MONGOCRYPT-791 Remove trace logging

CMakeLists.txt

@@ -184,12 +184,6 @@ else ()
    message (FATAL_ERROR "Unknown crypto provider ${MONGOCRYPT_CRYPTO}")
 endif ()
 
-set (MONGOCRYPT_ENABLE_TRACE 0)
-if (ENABLE_TRACE)
-   message (WARNING "Building with trace logging. This is highly insecure. Do not use in a production environment")
-   set (MONGOCRYPT_ENABLE_TRACE 1)
-endif ()
-
 set (BUILD_VERSION "0.0.0" CACHE STRING "Library version")
 if (BUILD_VERSION STREQUAL "0.0.0")
    if (EXISTS ${CMAKE_BINARY_DIR}/VERSION_CURRENT)

bindings/python/pymongocrypt/binding.py

@@ -260,7 +260,6 @@ def _parse_version(version):
     MONGOCRYPT_LOG_LEVEL_ERROR = 1,
     MONGOCRYPT_LOG_LEVEL_WARNING = 2,
     MONGOCRYPT_LOG_LEVEL_INFO = 3,
-    MONGOCRYPT_LOG_LEVEL_TRACE = 4
 } mongocrypt_log_level_t;
 
 /**

integrating.md

@@ -72,8 +72,6 @@ executable included with libmongocrypt. It uses mock responses from
 mongod, mongocryptd, and KMS. Reimplement the state machine loop
 (`_run_state_machine`) in example-state-machine with your binding.
 
-To debug, configure with the cmake option `-DENABLE_TRACE=ON`, and set the environment variable `MONGOCRYPT_TRACE=ON` to log the arguments to mongocrypt functions. Note, this is insecure and should only be used for debugging.
-
 Seek help in the slack channel \#drivers-fle.
 
 ## Part 2: Integrate into Driver ##

src/mongocrypt-config.h.in

@@ -73,14 +73,10 @@
 
 
 /*
- * MONGOCRYPT_ENABLE_TRACE is set from configure to determine if we are
- * compiled with tracing support.
+ * MONGOCRYPT_ENABLE_TRACE is automatically disabled as 
+ * trace logging is no longer supported.
  */
-#define MONGOCRYPT_ENABLE_TRACE @MONGOCRYPT_ENABLE_TRACE@
-
-#if MONGOCRYPT_ENABLE_TRACE != 1
-#  undef MONGOCRYPT_ENABLE_TRACE
-#endif
+#define MONGOCRYPT_ENABLE_TRACE 0
 
 /* clang-format on */
 

src/mongocrypt-ctx-decrypt.c

@@ -778,14 +778,6 @@ bool mongocrypt_ctx_explicit_decrypt_init(mongocrypt_ctx_t *ctx, mongocrypt_bina
         return _mongocrypt_ctx_fail_w_msg(ctx, "invalid msg");
     }
 
-    if (ctx->crypt->log.trace_enabled) {
-        char *msg_val;
-        msg_val = _mongocrypt_new_json_string_from_binary(msg);
-        _mongocrypt_log(&ctx->crypt->log, MONGOCRYPT_LOG_LEVEL_TRACE, "%s (%s=\"%s\")", BSON_FUNC, "msg", msg_val);
-
-        bson_free(msg_val);
-    }
-
     /* Expect msg to be the BSON a document of the form:
        { "v" : (BSON BINARY value of subtype 6) }
     */
@@ -866,12 +858,6 @@ bool mongocrypt_ctx_decrypt_init(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *doc
         return _mongocrypt_ctx_fail_w_msg(ctx, "invalid doc");
     }
 
-    if (ctx->crypt->log.trace_enabled) {
-        char *doc_val;
-        doc_val = _mongocrypt_new_json_string_from_binary(doc);
-        _mongocrypt_log(&ctx->crypt->log, MONGOCRYPT_LOG_LEVEL_TRACE, "%s (%s=\"%s\")", BSON_FUNC, "doc", doc_val);
-        bson_free(doc_val);
-    }
     dctx = (_mongocrypt_ctx_decrypt_t *)ctx;
     ctx->type = _MONGOCRYPT_TYPE_DECRYPT;
     ctx->vtable.finalize = _finalize;

src/mongocrypt-ctx-encrypt.c

@@ -2026,13 +2026,6 @@ static bool explicit_encrypt_init(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *ms
         return _mongocrypt_ctx_fail_w_msg(ctx, "msg must be bson");
     }
 
