mongo 2.15.0 → 2.18.1

data/lib/mongo/crypt/context.rb

@@ -35,13 +35,14 @@ module Mongo
       #   that implements driver I/O methods required to run the
       #   state machine.
       def initialize(mongocrypt_handle, io)
+        @mongocrypt_handle = mongocrypt_handle
         # Ideally, this level of the API wouldn't be passing around pointer
         # references between objects, so this method signature is subject to change.
 
         # FFI::AutoPointer uses a custom release strategy to automatically free
         # the pointer once this object goes out of scope
         @ctx_p = FFI::AutoPointer.new(
-          Binding.mongocrypt_ctx_new(mongocrypt_handle.ref),
+          Binding.mongocrypt_ctx_new(@mongocrypt_handle.ref),
           Binding.method(:mongocrypt_ctx_destroy)
         )
 
@@ -103,7 +104,9 @@ module Mongo
             mongocrypt_done
           when :need_kms
             while kms_context = Binding.ctx_next_kms_ctx(self) do
-              @encryption_io.feed_kms(kms_context)
+              provider = Binding.kms_ctx_get_kms_provider(kms_context)
+              tls_options = @mongocrypt_handle.kms_tls_options(provider)
+              @encryption_io.feed_kms(kms_context, tls_options)
             end
 
             Binding.ctx_kms_done(self)

data/lib/mongo/crypt/data_key_context.rb

@@ -19,7 +19,7 @@ module Mongo
   module Crypt
 
     # A Context object initialized specifically for the purpose of creating
-    # a data key in the key managemenet system.
+    # a data key in the key management system.
     #
     # @api private
     class DataKeyContext < Context
@@ -30,116 +30,24 @@ module Mongo
       #   wraps a mongocrypt_t object used to create a new mongocrypt_ctx_t
       # @param [ Mongo::Crypt::EncryptionIO ] io An object that performs all
       #   driver I/O on behalf of libmongocrypt
-      # @param [ String ] kms_provider The KMS provider to use. Options are
-      #   "aws" and "local".
-      # @param [ Hash ] options Data key creation options.
-      #
-      # @option options [ Hash ] :master_key A Hash of options related to the AWS
-      #   KMS provider option. Required if kms_provider is "aws".
-      #   - :region [ String ] The The AWS region of the master key (required).
-      #   - :key [ String ] The Amazon Resource Name (ARN) of the master key (required).
-      #   - :endpoint [ String ] An alternate host to send KMS requests to (optional).
-      # @option options [ Array<String> ] :key_alt_names An optional array of strings specifying
+      # @param [ Mongo::Crypt::KMS::MasterKeyDocument ] master_key_document The master
+      #   key document that contains master encryption key parameters.
+      # @param [ Array<String> | nil ] key_alt_names An optional array of strings specifying
       #   alternate names for the new data key.
-      def initialize(mongocrypt, io, kms_provider, options={})
+      # @param [ String | nil ] :key_material Optional
+      #   96 bytes to use as custom key material for the data key being created.
+      #   If :key_material option is given, the custom key material is used
+      #   for encrypting and decrypting data.
+      def initialize(mongocrypt, io, master_key_document, key_alt_names, key_material)
         super(mongocrypt, io)
-
-        case kms_provider
-        when 'local'
-          Binding.ctx_setopt_master_key_local(self)
-        when 'aws'
-          unless options
-            raise ArgumentError.new(
-              'When "aws" is specified as the KMS provider, options cannot be nil'
-            )
-          end
-
-          unless options.key?(:master_key)
-            raise ArgumentError.new(
-              'When "aws" is specified as the KMS provider, the options Hash ' +
-              'must contain a key named :master_key with a Hash value in the ' +
-              '{ region: "AWS-REGION", key: "AWS-KEY-ARN" }'
-            )
-          end
-
-          master_key_opts = options[:master_key]
-
-          set_aws_master_key(master_key_opts)
-          set_aws_endpoint(master_key_opts[:endpoint]) if master_key_opts[:endpoint]
-        else
-          raise ArgumentError.new(
-            "#{kms_provider} is an invalid kms provider. " +
-            "Valid options are 'aws' and 'local'"
-          )
-        end
-
-        set_key_alt_names(options[:key_alt_names]) if options[:key_alt_names]
+        Binding.ctx_setopt_key_encryption_key(self, master_key_document.to_document)
+        set_key_alt_names(key_alt_names) if key_alt_names
+        Binding.ctx_setopt_key_material(self, BSON::Binary.new(key_material)) if key_material
         initialize_ctx
       end
 
