RUBY-1744 When handshake/auth fails, indicate which server authentication was attempted against and whether ssl was used (#1282)

p-mongo · web-flow · commit c9238ba5a77e · 2019-02-25T18:30:34.000-05:00
diff --git a/lib/mongo/socket.rb b/lib/mongo/socket.rb
@@ -34,6 +34,7 @@ class Socket
     # Error message for timeouts on socket calls.
     #
     # @since 2.0.0
+    # @deprecated
     TIMEOUT_ERROR = 'Socket request timed out'.freeze
 
     # The pack directive for timeouts.
@@ -293,13 +294,17 @@ def set_socket_options(sock)
     def handle_errors
       begin
         yield
-      rescue Errno::ETIMEDOUT
-        raise Error::SocketTimeoutError, TIMEOUT_ERROR
+      rescue Errno::ETIMEDOUT => e
+        raise Error::SocketTimeoutError, "#{e.class}: #{e} (for #{address})"
       rescue IOError, SystemCallError => e
-        raise Error::SocketError, "#{e.class}: #{e}"
+        raise Error::SocketError, "#{e.class}: #{e} (for #{address})"
       rescue OpenSSL::SSL::SSLError => e
-        raise Error::SocketError, "#{e.class}: #{e} (#{SSL_ERROR})"
+        raise Error::SocketError, "#{e.class}: #{e} (for #{address}) (#{SSL_ERROR})"
       end
     end
+
+    def address
+      raise NotImplementedError
+    end
   end
 end
diff --git a/lib/mongo/socket/ssl.rb b/lib/mongo/socket/ssl.rb
@@ -202,6 +202,10 @@ def read_buffer_size
         # Capped at 16k due to https://linux.die.net/man/3/ssl_read
         16384
       end
+
+      def address
+        "#{host}:#{port} (#{host_name}:#{port}, TLS)"
+      end
     end
   end
 end
diff --git a/lib/mongo/socket/tcp.rb b/lib/mongo/socket/tcp.rb
@@ -69,6 +69,12 @@ def initialize(host, port, timeout, family, options = {})
         super(family)
         connect!
       end
+
+      private
+
+      def address
+        "#{host}:#{port} (no TLS)"
+      end
     end
   end
 end
diff --git a/lib/mongo/socket/unix.rb b/lib/mongo/socket/unix.rb
@@ -43,6 +43,12 @@ def initialize(path, timeout, options = {})
         @socket = ::UNIXSocket.new(path)
         set_socket_options(@socket)
       end
+
+      private
+
+      def address
+        path
+      end
     end
   end
 end
diff --git a/spec/integration/auth_spec.rb b/spec/integration/auth_spec.rb
@@ -118,5 +118,43 @@
         end
       end
     end
+
+    context 'attempting to connect to a non-tls server with tls' do
+      require_no_ssl
+
+      let(:options) { {ssl: true} }
+
+      it 'reports host, port and tls status' do
+        begin
+          connection.connect!
+        rescue Mongo::Error::SocketError => exc
+        end
+        expect(exc).not_to be nil
+        expect(exc.message).to include('OpenSSL::SSL::SSLError')
+        expect(exc.message).to include(server.address.to_s)
+        expect(exc.message).to include('TLS')
+        expect(exc.message).not_to include('no TLS')
+      end
+    end
+
+    context 'attempting to connect to a tls server without tls' do
+      require_ssl
+
+      let(:options) { {} }
+
+      it 'reports host, port and tls status' do
+        begin
+          connection.connect!
+        rescue Mongo::Error::SocketError => exc
+        end
+        expect(exc).not_to be nil
+        expect(exc.message).not_to include('OpenSSL::SSL::SSLError')
+        addresses = Socket.getaddrinfo(server.address.host, nil)
+        expect(addresses.any? do |address|
+          exc.message.include?("#{address[2]}:#{server.address.port}")
+        end).to be true
+        expect(exc.message).to include('no TLS')
+      end
+    end
   end
 end
diff --git a/spec/mongo/socket/ssl_spec.rb b/spec/mongo/socket/ssl_spec.rb
@@ -49,6 +49,13 @@
     OpenSSL::PKey.read(key_string)
   end
 
