mongo 2.11.6 → 2.12.0.rc0

data/spec/integration/auth_spec.rb

@@ -190,4 +190,57 @@ describe 'Auth' do
       end
     end
   end
+
+  describe 'scram-sha-1 client key caching' do
+    clean_slate
+    min_server_version '3.0'
+    require_no_x509_auth
+
+    let(:client) { authorized_client.with(max_pool_size: 2) }
+
+    it 'caches' do
+      client.close
+      Mongo::Auth::CredentialCache.clear
+
+      RSpec::Mocks.with_temporary_scope do
+        expect_any_instance_of(Mongo::Auth::SCRAM::Conversation).to receive(:hi).exactly(:once).and_call_original
+
+        client.reconnect
+        server = client.cluster.next_primary
+        server.with_connection do
+          server.with_connection do
+            # nothing
+          end
+        end
+      end
+    end
+  end
+
+  context 'when only auth source is specified' do
+    require_no_auth
+
+    let(:client) do
+      new_local_client(SpecConfig.instance.addresses, SpecConfig.instance.ssl_options.merge(
+        auth_source: 'foo'))
+    end
+
+    it 'does not authenticate' do
+      expect(Mongo::Auth::User).not_to receive(:new)
+      client.database.command(ping: 1)
+    end
+  end
+
+  context 'when only auth mechanism is specified' do
+    require_x509_auth
+
+    let(:client) do
+      new_local_client(SpecConfig.instance.addresses, SpecConfig.instance.ssl_options.merge(
+        auth_mech: :mongodb_x509))
+    end
+
+    it 'authenticates' do
+      expect(Mongo::Auth::User).to receive(:new).and_call_original
+      client.database.command(ping: 1)
+    end
+  end
 end

data/spec/integration/{client_options_spec.rb → client_authentication_options_spec.rb}

@@ -1,6 +1,6 @@
-require 'spec_helper'
+require 'lite_spec_helper'
 
-describe 'Client options' do
+describe 'Client authentication options' do
   let(:uri) { "mongodb://#{credentials}127.0.0.1:27017/#{options}" }
 
   let(:credentials) { nil }
@@ -299,9 +299,9 @@ describe 'Client options' do
         let(:credentials) { "#{user}:password@" }
 
         it 'raises an exception on client creation' do
-          expect {
+          expect do
             client
-          }.to raise_error(Mongo::Auth::InvalidConfiguration, /password is not supported/)
+          end.to raise_error(Mongo::Auth::InvalidConfiguration, /Password is not supported/)
         end
       end
     end
@@ -325,9 +325,9 @@ describe 'Client options' do
         let(:client_opts) { { auth_mech: :mongodb_x509, user: user, password: 'password' } }
 
         it 'raises an exception on client creation' do
-          expect {
+          expect do
             client
-          }.to raise_error(Mongo::Auth::InvalidConfiguration, /password is not supported/)
+          end.to raise_error(Mongo::Auth::InvalidConfiguration, /Password is not supported/)
         end
       end
     end
@@ -346,9 +346,9 @@ describe 'Client options' do
         let(:credentials) { '@' }
 
         it 'raises an exception' do
-          expect {
+          expect do
             client
-          }.to raise_error(Mongo::Auth::InvalidConfiguration, /empty username is not supported/)
+          end.to raise_error(Mongo::Auth::InvalidConfiguration, /Empty username is not supported/)
         end
       end
     end
@@ -365,9 +365,9 @@ describe 'Client options' do
         let(:client_opts) { { user: '', password: '' } }
 
         it 'raises an exception' do
-          expect {
+          expect do
             client
-          }.to raise_error(Mongo::Auth::InvalidConfiguration, /empty username is not supported/)
+          end.to raise_error(Mongo::Auth::InvalidConfiguration, /Empty username is not supported/)
         end
       end
     end

data/spec/integration/client_construction_spec.rb

@@ -36,7 +36,7 @@ describe 'Client construction' do
 
     it 'creates connection pool and keeps it populated' do
       client = ClientRegistry.instance.new_local_client([SpecConfig.instance.addresses.first],
-        base_options.merge(min_pool_size: 1))
+        base_options.merge(min_pool_size: 1, max_pool_size: 1))
       # allow connection pool to populate
       sleep 0.1
 
