `schema_map` provides more security than relying on
+            JSON Schemas obtained from the server. It protects against a
+            malicious server advertising a false JSON Schema, which could trick
+            the client into sending unencrypted data that should be
+            encrypted.**
+
+            Schemas supplied in the schemaMap only apply to configuring
+            automatic encryption for client side encryption. Other validation
+            rules in the JSON schema will not be enforced by the driver and
+            will result in an error.
+          - `bypass_auto_encryption` (optional): If ``True``, automatic
+            encryption will be disabled but automatic decryption will still be
+            enabled. Defaults to ``False``.
+          - `mongocryptd_uri` (optional): The MongoDB URI used to connect
+            to the *local* mongocryptd process. Defaults to
+            ``'mongodb://localhost:27020'``.
+          - `mongocryptd_bypass_spawn` (optional): If ``True``, the encrypted
+            MongoClient will not attempt to spawn the mongocryptd process.
+            Defaults to ``False``.
+          - `mongocryptd_spawn_path` (optional): Used for spawning the
+            mongocryptd process. Defaults to ``'mongocryptd'`` and spawns
+            mongocryptd from the system path.
+          - `mongocryptd_spawn_args` (optional): A list of string arguments to
+            use when spawning the mongocryptd process. Defaults to
+            ``['--idleShutdownTimeoutSecs=60']``. If the list does not include
+            the ``idleShutdownTimeoutSecs`` option then
+            ``'--idleShutdownTimeoutSecs=60'`` will be added.
+          - `kms_tls_options` (optional):  A map of KMS provider names to TLS
+            options to use when creating secure connections to KMS providers.
+            Accepts the same TLS options as
+            :class:`pymongo.mongo_client.MongoClient`. For example, to
+            override the system default CA file::
+
+              kms_tls_options={'kmip': {'tlsCAFile': certifi.where()}}
+
+            Or to supply a client certificate::
+
+              kms_tls_options={'kmip': {'tlsCertificateKeyFile': 'client.pem'}}
+          - `crypt_shared_lib_path` (optional): Override the path to load the crypt_shared library.
+          - `crypt_shared_lib_required` (optional): If True, raise an error if libmongocrypt is
+            unable to load the crypt_shared library.
+          - `bypass_query_analysis` (optional): **(BETA)** If ``True``, disable automatic analysis
+            of outgoing commands. Set `bypass_query_analysis` to use explicit
+            encryption on indexed fields without the MongoDB Enterprise Advanced
+            licensed crypt_shared library.
+          - `encrypted_fields_map`: **(BETA)** Map of collection namespace ("db.coll") to documents
+            that described the encrypted fields for Queryable Encryption. For example::
+
+                {
+                  "db.encryptedCollection": {
+                      "escCollection": "enxcol_.encryptedCollection.esc",
+                      "eccCollection": "enxcol_.encryptedCollection.ecc",
+                      "ecocCollection": "enxcol_.encryptedCollection.ecoc",
+                      "fields": [
+                          {
+                              "path": "firstName",
+                              "keyId": Binary.from_uuid(UUID('00000000-0000-0000-0000-000000000000')),
+                              "bsonType": "string",
+                              "queries": {"queryType": "equality"}
+                          },
+                          {
+                              "path": "ssn",
+                              "keyId": Binary.from_uuid(UUID('04104104-1041-0410-4104-104104104104')),
+                              "bsonType": "string"
+                          }
+                      ]
+                  }
+                }
+
+        .. note:: `bypass_query_analysis` and `encrypted_fields_map` are part of the
+           Queryable Encryption beta. Backwards-breaking changes may be made before the
+           final release.
+
+        .. versionchanged:: 4.2
+           Added `encrypted_fields_map` `crypt_shared_lib_path`, `crypt_shared_lib_required`,
+           and `bypass_query_analysis` parameters.
+
+        .. versionchanged:: 4.0
+           Added the `kms_tls_options` parameter and the "kmip" KMS provider.