       private
 
-      # Configure the underlying mongocrypt_ctx_t object to accept AWS
-      # KMS options
-      def set_aws_master_key(master_key_opts)
-        unless master_key_opts
-          raise ArgumentError.new('The :master_key option cannot be nil')
-        end
-
-        unless master_key_opts.is_a?(Hash)
-          raise ArgumentError.new(
-            "#{master_key_opts} is an invalid :master_key option. " +
-            "The :master_key option must be a Hash in the format " +
-            "{ region: 'AWS-REGION', key: 'AWS-KEY-ARN' }"
-          )
-        end
-
-        region = master_key_opts[:region]
-        unless region
-          raise ArgumentError.new(
-            'The value of :region option of the :master_key options hash cannot be nil'
-          )
-        end
-
-        unless region.is_a?(String)
-          raise ArgumentError.new(
-            "#{master_key_opts[:region]} is an invalid AWS master_key region. " +
-            "The value of :region option of the :master_key options hash must be a String"
-          )
-        end
-
-        key = master_key_opts[:key]
-        unless key
-          raise ArgumentError.new(
-            'The value of :key option of the :master_key options hash cannot be nil'
-          )
-        end
-
-        unless key.is_a?(String)
-          raise ArgumentError.new(
-            "#{master_key_opts[:key]} is an invalid AWS master_key key. " +
-            "The value of :key option of the :master_key options hash must be a String"
-          )
-        end
-
-        Binding.ctx_setopt_master_key_aws(
-          self,
-          region,
-          key,
-        )
-      end
-
-      def set_aws_endpoint(endpoint)
-        unless endpoint.is_a?(String)
-          raise ArgumentError.new(
-            "#{endpoint} is an invalid AWS master_key endpoint. " +
-            "The value of :endpoint option of the :master_key options hash must be a String"
-          )
-        end
-
-        Binding.ctx_setopt_master_key_aws_endpoint(self, endpoint)
-      end
-
       # Set the alt names option on the context
       def set_key_alt_names(key_alt_names)
         unless key_alt_names.is_a?(Array)

data/lib/mongo/crypt/encryption_io.rb

@@ -38,6 +38,8 @@ module Mongo
       #   defaults to nil.
       # @param [ Mongo::Client ] key_vault_client The client connected to the
       #   key vault collection.
+      # @param [ Mongo::Client | nil ] metadata_client The client to be used to
+      #   obtain collection metadata.
       # @param [ String ] key_vault_namespace The key vault namespace in the format
       #   db_name.collection_name.
       # @param [ Hash ] mongocryptd_options Options related to mongocryptd.
@@ -54,7 +56,7 @@ module Mongo
       #   options are not nil and are in the correct format.
       def initialize(
         client: nil, mongocryptd_client: nil, key_vault_namespace:,
-        key_vault_client:, mongocryptd_options: {}
+        key_vault_client:, metadata_client:, mongocryptd_options: {}
       )
         validate_key_vault_client!(key_vault_client)
         validate_key_vault_namespace!(key_vault_namespace)
@@ -63,6 +65,7 @@ module Mongo
         @mongocryptd_client = mongocryptd_client
         @key_vault_db_name, @key_vault_collection_name = key_vault_namespace.split('.')
         @key_vault_client = key_vault_client
+        @metadata_client = metadata_client
         @options = mongocryptd_options
       end
 
@@ -91,11 +94,11 @@ module Mongo
       #
       # @return [ Hash ] The collection information
       def collection_info(db_name, filter)
-        unless @client
-          raise ArgumentError, 'collection_info requires client to have been passed to the constructor, but it was not'
+        unless @metadata_client
+          raise ArgumentError, 'collection_info requires metadata_client to have been passed to the constructor, but it was not'
         end
 
-        @client.use(db_name).database.list_collections(filter: filter).first
+        @metadata_client.use(db_name).database.list_collections(filter: filter).first
       end
 
