mongo 2.17.4 → 2.18.0.beta1

data/spec/integration/client_side_encryption/external_key_vault_spec.rb

@@ -39,11 +39,11 @@ describe 'Client-Side Encryption' do
     end
 
     before do
-      client.use('admin')['datakeys'].drop
+      client.use('keyvault')['datakeys'].drop
       client.use('db')['coll'].drop
 
       data_key = BSON::ExtJSON.parse(File.read('spec/support/crypt/external/external-key.json'))
-      client.use('admin')['datakeys', write_concern: { w: :majority }].insert_one(data_key)
+      client.use('keyvault')['datakeys', write_concern: { w: :majority }].insert_one(data_key)
     end
 
     context 'with default key vault client' do
@@ -53,7 +53,7 @@ describe 'Client-Side Encryption' do
           SpecConfig.instance.test_options.merge(
             auto_encryption_options: {
               kms_providers: local_kms_providers,
-              key_vault_namespace: 'admin.datakeys',
+              key_vault_namespace: 'keyvault.datakeys',
               schema_map: test_schema_map,
               # Spawn mongocryptd on non-default port for sharded cluster tests
               extra_options: extra_options,
@@ -68,7 +68,7 @@ describe 'Client-Side Encryption' do
           client,
           {
             kms_providers: local_kms_providers,
-            key_vault_namespace: 'admin.datakeys',
+            key_vault_namespace: 'keyvault.datakeys',
           }
         )
       end
@@ -101,7 +101,7 @@ describe 'Client-Side Encryption' do
           SpecConfig.instance.test_options.merge(
             auto_encryption_options: {
               kms_providers: local_kms_providers,
-              key_vault_namespace: 'admin.datakeys',
+              key_vault_namespace: 'keyvault.datakeys',
               schema_map: test_schema_map,
               key_vault_client: external_key_vault_client,
               # Spawn mongocryptd on non-default port for sharded cluster tests
@@ -117,7 +117,7 @@ describe 'Client-Side Encryption' do
           external_key_vault_client,
           {
             kms_providers: local_kms_providers,
-            key_vault_namespace: 'admin.datakeys',
+            key_vault_namespace: 'keyvault.datakeys',
           }
         )
       end

