mongo 2.11.6 → 2.12.0.rc0

data/spec/mongo/auth/x509_spec.rb

@@ -48,6 +48,10 @@ describe Mongo::Auth::X509 do
 
     context 'when the user is not authorized for the database' do
 
+      before do
+        connection.connect!
+      end
+
       let(:x509) do
         described_class.new(user)
       end
@@ -56,7 +60,7 @@ describe Mongo::Auth::X509 do
         x509.login(connection).documents[0]
       end
 
-      it 'logs the user into the connection' do
+      it 'attempts to log the user into the connection' do
         expect {
           x509.login(connection)
         }.to raise_error(Mongo::Auth::Unauthorized)

data/spec/mongo/client_construction_spec.rb

@@ -167,8 +167,212 @@ describe Mongo::Client do
   end
 
   describe '#initialize' do
-
     context 'when providing options' do
+      context 'with auto_encryption_options' do
+        require_libmongocrypt
+
+        include_context 'define shared FLE helpers'
+
+        let(:client) do
+          new_local_client_nmio(
+            SpecConfig.instance.addresses,
+            SpecConfig.instance.test_options.merge(client_opts)
+          )
+        end
+
+        let(:client_opts) { { auto_encryption_options: auto_encryption_options } }
+
+        let(:auto_encryption_options) do
+          {
+            key_vault_client: key_vault_client,
+            key_vault_namespace: key_vault_namespace,
+            kms_providers: kms_providers,
+            schema_map: schema_map,
+            bypass_auto_encryption: bypass_auto_encryption,
+            extra_options: extra_options,
+          }
+        end
+
+        let(:key_vault_client) { new_local_client_nmio(SpecConfig.instance.addresses) }
+
+        let(:bypass_auto_encryption) { true }
+
+        let(:extra_options) do
+          {
+            mongocryptd_uri: mongocryptd_uri,
+            mongocryptd_bypass_spawn: mongocryptd_bypass_spawn,
+            mongocryptd_spawn_path: mongocryptd_spawn_path,
+            mongocryptd_spawn_args: mongocryptd_spawn_args,
+          }
+        end
+
+        let(:mongocryptd_uri) { 'mongodb://localhost:27021' }
+        let(:mongocryptd_bypass_spawn) { true }
+        let(:mongocryptd_spawn_path) { '/spawn/path' }
+        let(:mongocryptd_spawn_args) { ['--idleShutdownTimeoutSecs=100'] }
+
+        shared_examples 'a functioning auto encryption client' do
+          let(:encryption_options) { client.encrypter.options }
+
+          context 'when auto_encrypt_opts are nil' do
+            let(:auto_encryption_options) { nil }
+
+            it 'does not raise an exception' do
+              expect { client }.not_to raise_error
+            end
+          end
+
+          context 'when key_vault_namespace is nil' do
+            let(:key_vault_namespace) { nil }
+
+            it 'raises an exception' do
+              expect { client }.to raise_error(ArgumentError, /key_vault_namespace option cannot be nil/)
+            end
+          end
+
+          context 'when key_vault_namespace is incorrectly formatted' do
+            let(:key_vault_namespace) { 'not.good.formatting' }
+
+            it 'raises an exception' do
+              expect { client }.to raise_error(ArgumentError, /key_vault_namespace option must be in the format database.collection/)
+            end
+          end
+
+          context 'when kms_providers is nil' do
+            let(:kms_providers) { nil }
+
+            it 'raises an exception' do
+              expect { client }.to raise_error(ArgumentError, /kms_providers option must not be nil/)
+            end
+          end
+
+          context 'when kms_providers doesn\'t have local or aws keys' do
+            let(:kms_providers) { { random_key: 'hello' } }
+
+            it 'raises an exception' do
+              expect { client }.to raise_error(ArgumentError, /kms_providers option must have one of the following keys: :aws, :local/)
+            end
+          end
+
+          context 'when local kms_provider is incorrectly formatted' do
+            let(:kms_providers) { { local: { wrong_key: 'hello' } } }
+
+            it 'raises an exception' do
+              expect { client }.to raise_error(ArgumentError, /kms_providers with :local key must be in the format: { local: { key: 'MASTER-KEY' } }/)
+            end
+          end
+
+          context 'when aws kms_provider is incorrectly formatted' do
+            let(:kms_providers) { { aws: { wrong_key: 'hello' } } }
+
+            it 'raises an exception' do
+              expect { client }.to raise_error(ArgumentError, /kms_providers with :aws key must be in the format: { aws: { access_key_id: 'YOUR-ACCESS-KEY-ID', secret_access_key: 'SECRET-ACCESS-KEY' } }/)
+            end
