micronaut-projects / micronaut-mongodb

Integrations between Micronaut and MongoDB
Apache License 2.0

MongoHealthIndicator does not function for encrypted MongoClient #269

Open j1m-renwick opened 2 years ago

j1m-renwick commented 2 years ago

Expected Behavior

Application starts up with no errors

Actual Behaviour

Then the following error appears in the logs:

[default-nioEventLoopGroup-1-3] ERROR i.m.m.health.indicator.HealthResult - Health indicator [mongodb (Primary)] reported exception: com.mongodb.MongoClientException: Exception in encryption library: command not supported for auto encryption: buildinfo

This seems to be because MongoHealthIndicator uses the "buildinfo" command, which isn't a command that the mongocrypt library currently considers bypassable (https://jira.mongodb.org/projects/MONGOCRYPT/issues/MONGOCRYPT-308; https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#libmongocrypt-auto-encryption-allow-list).

In order to support encryption, either the hardcoded command needs to be a bypassable one, or users should be able to configure the command to run in their YAML.

Steps To Reproduce

Specify an encrypted MongoClient bean to be eagerly created at startup, i.e.:

@Factory
class MongoFactory {

    @Context
    MongoClient mongoClient() {
        // (...create the CSFLE client here)
    }
}

Start application and observe logs

Environment Information

Example Application

No response

Version

2.3.1

j1m-renwick commented 1 year ago

UPDATE - https://jira.mongodb.org/projects/MONGOCRYPT/issues/MONGOCRYPT-308 has added buildInfo to the list of bypassable commands, but I think that because the MongoHealthIndicator class calls buildinfo instead (note the lower case), it isn't passing the check as per https://github.com/mongodb/libmongocrypt/commit/591bcfa3c43ead619cc3cbe72f1bd5d8fb8ad2da. So I think the fix is now just a matter of changing the buildinfo call to buildInfo. Happy to raise a PR if needed.

graemerocher commented 1 year ago

can be disabled with:

endpoints.health.mongodb.enabled=false

j1m-renwick commented 1 year ago

I still wanted to use the health indicator, I just wanted it to work for an encrypted client. Currently we're just replacing the class with our own that uses ping (which is flagged as bypassable) instead of buildinfo, but it would be nice to not have to do this.
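
A sketch of the ping-based workaround described in the comment above, as an added example that is not the commenter's class or the project's code. The class name, the indicator name "mongodb-ping" and the use of the synchronous MongoClient are assumptions; it is meant to be paired with endpoints.health.mongodb.enabled=false so the built-in indicator does not also run.

```java
import com.mongodb.client.MongoClient;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.async.publisher.Publishers;
import io.micronaut.health.HealthStatus;
import io.micronaut.management.health.indicator.HealthIndicator;
import io.micronaut.management.health.indicator.HealthResult;
import jakarta.inject.Singleton; // assumption: Micronaut 3+; on 2.x use javax.inject.Singleton
import org.bson.Document;
import org.reactivestreams.Publisher;

import java.util.Collections;
import java.util.concurrent.CompletableFuture;

// Hypothetical replacement indicator: checks connectivity with "ping",
// which the thread notes is bypassable under auto encryption.
@Singleton
@Requires(beans = MongoClient.class)
public class MongoPingHealthIndicator implements HealthIndicator {

    private static final String NAME = "mongodb-ping"; // hypothetical indicator name

    private final MongoClient mongoClient;

    public MongoPingHealthIndicator(MongoClient mongoClient) {
        this.mongoClient = mongoClient;
    }

    @Override
    public Publisher<HealthResult> getResult() {
        // Run the blocking driver call off the caller's thread (the log above
        // shows health checks being invoked on a Netty event loop thread).
        return Publishers.fromCompletableFuture(() -> CompletableFuture.supplyAsync(this::ping));
    }

    private HealthResult ping() {
        try {
            Document reply = mongoClient.getDatabase("admin").runCommand(new Document("ping", 1));
            return HealthResult.builder(NAME, HealthStatus.UP)
                    .details(Collections.singletonMap("ok", reply.get("ok")))
                    .build();
        } catch (RuntimeException e) {
            // Report encryption-library or connectivity failures as DOWN
            // instead of letting the exception escape the publisher.
            return HealthResult.builder(NAME, HealthStatus.DOWN).exception(e).build();
        }
    }
}
```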

j1m-renwick commented 1 year ago

Should I raise a PR for this change (buildinfo -> buildInfo)?

graemerocher commented 1 year ago

sure, contributions welcome