       # Send the command to mongocryptd to be marked with intent-to-encrypt markings
@@ -124,16 +127,17 @@ module Mongo
         return response.first
       end
 
-      # Get information about the AWS encryption key and feed it to the the
+      # Get information about the remote KMS encryption key and feed it to the the
       # KmsContext object
       #
       # @param [ Mongo::Crypt::KmsContext ] kms_context A KmsContext object
-      #   corresponding to one AWS KMS data key. Contains information about
+      #   corresponding to one remote KMS data key. Contains information about
       #   the endpoint at which to establish a TLS connection and the message
       #   to send on that connection.
-      def feed_kms(kms_context)
-        with_ssl_socket(kms_context.endpoint) do |ssl_socket|
-
+      # @param [ Hash ] tls_options. TLS options to connect to KMS provider.
+      #   The options are same as for Mongo::Client.
+      def feed_kms(kms_context, tls_options)
+        with_ssl_socket(kms_context.endpoint, tls_options) do |ssl_socket|
           Timeout.timeout(SOCKET_TIMEOUT, Error::SocketTimeoutError,
             'Socket write operation timed out'
           ) do
@@ -154,6 +158,72 @@ module Mongo
         end
       end
 
+      # Adds a key_alt_name to the key_alt_names array of the key document
+      # in the key vault collection with the given id.
+      def add_key_alt_name(id, key_alt_name)
+        key_vault_collection.find_one_and_update(
+          { _id: id },
+          { '$addToSet' => { keyAltNames: key_alt_name } },
+        )
+      end
+
+      # Removes the key document with the given id
+      # from the key vault collection.
+      def delete_key(id)
+        key_vault_collection.delete_one(_id: id)
+      end
+
+      # Finds a single key document with the given id.
+      def get_key(id)
+        key_vault_collection.find(_id: id).first
+      end
+
+      # Returns a key document in the key vault collection with
+      # the given key_alt_name.
+      def get_key_by_alt_name(key_alt_name)
+        key_vault_collection.find(keyAltNames: key_alt_name).first
+      end
+
+      # Finds all documents in the key vault collection.
+      def get_keys
+        key_vault_collection.find
+      end
+
+      # Removes a key_alt_name from the key_alt_names array of the key document
+      # in the key vault collection with the given id.
+      def remove_key_alt_name(id, key_alt_name)
+        key_vault_collection.find_one_and_update(
+          { _id: id },
+          [
+            {
+              '$set' => {
+                keyAltNames: {
+                  '$cond' => [
+                    { '$eq' => [ '$keyAltNames', [ key_alt_name ] ] },
+                    '$$REMOVE',
+                    {
+                      '$filter' => {
+                        input: '$keyAltNames',
+                        cond: { '$ne' =>  [ '$$this', key_alt_name ] }
+                      }
+                    }
+                  ]
+                }
+              }
+            }
+          ]
+        )
+      end
+
+      # Apply given requests to the key vault collection using bulk write.
+      #
+      # @param [ Array<Hash> ] requests The bulk write requests.
+      #
+      # @return [ BulkWrite::Result ] The result of the operation.
+      def update_data_keys(updates)
+        key_vault_collection.bulk_write(updates)
+      end
+
       private
 