+          end
+
+          context 'with an invalid schema map' do
+            let(:schema_map) { '' }
+
+            it 'raises an exception' do
+              expect { client }.to raise_error(ArgumentError, /schema_map must be a Hash or nil/)
+            end
+          end
+
+          context 'with valid options' do
+            it 'does not raise an exception' do
+              expect { client }.not_to raise_error
+            end
+
+            context 'with a nil schema_map' do
+              let(:schema_map) { nil }
+
+              it 'does not raise an exception' do
+                expect { client }.not_to raise_error
+              end
+            end
+
+            it 'sets options on the client' do
+              expect(encryption_options[:key_vault_client]).to eq(key_vault_client)
+              expect(encryption_options[:key_vault_namespace]).to eq(key_vault_namespace)
+              # Don't explicitly expect kms_providers to avoid accidentally exposing
+              # sensitive data in evergreen logs
+              expect(encryption_options[:kms_providers]).to be_a_kind_of(Hash)
+              expect(encryption_options[:schema_map]).to eq(schema_map)
+              expect(encryption_options[:bypass_auto_encryption]).to eq(bypass_auto_encryption)
+              expect(encryption_options[:extra_options][:mongocryptd_uri]).to eq(mongocryptd_uri)
+              expect(encryption_options[:extra_options][:mongocryptd_bypass_spawn]).to eq(mongocryptd_bypass_spawn)
+              expect(encryption_options[:extra_options][:mongocryptd_spawn_path]).to eq(mongocryptd_spawn_path)
+              expect(encryption_options[:extra_options][:mongocryptd_spawn_args]).to eq(mongocryptd_spawn_args)
+
+              expect(client.encrypter.mongocryptd_client.options[:monitoring_io]).to be false
+            end
+
+            context 'with default extra options' do
+              let(:auto_encryption_options) do
+                {
+                  key_vault_namespace: key_vault_namespace,
+                  kms_providers: kms_providers,
+                  schema_map: schema_map,
+                }
+              end
+
+              it 'sets key_vault_client as a clone of self with no encryption options' do
+                key_vault_client = client.encrypter.key_vault_client
+                expect(key_vault_client).to eq(client)
+              end
+
+              it 'sets bypass_auto_encryption to false' do
+                expect(encryption_options[:bypass_auto_encryption]).to be false
+              end
+
+              it 'sets extra options to defaults' do
+                expect(encryption_options[:extra_options][:mongocryptd_uri]).to eq('mongodb://localhost:27020')
+                expect(encryption_options[:extra_options][:mongocryptd_bypass_spawn]).to be false
+                expect(encryption_options[:extra_options][:mongocryptd_spawn_path]).to eq('mongocryptd')
+                expect(encryption_options[:extra_options][:mongocryptd_spawn_args]).to eq(['--idleShutdownTimeoutSecs=60'])
+              end
+            end
+
+            context 'with mongocryptd_spawn_args that don\'t include idleShutdownTimeoutSecs' do
+              let(:mongocryptd_spawn_args) { ['--otherArgument=true'] }
+
+              it 'adds a default value to mongocryptd_spawn_args' do
+                expect(encryption_options[:extra_options][:mongocryptd_spawn_args]).to eq(mongocryptd_spawn_args + ['--idleShutdownTimeoutSecs=60'])
+              end
+            end
+
+            context 'with mongocryptd_spawn_args that has idleShutdownTimeoutSecs as two arguments' do
+              let(:mongocryptd_spawn_args) { ['--idleShutdownTimeoutSecs', 100] }
+
+              it 'does not modify mongocryptd_spawn_args' do
+                expect(encryption_options[:extra_options][:mongocryptd_spawn_args]).to eq(mongocryptd_spawn_args)
+              end
+            end
+
+            context 'with default key_vault_client' do
+              let(:key_vault_client) { nil }
+
+              it 'creates a key_vault_client' do
+                key_vault_client = encryption_options[:key_vault_client]
+
+                expect(key_vault_client).to be_a_kind_of(Mongo::Client)
+              end
+            end
+          end
+        end
+
+        context 'with AWS KMS providers' do
+          include_context 'with AWS kms_providers' do
+            it_behaves_like 'a functioning auto encryption client'
+          end
+        end
+
+        context 'with local KMS providers' do
+          include_context 'with local kms_providers' do
+            it_behaves_like 'a functioning auto encryption client'
+          end
+        end
+      end
 