+
+        .. versionadded:: 3.9
+        """
+        if not _HAVE_PYMONGOCRYPT:
+            raise ConfigurationError(
+                "client side encryption requires the pymongocrypt library: "
+                "install a compatible version with: "
+                "python -m pip install 'pymongo[encryption]'"
+            )
+        if encrypted_fields_map:
+            validate_is_mapping("encrypted_fields_map", encrypted_fields_map)
+        self._encrypted_fields_map = encrypted_fields_map
+        self._bypass_query_analysis = bypass_query_analysis
+        self._crypt_shared_lib_path = crypt_shared_lib_path
+        self._crypt_shared_lib_required = crypt_shared_lib_required
+        self._kms_providers = kms_providers
+        self._key_vault_namespace = key_vault_namespace
+        self._key_vault_client = key_vault_client
+        self._schema_map = schema_map
+        self._bypass_auto_encryption = bypass_auto_encryption
+        self._mongocryptd_uri = mongocryptd_uri
+        self._mongocryptd_bypass_spawn = mongocryptd_bypass_spawn
+        self._mongocryptd_spawn_path = mongocryptd_spawn_path
+        if mongocryptd_spawn_args is None:
+            mongocryptd_spawn_args = ["--idleShutdownTimeoutSecs=60"]
+        self._mongocryptd_spawn_args = mongocryptd_spawn_args
+        if not isinstance(self._mongocryptd_spawn_args, list):
+            raise TypeError("mongocryptd_spawn_args must be a list")
+        if not any("idleShutdownTimeoutSecs" in s for s in self._mongocryptd_spawn_args):
+            self._mongocryptd_spawn_args.append("--idleShutdownTimeoutSecs=60")
+        # Maps KMS provider name to a SSLContext.
+        self._kms_ssl_contexts = _parse_kms_tls_options(kms_tls_options)
+        self._bypass_query_analysis = bypass_query_analysis

data/lib/pymongo/errors.py

@@ -0,0 +1,365 @@
+# Copyright 2009-present MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Exceptions raised by PyMongo."""
+from typing import Any, Iterable, List, Mapping, Optional, Sequence, Tuple, Union
+
+from bson.errors import InvalidDocument
+
+try:
+    # CPython 3.7+
+    from ssl import SSLCertVerificationError as _CertificateError
+except ImportError:
+    try:
+        from ssl import CertificateError as _CertificateError
+    except ImportError:
+
+        class _CertificateError(ValueError):  # type: ignore
+            pass
+
+
+class PyMongoError(Exception):
+    """Base class for all PyMongo exceptions."""
+
+    def __init__(self, message: str = "", error_labels: Optional[Iterable[str]] = None) -> None:
+        super(PyMongoError, self).__init__(message)
+        self._message = message
+        self._error_labels = set(error_labels or [])
+
+    def has_error_label(self, label: str) -> bool:
+        """Return True if this error contains the given label.
+
+        .. versionadded:: 3.7
+        """
+        return label in self._error_labels
+
+    def _add_error_label(self, label):
+        """Add the given label to this error."""
+        self._error_labels.add(label)
+
+    def _remove_error_label(self, label):
+        """Remove the given label from this error."""
+        self._error_labels.discard(label)
+
+    @property
+    def timeout(self) -> bool:
+        """True if this error was caused by a timeout.
+
+        .. versionadded:: 4.2
+        """
+        return False
+
+
+class ProtocolError(PyMongoError):
+    """Raised for failures related to the wire protocol."""
+
+
+class ConnectionFailure(PyMongoError):
+    """Raised when a connection to the database cannot be made or is lost."""
+
+
+class WaitQueueTimeoutError(ConnectionFailure):
+    """Raised when an operation times out waiting to checkout a connection from the pool.
+
+    Subclass of :exc:`~pymongo.errors.ConnectionFailure`.
+
+    .. versionadded:: 4.2
+    """
+
+    @property
+    def timeout(self) -> bool:
+        return True
+
+
+class AutoReconnect(ConnectionFailure):
+    """Raised when a connection to the database is lost and an attempt to
+    auto-reconnect will be made.