+  describe '#address' do
+    it 'returns the address and tls indicator' do
+      addr = socket.instance_variable_get(:@tcp_socket).remote_address
+      expect(socket.send(:address)).to eq("#{addr.ip_address}:#{addr.ip_port} (#{default_address}, TLS)")
+    end
+  end
+
   describe '#connect!' do
 
     context 'when a certificate is provided' do
@@ -563,9 +570,13 @@
 
       let(:socket_content) { "" }
 
+      let(:remote_address) { socket.instance_variable_get(:@tcp_socket).remote_address }
+      let(:address_str) { "#{remote_address.ip_address}:#{remote_address.ip_port} (#{default_address}, TLS)" }
+
       it 'should raise EOFError' do
-        expect { socket.readbyte }
-          .to raise_error(Mongo::Error::SocketError).with_message("EOFError: EOFError")
+        expect do
+          socket.readbyte
+        end.to raise_error(Mongo::Error::SocketError).with_message("EOFError: EOFError (for #{address_str})")
       end
     end
   end
diff --git a/spec/mongo/socket/tcp_spec.rb b/spec/mongo/socket/tcp_spec.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe Mongo::Socket::TCP do
+  require_no_ssl
+
+  let(:address) { default_address }
+
+  let!(:resolver) do
+    address.send(:create_resolver, {})
+  end
+
+  let(:socket) do
+    resolver.socket(5, {})
+  end
+
+  describe '#address' do
+    it 'returns the address and tls indicator' do
+      addr = socket.send(:socket).remote_address
+      expect(socket.send(:address)).to eq("#{addr.ip_address}:#{addr.ip_port} (no TLS)")
+    end
+  end
+end
diff --git a/spec/mongo/socket/unix_spec.rb b/spec/mongo/socket/unix_spec.rb
@@ -2,8 +2,16 @@
 
 describe Mongo::Socket::Unix do
 
+  let(:path) { "/tmp/mongodb-#{SpecConfig.instance.any_port}.sock" }
+
   let(:socket) do
-    described_class.new("/tmp/mongodb-#{SpecConfig.instance.any_port}.sock", 5)
+    described_class.new(path, 5)
+  end
+
+  describe '#address' do
+    it 'returns the path' do
+      expect(socket.send(:address)).to eq(path)
+    end
   end
 
   describe '#connect!' do
diff --git a/spec/mongo/socket_spec.rb b/spec/mongo/socket_spec.rb
@@ -6,7 +6,19 @@
     described_class.new(Socket::PF_INET)
   end
 
+  describe '#address' do
+    it 'raises NotImplementedError' do
+      expect do
+        socket.send(:address)
+      end.to raise_error(NotImplementedError)
+    end
+  end
+
   describe '#handle_errors' do
+    before do
+      expect(socket).to receive(:address).and_return('fake-address')
+    end
+
     it 'maps timeout exception' do
       expect do
         socket.send(:handle_errors) do
@@ -20,23 +32,23 @@
         socket.send(:handle_errors) do
           raise SystemCallError.new('Test error', Errno::ENFILE::Errno)
         end
-      end.to raise_error(Mongo::Error::SocketError, 'Errno::ENFILE: Too many open files in system - Test error')
+      end.to raise_error(Mongo::Error::SocketError, 'Errno::ENFILE: Too many open files in system - Test error (for fake-address)')
     end
 
     it 'maps IOError and preserves message' do
       expect do
         socket.send(:handle_errors) do
           raise IOError.new('Test error')
         end
-      end.to raise_error(Mongo::Error::SocketError, 'IOError: Test error')
+      end.to raise_error(Mongo::Error::SocketError, 'IOError: Test error (for fake-address)')
     end
 
     it 'maps SSLError and preserves message' do
       expect do
         socket.send(:handle_errors) do
           raise OpenSSL::SSL::SSLError.new('Test error')
         end
-      end.to raise_error(Mongo::Error::SocketError, 'OpenSSL::SSL::SSLError: Test error (MongoDB may not be configured with SSL support)')
+      end.to raise_error(Mongo::Error::SocketError, 'OpenSSL::SSL::SSLError: Test error (for fake-address) (MongoDB may not be configured with SSL support)')
     end
   end
 end
diff --git a/spec/support/constraints.rb b/spec/support/constraints.rb
@@ -80,6 +80,14 @@ def require_ssl
     end
   end
 
+  def require_no_ssl
+    before do
+      if SpecConfig.instance.ssl?
+        skip "SSL enabled"
+      end
+    end
+  end
+
   def require_local_tls
     before do
       unless SpecConfig.instance.ssl? && !SpecConfig.instance.ci?