-    if (ctx->crypt->log.trace_enabled) {
-        char *cmd_val;
-        cmd_val = _mongocrypt_new_json_string_from_binary(msg);
-        _mongocrypt_log(&ctx->crypt->log, MONGOCRYPT_LOG_LEVEL_TRACE, "%s (%s=\"%s\")", BSON_FUNC, "msg", cmd_val);
-        bson_free(cmd_val);
-    }
-
     if (!bson_iter_init_find(&iter, &as_bson, "v")) {
         return _mongocrypt_ctx_fail_w_msg(ctx, "invalid msg, must contain 'v'");
     }
@@ -2577,22 +2570,6 @@ bool mongocrypt_ctx_encrypt_init(mongocrypt_ctx_t *ctx, const char *db, int32_t
         return _mongocrypt_ctx_fail_w_msg(ctx, "algorithm must not be set for auto encryption");
     }
 
-    if (ctx->crypt->log.trace_enabled) {
-        char *cmd_val;
-        cmd_val = _mongocrypt_new_json_string_from_binary(cmd);
-        _mongocrypt_log(&ctx->crypt->log,
-                        MONGOCRYPT_LOG_LEVEL_TRACE,
-                        "%s (%s=\"%s\", %s=%d, %s=\"%s\")",
-                        BSON_FUNC,
-                        "db",
-                        ectx->cmd_db,
-                        "db_len",
-                        db_len,
-                        "cmd",
-                        cmd_val);
-        bson_free(cmd_val);
-    }
-
     // Check if an isMaster request to mongocryptd is needed to detect feature support:
     if (needs_ismaster_check(ctx)) {
         ectx->ismaster.needed = true;

src/mongocrypt-ctx.c

@@ -77,20 +77,6 @@ bool mongocrypt_ctx_setopt_key_id(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *ke
         return false;
     }
 
-    if (ctx->crypt->log.trace_enabled && key_id && key_id->data) {
-        char *key_id_val;
-        /* this should never happen, so assert rather than return false */
-        BSON_ASSERT(key_id->len <= INT_MAX);
-        key_id_val = _mongocrypt_new_string_from_bytes(key_id->data, (int)key_id->len);
-        _mongocrypt_log(&ctx->crypt->log,
-                        MONGOCRYPT_LOG_LEVEL_TRACE,
-                        "%s (%s=\"%s\")",
-                        BSON_FUNC,
-                        "key_id",
-                        key_id_val);
-        bson_free(key_id_val);
-    }
-
     return _set_binary_opt(ctx, key_id, &ctx->opts.key_id, BSON_SUBTYPE_UUID);
 }
 
@@ -241,15 +227,6 @@ bool mongocrypt_ctx_setopt_algorithm(mongocrypt_ctx_t *ctx, const char *algorith
     }
 
     const size_t calculated_len = len == -1 ? strlen(algorithm) : (size_t)len;
-    if (ctx->crypt->log.trace_enabled) {
-        _mongocrypt_log(&ctx->crypt->log,
-                        MONGOCRYPT_LOG_LEVEL_TRACE,
-                        "%s (%s=\"%.*s\")",
-                        BSON_FUNC,
-                        "algorithm",
-                        calculated_len <= (size_t)INT_MAX ? (int)calculated_len : INT_MAX,
-                        algorithm);
-    }
 
     mstr_view algo_str = mstrv_view_data(algorithm, calculated_len);
     if (mstr_eq_ignore_case(algo_str, mstrv_lit(MONGOCRYPT_ALGORITHM_DETERMINISTIC_STR))) {
@@ -443,14 +420,6 @@ bool mongocrypt_ctx_mongo_feed(mongocrypt_ctx_t *ctx, mongocrypt_binary_t *in) {
         return _mongocrypt_ctx_fail_w_msg(ctx, "invalid NULL input");
     }
 