       context 'retry_writes option' do
         let(:client) do
@@ -235,8 +439,7 @@ describe Mongo::Client do
             min_server_fcv '3.6'
 
             it 'uses compression for messages' do
-              # A Compressed object will be created for both the request and the response
-              expect(Mongo::Protocol::Compressed).to receive(:new).twice.and_call_original
+              expect(Mongo::Protocol::Compressed).to receive(:new).at_least(:once).and_call_original
               client[TEST_COLL].find({}, limit: 1).first
             end
           end

data/spec/mongo/client_encryption_spec.rb

@@ -0,0 +1,408 @@
+require 'mongo'
+require 'base64'
+require 'lite_spec_helper'
+
+describe Mongo::ClientEncryption do
+  require_libmongocrypt
+  include_context 'define shared FLE helpers'
+
+  let(:client) do
+    ClientRegistry.instance.new_local_client(
+      [SpecConfig.instance.addresses.first]
+    )
+  end
+
+  let(:client_encryption) do
+    described_class.new(client, {
+      key_vault_namespace: key_vault_namespace,
+      kms_providers: kms_providers
+    })
+  end
+
+  describe '#initialize' do
+    shared_examples 'a functioning ClientEncryption' do
+      context 'with nil key_vault_namespace' do
+        let(:key_vault_namespace) { nil }
+
+        it 'raises an exception' do
+          expect do
+            client_encryption
+          end.to raise_error(ArgumentError, /:key_vault_namespace option cannot be nil/)
+        end
+      end
+
+      context 'with invalid key_vault_namespace' do
+        let(:key_vault_namespace) { 'three.word.namespace' }
+
+        it 'raises an exception' do
+          expect do
+            client_encryption
+          end.to raise_error(ArgumentError, /invalid key vault namespace/)
+        end
+      end
+
+      context 'with valid options' do
+        it 'creates a ClientEncryption object' do
+          expect do
+            client_encryption
+          end.not_to raise_error
+        end
+      end
+    end
+
+    context 'with local KMS providers' do
+      include_context 'with local kms_providers'
+      it_behaves_like 'a functioning ClientEncryption'
+    end
+
+    context 'with AWS KMS providers' do
+      include_context 'with AWS kms_providers'
+      it_behaves_like 'a functioning ClientEncryption'
+    end
+
+    context 'with invalid KMS provider information' do
+      let(:kms_providers) { { random_key: {} } }
+
+      it 'raises an exception' do
+        expect do
+          client_encryption
+        end.to raise_error(ArgumentError, /kms_providers option must have one of the following keys/)
+      end
+    end
+  end
+
+  describe '#create_data_key' do
+    let(:data_key_id) { client_encryption.create_data_key(kms_provider_name, options) }
+    let(:key_alt_names) { nil }
+
+    shared_examples 'it creates a data key' do |with_key_alt_names: false|
+      it 'returns the data key id and inserts it into the key vault collection' do
+        expect(data_key_id).to be_uuid
+
+        documents = client.use(key_vault_db)[key_vault_coll].find(_id: data_key_id)
+
+        expect(documents.count).to eq(1)
+
+        if with_key_alt_names
+          expect(documents.first['keyAltNames']).to match_array(key_alt_names)
+        else
+          expect(documents.first['keyAltNames']).to be_nil
+        end
+      end
+    end
+
+    shared_examples 'it supports key_alt_names' do
+      let(:options) { base_options.merge(key_alt_names: key_alt_names) }
+
+      context 'with one value in key_alt_names' do
+        let(:key_alt_names) { ['keyAltName1'] }
+        it_behaves_like 'it creates a data key', **{ with_key_alt_names: true }
+      end
+
+      context 'with multiple values in key_alt_names' do
+        let(:key_alt_names) { ['keyAltName1', 'keyAltName2'] }
+        it_behaves_like 'it creates a data key', **{ with_key_alt_names: true }
+      end
+
+      context 'with empty key_alt_names' do
