PR - feedback

Author: nhachicha

driver-core/src/main/com/mongodb/internal/connection/BackpressureErrorLabeler.java

@@ -45,21 +45,21 @@ static void applyLabelsIfEligible(final Throwable t) {
         if (!(t instanceof MongoSocketException)) {
             return;
         }
-        if (isDnsLookupFailure(t)) {
+        MongoSocketException socketException = (MongoSocketException) t;
+        if (isDnsLookupFailure(socketException)) {
             return;
         }
-        if (isTlsConfigurationError(t)) {
+        if (isTlsConfigurationError(socketException)) {
             return;
         }
         // TODO-BACKPRESSURE Nabil - SOCKS5 Revisit alongside JAVA-5205 (SOCKS5 in async) so both sync and
         // async proxy error surfaces can be handled together — likely via a dedicated internal
         // exception thrown from the proxy code path.
-        MongoException mongoException = (MongoException) t;
-        mongoException.addLabel(MongoException.SYSTEM_OVERLOADED_ERROR_LABEL);
-        mongoException.addLabel(MongoException.RETRYABLE_ERROR_LABEL);
+        socketException.addLabel(MongoException.SYSTEM_OVERLOADED_ERROR_LABEL);
+        socketException.addLabel(MongoException.RETRYABLE_ERROR_LABEL);
     }
 
-    private static boolean isDnsLookupFailure(final Throwable t) {
+    private static boolean isDnsLookupFailure(final MongoSocketException t) {
         Throwable cause = t.getCause();
         while (cause != null) {
             if (cause instanceof UnknownHostException) {
@@ -70,7 +70,7 @@ private static boolean isDnsLookupFailure(final Throwable t) {
         return false;
     }
 
-    private static boolean isTlsConfigurationError(final MongoSocketException t) {
+    static boolean isTlsConfigurationError(final MongoSocketException t) {
         Throwable cause = t.getCause();
         while (cause != null) {
             if (cause instanceof CertificateException
@@ -90,7 +90,14 @@ private static boolean isTlsConfigurationError(final MongoSocketException t) {
                             || lowerMessage.contains("hostname")
                             || lowerMessage.contains("protocol")
                             || lowerMessage.contains("cipher")
-                            || lowerMessage.contains("handshake_failure")) {
+                            || lowerMessage.contains("handshake_failure")
+                            // PKIX path building/validation failures surface as SSLHandshakeException
+                            // when the underlying CertPath* cause is not in the chain.
+                            || lowerMessage.contains("pkix")
+                            // Any "Received fatal alert: X" from OpenJDK's JSSE provider means the
+                            // server actively answered with a TLS protocol error — not an overload
+                            // signal. Catches all 25 RFC handshake alert descriptions in one rule.
+                            || lowerMessage.contains("received fatal alert")) {
                         return true;
                     }
                 }

driver-core/src/main/com/mongodb/internal/connection/SdamServerDescriptionManager.java

@@ -163,7 +163,7 @@ boolean relatedToWriteConcern() {
             return exception instanceof MongoWriteConcernWithResponseException;
         }
 
-        boolean hasBackpressureLabel() {
+        boolean hasSystemOverloadedLabel() {
             return exception instanceof MongoException
                     && ((MongoException) exception).hasErrorLabel(MongoException.SYSTEM_OVERLOADED_ERROR_LABEL);
         }

driver-core/src/test/unit/com/mongodb/internal/connection/BackpressureErrorLabelerTest.java

@@ -23,14 +23,21 @@
 import com.mongodb.MongoSocketOpenException;
 import com.mongodb.MongoSocketReadTimeoutException;
 import com.mongodb.ServerAddress;
-import org.bson.BsonDocument;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.Named;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.junit.jupiter.params.provider.ValueSource;
 
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLProtocolException;
+import java.io.EOFException;
 import java.io.IOException;
 import java.net.UnknownHostException;
+import java.security.cert.CertPathBuilderException;
+import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertificateException;
+import java.util.stream.Stream;
 
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -39,105 +46,125 @@ class BackpressureErrorLabelerTest {
 
     private static final ServerAddress ADDRESS = new ServerAddress();
 
-    @Test
-    void mongoSocketExceptionIsLabeled() {
-        MongoSocketException e = new MongoSocketException("boom", ADDRESS);
-        BackpressureErrorLabeler.applyLabelsIfEligible(e);
-        assertHasBackpressureLabels(e);
+    static Stream<Named<MongoSocketException>> networkErrorShouldBeLabeled() {
+        return Stream.of(
+                named(new MongoSocketException("boom", ADDRESS)),
+                named(new MongoSocketReadTimeoutException("slow", ADDRESS, new IOException("read timed out"))),
+                named(new MongoSocketOpenException("open failed", ADDRESS, new IOException("connection refused"))),
+                // FIN-during-handshake: server closed the TCP connection while the client was mid-handshake
+                // (no protocol-level alert). I/O failure → must be labeled per CMAP "I/O error during TLS handshake".
+                named(new MongoSocketException("tls", ADDRESS, initCause(
+                        new SSLHandshakeException("Remote host terminated the handshake"),
+                        new EOFException("SSL peer shut down incorrectly"))))
+        );
     }
 