data/spec/integration/client_side_encryption/kms_tls_options_spec.rb

@@ -0,0 +1,394 @@
+# frozen_string_literal: true
+# encoding: utf-8
+
+require 'spec_helper'
+
+describe 'Client-Side Encryption' do
+  describe 'Prose tests: KMS TLS Options Tests' do
+    require_libmongocrypt
+    require_enterprise
+    min_server_fcv '4.2'
+
+    include_context 'define shared FLE helpers'
+
+    let(:client) do
+      new_local_client(
+        SpecConfig.instance.addresses,
+        SpecConfig.instance.test_options
+      )
+    end
+
+    let(:client_encryption_no_client_cert) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: {
+            aws: {
+              access_key_id: SpecConfig.instance.fle_aws_key,
+              secret_access_key: SpecConfig.instance.fle_aws_secret
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+              identity_platform_endpoint: "127.0.0.1:8002"
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+              endpoint: "127.0.0.1:8002"
+            },
+            kmip: {
+              endpoint: "127.0.0.1:5698"
+            }
+          },
+          kms_tls_options: {
+            aws: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            azure: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            gcp: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+
+    let(:client_encryption_with_tls) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: {
+            aws: {
+              access_key_id: SpecConfig.instance.fle_aws_key,
+              secret_access_key: SpecConfig.instance.fle_aws_secret
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+              identity_platform_endpoint: "127.0.0.1:8002"
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+              endpoint: "127.0.0.1:8002"
+            },
+            kmip: {
+              endpoint: "127.0.0.1:5698"
+            }
+          },
+          kms_tls_options: {
+            aws: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            },
+            azure: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            },
+            gcp: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            },
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file,
+              ssl_cert: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+              ssl_key: SpecConfig.instance.fle_kmip_tls_certificate_key_file,
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+
+    let(:client_encryption_expired) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: {
+            aws: {
+              access_key_id: SpecConfig.instance.fle_aws_key,
+              secret_access_key: SpecConfig.instance.fle_aws_secret
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+              identity_platform_endpoint: "127.0.0.1:8000"
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+              endpoint: "127.0.0.1:8000"
+            },
+            kmip: {
+              endpoint: "127.0.0.1:8000"
+            }
+          },
+          kms_tls_options: {
+            aws: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            azure: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            gcp: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+
+    let(:client_encryption_invalid_hostname) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: {
+            aws: {
+              access_key_id: SpecConfig.instance.fle_aws_key,
+              secret_access_key: SpecConfig.instance.fle_aws_secret
+            },
+            azure: {
+              tenant_id: SpecConfig.instance.fle_azure_tenant_id,
+              client_id: SpecConfig.instance.fle_azure_client_id,
+              client_secret: SpecConfig.instance.fle_azure_client_secret,
+              identity_platform_endpoint: "127.0.0.1:8001"
+            },
+            gcp: {
+              email: SpecConfig.instance.fle_gcp_email,
+              private_key: SpecConfig.instance.fle_gcp_private_key,
+              endpoint: "127.0.0.1:8001"
+            },
+            kmip: {
+              endpoint: "127.0.0.1:8001"
+            }
+          },
+          kms_tls_options: {
+            aws: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            azure: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            gcp: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            },
+            kmip: {
+              ssl_ca_cert: SpecConfig.instance.fle_kmip_tls_ca_file
+            }
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+
+    # We do noy use shared examples for AWS because of the way we pass endpoint.
+    context 'AWS' do
+      let(:master_key_template) do
+        {
+          region: "us-east-1",
+          key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+        }
+      end
+
+      context 'with no client certificate' do
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_no_client_cert.create_data_key(
+              'aws',
+              {
+                master_key: master_key_template.merge({endpoint: "127.0.0.1:8002"})
+              }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /(SocketError|ECONNRESET)/)
+        end
+      end
+
+      context 'with valid certificate' do
+        it 'TLS handshake passes' do
+          expect do
+            client_encryption_with_tls.create_data_key(
+              'aws',
+              {
+                master_key: master_key_template.merge({endpoint: "127.0.0.1:8002"})
+             }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /libmongocrypt error code/)
+        end
+      end
+
+      context 'with expired server certificate' do
+        let(:error_regex) do
+          if BSON::Environment.jruby?
+            /certificate verify failed/
+          else
+            /certificate has expired/
+          end
+        end
+
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_expired.create_data_key(
+              'aws',
+              {
+                master_key: master_key_template.merge({endpoint: "127.0.0.1:8000"})
+              }
+            )
+          end.to raise_error(Mongo::Error::KmsError, error_regex)
+        end
+      end
+
+      context 'with server certificate with invalid hostname' do
+        let(:error_regex) do
+          if BSON::Environment.jruby?
+            /TLS handshake failed due to a hostname mismatch/
+          else
+            /certificate verify failed/
+          end
+        end
+
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_invalid_hostname.create_data_key(
+              'aws',
+              {
+                master_key: master_key_template.merge({endpoint: "127.0.0.1:8001"})
+              }
+            )
+          end.to raise_error(Mongo::Error::KmsError, error_regex)
+        end
+      end
+    end
+
+    shared_examples 'it respect KMS TLS options' do
+      context 'with no client certificate' do
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_no_client_cert.create_data_key(
+              kms_provider,
+              {
+                master_key: master_key
+             }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /(SocketError|ECONNRESET)/)
+        end
+      end
+
+      context 'with valid certificate' do
+        it 'TLS handshake passes' do
+          expect do
+            client_encryption_with_tls.create_data_key(
+              kms_provider,
+              {
+                master_key: master_key
+             }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /libmongocrypt error code/)
+        end
+      end
+
+      context 'with expired server certificate' do
+        let(:error_regex) do
+          if BSON::Environment.jruby?
+            /certificate verify failed/
+          else
+            /certificate has expired/
+          end
+        end
+
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_expired.create_data_key(
+              kms_provider,
+              {
+                master_key: master_key
+            }
+            )
+          end.to raise_error(Mongo::Error::KmsError, error_regex)
+        end
+      end
+
+      context 'with server certificate with invalid hostname' do
+        let(:error_regex) do
+          if BSON::Environment.jruby?
+            /TLS handshake failed due to a hostname mismatch/
+          else
+            /certificate verify failed/
+          end
+        end
+
+        it 'TLS handshake failed' do
+          expect do
+            client_encryption_invalid_hostname.create_data_key(
+              kms_provider,
+              {
+                master_key: master_key
+              }
+            )
+          end.to raise_error(Mongo::Error::KmsError, error_regex)
+        end
+      end
+    end
+
+    context 'Azure' do
+      let(:kms_provider) do
+        'azure'
+      end
+
+      let(:master_key) do
+        {
+          key_vault_endpoint: 'doesnotexist.local',
+          key_name: 'foo'
+        }
+      end
+
+      it_behaves_like 'it respect KMS TLS options'
+    end
+
+    context 'GCP' do
+      let(:kms_provider) do
+        'gcp'
+      end
+
+      let(:master_key) do
+        {
+          project_id: 'foo',
+          location: 'bar',
+          key_ring: 'baz',
+          key_name: 'foo'
+        }
+      end
+
+      it_behaves_like 'it respect KMS TLS options'
+    end
+
+    context 'KMIP' do
+      let(:kms_provider) do
+        'kmip'
+      end
+
+      let(:master_key) do
+        {}
+      end
+
+      it_behaves_like 'it respect KMS TLS options'
+    end
+
+  end
+end

