PYTHON-1926 Raise an error for unsupported encryption operations

ShaneHarvey · ShaneHarvey · commit ef8d1e2f2174 · 2019-08-13T09:36:32.000-07:00
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -1119,9 +1119,8 @@ buildvariants:
   display_name: "Encryption ${platform} ${auth-ssl}"
   tasks: &encryption-server-versions
     - ".4.2"
-    # TODO:	PYTHON-1926
-    # - ".4.0"
-    # - ".2.6"
+    - ".4.0"
+    - ".2.6"
 
 - matrix_name: "tests-no-36-plus"
   matrix_spec:
diff --git a/pymongo/collection.py b/pymongo/collection.py
@@ -40,6 +40,7 @@
 from pymongo.errors import (BulkWriteError,
                             ConfigurationError,
                             InvalidName,
+                            InvalidOperation,
                             OperationFailure)
 from pymongo.helpers import (_check_write_command_response,
                              _raise_last_error)
@@ -1474,7 +1475,8 @@ def find_raw_batches(self, *args, **kwargs):
           >>> for batch in cursor:
           ...     print(bson.decode_all(batch))
 
-        .. note:: find_raw_batches does not support sessions.
+        .. note:: find_raw_batches does not support sessions or auto
+           encryption.
 
         .. versionadded:: 3.6
         """
@@ -1483,6 +1485,12 @@ def find_raw_batches(self, *args, **kwargs):
         if "session" in kwargs:
             raise ConfigurationError(
                 "find_raw_batches does not support sessions")
+
+        # OP_MSG is required to support encryption.
+        if self.__database.client._encrypter:
+            raise InvalidOperation(
+                "find_raw_batches does not support auto encryption")
+
         return RawBatchCursor(self, *args, **kwargs)
 
     def parallel_scan(self, num_cursors, session=None, **kwargs):
@@ -2388,7 +2396,8 @@ def aggregate_raw_batches(self, pipeline, **kwargs):
           >>> for batch in cursor:
           ...     print(bson.decode_all(batch))
 
-        .. note:: aggregate_raw_batches does not support sessions.
+        .. note:: aggregate_raw_batches does not support sessions or auto
+           encryption.
 
         .. versionadded:: 3.6
         """
@@ -2398,6 +2407,11 @@ def aggregate_raw_batches(self, pipeline, **kwargs):
             raise ConfigurationError(
                 "aggregate_raw_batches does not support sessions")
 
+        # OP_MSG is required to support encryption.
+        if self.__database.client._encrypter:
+            raise InvalidOperation(
+                "aggregate_raw_batches does not support auto encryption")
+
         return self._aggregate(_CollectionRawAggregationCommand,
                                pipeline,
                                RawBatchCommandCursor,
diff --git a/pymongo/cursor.py b/pymongo/cursor.py
@@ -944,6 +944,10 @@ def __send_message(self, operation):
         Can raise ConnectionFailure.
         """
         client = self.__collection.database.client
+        # OP_MSG is required to support exhaust cursors with encryption.
+        if client._encrypter and self.__exhaust:
+            raise InvalidOperation(
+                "exhaust cursors do not support auto encryption")
 
         try:
             response = client._run_operation_with_response(
diff --git a/pymongo/mongo_client.py b/pymongo/mongo_client.py
@@ -1222,6 +1222,12 @@ def _get_socket(self, server, session, exhaust=False):
             with server.get_socket(
                     self.__all_credentials, checkout=exhaust) as sock_info:
                 err_handler.contribute_socket(sock_info)
+                if (self._encrypter and
+                        not self._encrypter._bypass_auto_encryption and
+                        sock_info.max_wire_version < 8):
+                    raise ConfigurationError(
+                        'Auto-encryption requires a minimum MongoDB version '
+                        'of 4.2')
                 yield sock_info
 
     def _select_server(self, server_selector, session, address=None):
diff --git a/test/test_encryption.py b/test/test_encryption.py
@@ -33,6 +33,7 @@
 from bson.json_util import JSONOptions
 from bson.son import SON
 
+from pymongo.cursor import CursorType
 from pymongo.errors import (ConfigurationError,
                             EncryptionError,
                             InvalidOperation,
@@ -41,6 +42,7 @@
                                 ClientEncryption)
 from pymongo.encryption_options import AutoEncryptionOpts, _HAVE_PYMONGOCRYPT
 from pymongo.mongo_client import MongoClient
+from pymongo.operations import InsertOne
 from pymongo.write_concern import WriteConcern
 
 from test import unittest, IntegrationTest, PyMongoTestCase, client_context
@@ -256,6 +258,48 @@ def test_use_after_close(self):
             client.admin.command('isMaster')
 
 
+class TestClientMaxWireVersion(IntegrationTest):
+
+    @classmethod
+    @unittest.skipUnless(_HAVE_PYMONGOCRYPT, 'pymongocrypt is not installed')
+    def setUpClass(cls):
+        super(TestClientMaxWireVersion, cls).setUpClass()
+
+    @client_context.require_version_max(4, 0, 99)
+    def test_raise_max_wire_version_error(self):
+        opts = AutoEncryptionOpts(KMS_PROVIDERS, 'admin.datakeys')
+        client = rs_or_single_client(auto_encryption_opts=opts)
+        self.addCleanup(client.close)
+        msg = 'Auto-encryption requires a minimum MongoDB version of 4.2'
+        with self.assertRaisesRegex(ConfigurationError, msg):
+            client.test.test.insert_one({})
+        with self.assertRaisesRegex(ConfigurationError, msg):
+            client.admin.command('isMaster')
+        with self.assertRaisesRegex(ConfigurationError, msg):
+            client.test.test.find_one({})
+        with self.assertRaisesRegex(ConfigurationError, msg):
+            client.test.test.bulk_write([InsertOne({})])
+
+    def test_raise_unsupported_error(self):
+        opts = AutoEncryptionOpts(KMS_PROVIDERS, 'admin.datakeys')
+        client = rs_or_single_client(auto_encryption_opts=opts)
+        self.addCleanup(client.close)
+        msg = 'find_raw_batches does not support auto encryption'
+        with self.assertRaisesRegex(InvalidOperation, msg):
+            client.test.test.find_raw_batches({})
+
+        msg = 'aggregate_raw_batches does not support auto encryption'
+        with self.assertRaisesRegex(InvalidOperation, msg):
+            client.test.test.aggregate_raw_batches([])
+
+        if client_context.is_mongos:
+            msg = 'Exhaust cursors are not supported by mongos'
+        else:
+            msg = 'exhaust cursors do not support auto encryption'
+        with self.assertRaisesRegex(InvalidOperation, msg):
+            next(client.test.test.find(cursor_type=CursorType.EXHAUST))
+
+
 class TestExplicitSimple(EncryptionIntegrationTest):
 
     def test_encrypt_decrypt(self):
@@ -403,6 +447,7 @@ class TestSpec(SpecRunner):
 
     @classmethod
     @unittest.skipUnless(_HAVE_PYMONGOCRYPT, 'pymongocrypt is not installed')
+    @client_context.require_version_min(3, 6)  # SpecRunner requires sessions.
     def setUpClass(cls):
         super(TestSpec, cls).setUpClass()
 
