RubyGems - mongo - Versions diffs - 2.17.2 → 2.18.1 - Mend

mongo 2.17.2 → 2.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (689) hide show

data/spec/integration/client_side_encryption/kms_tls_options_spec.rb ADDED Viewed

@@ -0,0 +1,436 @@
+# frozen_string_literal: true
+# encoding: utf-8
+require 'spec_helper'
+describe 'Client-Side Encryption' do
+  describe 'Prose tests: KMS TLS Options Tests' do
+    require_libmongocrypt
+    require_enterprise
+    min_server_fcv '4.2'
+    include_context 'define shared FLE helpers'
+    let(:client) do
+      new_local_client(
+        SpecConfig.instance.addresses,
+        SpecConfig.instance.test_options
+      )
+    end
+    let(:client_encryption_no_client_cert) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: {
+            aws: {
+              access_key_id: SpecConfig.instance.fle_aws_key,
+              secret_access_key: SpecConfig.instance.fle_aws_secret
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+              identity_platform_endpoint: "127.0.0.1:8002"
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+              endpoint: "127.0.0.1:8002"
+            },
+            kmip: {
+              endpoint: "127.0.0.1:5698"
+            }
+          },
+          kms_tls_options: {
+            aws: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            azure: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            gcp: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+    let(:client_encryption_with_tls) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: {
+            aws: {
+              access_key_id: SpecConfig.instance.fle_aws_key,
+              secret_access_key: SpecConfig.instance.fle_aws_secret
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+              identity_platform_endpoint: "127.0.0.1:8002"
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+              endpoint: "127.0.0.1:8002"
+            },
+            kmip: {
+              endpoint: "127.0.0.1:5698"
+            }
+          },
+          kms_tls_options: {
+            aws: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            },
+            azure: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            },
+            gcp: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            },
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+    let(:client_encryption_expired) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: {
+            aws: {
+              access_key_id: SpecConfig.instance.fle_aws_key,
+              secret_access_key: SpecConfig.instance.fle_aws_secret
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+              identity_platform_endpoint: "127.0.0.1:8000"
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+              endpoint: "127.0.0.1:8000"
+            },
+            kmip: {
+              endpoint: "127.0.0.1:8000"
+            }
+          },
+          kms_tls_options: {
+            aws: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            azure: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            gcp: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+    let(:client_encryption_invalid_hostname) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: {
+            aws: {
+              access_key_id: SpecConfig.instance.fle_aws_key,
+              secret_access_key: SpecConfig.instance.fle_aws_secret
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+              identity_platform_endpoint: "127.0.0.1:8001"
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+              endpoint: "127.0.0.1:8001"
+            },
+            kmip: {
+              endpoint: "127.0.0.1:8001"
+            }
+          },
+          kms_tls_options: {
+            aws: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            azure: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            gcp: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+    # We do noy use shared examples for AWS because of the way we pass endpoint.
+    context 'AWS' do
+      let(:master_key_template) do
+        {
+          region: "us-east-1",
+          key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+        }
+      end
+      context 'with no client certificate' do
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_no_client_cert.create_data_key(
+              'aws',
+              {
+                master_key: master_key_template.merge({endpoint: "127.0.0.1:8002"})
+              }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /(SocketError|ECONNRESET)/)
+        end
+      end
+      context 'with valid certificate' do
+        it 'TLS handshake passes' do
+          expect do
+            client_encryption_with_tls.create_data_key(
+              'aws',
+              {
+                master_key: master_key_template.merge({endpoint: "127.0.0.1:8002"})
+             }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /libmongocrypt error code/)
+        end
+      end
+      context 'with expired server certificate' do
+        let(:error_regex) do
+          if BSON::Environment.jruby?
+            /certificate verify failed/
+          else
+            /certificate has expired/
+          end
+        end
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_expired.create_data_key(
+              'aws',
+              {
+                master_key: master_key_template.merge({endpoint: "127.0.0.1:8000"})
+              }
+            )
+          end.to raise_error(Mongo::Error::KmsError, error_regex)
+        end
+      end
+      context 'with server certificate with invalid hostname' do
+        let(:error_regex) do
+          if BSON::Environment.jruby?
+            /TLS handshake failed due to a hostname mismatch/
+          else
+            /certificate verify failed/
+          end
+        end
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_invalid_hostname.create_data_key(
+              'aws',
+              {
+                master_key: master_key_template.merge({endpoint: "127.0.0.1:8001"})
+              }
+            )
+          end.to raise_error(Mongo::Error::KmsError, error_regex)
+        end
+      end
+    end
+    shared_examples 'it respect KMS TLS options' do
+      context 'with no client certificate' do
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_no_client_cert.create_data_key(
+              kms_provider,
+              {
+                master_key: master_key
+             }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /(SocketError|ECONNRESET)/)
+        end
+      end
+      context 'with valid certificate' do
+        it 'TLS handshake passes' do
+          if should_raise_with_tls
+            expect do
+              client_encryption_with_tls.create_data_key(
+                kms_provider,
+                {
+                  master_key: master_key
+              }
+              )
+            end.to raise_error(Mongo::Error::KmsError, /libmongocrypt error code/)
+          else
+            expect do
+              client_encryption_with_tls.create_data_key(
+                kms_provider,
+                {
+                  master_key: master_key
+              }
+              )
+            end.not_to raise_error
+          end
+        end
+        it 'raises KmsError directly without wrapping CryptError' do
+          if should_raise_with_tls
+            begin
+              client_encryption_with_tls.create_data_key(
+                kms_provider,
+                {
+                  master_key: master_key
+              }
+              )
+            rescue Mongo::Error::KmsError => exc
+              exc.message.should =~ /Error when connecting to KMS provider/
+              exc.message.should =~ /libmongocrypt error code/
+              exc.message.should_not =~ /CryptError/
+            else
+              fail 'Expected to raise KmsError'
+            end
+          end
+        end
+      end
+      context 'with expired server certificate' do
+        let(:error_regex) do
+          if BSON::Environment.jruby?
+            /certificate verify failed/
+          else
+            /certificate has expired/
+          end
+        end
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_expired.create_data_key(
+              kms_provider,
+              {
+                master_key: master_key
+            }
+            )
+          end.to raise_error(Mongo::Error::KmsError, error_regex)
+        end
+      end
+      context 'with server certificate with invalid hostname' do
+        let(:error_regex) do
+          if BSON::Environment.jruby?
+            /TLS handshake failed due to a hostname mismatch/
+          else
+            /certificate verify failed/
+          end
+        end
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_invalid_hostname.create_data_key(
+              kms_provider,
+              {
+                master_key: master_key
+              }
+            )
+          end.to raise_error(Mongo::Error::KmsError, error_regex)
+        end
+      end
+    end
+    context 'Azure' do
+      let(:kms_provider) do
+        'azure'
+      end
+      let(:master_key) do
+        {
+          key_vault_endpoint: 'doesnotexist.local',
+          key_name: 'foo'
+        }
+      end
+      let(:should_raise_with_tls) do
+        true
+      end
+      it_behaves_like 'it respect KMS TLS options'
+    end
+    context 'GCP' do
+      let(:kms_provider) do
+        'gcp'
+      end
+      let(:master_key) do
+        {
+          project_id: 'foo',
+          location: 'bar',
+          key_ring: 'baz',
+          key_name: 'foo'
+        }
+      end
+      let(:should_raise_with_tls) do
+        true
+      end
+      it_behaves_like 'it respect KMS TLS options'
+    end
+    context 'KMIP' do
+      let(:kms_provider) do
+        'kmip'
+      end
+      let(:master_key) do
+        {}
+      end
+      let(:should_raise_with_tls) do
+        false
+      end
+      it_behaves_like 'it respect KMS TLS options'
+    end
+  end
+end