data/spec/integration/client_side_encryption/kms_tls_spec.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+# encoding: utf-8
+
+require 'spec_helper'
+
+describe 'Client-Side Encryption' do
+  describe 'Prose tests: KMS TLS Tests' do
+    require_libmongocrypt
+    require_enterprise
+    min_server_fcv '4.2'
+
+    include_context 'define shared FLE helpers'
+
+    let(:client) do
+      new_local_client(
+        SpecConfig.instance.addresses,
+        SpecConfig.instance.test_options
+      )
+    end
+
+    let(:client_encryption) do
+      Mongo::ClientEncryption.new(
+        client,
+        {
+          kms_providers: aws_kms_providers,
+          kms_tls_options: {
+            aws: default_kms_tls_options_for_provider
+          },
+          key_vault_namespace: 'keyvault.datakeys',
+        },
+      )
+    end
+
+    context 'invalid KMS certificate' do
+      it 'raises an error when creating data key' do
+        expect do
+          client_encryption.create_data_key(
+            'aws',
+            {
+              master_key: {
+                region: "us-east-1",
+                key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+                endpoint: "127.0.0.1:8000",
+              }
+           }
+          )
+        end.to raise_error(Mongo::Error::KmsError, /certificate verify failed/)
+      end
+    end
+
+    context 'Invalid Hostname in KMS Certificate' do
+      context 'MRI' do
+        require_mri
+
+        it 'raises an error when creating data key' do
+          expect do
+            client_encryption.create_data_key(
+              'aws',
+              {
+                master_key: {
+                  region: "us-east-1",
+                  key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+                  endpoint: "127.0.0.1:8001",
+                }
+            }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /certificate verify failed/)
+        end
+      end
+
+      context 'JRuby' do
+        require_jruby
+
+        it 'raises an error when creating data key' do
+          expect do
+            client_encryption.create_data_key(
+              'aws',
+              {
+                master_key: {
+                  region: "us-east-1",
+                  key: "arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0",
+                  endpoint: "127.0.0.1:8001",
+                }
+            }
+            )
+          end.to raise_error(Mongo::Error::KmsError, /hostname mismatch/)
+        end
+      end
+    end
+
+  end
+end

