mongo 2.11.6 → 2.12.0.rc0

data/spec/mongo/crypt/encryption_io_spec.rb

@@ -0,0 +1,136 @@
+require 'mongo'
+require 'spec_helper'
+
+describe Mongo::Crypt::EncryptionIO do
+  let(:subject) do
+    described_class.new(
+      key_vault_namespace: 'foo.bar',
+      key_vault_client: authorized_client,
+      mongocryptd_options: mongocryptd_options,
+    )
+  end
+
+  describe '#spawn_mongocryptd' do
+    context 'no spawn path' do
+      let(:mongocryptd_options) do
+        {
+          mongocryptd_spawn_args: ['test'],
+        }
+      end
+
+      it 'fails with an exception' do
+        lambda do
+          subject.send(:spawn_mongocryptd)
+        end.should raise_error(ArgumentError, /Cannot spawn mongocryptd process when no.*mongocryptd_spawn_path/)
+      end
+    end
+
+    context 'no spawn args' do
+      let(:mongocryptd_options) do
+        {
+          mongocryptd_spawn_path: 'echo',
+        }
+      end
+
+      it 'fails with an exception' do
+        lambda do
+          subject.send(:spawn_mongocryptd)
+        end.should raise_error(ArgumentError, /Cannot spawn mongocryptd process when no.*mongocryptd_spawn_args/)
+      end
+    end
+
+    context 'empty array for spawn args' do
+      let(:mongocryptd_options) do
+        {
+          mongocryptd_spawn_path: 'echo',
+          mongocryptd_spawn_args: [],
+        }
+      end
+
+      it 'fails with an exception' do
+        lambda do
+          subject.send(:spawn_mongocryptd)
+        end.should raise_error(ArgumentError, /Cannot spawn mongocryptd process when no.*mongocryptd_spawn_args/)
+      end
+    end
+
+    context 'good spawn path and args' do
+      let(:mongocryptd_options) do
+        {
+          mongocryptd_spawn_path: 'echo',
+          mongocryptd_spawn_args: ['hi'],
+        }
+      end
+
+      it 'spawns' do
+        subject.send(:spawn_mongocryptd)
+      end
+    end
+
+    context '-- for args to emulate no args' do
+      let(:mongocryptd_options) do
+        {
+          mongocryptd_spawn_path: 'echo',
+          mongocryptd_spawn_args: ['--'],
+        }
+      end
+
+      it 'spawns' do
+        subject.send(:spawn_mongocryptd)
+      end
+    end
+  end
+
+  describe '#mark_command' do
+    let(:mock_client) do
+      double('mongocryptd client').tap do |client|
+        database = double('mock database')
+        expect(database).to receive(:command).and_raise(Mongo::Error::NoServerAvailable.new(Mongo::ServerSelector::Primary.new, nil, 'test message'))
+        allow(database).to receive(:command).and_return([])
+        expect(client).to receive(:database).at_least(:once).and_return(database)
+      end
+    end
+
+    let(:base_options) do
+      {
+        mongocryptd_spawn_path: 'echo',
+        mongocryptd_spawn_args: ['--'],
+      }
+    end
+
+    let(:subject) do
+      described_class.new(
+        mongocryptd_client: mock_client,
+        key_vault_namespace: 'foo.bar',
+        key_vault_client: authorized_client,
+        mongocryptd_options: mongocryptd_options,
+      )
+    end
+
+    context ':mongocryptd_bypass_spawn not given' do
+      let(:mongocryptd_options) do
+        base_options
+      end
+
+      it 'spawns' do
+        expect(subject).to receive(:spawn_mongocryptd)
+        subject.mark_command({})
+      end
+    end
+
+    context ':mongocryptd_bypass_spawn given' do
+      let(:mongocryptd_options) do
+        base_options.merge(
+          mongocryptd_bypass_spawn: true,
+        )
+      end
+
+      it 'does not spawn' do
+        expect(subject).not_to receive(:spawn_mongocryptd)
+        lambda do
+          subject.mark_command({})
+        end.should raise_error(Mongo::Error::NoServerAvailable, /test message/)
+      end
+    end
+  end
+end