-    @Test
-    void mongoSocketReadTimeoutIsLabeled() {
-        MongoSocketReadTimeoutException e = new MongoSocketReadTimeoutException("slow", ADDRESS, new IOException("read timed out"));
+    @ParameterizedTest
+    @MethodSource
+    void networkErrorShouldBeLabeled(final MongoSocketException e) {
         BackpressureErrorLabeler.applyLabelsIfEligible(e);
         assertHasBackpressureLabels(e);
     }
 
-    @Test
-    void mongoSocketOpenExceptionIsLabeled() {
-        MongoSocketOpenException e = new MongoSocketOpenException("open failed", ADDRESS, new IOException("connection refused"));
-        BackpressureErrorLabeler.applyLabelsIfEligible(e);
-        assertHasBackpressureLabels(e);
+    static Stream<Named<MongoSocketException>> dnsFailureShouldNotBeLabeled() {
+        return Stream.of(
+                named(new MongoSocketException("lookup failed", ADDRESS, new UnknownHostException("nope"))),
+                named(new MongoSocketException("wrap", ADDRESS, new IOException("wrap", new UnknownHostException("nope"))))
+        );
     }
 
-    @Test
-    void dnsFailureIsNotLabeled() {
-        MongoSocketException e = new MongoSocketException("lookup failed", ADDRESS, new UnknownHostException("nope"));
+    @ParameterizedTest
+    @MethodSource
+    void dnsFailureShouldNotBeLabeled(final MongoSocketException e) {
         BackpressureErrorLabeler.applyLabelsIfEligible(e);
         assertLacksBackpressureLabels(e);
     }
 
-    @Test
-    void dnsFailureDeepInCauseChainIsNotLabeled() {
-        Throwable dns = new UnknownHostException("nope");
-        IOException wrap1 = new IOException("wrap1", dns);
-        MongoSocketException e = new MongoSocketException("wrap2", ADDRESS, wrap1);
-        BackpressureErrorLabeler.applyLabelsIfEligible(e);
-        assertLacksBackpressureLabels(e);
+    static Stream<Named<Throwable>> localTlsConfigErrorShouldNotBeLabeled() {
+        return Stream.of(
+                named(new CertificateException("bad cert")),
+                named(new CertPathBuilderException("path build failed")),
+                named(new CertPathValidatorException("validation failed")),
+                named(new SSLPeerUnverifiedException("peer not verified")),
+                named(new SSLProtocolException("protocol error")),
+                named(new SSLHandshakeException("PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: "
+                        + "unable to find valid certification path to requested target"))
+        );
     }
 
-    @Test
-    void tlsCertificateErrorIsNotLabeled() {
-        CertificateException cert = new CertificateException("bad cert");
-        MongoSocketException e = new MongoSocketException("tls", ADDRESS, cert);
-        BackpressureErrorLabeler.applyLabelsIfEligible(e);
-        assertLacksBackpressureLabels(e);
-    }
-
-    @Test
-    void tlsPeerUnverifiedIsNotLabeled() {
-        SSLPeerUnverifiedException tls = new SSLPeerUnverifiedException("peer not verified");
-        MongoSocketException e = new MongoSocketException("tls", ADDRESS, tls);
+    @ParameterizedTest
+    @MethodSource
+    void localTlsConfigErrorShouldNotBeLabeled(final Throwable cause) {
+        MongoSocketException e = new MongoSocketException("tls", ADDRESS, cause);
         BackpressureErrorLabeler.applyLabelsIfEligible(e);
         assertLacksBackpressureLabels(e);
     }
 
-    @Test
-    void sslHandshakeWithCertificateMessageIsNotLabeled() {
-        SSLHandshakeException tls = new SSLHandshakeException("PKIX path building failed: certificate chain invalid");
+    /**
+     * "Received fatal alert: <description>" means the peer actively answered with a TLS protocol
+     * error — definitively a config/protocol issue, not an overload signal. Covers all 25
+     * handshake-only RFC alert descriptions emitted by OpenJDK's JSSE provider.
+     */
+    @ParameterizedTest(name = "Received fatal alert: {0}")
+    @ValueSource(strings = {
+            "handshake_failure",
+            "no_certificate",
+            "bad_certificate",
+            "unsupported_certificate",
+            "certificate_revoked",
+            "certificate_expired",
+            "certificate_unknown",
+            "illegal_parameter",
+            "unknown_ca",
+            "access_denied",
+            "decode_error",
+            "decrypt_error",
+            "export_restriction",
+            "protocol_version",
+            "insufficient_security",
+            "no_renegotiation",
+            "missing_extension",
+            "unsupported_extension",
+            "certificate_unobtainable",
+            "unrecognized_name",
+            "bad_certificate_status_response",
+            "bad_certificate_hash_value",
+            "unknown_psk_identity",
+            "certificate_required",
+            "no_application_protocol"
+    })
+    void receivedTlsAlertShouldNotBeLabeled(final String alertDescription) {
+        SSLHandshakeException tls = new SSLHandshakeException("Received fatal alert: " + alertDescription);
         MongoSocketException e = new MongoSocketException("tls", ADDRESS, tls);
         BackpressureErrorLabeler.applyLabelsIfEligible(e);
         assertLacksBackpressureLabels(e);
     }
 