data/spec/integration/client_side_encryption/kms_tls_spec.rb ADDED Viewed

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+# encoding: utf-8
+require 'spec_helper'
+describe 'Client-Side Encryption' do
+  describe 'Prose tests: KMS TLS Tests' do
+    require_libmongocrypt
+    require_enterprise
+    min_server_fcv '4.2'
+    include_context 'define shared FLE helpers'
+    let(:client) do
+      new_local_client(
+        SpecConfig.instance.addresses,
+        SpecConfig.instance.test_options
+      )
+    end
+    let(:client_encryption) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: aws_kms_providers,
+          kms_tls_options: {
+            aws: default_kms_tls_options_for_provider
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+    context 'invalid KMS certificate' do
+      it 'raises an error when creating data key' do
+        expect do
+          client_encryption.create_data_key(
+            'aws',
+            {
+              master_key: {
+                region: "us-east-1",
+                key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+                endpoint: "127.0.0.1:8000",
+              }
+           }
+          )
+        end.to raise_error(Mongo::Error::KmsError, /certificate verify failed/)
+      end
+    end
+    context 'Invalid Hostname in KMS Certificate' do
+      context 'MRI' do
+        require_mri
+        it 'raises an error when creating data key' do
+          expect do
+            client_encryption.create_data_key(
+              'aws',
+              {
+                master_key: {
+                  region: "us-east-1",
+                  key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+                  endpoint: "127.0.0.1:8001",
+                }
+            }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /certificate verify failed/)
+        end
+      end
+      context 'JRuby' do
+        require_jruby
+        it 'raises an error when creating data key' do
+          expect do
+            client_encryption.create_data_key(
+              'aws',
+              {
+                master_key: {
+                  region: "us-east-1",
+                  key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+                  endpoint: "127.0.0.1:8001",
+                }
+            }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /hostname mismatch/)
+        end
+      end
+    end
+  end
+end