data/spec/mongo/crypt/explicit_decryption_context_spec.rb

@@ -0,0 +1,72 @@
+require 'mongo'
+require 'lite_spec_helper'
+
+describe Mongo::Crypt::ExplicitDecryptionContext do
+  require_libmongocrypt
+  include_context 'define shared FLE helpers'
+
+  let(:mongocrypt) { Mongo::Crypt::Handle.new(kms_providers, logger: logger) }
+  let(:context) { described_class.new(mongocrypt, io, value) }
+  let(:logger) { nil }
+  let(:io) { double("Mongo::ClientEncryption::IO") }
+
+  # A binary string representing a value previously encrypted by libmongocrypt
+  let(:encrypted_data) do
+    "\x01\xDF2~\x89\xD2+N}\x84;i(\xE5\xF4\xBF \x024\xE5\xD2\n\x9E\x97\x9F\xAF\x9D\xC7\xC9\x1A\a\x87z\xAE_;r\xAC\xA9\xF6n\x1D\x0F\xB5\xB1#O\xB7\xCA\xEE$/\xF1\xFA\b\xA7\xEC\xDB\xB6\xD4\xED\xEAMw3+\xBBv\x18\x97\xF9\x99\xD5\x13@\x80y\n{\x19R\xD3\xF0\xA1C\x05\xF7)\x93\x9Bh\x8AA.\xBB\xD3&\xEA"
+  end
+
+  let(:value) do
+    { 'v': BSON::Binary.new(encrypted_data, :ciphertext) }
+  end
+
+  describe '#initialize' do
+    context 'when mongocrypt is initialized with local KMS provider options' do
+      include_context 'with local kms_providers'
+
+      it 'initializes context' do
+        expect do
+          context
+        end.not_to raise_error
+      end
+    end
+
+    context 'when mongocrypt is initialized with AWS KMS provider options' do
+      include_context 'with AWS kms_providers'
+
+      it 'initializes context' do
+        expect do
+          context
+        end.not_to raise_error
+      end
+    end
+
+    context 'with verbose logging' do
+      include_context 'with local kms_providers'
+
+      before(:all) do
+        # Logging from libmongocrypt requires the C library to be built with the -DENABLE_TRACE=ON
+        # option; none of the pre-built packages on Evergreen have been built with logging enabled.
+        #
+        # It is still useful to be able to run these tests locally to confirm that logging is working
+        # while debugging any problems.
+        #
+        # For now, skip this test by default and revisit once we have determined how we want to
+        # package libmongocrypt with the Ruby driver (see: https://jira.mongodb.org/browse/RUBY-1966)
+        skip "These tests require libmongocrypt to be built with the '-DENABLE_TRACE=ON' cmake option." +
+          " They also require the MONGOCRYPT_TRACE environment variable to be set to 'ON'."
+      end
+
+      let(:logger) do
+        ::Logger.new($stdout).tap do |logger|
+          logger.level = ::Logger::DEBUG
+        end
+      end
+
+      it 'receives log messages from libmongocrypt' do
+        expect(logger).to receive(:debug).with(/mongocrypt_ctx_explicit_decrypt_init/)
+
+        context
+      end
+    end
+  end
+end