@@ -133,4 +133,79 @@ describe 'Client construction' do
       expect(client.cluster.topology).not_to be_a(Mongo::Cluster::Topology::Unknown)
     end
   end
+
+  context 'with auto encryption options'do
+    require_libmongocrypt
+    require_enterprise
+    min_server_fcv '4.2'
+
+    # Diagnostics of leaked background threads only, these tests do not
+    # actually require a clean slate. https://jira.mongodb.org/browse/RUBY-2138
+    clean_slate
+
+    include_context 'define shared FLE helpers'
+    include_context 'with local kms_providers'
+
+    let(:options) { { auto_encryption_options: auto_encryption_options } }
+
+    let(:auto_encryption_options) do
+      {
+        key_vault_client: key_vault_client,
+        key_vault_namespace: key_vault_namespace,
+        kms_providers: kms_providers
+      }
+    end
+
+    context 'with default key vault client' do
+      let(:key_vault_client) { nil }
+
+      let(:client) do
+        ClientRegistry.instance.new_local_client([SpecConfig.instance.addresses.first], options)
+      end
+
+      it 'creates a working key vault client' do
+        key_vault_client = client.encrypter.key_vault_client
+
+        result = key_vault_client[:test].insert_one(test: 1)
+        expect(result).to be_ok
+      end
+
+      it 'creates a key vault client with the same cluster as the existing client' do
+        key_vault_client = client.encrypter.key_vault_client
+        expect(key_vault_client.cluster).to eq(client.cluster)
+      end
+    end
+  end
+
+  context 'when seed addresses are repeated in host list' do
+    require_topology :single
+
+    let(:primary_address) do
+      ClusterConfig.instance.primary_address_host
+    end
+
+    let(:client) do
+      new_local_client([primary_address, primary_address], SpecConfig.instance.test_options)
+    end
+
+    it 'deduplicates the addresses' do
+      expect(client.cluster.addresses).to eq([Mongo::Address.new(primary_address)])
+    end
+  end
+
+  context 'when seed addresses are repeated in URI' do
+    require_topology :single
+
+    let(:primary_address) do
+      ClusterConfig.instance.primary_address_host
+    end
+
+    let(:client) do
+      new_local_client("mongodb://#{primary_address},#{primary_address}", SpecConfig.instance.test_options)
+    end
+
+    it 'deduplicates the addresses' do
+      expect(client.cluster.addresses).to eq([Mongo::Address.new(primary_address)])
+    end
+  end
 end