-    @Test
-    void sslHandshakeWithoutConfigKeywordIsLabeled() {
-        SSLHandshakeException tls = new SSLHandshakeException("remote host closed connection during handshake");
-        MongoSocketException e = new MongoSocketException("tls", ADDRESS, tls);
-        BackpressureErrorLabeler.applyLabelsIfEligible(e);
-        assertHasBackpressureLabels(e);
+    static Stream<Named<Throwable>> nonSocketErrorShouldNotBeLabeled() {
+        return Stream.of(
+                named(new MongoSecurityException(
+                        MongoCredential.createCredential("user", "db", "pwd".toCharArray()), "auth failed")),
+                named(new MongoException(42, "some command error")),
+                named(new IOException("raw"))
+        );
     }
 
-    @Test
-    void authErrorIsNotLabeled() {
-        MongoCredential credential = MongoCredential.createCredential("user", "db", "pwd".toCharArray());
-        MongoSecurityException e = new MongoSecurityException(credential, "auth failed");
+    @ParameterizedTest
+    @MethodSource
+    void nonSocketErrorShouldNotBeLabeled(final Throwable e) {
         BackpressureErrorLabeler.applyLabelsIfEligible(e);
-        assertLacksBackpressureLabels(e);
+        if (e instanceof MongoException) {
+            assertLacksBackpressureLabels((MongoException) e);
+        }
     }
 
-    @Test
-    void commandExceptionIsNotLabeled() {
-        MongoException e = new MongoException(42, "some command error");
-        BackpressureErrorLabeler.applyLabelsIfEligible(e);
-        assertLacksBackpressureLabels(e);
+    private static <T extends Throwable> Named<T> named(final T e) {
+        return Named.of(e.getClass().getSimpleName(), e);
     }
 
-    @Test
-    void nonMongoThrowableIsNotLabeled() {
-        IOException e = new IOException("raw");
-        BackpressureErrorLabeler.applyLabelsIfEligible(e);
-    }
-
-    @Test
-    void sdamIssueTlsCheckDelegatesToHelper() {
-        MongoSocketException tlsException = new MongoSocketException("tls", ADDRESS, new CertificateException("bad cert"));
-        assertTrue(BackpressureErrorLabeler.isTlsConfigurationError(tlsException));
-
-        MongoSocketException plainException = new MongoSocketException("plain", ADDRESS);
-        assertFalse(BackpressureErrorLabeler.isTlsConfigurationError(plainException));
-
-        assertFalse(BackpressureErrorLabeler.isTlsConfigurationError(new MongoException(0, "not socket", new BsonDocument())));
+    private static <T extends Throwable> T initCause(final T exception, final Throwable cause) {
+        exception.initCause(cause);
+        return exception;
     }
 
     private static void assertHasBackpressureLabels(final MongoException e) {

driver-core/src/test/unit/com/mongodb/internal/connection/DefaultServerSpecification.groovy

@@ -263,7 +263,6 @@ class DefaultServerSpecification extends Specification {
         def exceptionToThrow = new MongoSocketException('DNS lookup failed', new ServerAddress(),
                 new UnknownHostException('no such host'))
         BackpressureErrorLabeler.applyLabelsIfEligible(exceptionToThrow)
-        assert !exceptionToThrow.hasErrorLabel(MongoException.SYSTEM_OVERLOADED_ERROR_LABEL)
 
         def connectionPool = Mock(ConnectionPool)
         connectionPool.get(_) >> { throw exceptionToThrow }
@@ -276,6 +275,7 @@ class DefaultServerSpecification extends Specification {
         then:
         def e = thrown(MongoException)
         e.is(exceptionToThrow)
+        !e.hasErrorLabel(MongoException.SYSTEM_OVERLOADED_ERROR_LABEL)
         1 * connectionPool.invalidate(exceptionToThrow)
         1 * serverMonitor.cancelCurrentCheck()
     }

driver-sync/src/test/functional/com/mongodb/client/unified/UnifiedTestModifications.java

@@ -439,6 +439,7 @@ public static void applyCustomizations(final TestDef def) {
                 .file("server-discovery-and-monitoring", "pool-clear-on-error-checkout");
         def.skipJira("https://jira.mongodb.org/browse/JAVA-5664")
                 .file("server-discovery-and-monitoring", "pool-cleared-on-min-pool-size-population-error");
+        // TODO-BACKPRESSURE Nabil - This issue is unrelated to backpressure but consider fixing it before merging to main
         def.skipJira("https://jira.mongodb.org/browse/JAVA-6174")
                 .file("server-discovery-and-monitoring", "backpressure-server-description-unchanged-on-min-pool-size-population-error");