data/spec/integration/client_side_encryption/queryable_encryption_examples_spec.rb ADDED Viewed

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+# encoding: utf-8
+require 'spec_helper'
+describe 'Queryable encryption examples' do
+  require_libmongocrypt
+  min_server_version '6.0.0-rc8'
+  require_topology :replica_set, :sharded, :load_balanced
+  require_enterprise
+  include_context 'define shared FLE helpers'
+  it 'uses queryable encryption' do
+    #  Drop data from prior test runs.
+    authorized_client.use('docs_examples').database.drop
+    authorized_client.use('keyvault')['datakeys'].drop
+    # Create two data keys.
+    # Note for docs team: remove the test_options argument when copying
+    # this example into public documentation.
+    key_vault_client = ClientRegistry.instance.new_local_client(
+      SpecConfig.instance.addresses,
+      SpecConfig.instance.test_options
+    )
+    client_encryption = Mongo::ClientEncryption.new(
+      key_vault_client,
+      key_vault_namespace: 'keyvault.datakeys',
+      kms_providers: {
+        local: {
+          key: local_master_key
+        }
+      }
+    )
+    data_key_1_id = client_encryption.create_data_key('local')
+    data_key_2_id = client_encryption.create_data_key('local')
+    # Create an encryptedFieldsMap.
+    encrypted_fields_map = {
+      'docs_examples.encrypted' => {
+        fields: [
+          {
+            path: 'encrypted_indexed',
+            bsonType: 'string',
+            keyId: data_key_1_id,
+            queries: {
+              queryType: 'equality'
+            }
+          },
+          {
+            path: 'encrypted_unindexed',
+            bsonType: 'string',
+            keyId: data_key_2_id,
+          }
+        ]
+      }
+    }
+    # Create client with automatic queryable encryption enabled.
+    # Note for docs team: remove the test_options argument when copying
+    # this example into public documentation.
+    encrypted_client = ClientRegistry.instance.new_local_client(
+      SpecConfig.instance.addresses,
+      SpecConfig.instance.test_options.merge(
+        auto_encryption_options: {
+          key_vault_namespace: "keyvault.datakeys",
+          kms_providers: {
+            local: {
+              key: local_master_key
+            }
+          },
+          encrypted_fields_map: encrypted_fields_map,
+          # Spawn mongocryptd on non-default port for sharded cluster tests
+          # Note for docs team: remove the extra_options argument when copying
+          # this example into public documentation.
+          extra_options: extra_options,
+        },
+        database: 'docs_examples'
+      )
+    )
+    # Create collection with queryable encryption enabled.
+    encrypted_client['encrypted'].create
+    # Auto encrypt an insert and find.
+    encrypted_client['encrypted'].insert_one(
+      _id: 1,
+      encrypted_indexed: "indexed_value",
+			encrypted_unindexed: "unindexed_value",
+    )
+    find_results = encrypted_client['encrypted'].find(
+      encrypted_indexed: "indexed_value"
+    ).to_a
+    expect(find_results.size).to eq(1)
+    expect(find_results.first[:encrypted_indexed]).to eq("indexed_value")
+    expect(find_results.first[:encrypted_unindexed]).to eq("unindexed_value")
+    # Find documents without decryption.
+    find_results = authorized_client
+      .use('docs_examples')['encrypted']
+      .find(_id: 1)
+      .to_a
+    expect(find_results.size).to eq(1)
+    expect(find_results.first[:encrypted_indexed]).to be_a(BSON::Binary)
+    expect(find_results.first[:encrypted_unindexed]).to be_a(BSON::Binary)
+    # Cleanup
+    authorized_client.use('docs_examples').database.drop
+    authorized_client.use('keyvault')['datakeys'].drop
+  end
+end