-    if (ctx->crypt->log.trace_enabled) {
-        char *in_val;
-
-        in_val = _mongocrypt_new_json_string_from_binary(in);
-        _mongocrypt_log(&ctx->crypt->log, MONGOCRYPT_LOG_LEVEL_TRACE, "%s (%s=\"%s\")", BSON_FUNC, "in", in_val);
-        bson_free(in_val);
-    }
-
     switch (ctx->state) {
     case MONGOCRYPT_CTX_NEED_MONGO_COLLINFO_WITH_DB:
     case MONGOCRYPT_CTX_NEED_MONGO_COLLINFO: CHECK_AND_CALL(mongo_feed_collinfo, ctx, in);
@@ -729,21 +698,6 @@ bool mongocrypt_ctx_setopt_masterkey_aws(mongocrypt_ctx_t *ctx,
     mongocrypt_binary_destroy(bin);
     bson_destroy(&as_bson);
 
-    if (ctx->crypt->log.trace_enabled) {
-        _mongocrypt_log(&ctx->crypt->log,
-                        MONGOCRYPT_LOG_LEVEL_TRACE,
-                        "%s (%s=\"%s\", %s=%d, %s=\"%s\", %s=%d)",
-                        BSON_FUNC,
-                        "region",
-                        ctx->opts.kek.provider.aws.region,
-                        "region_len",
-                        region_len,
-                        "cmk",
-                        ctx->opts.kek.provider.aws.cmk,
-                        "cmk_len",
-                        cmk_len);
-    }
-
     return ret;
 }
 
@@ -1012,12 +966,6 @@ bool mongocrypt_ctx_setopt_key_encryption_key(mongocrypt_ctx_t *ctx, mongocrypt_
         return _mongocrypt_ctx_fail(ctx);
     }
 
-    if (ctx->crypt->log.trace_enabled) {
-        char *bin_str = bson_as_canonical_extended_json(&as_bson, NULL);
-        _mongocrypt_log(&ctx->crypt->log, MONGOCRYPT_LOG_LEVEL_TRACE, "%s (%s=\"%s\")", BSON_FUNC, "bin", bin_str);
-        bson_free(bin_str);
-    }
-
     return true;
 }
 

src/mongocrypt-kms-ctx.c

@@ -1194,16 +1194,6 @@ bool mongocrypt_kms_ctx_feed(mongocrypt_kms_ctx_t *kms, mongocrypt_binary_t *byt
         return false;
     }
 
-    if (kms->log && kms->log->trace_enabled) {
-        _mongocrypt_log(kms->log,
-                        MONGOCRYPT_LOG_LEVEL_TRACE,
-                        "%s (%s=\"%.*s\")",
-                        BSON_FUNC,
-                        "bytes",
-                        mongocrypt_binary_len(bytes),
-                        mongocrypt_binary_data(bytes));
-    }
-
     if (!kms_response_parser_feed(kms->parser, bytes->data, bytes->len)) {
         if (is_kms(kms->req_type)) {
             /* The KMIP response parser does not suport kms_response_parser_status.

src/mongocrypt-log-private.h

@@ -24,7 +24,6 @@ typedef struct {
     mongocrypt_mutex_t mutex; /* protects fn and ctx. */
     mongocrypt_log_fn_t fn;
     void *ctx;
-    bool trace_enabled;
 } _mongocrypt_log_t;
 
 void _mongocrypt_stdout_log_fn(mongocrypt_log_level_t level, const char *message, uint32_t message_len, void *ctx);
@@ -38,42 +37,11 @@ void _mongocrypt_log_cleanup(_mongocrypt_log_t *log);
 
 void _mongocrypt_log_set_fn(_mongocrypt_log_t *log, mongocrypt_log_fn_t fn, void *ctx);
 