+
+    In order to auto-reconnect you must handle this exception, recognizing that
+    the operation which caused it has not necessarily succeeded. Future
+    operations will attempt to open a new connection to the database (and
+    will continue to raise this exception until the first successful
+    connection is made).
+
+    Subclass of :exc:`~pymongo.errors.ConnectionFailure`.
+    """
+
+    errors: Union[Mapping[str, Any], Sequence]
+    details: Union[Mapping[str, Any], Sequence]
+
+    def __init__(
+        self, message: str = "", errors: Optional[Union[Mapping[str, Any], Sequence]] = None
+    ) -> None:
+        error_labels = None
+        if errors is not None:
+            if isinstance(errors, dict):
+                error_labels = errors.get("errorLabels")
+        super(AutoReconnect, self).__init__(message, error_labels)
+        self.errors = self.details = errors or []
+
+
+class NetworkTimeout(AutoReconnect):
+    """An operation on an open connection exceeded socketTimeoutMS.
+
+    The remaining connections in the pool stay open. In the case of a write
+    operation, you cannot know whether it succeeded or failed.
+
+    Subclass of :exc:`~pymongo.errors.AutoReconnect`.
+    """
+
+    @property
+    def timeout(self) -> bool:
+        return True
+
+
+def _format_detailed_error(message, details):
+    if details is not None:
+        message = "%s, full error: %s" % (message, details)
+    return message
+
+
+class NotPrimaryError(AutoReconnect):
+    """The server responded "not primary" or "node is recovering".
+
+    These errors result from a query, write, or command. The operation failed
+    because the client thought it was using the primary but the primary has
+    stepped down, or the client thought it was using a healthy secondary but
+    the secondary is stale and trying to recover.
+
+    The client launches a refresh operation on a background thread, to update
+    its view of the server as soon as possible after throwing this exception.
+
+    Subclass of :exc:`~pymongo.errors.AutoReconnect`.
+
+    .. versionadded:: 3.12
+    """
+
+    def __init__(
+        self, message: str = "", errors: Optional[Union[Mapping[str, Any], List]] = None
+    ) -> None:
+        super(NotPrimaryError, self).__init__(
+            _format_detailed_error(message, errors), errors=errors
+        )
+
+
+class ServerSelectionTimeoutError(AutoReconnect):
+    """Thrown when no MongoDB server is available for an operation
+
+    If there is no suitable server for an operation PyMongo tries for
+    ``serverSelectionTimeoutMS`` (default 30 seconds) to find one, then
+    throws this exception. For example, it is thrown after attempting an
+    operation when PyMongo cannot connect to any server, or if you attempt
+    an insert into a replica set that has no primary and does not elect one
+    within the timeout window, or if you attempt to query with a Read
+    Preference that the replica set cannot satisfy.
+    """
+
+    @property
+    def timeout(self) -> bool:
+        return True
+
+
+class ConfigurationError(PyMongoError):
+    """Raised when something is incorrectly configured."""
+
+
+class OperationFailure(PyMongoError):
+    """Raised when a database operation fails.
+
+    .. versionadded:: 2.7
+       The :attr:`details` attribute.
+    """
+
+    def __init__(
+        self,
+        error: str,
+        code: Optional[int] = None,
+        details: Optional[Mapping[str, Any]] = None,
+        max_wire_version: Optional[int] = None,
+    ) -> None:
+        error_labels = None
+        if details is not None:
+            error_labels = details.get("errorLabels")
+        super(OperationFailure, self).__init__(
+            _format_detailed_error(error, details), error_labels=error_labels
+        )
+        self.__code = code
+        self.__details = details
+        self.__max_wire_version = max_wire_version
+
+    @property
+    def _max_wire_version(self):
+        return self.__max_wire_version
+
+    @property
+    def code(self) -> Optional[int]:
+        """The error code returned by the server, if any."""
+        return self.__code
+
+    @property
+    def details(self) -> Optional[Mapping[str, Any]]:
+        """The complete error document returned by the server.
+
+        Depending on the error that occurred, the error document
+        may include useful information beyond just the error
+        message. When connected to a mongos the error document
+        may contain one or more subdocuments if errors occurred
+        on multiple shards.