+        let(:key_alt_names) { [] }
+        it_behaves_like 'it creates a data key'
+      end
+
+      context 'with invalid key_alt_names option' do
+        let(:key_alt_names) { 'keyAltName1' }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /key_alt_names option must be an Array/)
+        end
+      end
+
+      context 'with invalid key_alt_names values' do
+        let(:key_alt_names) { ['keyAltNames1', 3] }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /values of the :key_alt_names option Array must be Strings/)
+        end
+      end
+    end
+
+    context 'with AWS KMS provider' do
+      include_context 'with AWS kms_providers'
+
+      let(:base_options) { { master_key: { region: aws_region, key: aws_arn } } }
+      it_behaves_like 'it supports key_alt_names'
+
+      context 'with nil options' do
+        let(:options) { nil }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /options cannot be nil/)
+        end
+      end
+
+      context 'with empty options' do
+        let(:options) { {} }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /options Hash must contain a key named :master_key/)
+        end
+      end
+
+      context 'with nil master key' do
+        let(:options) { { master_key: nil } }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /The :master_key option cannot be nil/)
+        end
+      end
+
+      context 'with invalid master key' do
+        let(:options) { { master_key: 'master-key' } }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /master-key is an invalid :master_key option/)
+        end
+      end
+
+      context 'with empty master key' do
+        let(:options) { { master_key: {} } }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /The value of :region option of the :master_key options hash cannot be nil/)
+        end
+      end
+
+      context 'with nil region' do
+        let(:options) { { master_key: { region: nil, key: aws_arn } } }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /The value of :region option of the :master_key options hash cannot be nil/)
+        end
+      end
+
+      context 'with invalid region' do
+        let(:options) { { master_key: { region: 5, key: aws_arn } } }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /5 is an invalid AWS master_key region. The value of :region option of the :master_key options hash must be a String/)
+        end
+      end
+
+      context 'with nil key' do
+        let(:options) { { master_key: { key: nil, region: aws_region } } }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /The value of :key option of the :master_key options hash cannot be nil/)
+        end
+      end
+
+      context 'with invalid key' do
+        let(:options) { { master_key: { key: 5, region: aws_region } } }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /5 is an invalid AWS master_key key. The value of :key option of the :master_key options hash must be a String/)
+        end
+      end
+
+      context 'with invalid endpoint' do
+        let(:options) { { master_key: { key: aws_arn, region: aws_region, endpoint: 5 } } }
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(ArgumentError, /5 is an invalid AWS master_key endpoint. The value of :endpoint option of the :master_key options hash must be a String/)
+        end
+      end
+
+      context 'with nil endpoint' do
+        let(:options) do
+          {
+            master_key: {
+              key: aws_arn,
+              region: aws_region,
+              endpoint: nil
+            }
+          }
+        end
+
+        it_behaves_like 'it creates a data key'
+      end
+
+      context 'with valid endpoint, no port' do
+        let(:options) do
+          {
+            master_key: {
+              key: aws_arn,
+              region: aws_region,
+              endpoint: aws_endpoint_host
+            }
+          }
+        end
+
+        it_behaves_like 'it creates a data key'