-#ifdef MONGOCRYPT_ENABLE_TRACE
-
-#define CRYPT_TRACEF(log, fmt, ...)                                                                                    \
-    _mongocrypt_log(log, MONGOCRYPT_LOG_LEVEL_TRACE, "(%s:%d) " fmt, BSON_FUNC, __LINE__, __VA_ARGS__)
-
-#define CRYPT_TRACE(log, msg) CRYPT_TRACEF(crypt, "%s", msg)
-
-#define CRYPT_ENTRY(log) _mongocrypt_log(crypt, MONGOCRYPT_LOG_LEVEL_TRACE, "entry (%s:%d)", BSON_FUNC, __LINE__)
-
-#define CRYPT_EXIT(log)                                                                                                \
-    do {                                                                                                               \
-        _mongocrypt_log(crypt, MONGOCRYPT_LOG_LEVEL_TRACE, "exit (%s:%d)", BSON_FUNC, __LINE__);                       \
-        return;                                                                                                        \
-    } while (0)
-
-#define CRYPT_RETURN(log, x)                                                                                           \
-    do {                                                                                                               \
-        _mongocrypt_log(log, MONGOCRYPT_LOG_LEVEL_TRACE, "return (%s:%d)", BSON_FUNC, __LINE__);                       \
-        return (x);                                                                                                    \
-    } while (0)
-
-#define CRYPT_GOTO(log, x)                                                                                             \
-    do {                                                                                                               \
-        _mongocrypt_log(log, MONGOCRYPT_LOG_LEVEL_TRACE, "goto (%s:%d)", BSON_FUNC, __LINE__);                         \
-        goto x;                                                                                                        \
-    } while (0)
-
-#else
-
 #define CRYPT_TRACEF(log, fmt, ...)
 #define CRYPT_TRACE(log, msg)
 #define CRYPT_ENTRY(log)
 #define CRYPT_EXIT(log)
 #define CRYPT_RETURN(log, x) return (x);
 #define CRYPT_GOTO(log, x) goto x;
 
-#endif /* MONGOCRYPT_ENABLE_TRACE */
-
 #endif /* MONGOCRYPT_LOG_PRIVATE_H */

src/mongocrypt-log.c

@@ -26,9 +26,6 @@ void _mongocrypt_log_init(_mongocrypt_log_t *log) {
     _mongocrypt_mutex_init(&log->mutex);
     /* Initially, no log function is set. */
     _mongocrypt_log_set_fn(log, NULL, NULL);
-#ifdef MONGOCRYPT_ENABLE_TRACE
-    log->trace_enabled = (getenv("MONGOCRYPT_TRACE") != NULL);
-#endif
 }
 
 void _mongocrypt_log_cleanup(_mongocrypt_log_t *log) {
@@ -47,7 +44,7 @@ void _mongocrypt_stdout_log_fn(mongocrypt_log_level_t level, const char *message
     case MONGOCRYPT_LOG_LEVEL_ERROR: printf("ERROR"); break;
     case MONGOCRYPT_LOG_LEVEL_WARNING: printf("WARNING"); break;
     case MONGOCRYPT_LOG_LEVEL_INFO: printf("INFO"); break;
-    case MONGOCRYPT_LOG_LEVEL_TRACE: printf("TRACE"); break;
+    case MONGOCRYPT_LOG_LEVEL_TRACE: printf("TRACE"); break; /* UNUSED */
     default: printf("UNKNOWN"); break;
     }
     printf(" %s\n", message);
@@ -69,10 +66,6 @@ void _mongocrypt_log(_mongocrypt_log_t *log, mongocrypt_log_level_t level, const
     BSON_ASSERT_PARAM(log);
     BSON_ASSERT_PARAM(format);
 
-    if (level == MONGOCRYPT_LOG_LEVEL_TRACE && !log->trace_enabled) {
-        return;
-    }
-
     va_start(args, format);
     message = bson_strdupv_printf(format, args);
     va_end(args);

src/mongocrypt-opts.c

@@ -988,11 +988,5 @@ bool _mongocrypt_parse_kms_providers(mongocrypt_binary_t *kms_providers_definiti
         }
     }
 