+        """
+        return self.__details
+
+    @property
+    def timeout(self) -> bool:
+        return self.__code in (50,)
+
+
+class CursorNotFound(OperationFailure):
+    """Raised while iterating query results if the cursor is
+    invalidated on the server.
+
+    .. versionadded:: 2.7
+    """
+
+
+class ExecutionTimeout(OperationFailure):
+    """Raised when a database operation times out, exceeding the $maxTimeMS
+    set in the query or command option.
+
+    .. note:: Requires server version **>= 2.6.0**
+
+    .. versionadded:: 2.7
+    """
+
+    @property
+    def timeout(self) -> bool:
+        return True
+
+
+class WriteConcernError(OperationFailure):
+    """Base exception type for errors raised due to write concern.
+
+    .. versionadded:: 3.0
+    """
+
+
+class WriteError(OperationFailure):
+    """Base exception type for errors raised during write operations.
+
+    .. versionadded:: 3.0
+    """
+
+
+class WTimeoutError(WriteConcernError):
+    """Raised when a database operation times out (i.e. wtimeout expires)
+    before replication completes.
+
+    With newer versions of MongoDB the `details` attribute may include
+    write concern fields like 'n', 'updatedExisting', or 'writtenTo'.
+
+    .. versionadded:: 2.7
+    """
+
+    @property
+    def timeout(self) -> bool:
+        return True
+
+
+class DuplicateKeyError(WriteError):
+    """Raised when an insert or update fails due to a duplicate key error."""
+
+
+def _wtimeout_error(error: Any) -> bool:
+    """Return True if this writeConcernError doc is a caused by a timeout."""
+    return error.get("code") == 50 or ("errInfo" in error and error["errInfo"].get("wtimeout"))
+
+
+class BulkWriteError(OperationFailure):
+    """Exception class for bulk write errors.
+
+    .. versionadded:: 2.7
+    """
+
+    details: Mapping[str, Any]
+
+    def __init__(self, results: Mapping[str, Any]) -> None:
+        super(BulkWriteError, self).__init__("batch op errors occurred", 65, results)
+
+    def __reduce__(self) -> Tuple[Any, Any]:
+        return self.__class__, (self.details,)
+
+    @property
+    def timeout(self) -> bool:
+        # Check the last writeConcernError and last writeError to determine if this
+        # BulkWriteError was caused by a timeout.
+        wces = self.details.get("writeConcernErrors", [])
+        if wces and _wtimeout_error(wces[-1]):
+            return True
+
+        werrs = self.details.get("writeErrors", [])
+        if werrs and werrs[-1].get("code") == 50:
+            return True
+        return False
+
+
+class InvalidOperation(PyMongoError):
+    """Raised when a client attempts to perform an invalid operation."""
+
+
+class InvalidName(PyMongoError):
+    """Raised when an invalid name is used."""
+
+
+class CollectionInvalid(PyMongoError):
+    """Raised when collection validation fails."""
+
+
+class InvalidURI(ConfigurationError):
+    """Raised when trying to parse an invalid mongodb URI."""
+
+
+class DocumentTooLarge(InvalidDocument):
+    """Raised when an encoded document is too large for the connected server."""
+
+    pass
+
+
+class EncryptionError(PyMongoError):
+    """Raised when encryption or decryption fails.
+
+    This error always wraps another exception which can be retrieved via the
+    :attr:`cause` property.
+
+    .. versionadded:: 3.9
+    """
+
+    def __init__(self, cause: Exception) -> None:
+        super(EncryptionError, self).__init__(str(cause))
+        self.__cause = cause
+
+    @property
+    def cause(self) -> Exception:
+        """The exception that caused this encryption or decryption error."""
+        return self.__cause
+
+    @property
+    def timeout(self) -> bool:
+        if isinstance(self.__cause, PyMongoError):
+            return self.__cause.timeout
+        return False
+
+
+class _OperationCancelled(AutoReconnect):
+    """Internal error raised when a socket operation is cancelled."""
+
+    pass