data/spec/integration/client_side_encryption/auto_encryption_bulk_writes_spec.rb

@@ -0,0 +1,351 @@
+require 'spec_helper'
+
+describe 'Bulk writes with auto-encryption enabled' do
+  require_libmongocrypt
+  require_enterprise
+  min_server_fcv '4.2'
+
+  include_context 'define shared FLE helpers'
+  include_context 'with local kms_providers'
+
+  let(:subscriber) { EventSubscriber.new }
+
+  let(:client) do
+    new_local_client(
+      SpecConfig.instance.addresses,
+      SpecConfig.instance.test_options.merge(
+        auto_encryption_options: {
+          kms_providers: kms_providers,
+          key_vault_namespace: key_vault_namespace,
+          schema_map: { "auto_encryption.users" => schema_map },
+        },
+        database: 'auto_encryption'
+      ),
+    ).tap do |client|
+      client.subscribe(Mongo::Monitoring::COMMAND, subscriber)
+    end
+  end
+
+  let(:size_limit) { Mongo::Server::ConnectionBase::REDUCED_MAX_BSON_SIZE }
+
+  before do
+    authorized_client.use('auto_encryption')['users'].drop
+
+    authorized_client.use('admin')['datakeys'].drop
+    authorized_client.use('admin')['datakeys'].insert_one(data_key)
+  end
+
+  let(:command_succeeded_events) do
+    subscriber.succeeded_events.select do |event|
+      event.command_name == command_name
+    end
+  end
+
+  shared_examples 'a functioning encrypted bulk write' do |options={}|
+    num_writes = options[:num_writes]
+
+    before do
+      perform_bulk_write
+    end
+
+    it 'executes an encrypted bulk write' do
+      documents = authorized_client.use(:auto_encryption)[:users].find
+      ssns = documents.map { |doc| doc['ssn'] }
+      expect(ssns).to all(be_ciphertext)
+    end
+
+    it 'executes the correct number of writes' do
+      expect(command_succeeded_events.length).to eq(num_writes)
+    end
+  end
+
+  context 'using BulkWrite' do
+    let(:collection) { client['users'] }
+    let(:bulk_write) { Mongo::BulkWrite.new(collection, requests, {}) }
+    let(:perform_bulk_write) { bulk_write.execute }
+
+    context 'with insert operations' do
+      let(:command_name) { 'insert' }
+
+      context 'when total request size does not exceed 2MiB' do
+        let(:requests) do
+          [
+            { insert_one: { ssn: 'a' * (size_limit/2) } },
+            { insert_one: { ssn: 'a' * (size_limit/2) } }
+          ]
+        end
+
+        it_behaves_like 'a functioning encrypted bulk write', num_writes: 1
+      end
+
+      context 'when each operation is smaller than 2MiB, but the total request size is greater than 2MiB' do
+        let(:requests) do
+          [
+            { insert_one: { ssn: 'a' * (size_limit - 2000) } },
+            { insert_one: { ssn: 'a' * (size_limit - 2000) } }
+          ]
+        end
+
+        it_behaves_like 'a functioning encrypted bulk write', num_writes: 2
+      end
+
+      context 'when each operation is larger than 2MiB' do
+        let(:requests) do
+          [
+            { insert_one: { ssn: 'a' * (size_limit * 2) } },
+            { insert_one: { ssn: 'a' * (size_limit * 2) } }
+          ]
+        end
+
+        it_behaves_like 'a functioning encrypted bulk write', num_writes: 2
+      end
+
+      context 'when one operation is larger than 16MiB' do
+        let(:requests) do
+          [
+            { insert_one: { ssn: 'a' * (Mongo::Server::ConnectionBase::DEFAULT_MAX_BSON_OBJECT_SIZE + 1000) } },
+            { insert_one: { ssn: 'a' * size_limit } }
+          ]
+        end
+
+        it 'raises an exception' do
+          expect do
+            bulk_write.execute
+          end.to raise_error(Mongo::Error::MaxBSONSize, /maximum allowed size: 16777216 bytes/)
+        end
+      end
+    end
+
+    context 'with update operations' do
+      let(:command_name) { 'update' }
+
+      before do
+        client['users'].insert_one(_id: 1)
+        client['users'].insert_one(_id: 2)
+      end
+
+      context 'when total request size does not exceed 2MiB' do
+        let(:requests) do
+          [
+            { update_one: { filter: { _id: 1 }, update: { ssn: 'a' * (size_limit/2) } } },
+            { update_one: { filter: { _id: 2 }, update: { ssn: 'a' * (size_limit/2) } } },
+          ]
+        end
+
+        it_behaves_like 'a functioning encrypted bulk write', num_writes: 1
+      end
+
+      context 'when each operation is smaller than 2MiB, but the total request size is greater than 2MiB' do
+        let(:requests) do
+          [
+            { update_one: { filter: { _id: 1 }, update: { ssn: 'a' * (size_limit - 2000) } } },
+            { update_one: { filter: { _id: 2 }, update: { ssn: 'a' * (size_limit - 2000) } } },
+          ]
+        end
+
+        it_behaves_like 'a functioning encrypted bulk write', num_writes: 2
+      end
+
+      context 'when each operation is larger than 2MiB' do
+        let(:requests) do
+          [
+            { update_one: { filter: { _id: 1 }, update: { ssn: 'a' * (size_limit * 2) } } },
+            { update_one: { filter: { _id: 2 }, update: { ssn: 'a' * (size_limit * 2) } } },
+          ]
+        end
+
+        it_behaves_like 'a functioning encrypted bulk write', num_writes: 2
+      end
+
+      context 'when one operation is larger than 16MiB' do
+        let(:requests) do
+          [
+            { update_one: { filter: { _id: 1 }, update: { ssn: 'a' * (Mongo::Server::ConnectionBase::DEFAULT_MAX_BSON_OBJECT_SIZE - 100) } } },
+            { update_one: { filter: { _id: 2 }, update: { ssn: 'a' * size_limit } } },
+          ]
+        end
+
+        it 'raises an exception' do
+          expect do
+            bulk_write.execute
+          end.to raise_error(Mongo::Error::MaxBSONSize, /maximum allowed size: 16777216 bytes/)
+        end
+      end
+    end
