RubyGems - mongo - Versions diffs - 2.17.4 → 2.18.0.beta1 - Mend

mongo 2.17.4 → 2.18.0.beta1

Files changed (624) hide show

data/spec/integration/client_side_encryption/corpus_spec.rb CHANGED Viewed

@@ -15,7 +15,7 @@ describe 'Client-Side Encryption' do
     let(:key_vault_client) do
       client.with(
-        database: 'admin',
+        database: 'keyvault',
         write_concern: { w: :majority }
       )['datakeys']
     end
@@ -23,6 +23,9 @@ describe 'Client-Side Encryption' do
     let(:test_schema_map) { BSON::ExtJSON.parse(File.read('spec/support/crypt/corpus/corpus-schema.json')) }
     let(:local_data_key) { BSON::ExtJSON.parse(File.read('spec/support/crypt/corpus/corpus-key-local.json')) }
     let(:aws_data_key) { BSON::ExtJSON.parse(File.read('spec/support/crypt/corpus/corpus-key-aws.json')) }
+    let(:azure_data_key) { BSON::ExtJSON.parse(File.read('spec/support/crypt/corpus/corpus-key-azure.json')) }
+    let(:gcp_data_key) { BSON::ExtJSON.parse(File.read('spec/support/crypt/corpus/corpus-key-gcp.json')) }
+    let(:kmip_data_key) { BSON::ExtJSON.parse(File.read('spec/support/crypt/corpus/corpus-key-kmip.json')) }
     let(:client_encrypted) do
       new_local_client(
@@ -35,8 +38,27 @@ describe 'Client-Side Encryption' do
                 access_key_id: SpecConfig.instance.fle_aws_key,
                 secret_access_key: SpecConfig.instance.fle_aws_secret,
               },
+              azure: {
+                tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+                client_id: SpecConfig.instance.fle_azure_client_id,
+                client_secret: SpecConfig.instance.fle_azure_client_secret,
+              },
+              gcp: {
+                email: SpecConfig.instance.fle_gcp_email,
+                private_key: SpecConfig.instance.fle_gcp_private_key,
+              },
+              kmip: {
+                endpoint: SpecConfig.instance.fle_kmip_endpoint,
+              }
+            },
+            kms_tls_options: {
+              kmip: {
+                ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+                ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+                ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              }
             },
-            key_vault_namespace: 'admin.datakeys',
+            key_vault_namespace: 'keyvault.datakeys',
             schema_map: local_schema_map,
             # Spawn mongocryptd on non-default port for sharded cluster tests
             extra_options: extra_options,
@@ -55,9 +77,28 @@ describe 'Client-Side Encryption' do
             aws: {
               access_key_id: SpecConfig.instance.fle_aws_key,
               secret_access_key: SpecConfig.instance.fle_aws_secret,
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+            },
+            kmip: {
+              endpoint: SpecConfig.instance.fle_kmip_endpoint,
+            }
+          },
+          kms_tls_options: {
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
             }
           },
-          key_vault_namespace: 'admin.datakeys',
+          key_vault_namespace: 'keyvault.datakeys',
         },
       )
     end
@@ -67,7 +108,7 @@ describe 'Client-Side Encryption' do
     end
     let(:corpus_encrypted_expected) do
-      BSON::ExtJSON.parse(File.read('spec/support/crypt/corpus/corpus_encrypted.json'))
+      BSON::ExtJSON.parse(File.read('spec/support/crypt/corpus/corpus-encrypted.json'))
     end
     let(:corpus_copied) do
@@ -78,7 +119,7 @@ describe 'Client-Side Encryption' do
       # to encrypt that value.
       corpus_copied = BSON::Document.new
       corpus.each do |key, doc|
-        if ['_id', 'altname_aws', 'altname_local'].include?(key)
+        if ['_id', 'altname_aws', 'altname_azure', 'altname_gcp', 'altname_kmip', 'altname_local'].include?(key)
           corpus_copied[key] = doc
           next
         end
@@ -89,8 +130,14 @@ describe 'Client-Side Encryption' do
           options = if doc['identifier'] == 'id'
             key_id = if doc['kms'] == 'local'
               'LOCALAAAAAAAAAAAAAAAAA=='
-            else
+            elsif doc['kms'] == 'azure'
+              'AZUREAAAAAAAAAAAAAAAAA=='
+            elsif doc['kms'] == 'gcp'
+              'GCPAAAAAAAAAAAAAAAAAAA=='
+            elsif doc['kms'] == 'aws'
               'AWSAAAAAAAAAAAAAAAAAAA=='
+            elsif doc['kms'] == 'kmip'
+              'KMIPAAAAAAAAAAAAAAAAAA=='
             end
             { key_id: BSON::Binary.new(Base64.decode64(key_id), :uuid) }
@@ -117,7 +164,7 @@ describe 'Client-Side Encryption' do
             # If doc['allowed'] is false, this error was expected and the value
             # should be copied over without being encrypted.
             if doc['allowed']
-              raise "Unexpected error occured in client-side encryption " +
+              raise "Unexpected error occurred in client-side encryption " +
                 "corpus tests: #{e.class}: #{e.message}"
             end
@@ -132,10 +179,13 @@ describe 'Client-Side Encryption' do
     before do
       client.use('db')['coll'].drop
-      key_vault_collection = client.use('admin')['datakeys', write_concern: { w: :majority }]
+      key_vault_collection = client.use('keyvault')['datakeys', write_concern: { w: :majority }]
       key_vault_collection.drop
       key_vault_collection.insert_one(local_data_key)
       key_vault_collection.insert_one(aws_data_key)
+      key_vault_collection.insert_one(azure_data_key)
+      key_vault_collection.insert_one(gcp_data_key)
+      key_vault_collection.insert_one(kmip_data_key)
     end
     shared_context 'with jsonSchema collection validator' do
@@ -178,9 +228,6 @@ describe 'Client-Side Encryption' do
           .find(_id: corpus_encrypted_id)
           .first
-        # Check that the actual encrypted document matches the expected
-        # encrypted document.
-        expect(corpus_encrypted_actual.keys).to eq(corpus_encrypted_expected.keys)
         corpus_encrypted_actual.each do |key, value|
           # If it was deterministically encrypted, test the encrypted values
@@ -205,32 +252,14 @@ describe 'Client-Side Encryption' do
       end
     end
-    context 'with local KMS provider' do
-      include_context 'with local kms_providers'
-      context 'with collection validator' do
-        include_context 'with jsonSchema collection validator'
-        it_behaves_like 'a functioning encrypter'
-      end
-      context 'with schema map' do
-        include_context 'with local schema map'
-        it_behaves_like 'a functioning encrypter'
-      end
+    context 'with collection validator' do
+      include_context 'with jsonSchema collection validator'
+      it_behaves_like 'a functioning encrypter'
     end
-    context 'with AWS KMS provider' do
-      include_context 'with AWS kms_providers'
-      context 'with collection validator' do
-        include_context 'with jsonSchema collection validator'
-        it_behaves_like 'a functioning encrypter'
-      end
-      context 'with schema map' do
-        include_context 'with local schema map'
-        it_behaves_like 'a functioning encrypter'
-      end
+    context 'with schema map' do
+      include_context 'with local schema map'
+      it_behaves_like 'a functioning encrypter'
     end
   end
 end

