PYTHON-2769 Test redaction of replies to security-sensitive commands (mongodb#676)

Resync command monitoring and unified test format tests. Redact entire hello response when the command started contained speculativeAuthenticate. Make OP_REPLY cursor.cursor_id always be an Int64.

Author: ShaneHarvey

pymongo/message.py

@@ -33,6 +33,7 @@
  _dict_to_bson,
  _make_c_string)
 from bson.codec_options import DEFAULT_CODEC_OPTIONS
+from bson.int64 import Int64
 from bson.raw_bson import (_inflate_bson, DEFAULT_RAW_BSON_OPTIONS,
  RawBSONDocument)
 from bson.son import SON
@@ -1503,7 +1504,7 @@ class _OpReply(object):
 
  def __init__(self, flags, cursor_id, number_returned, documents):
  self.flags = flags
- self.cursor_id = cursor_id
+ self.cursor_id = Int64(cursor_id)
  self.number_returned = number_returned
  self.documents = documents
 

pymongo/monitoring.py

@@ -1350,7 +1350,8 @@ def publish_command_start(self, command, database_name,
 
  def publish_command_success(self, duration, reply, command_name,
  request_id, connection_id, op_id=None,
- service_id=None):
+ service_id=None,
+ speculative_hello=False):
  """Publish a CommandSucceededEvent to all command listeners.
 
  :Parameters:
@@ -1362,9 +1363,14 @@ def publish_command_success(self, duration, reply, command_name,
  command was sent to.
  - `op_id`: The (optional) operation id for this operation.
  - `service_id`: The service_id this command was sent to, or ``None``.
+ - `speculative_hello`: Was the command sent with speculative auth?
  """
  if op_id is None:
  op_id = request_id
+ if speculative_hello:
+ # Redact entire response when the command started contained
+ # speculativeAuthenticate.
+ reply = {}
  event = CommandSucceededEvent(
  duration, reply, command_name, request_id, connection_id, op_id,
  service_id)

pymongo/network.py

@@ -31,6 +31,7 @@
  ProtocolError,
  _OperationCancelled)
 from pymongo.message import _UNPACK_REPLY, _OpMsg
+from pymongo.monitoring import _is_speculative_authenticate
 from pymongo.socket_checker import _errno_from_exception
 
 
@@ -82,6 +83,7 @@ def command(sock_info, dbname, spec, slave_ok, is_mongos,
  name = next(iter(spec))
  ns = dbname + '.$cmd'
  flags = 4 if slave_ok else 0
+ speculative_hello = False
 
  # Publish the original command document, perhaps with lsid and $clusterTime.
  orig = spec
@@ -98,6 +100,7 @@ def command(sock_info, dbname, spec, slave_ok, is_mongos,
  publish = listeners is not None and listeners.enabled_for_commands
  if publish:
  start = datetime.datetime.now()
+ speculative_hello = _is_speculative_authenticate(name, spec)
 
  if compression_ctx and name.lower() in _NO_COMPRESSION:
  compression_ctx = None
@@ -170,7 +173,8 @@ def command(sock_info, dbname, spec, slave_ok, is_mongos,
  duration = (datetime.datetime.now() - start) + encoding_duration
  listeners.publish_command_success(
  duration, response_doc, name, request_id, address,
- service_id=sock_info.service_id)
+ service_id=sock_info.service_id,
+ speculative_hello=speculative_hello)
 
  if client and client._encrypter and reply:
  decrypted = client._encrypter.decrypt(reply.raw_command_response())

test/command_monitoring/legacy/bulkWrite.json

@@ -86,9 +86,7 @@
  "$set": {
  "x": 333
  }
- },
- "upsert": false,
- "multi": false
+ }
  }
  ],
  "ordered": true

test/command_monitoring/legacy/insertMany.json

@@ -32,9 +32,7 @@
  "x": 22
  }
  ],
- "options": {
- "ordered": true
- }
+ "ordered": true
  },
  "command_name": "insert",
  "database_name": "command-monitoring-tests"
@@ -75,9 +73,7 @@
  "x": 11
  }
  ],
- "options": {
- "ordered": true
- }
+ "ordered": true
  },
  "command_name": "insert",
  "database_name": "command-monitoring-tests"
@@ -128,9 +124,7 @@
  "x": 22
  }
  ],
- "options": {
- "ordered": false
- }
+ "ordered": false
  },
  "command_name": "insert",
  "database_name": "command-monitoring-tests"

test/command_monitoring/legacy/updateMany.json

@@ -51,8 +51,7 @@
  "x": 1
  }
  },
- "multi": true,
- "upsert": false
+ "multi": true
  }
  ]
  },
@@ -106,8 +105,7 @@
  "x": 1
  }
  },
- "multi": true,
- "upsert": false
+ "multi": true
  }
  ]
  },

test/command_monitoring/legacy/updateOne.json

@@ -50,9 +50,7 @@
  "$inc": {
  "x": 1
  }
- },
- "multi": false,
- "upsert": false
+ }
  }
  ]
  },
@@ -103,7 +101,6 @@
  "x": 1
  }
  },
- "multi": false,
  "upsert": true
  }
  ]
@@ -163,9 +160,7 @@
  "$nothing": {
  "x": 1
  }
- },
- "multi": false,
- "upsert": false
+ }
  }
  ]
  },