data/spec/mongo/crypt/explicit_encryption_context_spec.rb

@@ -0,0 +1,170 @@
+require 'mongo'
+require 'lite_spec_helper'
+
+describe Mongo::Crypt::ExplicitEncryptionContext do
+  require_libmongocrypt
+  include_context 'define shared FLE helpers'
+
+  let(:mongocrypt) { Mongo::Crypt::Handle.new(kms_providers, logger: logger) }
+  let(:context) { described_class.new(mongocrypt, io, value, options) }
+
+  let(:logger) { nil }
+
+  let(:io) { double("Mongo::ClientEncryption::IO") }
+  let(:value) { { 'v': 'Hello, world!' } }
+
+  let(:options) do
+    {
+      key_id: key_id,
+      key_alt_name: key_alt_name,
+      algorithm: algorithm
+    }
+  end
+
+  describe '#initialize' do
+    shared_examples 'a functioning ExplicitEncryptionContext' do
+      context 'with nil key_id and key_alt_name options' do
+        let(:key_id) { nil }
+        let(:key_alt_name) { nil }
+
+        it 'raises an exception' do
+          expect do
+            context
+          end.to raise_error(ArgumentError, /:key_id and :key_alt_name options cannot both be nil/)
+        end
+      end
+
+      context 'with both key_id and key_alt_name options' do
+        it 'raises an exception' do
+          expect do
+            context
+          end.to raise_error(ArgumentError, /:key_id and :key_alt_name options cannot both be present/)
+        end
+      end
+
+      context 'with invalid key_id' do
+        let(:key_id) { 'random string' }
+        let(:key_alt_name) { nil }
+
+        it 'raises an exception' do
+          expect do
+            context
+          end.to raise_error(ArgumentError, /Expected the :key_id option to be a BSON::Binary object/)
+        end
+      end
+
+      context 'with invalid key_alt_name' do
+        let(:key_id) { nil }
+        let(:key_alt_name) { 5 }
+
+        it 'raises an exception' do
+          expect do
+            context
+          end.to raise_error(ArgumentError, /key_alt_name option must be a String/)
+        end
+      end
+
+      context 'with valid key_alt_name' do
+        let(:key_id) { nil }
+
+        context 'with nil algorithm' do
+          let(:algorithm) { nil }
+
+          it 'raises exception' do
+            expect do
+              context
+            end.to raise_error(Mongo::Error::CryptError, /passed null algorithm/)
+          end
+        end
+
+        context 'with invalid algorithm' do
+          let(:algorithm) { 'unsupported-algorithm' }
+
+          it 'raises an exception' do
+            expect do
+              context
+            end.to raise_error(Mongo::Error::CryptError, /unsupported algorithm/)
+          end
+        end
+
+        it 'initializes context' do
+          expect do
+            context
+          end.not_to raise_error
+        end
+      end
+
+      context 'with valid key_id' do
+        let(:key_alt_name) { nil }
+
+        context 'with nil algorithm' do
+          let(:algorithm) { nil }
+
+          it 'raises exception' do
+            expect do
+              context
+            end.to raise_error(Mongo::Error::CryptError, /passed null algorithm/)
+          end
+        end
+
+        context 'with invalid algorithm' do
+          let(:algorithm) { 'unsupported-algorithm' }
+
+          it 'raises an exception' do
+            expect do
+              context
+            end.to raise_error(Mongo::Error::CryptError, /unsupported algorithm/)
+          end
+        end
+
+        it 'initializes context' do
+          expect do
+            context
+          end.not_to raise_error
+        end
+      end
+    end
+
+    context 'when mongocrypt is initialized with AWS KMS provider options' do
+      include_context 'with AWS kms_providers'
+      it_behaves_like 'a functioning ExplicitEncryptionContext'
+    end
+
+    context 'when mongocrypt is initialized with local KMS provider options' do
+      include_context 'with local kms_providers'
+      it_behaves_like 'a functioning ExplicitEncryptionContext'
+    end
+
+    context 'with verbose logging' do
+      include_context 'with local kms_providers'
+
+      before(:all) do
+        # Logging from libmongocrypt requires the C library to be built with the -DENABLE_TRACE=ON
+        # option; none of the pre-built packages on Evergreen have been built with logging enabled.
+        #
+        # It is still useful to be able to run these tests locally to confirm that logging is working
+        # while debugging any problems.
+        #
+        # For now, skip this test by default and revisit once we have determined how we want to
+        # package libmongocrypt with the Ruby driver (see: https://jira.mongodb.org/browse/RUBY-1966)
+        skip "These tests require libmongocrypt to be built with the '-DENABLE_TRACE=ON' cmake option." +
+          " They also require the MONGOCRYPT_TRACE environment variable to be set to 'ON'."
+      end
+
+      let(:key_alt_name) { nil }
+      let(:logger) do
+        ::Logger.new($stdout).tap do |logger|
+          logger.level = ::Logger::DEBUG
+        end
+      end
+
+      it 'receives log messages from libmongocrypt' do
+        expect(logger).to receive(:debug).with(/mongocrypt_ctx_setopt_key_id/)
+        expect(logger).to receive(:debug).with(/mongocrypt_ctx_setopt_algorithm/)
+        expect(logger).to receive(:debug).with(/mongocrypt_ctx_explicit_encrypt_init/)
+
+        context
+      end
+    end
+  end
+end