data/spec/integration/client_side_encryption/queryable_encryption_examples_spec.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+# encoding: utf-8
+
+require 'spec_helper'
+
+describe 'Queryable encryption examples' do
+  require_libmongocrypt
+  min_server_version '6.0.0-rc8'
+  require_topology :replica_set, :sharded, :load_balanced
+  require_enterprise
+
+  include_context 'define shared FLE helpers'
+
+  it 'uses queryable encryption' do
+    #  Drop data from prior test runs.
+    authorized_client.use('docs_examples').database.drop
+    authorized_client.use('keyvault')['datakeys'].drop
+
+    # Create two data keys.
+    # Note for docs team: remove the test_options argument when copying
+    # this example into public documentation.
+    key_vault_client = ClientRegistry.instance.new_local_client(
+      SpecConfig.instance.addresses,
+      SpecConfig.instance.test_options
+    )
+    client_encryption = Mongo::ClientEncryption.new(
+      key_vault_client,
+      key_vault_namespace: 'keyvault.datakeys',
+      kms_providers: {
+        local: {
+          key: local_master_key
+        }
+      }
+    )
+    data_key_1_id = client_encryption.create_data_key('local')
+    data_key_2_id = client_encryption.create_data_key('local')
+
+    # Create an encryptedFieldsMap.
+    encrypted_fields_map = {
+      'docs_examples.encrypted' => {
+        fields: [
+          {
+            path: 'encrypted_indexed',
+            bsonType: 'string',
+            keyId: data_key_1_id,
+            queries: {
+              queryType: 'equality'
+            }
+          },
+          {
+            path: 'encrypted_unindexed',
+            bsonType: 'string',
+            keyId: data_key_2_id,
+          }
+        ]
+      }
+    }
+
+    # Create client with automatic queryable encryption enabled.
+    # Note for docs team: remove the test_options argument when copying
+    # this example into public documentation.
+    encrypted_client = ClientRegistry.instance.new_local_client(
+      SpecConfig.instance.addresses,
+      SpecConfig.instance.test_options.merge(
+        auto_encryption_options: {
+          key_vault_namespace: "keyvault.datakeys",
+          kms_providers: {
+            local: {
+              key: local_master_key
+            }
+          },
+          encrypted_fields_map: encrypted_fields_map,
+          # Spawn mongocryptd on non-default port for sharded cluster tests
+          # Note for docs team: remove the extra_options argument when copying
+          # this example into public documentation.
+          extra_options: extra_options,
+        },
+        database: 'docs_examples'
+      )
+    )
+    # Create collection with queryable encryption enabled.
+    encrypted_client['encrypted'].create
+
+    # Auto encrypt an insert and find.
+    encrypted_client['encrypted'].insert_one(
+      _id: 1,
+      encrypted_indexed: "indexed_value",
+			encrypted_unindexed: "unindexed_value",
+    )
+
+    find_results = encrypted_client['encrypted'].find(
+      encrypted_indexed: "indexed_value"
+    ).to_a
+    expect(find_results.size).to eq(1)
+    expect(find_results.first[:encrypted_indexed]).to eq("indexed_value")
+    expect(find_results.first[:encrypted_unindexed]).to eq("unindexed_value")
+
+    # Find documents without decryption.
+    find_results = authorized_client
+      .use('docs_examples')['encrypted']
+      .find(_id: 1)
+      .to_a
+    expect(find_results.size).to eq(1)
+    expect(find_results.first[:encrypted_indexed]).to be_a(BSON::Binary)
+    expect(find_results.first[:encrypted_unindexed]).to be_a(BSON::Binary)
+
+    # Cleanup
+    authorized_client.use('docs_examples').database.drop
+    authorized_client.use('keyvault')['datakeys'].drop
+  end
+end

data/spec/integration/client_side_encryption/views_spec.rb

@@ -24,7 +24,7 @@ describe 'Client-Side Encryption' do
         SpecConfig.instance.test_options.merge(
           auto_encryption_options: {
             kms_providers: local_kms_providers,
-            key_vault_namespace: 'admin.datakeys',
+            key_vault_namespace: 'keyvault.datakeys',
             # Spawn mongocryptd on non-default port for sharded cluster tests
             extra_options: extra_options,
           },

data/spec/integration/client_update_spec.rb

@@ -15,8 +15,8 @@ describe Mongo::Client do
     include_context 'with local kms_providers'
 
     before do
-      authorized_client.use(:admin)[:datakeys].drop
-      authorized_client.use(:admin)[:datakeys].insert_one(data_key)
+      authorized_client.use(:keyvault)[:datakeys].drop
+      authorized_client.use(:keyvault)[:datakeys].insert_one(data_key)
       authorized_client.use(:auto_encryption)[:users].drop
       authorized_client.use(:auto_encryption)[:users,
         {

data/spec/integration/crud_spec.rb

@@ -240,6 +240,18 @@ describe 'CRUD operations' do
   end
 
   describe 'insert' do
+    context 'user documents' do
+      let(:doc) do
+        IceNine.deep_freeze(test: 42)
+      end
+
+      it 'does not mutate user documents' do
+        lambda do
+          collection.insert_one(doc)
+        end.should_not raise_error
+      end
+    end
+
     context 'inserting a BSON::Int64' do
       before do
         collection.insert_one(int64: BSON::Int64.new(42))