+      end
+
+      context 'with valid endpoint' do
+        let(:options) { data_key_options }
+        it_behaves_like 'it creates a data key'
+      end
+
+      context 'with invalid endpoint' do
+        let(:options) do
+          {
+            master_key: {
+              key: aws_arn,
+              region: aws_region,
+              endpoint: "https://#{aws_endpoint_host}:#{aws_endpoint_port}"
+            }
+          }
+        end
+
+        let(:expected_message) do
+          # RUBY-2129: This error message could be more specific and inform the user
+          # that there is a problem with their KMS endpoint
+          if BSON::Environment.jruby?
+            /getservbyname.* failed/
+          else
+            /SocketError/
+          end
+        end
+
+        it 'raises an exception' do
+          expect do
+            data_key_id
+          end.to raise_error(Mongo::Error::KmsError, expected_message)
+        end
+      end
+
+      context 'when socket connect errors out' do
+        let(:options) { data_key_options }
+
+        before do
+          allow_any_instance_of(OpenSSL::SSL::SSLSocket)
+            .to receive(:connect)
+            .and_raise('Error while connecting to socket')
+        end
+
+        it 'raises a KmsError' do
+          expect do
+            data_key_id
+          end.to raise_error(Mongo::Error::KmsError, /Error while connecting to socket/)
+        end
+      end
+
+      context 'when socket connect errors out' do
+        let(:options) { data_key_options }
+
+        before do
+          allow_any_instance_of(OpenSSL::SSL::SSLSocket)
+            .to receive(:sysclose)
+            .and_raise('Error while closing socket')
+        end
+
+        it 'does not raise an exception' do
+          expect do
+            data_key_id
+          end.not_to raise_error
+        end
+      end
+    end
+
+    context 'with local KMS provider' do
+      include_context 'with local kms_providers'
+      let(:options) { {} }
+      let(:base_options) { {} }
+
+      it_behaves_like 'it supports key_alt_names'
+      it_behaves_like 'it creates a data key'
+    end
+  end
+
+  describe '#encrypt/decrypt' do
+    let(:value) { ssn }
+    let(:encrypted_value) { encrypted_ssn }
+
+    before do
+      key_vault_collection = client.use(key_vault_db)[key_vault_coll]
+      key_vault_collection.drop
+
+      key_vault_collection.insert_one(data_key)
+    end
+
+    shared_examples 'an encrypter' do
+      let(:encrypted) do
+        client_encryption.encrypt(
+          value,
+          {
+            key_id: key_id,
+            key_alt_name: key_alt_name,
+            algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
+          }
+        )
+      end
+
+      context 'with key_id option' do
+        let(:key_alt_name) { nil }
+
+        it 'correctly encrypts a string' do
+          expect(encrypted).to be_ciphertext
+          expect(encrypted.data).to eq(Base64.decode64(encrypted_value))
+        end
+      end
+
+      context 'with key_alt_name option' do
+        let(:key_id) { nil }
+
+        it 'correctly encrypts a string' do
+          expect(encrypted).to be_ciphertext
+          expect(encrypted.data).to eq(Base64.decode64(encrypted_value))
+        end
+      end
+    end
+
+    shared_examples 'a decrypter' do
+      it 'correctly decrypts a string' do
+        encrypted = BSON::Binary.new(Base64.decode64(encrypted_value), :ciphertext)
+
+        result = client_encryption.decrypt(encrypted)
+        expect(result).to eq(value)
+      end
+    end
+
+    context 'with local KMS providers' do
+      include_context 'with local kms_providers'
+
+      it_behaves_like 'an encrypter'
+      it_behaves_like 'a decrypter'
+    end
+
+    context 'with AWS KMS providers' do
+      include_context 'with AWS kms_providers'
+
+      it_behaves_like 'an encrypter'
+      it_behaves_like 'a decrypter'
+    end
+  end
+end