data/spec/mongo/crypt/handle_spec.rb

@@ -0,0 +1,198 @@
+require 'mongo'
+require 'base64'
+require 'lite_spec_helper'
+
+describe Mongo::Crypt::Handle do
+  require_libmongocrypt
+  include_context 'define shared FLE helpers'
+
+  describe '#initialize' do
+    let(:handle) { described_class.new(kms_providers, schema_map: schema_map) }
+    let(:schema_map) { nil }
+
+    shared_examples 'a functioning Mongo::Crypt::Handle' do
+      context 'with valid schema map' do
+        it 'does not raise an exception' do
+          expect { handle }.not_to raise_error
+        end
+      end
+
+      context 'with invalid schema map' do
+        let(:schema_map) { '' }
+
+        it 'raises an exception' do
+          expect { handle }.to raise_error(ArgumentError, /schema_map must be a Hash or nil/)
+        end
+      end
+
+      context 'with nil schema map' do
+        let(:schema_map) { nil }
+
+        it 'does not raise an exception' do
+          expect { handle }.not_to raise_error
+        end
+      end
+    end
+
+    context 'with empty kms_providers' do
+      let(:kms_providers) { {} }
+
+      it 'raises an exception' do
+        expect { handle }.to raise_error(ArgumentError, /must have one of the following keys: :aws, :local/)
+      end
+    end
+
+    context 'with invalid aws kms_providers' do
+      let(:kms_providers) { { aws: {} } }
+
+      it 'raises an exception' do
+        expect { handle }.to raise_error(ArgumentError, /kms_providers with :aws key must be in the format: { aws: { access_key_id: 'YOUR-ACCESS-KEY-ID', secret_access_key: 'SECRET-ACCESS-KEY' } }/)
+      end
+    end
+
+    context 'with invalid kms_providers key' do
+      let(:kms_providers) { { random_kms_provider: {} } }
+
+      it 'raises an exception' do
+        expect { handle }.to raise_error(ArgumentError, /must have one of the following keys: :aws, :local/)
+      end
+    end
+
+    context 'with empty local kms_providers' do
+      let(:kms_providers) { { local: {} } }
+
+      it 'raises an exception' do
+        expect { handle }.to raise_error(ArgumentError, /kms_providers with :local key must be in the format: { local: { key: 'MASTER-KEY' } }/)
+      end
+    end
+
+    context 'with invalid local kms_providers' do
+      let(:kms_providers) { { local: { invalid_key: 'Some stuff' } } }
+
+      it 'raises an exception' do
+        expect { handle }.to raise_error(ArgumentError, /kms_providers with :local key must be in the format: { local: { key: 'MASTER-KEY' } }/)
+      end
+    end
+
+    context 'with invalid local kms master key' do
+      let(:kms_providers) do
+        {
+          local: {
+            key: 'ruby' * 23 # NOT 96 bytes
+          }
+        }
+      end
+
+      it 'raises an exception' do
+        expect { handle }.to raise_error(Mongo::Error::CryptError, 'local key must be 96 bytes (libmongocrypt error code 1)')
+      end
+    end
+
+    context 'with valid local kms_providers' do
+      include_context 'with local kms_providers'
+      it_behaves_like 'a functioning Mongo::Crypt::Handle'
+    end
+
+    context 'with nil AWS kms_provider' do
+      let(:kms_providers) {
+        {
+          aws: nil
+        }
+      }
+
+      it 'raises an exception' do
+        expect do
+          handle
+        end.to raise_error(ArgumentError, /The :aws KMS provider must not be nil/)
+      end
+    end
+
+    context 'with empty AWS kms_provider' do
+      let(:kms_providers) {
+        {
+          aws: {}
+        }
+      }
+
+      it 'raises an exception' do
+        expect do
+          handle
+        end.to raise_error(ArgumentError, /The specified aws kms_providers option is invalid/)
+      end
+    end
+
+    context 'with nil AWS access_key_id' do
+      let(:kms_providers) {
+        {
+          aws: {
+            access_key_id: nil,
+            secret_access_key: SpecConfig.instance.fle_aws_secret
+          }
+        }
+      }
+
+      it 'raises an exception' do
+        expect do
+          handle
+        end.to raise_error(ArgumentError, /The specified aws kms_providers option is invalid/)
+      end
+    end
+
+    context 'with non-string AWS access_key_id' do
+      let(:kms_providers) {
+        {
+          aws: {
+            access_key_id: 5,
+            secret_access_key: SpecConfig.instance.fle_aws_secret
+          }
+        }
+      }
+
+      it 'raises an exception' do
+        expect do
+          handle
+        end.to raise_error(ArgumentError, /The specified aws kms_providers option is invalid/)
+      end
+    end
+
+
+    context 'with nil AWS secret_access_key' do
+      let(:kms_providers) {
+        {
+          aws: {
+            access_key_id: SpecConfig.instance.fle_aws_key,
+            secret_access_key: nil
+          }
+        }
+      }
+
+      it 'raises an exception' do
+        expect do
+          handle
+        end.to raise_error(ArgumentError, /The specified aws kms_providers option is invalid/)
+      end
+    end
+
+    context 'with non-string AWS secret_access_key' do
+      let(:kms_providers) {
+        {
+          aws: {
+            access_key_id: SpecConfig.instance.fle_aws_key,
+            secret_access_key: 5
+          }
+        }
+      }
+
+      it 'raises an exception' do
+        expect do
+          handle
+        end.to raise_error(ArgumentError, /The specified aws kms_providers option is invalid/)
+      end
+    end
+
+    context 'with valid AWS kms_providers' do
+      include_context 'with AWS kms_providers'
+      it_behaves_like 'a functioning Mongo::Crypt::Handle'
+    end
+  end
+end