       def validate_key_vault_client!(key_vault_client)
@@ -242,6 +312,8 @@ module Mongo
       # Provide a TLS socket to be used for KMS calls in a block API
       #
       # @param [ String ] endpoint The URI at which to connect the TLS socket.
+      # @param [ Hash ] tls_options. TLS options to connect to KMS provider.
+      #   The options are same as for Mongo::Client.
       # @yieldparam [ OpenSSL::SSL::SSLSocket ] ssl_socket Yields a TLS socket
       #   connected to the specified endpoint.
       #
@@ -250,59 +322,21 @@ module Mongo
       #
       # @note The socket is always closed when the provided block has finished
       #   executing
-      def with_ssl_socket(endpoint)
-        host, port = endpoint.split(':')
-        port ||= 443 # Default port for AWS KMS API
-
-        # Create TCPSocket and set nodelay option
-        tcp_socket = TCPSocket.open(host, port)
-        begin
-          tcp_socket.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
-
-          ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket)
-          begin
-            # tcp_socket will be closed when ssl_socket is closed
-            ssl_socket.sync_close = true
-            # perform SNI
-            ssl_socket.hostname = "#{host}:#{port}"
-
-            Timeout.timeout(
-              SOCKET_TIMEOUT,
-              Error::SocketTimeoutError,
-              "KMS socket connection timed out after #{SOCKET_TIMEOUT} seconds",
-            ) do
-              ssl_socket.connect
-            end
-
-            yield(ssl_socket)
-          ensure
-            begin
-              Timeout.timeout(
-                SOCKET_TIMEOUT,
-                Error::SocketTimeoutError,
-                'KMS TLS socket close timed out'
-              ) do
-                ssl_socket.sysclose
-              end
-            rescue
-            end
-          end
-        ensure
-          # Still close tcp socket manually in case TLS socket creation
-          # fails.
-          begin
-            Timeout.timeout(
-              SOCKET_TIMEOUT,
-              Error::SocketTimeoutError,
-              'KMS TCP socket close timed out'
-            ) do
-              tcp_socket.close
-            end
-          rescue
-          end
+      def with_ssl_socket(endpoint, tls_options)
+        address = begin
+          host, port = endpoint.split(':')
+          port ||= 443 # All supported KMS APIs use this port by default.
+          Address.new([host, port].join(':'))
         end
+        mongo_socket = address.socket(
+          SOCKET_TIMEOUT,
+          tls_options.merge(ssl: true)
+        )
+        yield(mongo_socket.socket)
       rescue => e
-        raise Error::KmsError, "Error decrypting data key: #{e.class}: #{e.message}"
+        raise Error::KmsError, "Error when connecting to KMS provider: #{e.class}: #{e.message}"
+      ensure
+        mongo_socket&.close
       end
     end
   end

data/lib/mongo/crypt/explicit_encrypter.rb

@@ -29,15 +29,22 @@ module Mongo
       #   to connect to the key vault collection.
       # @param [ String ] key_vault_namespace The namespace of the key vault
       #   collection in the format "db_name.collection_name".
-      # @option options [ Hash ] :kms_providers A hash of key management service
-      #   configuration information. Valid hash keys are :local or :aws. There
-      #   may be more than one KMS provider specified.
-      def initialize(key_vault_client, key_vault_namespace, kms_providers)
-        @crypt_handle = Handle.new(kms_providers)
-
+      # @param [ Crypt::KMS::Credentials ] kms_providers A hash of key management service
+      #   configuration information.
+      # @param [ Hash ] kms_tls_options TLS options to connect to KMS
+      #   providers. Keys of the hash should be KSM provider names; values
+      #   should be hashes of TLS connection options. The options are equivalent
+      #   to TLS connection options of Mongo::Client.
+      def initialize(key_vault_client, key_vault_namespace, kms_providers, kms_tls_options)
+        @crypt_handle = Handle.new(
+          kms_providers,
+          kms_tls_options,
+          explicit_encryption_only: true
+        )
         @encryption_io = EncryptionIO.new(
           key_vault_client: key_vault_client,
-          key_vault_namespace: key_vault_namespace
+          metadata_client: nil,
+          key_vault_namespace: key_vault_namespace,
         )
       end
 
@@ -45,30 +52,24 @@ module Mongo
       # that key in the KMS collection. The generated key is encrypted with
       # the KMS master key.
       #
-      # @param [ String ] kms_provider The KMS provider to use. Valid values are
-      #   "aws" and "local".
-      # @param [ Hash ] options
-      #
-      # @option options [ Hash ] :master_key Information about the AWS master key. Required
-      #   if kms_provider is "aws".
-      #   - :region [ String ] The The AWS region of the master key (required).
-      #   - :key [ String ] The Amazon Resource Name (ARN) of the master key (required).
-      #   - :endpoint [ String ] An alternate host to send KMS requests to (optional).
-      #     endpoint should be a host name with an optional port number separated
-      #     by a colon (e.g. "kms.us-east-1.amazonaws.com" or
-      #     "kms.us-east-1.amazonaws.com:443"). An endpoint in any other format
-      #     will not be properly parsed.
-      # @option options [ Array<String> ] :key_alt_names An optional array of strings specifying
+      # @param [ Mongo::Crypt::KMS::MasterKeyDocument ] master_key_document The master
+      #   key document that contains master encryption key parameters.
+      # @param [ Array<String> | nil ] key_alt_names An optional array of strings specifying
       #   alternate names for the new data key.
+      # @param [ String | nil ] key_material Optional 96 bytes to use as
+      #   custom key material for the data key being created.
+      #   If key_material option is given, the custom key material is used
+      #   for encrypting and decrypting data.
       #
       # @return [ BSON::Binary ] The 16-byte UUID of the new data key as a
       #   BSON::Binary object with type :uuid.
-      def create_and_insert_data_key(kms_provider, options)
+      def create_and_insert_data_key(master_key_document, key_alt_names, key_material = nil)
         data_key_document = Crypt::DataKeyContext.new(
           @crypt_handle,
           @encryption_io,
-          kms_provider,
-          options
+          master_key_document,
+          key_alt_names,
+          key_material
         ).run_state_machine
 