data/spec/integration/client_side_encryption/custom_endpoint_spec.rb CHANGED Viewed

@@ -23,11 +23,18 @@ describe 'Client-Side Encryption' do
         client,
         {
           kms_providers: aws_kms_providers,
-          key_vault_namespace: 'admin.datakeys',
+          key_vault_namespace: 'keyvault.datakeys',
         },
       )
     end
+    let(:master_key_template) do
+      {
+        region: "us-east-1",
+        key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"
+      }
+    end
     let(:data_key_id) do
       client_encryption.create_data_key('aws', master_key: master_key)
     end
@@ -51,10 +58,7 @@ describe 'Client-Side Encryption' do
     context 'with region and key options' do
       let(:master_key) do
-        {
-          region: "us-east-1",
-          key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"
-        }
+        master_key_template
       end
       it_behaves_like 'a functioning data key'
@@ -62,11 +66,7 @@ describe 'Client-Side Encryption' do
     context 'with region, key, and endpoint options' do
       let(:master_key) do
-        {
-          region: "us-east-1",
-          key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
-          endpoint: "kms.us-east-1.amazonaws.com"
-        }
+        master_key_template.merge({endpoint: "kms.us-east-1.amazonaws.com"})
       end
       it_behaves_like 'a functioning data key'
@@ -74,62 +74,59 @@ describe 'Client-Side Encryption' do
     context 'with region, key, and endpoint with valid port' do
       let(:master_key) do
-        {
-          region: "us-east-1",
-          key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
-          endpoint: "kms.us-east-1.amazonaws.com:443"
-        }
+        master_key_template.merge({endpoint: "kms.us-east-1.amazonaws.com:443"})
       end
       it_behaves_like 'a functioning data key'
     end
+    shared_examples 'raising a KMS error' do
+      it 'throws an exception' do
+        expect do
+          data_key_id
+        end.to raise_error(Mongo::Error::KmsError, error_regex)
+      end
+    end
     context 'with region, key, and endpoint with invalid port' do
       let(:master_key) do
-        {
-          region: "us-east-1",
-          key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
-          endpoint: "kms.us-east-1.amazonaws.com:12345"
-        }
+        master_key_template.merge({endpoint: "kms.us-east-1.amazonaws.com:12345"})
       end
-      it 'throws an exception' do
-        expect do
-          data_key_id
-        end.to raise_error(Mongo::Error::KmsError, /Connection refused/)
+      let(:error_regex) do
+        if BSON::Environment.jruby?
+          /SocketError/
+        else
+          /Connection refused/
+        end
       end
+      it_behaves_like 'raising a KMS error'
     end
     context 'with region, key, and endpoint with invalid region' do
       let(:master_key) do
-        {
-          region: "us-east-1",
-          key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
-          endpoint: "kms.us-east-2.amazonaws.com"
-        }
+        master_key_template.merge({endpoint: "kms.us-east-2.amazonaws.com"})
       end
-      it 'throws an exception' do
-        expect do
-          data_key_id
-        end.to raise_error(Mongo::Error::KmsError, /us-east-1/)
+      let(:error_regex) do
+        //
       end
+      it_behaves_like 'raising a KMS error'
     end
     context 'with region, key, and endpoint at incorrect domain' do
       let(:master_key) do
-        {
-          region: "us-east-1",
-          key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
-          endpoint: "example.com"
-        }
+        master_key_template.merge({endpoint: "example.com"})
       end
-      it 'throws an exception' do
-        expect do
-          data_key_id
-        end.to raise_error(Mongo::Error::KmsError, /parse error/)
+      let(:error_regex) do
+        /parse error/
       end
+      it_behaves_like 'raising a KMS error'
     end
   end
 end

data/spec/integration/client_side_encryption/data_key_spec.rb CHANGED Viewed

@@ -50,8 +50,27 @@ describe 'Client-Side Encryption' do
                 access_key_id: SpecConfig.instance.fle_aws_key,
                 secret_access_key: SpecConfig.instance.fle_aws_secret,
               },
+              azure: {