+
+    context 'with delete operations' do
+      let(:command_name) { 'delete' }
+
+      context 'when total request size does not exceed 2MiB' do
+        before do
+          client['users'].insert_one(ssn: 'a' * (size_limit/2))
+          client['users'].insert_one(ssn: 'b' * (size_limit/2))
+        end
+
+        let(:requests) do
+          [
+            { delete_one: { filter: { ssn: 'a' * (size_limit/2) } } },
+            { delete_one: { filter: { ssn: 'b' * (size_limit/2) } } }
+          ]
+        end
+
+        it 'performs one delete' do
+          bulk_write.execute
+
+          documents = authorized_client.use('auto_encryption')['users'].find.to_a
+          expect(documents.length).to eq(0)
+          expect(command_succeeded_events.length).to eq(1)
+        end
+      end
+
+      context 'when each operation is smaller than 2MiB, but the total request size is greater than 2MiB' do
+        before do
+          client['users'].insert_one(ssn: 'a' * (size_limit - 2000))
+          client['users'].insert_one(ssn: 'b' * (size_limit - 2000))
+        end
+
+        let(:requests) do
+          [
+            { delete_one: { filter: { ssn: 'a' * (size_limit - 2000) } } },
+            { delete_one: { filter: { ssn: 'b' * (size_limit - 2000) } } }
+          ]
+        end
+
+        it 'performs two deletes' do
+          bulk_write.execute
+
+          documents = authorized_client.use('auto_encryption')['users'].find.to_a
+          expect(documents.length).to eq(0)
+          expect(command_succeeded_events.length).to eq(2)
+        end
+      end
+
+      context 'when each operation is larger than 2MiB' do
+        before do
+          client['users'].insert_one(ssn: 'a' * (size_limit * 2))
+          client['users'].insert_one(ssn: 'b' * (size_limit * 2))
+        end
+
+        let(:requests) do
+          [
+            { delete_one: { filter: { ssn: 'a' * (size_limit * 2) } } },
+            { delete_one: { filter: { ssn: 'b' * (size_limit * 2) } } }
+          ]
+        end
+
+        it 'performs two deletes' do
+          bulk_write.execute
+
+          documents = authorized_client.use('auto_encryption')['users'].find.to_a
+          expect(documents.length).to eq(0)
+          expect(command_succeeded_events.length).to eq(2)
+        end
+      end
+
+      context 'when one operation is larger than 16MiB' do
+        let(:requests) do
+          [
+            { delete_one: { filter: { ssn: 'a' * (Mongo::Server::ConnectionBase::DEFAULT_MAX_BSON_OBJECT_SIZE + 1000) } } },
+            { delete_one: { filter: { ssn: 'b' * (size_limit * 2) } } }
+          ]
+        end
+
+        it 'raises an exception' do
+          expect do
+            bulk_write.execute
+          end.to raise_error(Mongo::Error::MaxBSONSize, /maximum allowed size: 16777216 bytes/)
+        end
+      end
+    end
+
+    context 'with insert, update, and delete operations' do
+      context 'when total request size does not exceed 2MiB' do
+        let(:requests) do
+          [
+            { insert_one: { _id: 1, ssn: 'a' * (size_limit/3) } },
+            { update_one: { filter: { _id: 1 }, update: { ssn: 'b' * (size_limit/3) } } },
+            { delete_one: { filter: { ssn: 'b' * (size_limit/3) } } }
+          ]
+        end
+
+        it 'successfully performs the bulk write' do
+          bulk_write.execute
+
+          documents = authorized_client.use('auto_encryption')['users'].find.to_a
+          expect(documents.length).to eq(0)
+        end
+
+        # Bulk writes with different types of operations should
+        it 'performs 1 insert, 1 update, and 1 delete' do
+          bulk_write.execute
+
+          command_succeeded_events = subscriber.succeeded_events
+
+          inserts = command_succeeded_events.select { |event| event.command_name == 'insert' }
+          updates = command_succeeded_events.select { |event| event.command_name == 'update' }
+          deletes = command_succeeded_events.select { |event| event.command_name == 'delete' }
+
+          expect(inserts.length).to eq(1)
+          expect(updates.length).to eq(1)
+          expect(deletes.length).to eq(1)
+        end
+      end
+    end
+  end
+
+  context '#insert_many' do
+    let(:perform_bulk_write) do
+      client[:users].insert_many(documents)
+    end
+
+    let(:command_name) { 'insert' }
+
+    context 'when total request size does not exceed 2MiB' do
+      let(:documents) do
+        [
+          { ssn: 'a' * (size_limit/2) },
+          { ssn: 'a' * (size_limit/2) },
+        ]
+      end
+
+      it_behaves_like 'a functioning encrypted bulk write', num_writes: 1
+    end
+
+    context 'when each operation is smaller than 2MiB, but the total request size is greater than 2MiB' do
+      let(:documents) do
+        [
+          { ssn: 'a' * (size_limit - 2000) },
+          { ssn: 'a' * (size_limit - 2000) },
+        ]
+      end
+
+      it_behaves_like 'a functioning encrypted bulk write', num_writes: 2
+    end
+
+    context 'when each operation is larger than 2MiB' do
+      let(:documents) do
+        [
+          { ssn: 'a' * (size_limit * 2) },
+          { ssn: 'a' * (size_limit * 2) },
+        ]
+      end
+
+      it_behaves_like 'a functioning encrypted bulk write', num_writes: 2
+    end
+
+    context 'when one operation is larger than 16MiB' do
+      let(:documents) do
+        [
+          { ssn: 'a' * (Mongo::Server::ConnectionBase::DEFAULT_MAX_BSON_OBJECT_SIZE + 1000) },
+          { ssn: 'a' * size_limit },
+        ]
+      end
+
+      it 'raises an exception' do
+        expect do
+          perform_bulk_write
+        end.to raise_error(Mongo::Error::MaxBSONSize, /maximum allowed size: 16777216 bytes/)
+      end
+    end
+  end
+end