         @encryption_io.insert_data_key(data_key_document).inserted_id
@@ -85,14 +86,24 @@ module Mongo
       # @option options [ String ] :key_alt_name The alternate name for the
       #   encryption key.
       # @option options [ String ] :algorithm The algorithm used to encrypt the value.
-      #   Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
-      #   or "AEAD_AES_256_CBC_HMAC_SHA_512-Random".
+      #   Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
+      #   "AEAD_AES_256_CBC_HMAC_SHA_512-Random", "Indexed", "Unindexed".
+      # @option options [ Integer | nil ] :contention_factor Contention factor
+      #   to be applied if encryption algorithm is set to "Indexed". If not
+      #   provided, it defaults to a value of 0. Contention factor should be set
+      #   only if encryption algorithm is set to "Indexed".
+      # @option options [ String | nil ] query_type Query type to be applied
+      # if encryption algorithm is set to "Indexed". Query type should be set
+      #   only if encryption algorithm is set to "Indexed". The only allowed
+      #   value is "equality".
       #
       # @note The :key_id and :key_alt_name options are mutually exclusive. Only
       #   one is required to perform explicit encryption.
       #
       # @return [ BSON::Binary ] A BSON Binary object of subtype 6 (ciphertext)
       #   representing the encrypted value
+      # @raise [ ArgumentError ] if either contention_factor or query_type
+      #   is set, and algorithm is not "Indexed".
       def encrypt(value, options)
         Crypt::ExplicitEncryptionContext.new(
           @crypt_handle,
@@ -115,6 +126,112 @@ module Mongo
           { 'v': value },
         ).run_state_machine['v']
       end
+
+      # Adds a key_alt_name for the key in the key vault collection with the given id.
+      #
+      # @param [ BSON::Binary ] id Id of the key to add new key alt name.
+      # @param [ String ] key_alt_name New key alt name to add.
+      #
+      # @return [ BSON::Document | nil ] Document describing the identified key
+      #   before adding the key alt name, or nil if no such key.
+      def add_key_alt_name(id, key_alt_name)
+        @encryption_io.add_key_alt_name(id, key_alt_name)
+      end
+
+      # Removes the key with the given id from the key vault collection.
+      #
+      # @param [ BSON::Binary ] id Id of the key to delete.
+      #
+      # @return [ Operation::Result ] The response from the database for the delete_one
+      #   operation that deletes the key.
+      def delete_key(id)
+        @encryption_io.delete_key(id)
+      end
+
+      # Finds a single key with the given id.
+      #
+      # @param [ BSON::Binary ] id Id of the key to get.
+      #
+      # @return [ BSON::Document | nil ] The found key document or nil
+      #   if not found.
+      def get_key(id)
+        @encryption_io.get_key(id)
+      end
+
+      # Returns a key in the key vault collection with the given key_alt_name.
+      #
+      # @param [ String ] key_alt_name Key alt name to find a key.
+      #
+      # @return [ BSON::Document | nil ] The found key document or nil
+      #   if not found.
+      def get_key_by_alt_name(key_alt_name)
+        @encryption_io.get_key_by_alt_name(key_alt_name)
+      end
+
+      # Returns all keys in the key vault collection.
+      #
+      # @return [ Collection::View ] Keys in the key vault collection.
+      def get_keys
+        @encryption_io.get_keys
+      end
+
+      # Removes a key_alt_name from a key in the key vault collection with the given id.
+      #
+      # @param [ BSON::Binary ] id Id of the key to remove key alt name.
+      # @param [ String ] key_alt_name Key alt name to remove.
+      #
+      # @return [ BSON::Document | nil ] Document describing the identified key
+      #   before removing the key alt name, or nil if no such key.
+      def remove_key_alt_name(id, key_alt_name)
+        @encryption_io.remove_key_alt_name(id, key_alt_name)
+      end
+
+      # Decrypts multiple data keys and (re-)encrypts them with a new master_key,
+      #   or with their current master_key if a new one is not given.
+      #
+      # @param [ Hash ] filter Filter used to find keys to be updated.
+      # @param [ Hash ] options
+      #
+      # @option options [ String ] :provider KMS provider to encrypt keys.
+      # @option options [ Hash | nil ] :master_key Document describing master key
+      #   to encrypt keys.
+      #
+      # @return [ Crypt::RewrapManyDataKeyResult ] Result of the operation.
+      def rewrap_many_data_key(filter, opts = {})
+        master_key_document = if opts[:provider]
+          options = opts.dup
+          provider = options.delete(:provider)
+          KMS::MasterKeyDocument.new(provider, options)
+        end
+
+        rewrap_result = Crypt::RewrapManyDataKeyContext.new(
+          @crypt_handle,
+          @encryption_io,
+          filter,
+          master_key_document
+        ).run_state_machine
+        if rewrap_result.nil?
+          return RewrapManyDataKeyResult.new(nil)
+        end
+        data_key_documents = rewrap_result.fetch('v')
+        updates = data_key_documents.map do |doc|
+          {
+            update_one: {
+              filter: { _id: doc[:_id] },
+              update: {
+                '$set' => {
+                  masterKey: doc[:masterKey],
+                  keyMaterial: doc[:keyMaterial]
+                },
+                '$currentDate' => { updateDate: true },
+              },
+            }
+          }
+        end
+        RewrapManyDataKeyResult.new(
+          @encryption_io.update_data_keys(updates)
+        )
+      end
     end
   end
 end