+                tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+                client_id: SpecConfig.instance.fle_azure_client_id,
+                client_secret: SpecConfig.instance.fle_azure_client_secret,
+              },
+              gcp: {
+                email: SpecConfig.instance.fle_gcp_email,
+                private_key: SpecConfig.instance.fle_gcp_private_key,
+              },
+              kmip: {
+                endpoint: SpecConfig.instance.fle_kmip_endpoint
+              }
             },
-            key_vault_namespace: 'admin.datakeys',
+            kms_tls_options: {
+              kmip: {
+                ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+                ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+                ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              }
+            },
+            key_vault_namespace: 'keyvault.datakeys',
             schema_map: test_schema_map,
             # Spawn mongocryptd on non-default port for sharded cluster tests
             extra_options: extra_options,
@@ -70,15 +89,34 @@ describe 'Client-Side Encryption' do
             aws: {
               access_key_id: SpecConfig.instance.fle_aws_key,
               secret_access_key: SpecConfig.instance.fle_aws_secret,
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+            },
+            kmip: {
+              endpoint: SpecConfig.instance.fle_kmip_endpoint
             }
           },
-          key_vault_namespace: 'admin.datakeys',
+          kms_tls_options: {
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
         },
       )
     end
     before do
-      client.use('admin')['datakeys'].drop
+      client.use('keyvault')['datakeys'].drop
       client.use('db')['coll'].drop
     end
@@ -91,7 +129,7 @@ describe 'Client-Side Encryption' do
         expect(data_key_id).to be_uuid
-        keys = client.use('admin')['datakeys'].find(_id: data_key_id)
+        keys = client.use('keyvault')['datakeys'].find(_id: data_key_id)
         expect(keys.count).to eq(1)
         expect(keys.first['masterKey']['provider']).to eq(kms_provider_name)
@@ -134,7 +172,7 @@ describe 'Client-Side Encryption' do
         expect do
           client_encrypted['coll'].insert_one(encrypted_placeholder: encrypted)
-        end.to raise_error(Mongo::Error::OperationFailure, /Cannot encrypt element of type binData/)
+        end.to raise_error(Mongo::Error::OperationFailure, /Cannot encrypt element of type(: encrypted binary data| binData)/)
       end
     end
@@ -156,8 +194,60 @@ describe 'Client-Side Encryption' do
       let(:data_key_options) do
         {
           master_key: {
-            region: "us-east-1",
-            key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0"
+            region: SpecConfig.instance.fle_aws_region,
+            key: SpecConfig.instance.fle_aws_arn,
+          }
+        }
+      end
+      it_behaves_like 'can create and use a data key'
+    end
+    context 'with Azure KMS options' do
+      include_context 'with Azure kms_providers'
+      let(:key_alt_name) { 'azure_altname' }
+      let(:value_to_encrypt) { 'hello azure' }
+      let(:data_key_options) do
+        {
+          master_key: {
+            key_vault_endpoint: SpecConfig.instance.fle_azure_key_vault_endpoint,
+            key_name: SpecConfig.instance.fle_azure_key_name,
+          }
+        }
+      end
+      it_behaves_like 'can create and use a data key'
+    end
+    context 'with GCP KMS options' do
+      include_context 'with GCP kms_providers'
+      let(:key_alt_name) { 'gcp_altname' }
+      let(:value_to_encrypt) { 'hello gcp' }
+      let(:data_key_options) do
+        {
+          master_key: {
+            project_id: SpecConfig.instance.fle_gcp_project_id,
+            location: SpecConfig.instance.fle_gcp_location,
+            key_ring: SpecConfig.instance.fle_gcp_key_ring,
+            key_name: SpecConfig.instance.fle_gcp_key_name,
+          }
+        }
+      end
+      it_behaves_like 'can create and use a data key'
+    end
+    context 'with KMIP KMS options' do
+      include_context 'with KMIP kms_providers'
+      let(:key_alt_name) { 'kmip_altname' }
+      let(:value_to_encrypt) { 'hello kmip' }
+      let(:data_key_options) do
+        {
+          master_key: {
+            key_id: "1"
           }
         }
       end