-    if (log && log->trace_enabled) {
-        char *as_str = bson_as_relaxed_extended_json(&as_bson, NULL);
-        _mongocrypt_log(log, MONGOCRYPT_LOG_LEVEL_TRACE, "%s (%s=\"%s\")", BSON_FUNC, "kms_providers", as_str);
-        bson_free(as_str);
-    }
-
     return true;
 }

src/mongocrypt.c

@@ -203,20 +203,6 @@ bool mongocrypt_setopt_kms_provider_aws(mongocrypt_t *crypt,
         return false;
     }
 
-    if (crypt->log.trace_enabled) {
-        _mongocrypt_log(&crypt->log,
-                        MONGOCRYPT_LOG_LEVEL_TRACE,
-                        "%s (%s=\"%s\", %s=%d, %s=\"%s\", %s=%d)",
-                        BSON_FUNC,
-                        "aws_access_key_id",
-                        kms_providers->aws_mut.access_key_id,
-                        "aws_access_key_id_len",
-                        aws_access_key_id_len,
-                        "aws_secret_access_key",
-                        kms_providers->aws_mut.secret_access_key,
-                        "aws_secret_access_key_len",
-                        aws_secret_access_key_len);
-    }
     kms_providers->configured_providers |= MONGOCRYPT_KMS_PROVIDER_AWS;
     return true;
 }
@@ -360,15 +346,6 @@ bool mongocrypt_setopt_kms_provider_local(mongocrypt_t *crypt, mongocrypt_binary
         return false;
     }
 
-    if (crypt->log.trace_enabled) {
-        char *key_val;
-        BSON_ASSERT(key->len <= (uint32_t)INT_MAX);
-        key_val = _mongocrypt_new_string_from_bytes(key->data, (int)key->len);
-
-        _mongocrypt_log(&crypt->log, MONGOCRYPT_LOG_LEVEL_TRACE, "%s (%s=\"%s\")", BSON_FUNC, "key", key_val);
-        bson_free(key_val);
-    }
-
     _mongocrypt_buffer_copy_from_binary(&kms_providers->local_mut.key, key);
     kms_providers->configured_providers |= MONGOCRYPT_KMS_PROVIDER_LOCAL;
     return true;
@@ -409,9 +386,6 @@ static _loaded_csfle _try_load_csfle(const char *filepath, mongocrypt_status_t *
         return (_loaded_csfle){.okay = false};
     }
 
-    // Successfully opened DLL
-    _mongocrypt_log(log, MONGOCRYPT_LOG_LEVEL_TRACE, "Loading crypt_shared dynamic library [%s]", filepath);
-
     // Construct the library vtable
     _mongo_crypt_v1_vtable vtable = {.okay = true};
 #define X_FUNC(Name, RetType, ...)                                                                                     \
@@ -796,7 +770,6 @@ static bool _csfle_replace_or_take_validate_singleton(mongocrypt_t *crypt, _load
         // Reset the library in the caller so they can't unload the DLL. The DLL
         // is now managed in the global variable.
         found->lib = MCR_DLL_NULL;
-        _mongocrypt_log(&crypt->log, MONGOCRYPT_LOG_LEVEL_TRACE, "Loading new csfle library for the application.");
         have_csfle = true;
         break;
     case LIB_CREATE_FAILED:

test/example-state-machine.c

@@ -28,7 +28,7 @@ static void _log_to_stderr(mongocrypt_log_level_t level, const char *message, ui
     case MONGOCRYPT_LOG_LEVEL_ERROR: fprintf(stderr, "ERROR"); break;
     case MONGOCRYPT_LOG_LEVEL_WARNING: fprintf(stderr, "WARNING"); break;
     case MONGOCRYPT_LOG_LEVEL_INFO: fprintf(stderr, "INFO"); break;
-    case MONGOCRYPT_LOG_LEVEL_TRACE: fprintf(stderr, "TRACE"); break;
+    case MONGOCRYPT_LOG_LEVEL_TRACE: fprintf(stderr, "TRACE"); break; /* UNUSED */
     default: fprintf(stderr, "UNKNOWN"); break;
     }
     fprintf(stderr, " %s\n", message);