data/lib/mongo/crypt/explicit_encryption_context.rb

@@ -38,8 +38,16 @@ module Mongo
       # @option options [ String ] :key_alt_name The alternate name of the data key
       #   that will be used to encrypt the value.
       # @option options [ String ] :algorithm The algorithm used to encrypt the
-      #   value. Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
-      #   or "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
+      #   value. Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
+      #   "AEAD_AES_256_CBC_HMAC_SHA_512-Random", "Indexed", "Unindexed".
+      # @option options [ Integer | nil ] :contention_factor Contention factor
+      #   to be applied if encryption algorithm is set to "Indexed". If not
+      #   provided, it defaults to a value of 0. Contention factor should be set
+      #   only if encryption algorithm is set to "Indexed".
+      # @option options [ String | nil ] query_type Query type to be applied
+      # if encryption algorithm is set to "Indexed". Query type should be set
+      #   only if encryption algorithm is set to "Indexed".  The only allowed
+      #   value is "equality".
       #
       # @raise [ ArgumentError|Mongo::Error::CryptError ] If invalid options are provided
       def initialize(mongocrypt, io, doc, options={})
@@ -82,6 +90,21 @@ module Mongo
         # Set the algorithm option on the mongocrypt_ctx_t object and raises
         # an exception if the algorithm is invalid.
         Binding.ctx_setopt_algorithm(self, options[:algorithm])
+        if options[:algorithm] == 'Indexed'
+          if options[:contention_factor]
+            Binding.ctx_setopt_contention_factor(self, options[:contention_factor])
+          end
+          if options[:query_type]
+            Binding.ctx_setopt_query_type(self, options[:query_type])
+          end
+        else
+          if options[:contention_factor]
+            raise ArgumentError.new(':contention_factor is allowed only for "Indexed" algorithm')
+          end
+          if options[:query_type]
+            raise ArgumentError.new(':query_type is allowed only for "Indexed" algorithm')
+          end
+        end
 
         # Initializes the mongocrypt_ctx_t object for explicit encryption and
         # passes in the value to be encrypted.