data/spec/integration/client_side_encryption/explicit_encryption_spec.rb CHANGED Viewed

@@ -12,6 +12,7 @@ describe 'Explicit Encryption' do
   let(:client_encryption_opts) do
     {
       kms_providers: kms_providers,
+      kms_tls_options: kms_tls_options,
       key_vault_namespace: key_vault_namespace
     }
   end
@@ -72,6 +73,28 @@ describe 'Explicit Encryption' do
     context 'with AWS KMS provider' do
       include_context 'with AWS kms_providers'
+      retry_test
+      it_behaves_like 'an explicit encrypter'
+    end
+    context 'with Azure KMS provider' do
+      include_context 'with Azure kms_providers'
+      retry_test
+      it_behaves_like 'an explicit encrypter'
+    end
+    context 'with GCP KMS provider' do
+      include_context 'with GCP kms_providers'
+      retry_test
+      it_behaves_like 'an explicit encrypter'
+    end
+    context 'with KMIP KMS provider' do
+      include_context 'with KMIP kms_providers'
+      retry_test
       it_behaves_like 'an explicit encrypter'
     end
@@ -92,6 +115,24 @@ describe 'Explicit Encryption' do
       it_behaves_like 'an explicit encrypter'
     end
+    context 'with Azure KMS provider' do
+      include_context 'with Azure kms_providers'
+      it_behaves_like 'an explicit encrypter'
+    end
+    context 'with GCP KMS provider' do
+      include_context 'with GCP kms_providers'
+      it_behaves_like 'an explicit encrypter'
+    end
+    context 'with KMIP KMS provider' do
+      include_context 'with KMIP kms_providers'
+      it_behaves_like 'an explicit encrypter'
+    end
     context 'with local KMS provider' do
       include_context 'with local kms_providers'
@@ -108,6 +149,24 @@ describe 'Explicit Encryption' do
       it_behaves_like 'an explicit encrypter'
     end
+    context 'with Azure KMS provider' do
+      include_context 'with Azure kms_providers'
+      it_behaves_like 'an explicit encrypter'
+    end
+    context 'with GCP KMS provider' do
+      include_context 'with GCP kms_providers'
+      it_behaves_like 'an explicit encrypter'
+    end
+    context 'with KMIP KMS provider' do
+      include_context 'with KMIP kms_providers'
+      it_behaves_like 'an explicit encrypter'
+    end
     context 'with local KMS provider' do
       include_context 'with local kms_providers'

data/spec/integration/client_side_encryption/explicit_queryable_encryption_spec.rb ADDED Viewed

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+# encoding: utf-8
+require 'spec_helper'
+describe 'Explicit Queryable Encryption' do
+  require_libmongocrypt
+  min_server_version '6.0.0-rc8'
+  require_topology :replica_set, :sharded, :load_balanced
+  include_context 'define shared FLE helpers'
+  let(:key1_id) do
+    key1_document['_id']
+  end
+  let(:encrypted_coll) do
+    'explicit_encryption'
+  end
+  let(:value) do
+    "encrypted indexed value"
+  end
+  let(:unindexed_value) do
+    "encrypted unindexed value"
+  end
+  let(:key_vault_client) do
+    ClientRegistry.instance.new_local_client(SpecConfig.instance.addresses)
+  end
+  let(:client_encryption_opts) do
+    {
+      kms_providers: local_kms_providers,
+      kms_tls_options: kms_tls_options,
+      key_vault_namespace: key_vault_namespace
+    }
+  end
+  let(:client_encryption) do
+    Mongo::ClientEncryption.new(
+      key_vault_client,
+      client_encryption_opts
+    )
+  end
+  let(:encrypted_client) do
+    ClientRegistry.instance.new_local_client(
+      SpecConfig.instance.addresses,
+      auto_encryption_options: {
+        key_vault_namespace: "#{key_vault_db}.#{key_vault_coll}",
+        kms_providers: local_kms_providers,
+        bypass_query_analysis: true
+      },
+      database: SpecConfig.instance.test_db
+    )
+  end
+  before(:each) do
+    authorized_client[encrypted_coll].drop(encrypted_fields: encrypted_fields)
+    authorized_client[encrypted_coll].create(encrypted_fields: encrypted_fields)
+    authorized_client.use(key_vault_db)[key_vault_coll].drop
+    authorized_client.use(key_vault_db)[key_vault_coll, write_concern: {w: :majority}].insert_one(key1_document)
+  end
+  after(:each) do
+    authorized_client[encrypted_coll].drop(encrypted_fields: encrypted_fields)
+    authorized_client.use(key_vault_db)[key_vault_coll].drop
+  end
+  it 'can insert encrypted indexed and find' do
+    insert_payload = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed"
+    )
+    encrypted_client[encrypted_coll].insert_one(
+      "encryptedIndexed" => insert_payload
+    )
+    find_payload = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality
+    )
+    find_results = encrypted_client[encrypted_coll]
+      .find("encryptedIndexed" => find_payload)
+      .to_a
+    expect(find_results.size).to eq(1)
+    expect(find_results.first["encryptedIndexed"]).to eq(value)
+  end
+  it 'can insert encrypted indexed and find with non-zero contention' do
+    10.times do
+      insert_payload = client_encryption.encrypt(
+        value, key_id: key1_id, algorithm: "Indexed", contention_factor: 10
+      )
+      encrypted_client[encrypted_coll].insert_one(
+        "encryptedIndexed" => insert_payload
+      )
+    end
+    find_payload = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality
+    )
+    find_results = encrypted_client[encrypted_coll]
+      .find("encryptedIndexed" => find_payload)
+      .to_a
+    expect(find_results.size).to be < 10
+    find_results.each do |doc|
+      expect(doc["encryptedIndexed"]).to eq(value)
+    end
+    find_payload_2 = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality, contention_factor: 10
+    )
+    find_results_2 = encrypted_client[encrypted_coll]
+      .find("encryptedIndexed" => find_payload_2)
+      .to_a
+    expect(find_results_2.size).to eq(10)
+    find_results_2.each do |doc|
+      expect(doc["encryptedIndexed"]).to eq(value)
+    end
+  end
+  it 'can insert encrypted unindexed' do
+    insert_payload = client_encryption.encrypt(
+      unindexed_value, key_id: key1_id, algorithm: "Unindexed"
+    )
+    encrypted_client[encrypted_coll].insert_one(
+      "_id" => 1, "encryptedUnindexed" => insert_payload
+    )
+    find_results = encrypted_client[encrypted_coll].find("_id" => 1).to_a
+    expect(find_results.size).to eq(1)
+    expect(find_results.first["encryptedUnindexed"]).to eq(unindexed_value)
+  end
+  it 'can roundtrip encrypted indexed' do
+    payload = client_encryption.encrypt(
+      value, key_id: key1_id, algorithm: "Indexed"
+    )
+    decrypted_value = client_encryption.decrypt(payload)
+    expect(decrypted_value).to eq(value)
+  end
+  it 'can roundtrip encrypted unindexed' do
+    payload = client_encryption.encrypt(
+      unindexed_value, key_id: key1_id, algorithm: "Unindexed"
+    )
+    decrypted_value = client_encryption.decrypt(payload)
+    expect(decrypted_value).to eq(unindexed_value)
+  end
+end