mongo 2.18.0.beta1 → 2.18.0

data/lib/mongo/crypt/binding.rb

@@ -475,6 +475,38 @@ module Mongo
         end
       end
 
+      # @!method self.mongocrypt_ctx_setopt_key_material(ctx, binary)
+      #   @api private
+      #
+      #   When creating a data key, set a custom key material to use for
+      #     encrypting data.
+      #   @param [ FFI::Pointer ] ctx A pointer to a mongocrypt_ctx_t object.
+      #   @param [ FFI::Pointer ] binary A pointer to a mongocrypt_binary_t
+      #     object that references the data encryption key to use.
+      #   @return [ Boolean ] Whether the custom key material was successfully set.
+      #   @note Do not initialize ctx before calling this method.
+      attach_function(
+        :mongocrypt_ctx_setopt_key_material,
+        [:pointer, :pointer],
+        :bool
+      )
+
+      # Set set a custom key material to use for
+      #     encrypting data.
+      #
+      # @param [ Mongo::Crypt::Context ] context A DataKeyContext
+      # @param [ BSON::Binary ] key_material 96 bytes of custom key material
+      #
+      # @raise [ Mongo::Error::CryptError ] If the key material is not 96 bytes.
+      def self.ctx_setopt_key_material(context, key_material)
+        data = {'keyMaterial' => key_material}.to_bson.to_s
+        Binary.wrap_string(data) do |data_p|
+          check_ctx_status(context) do
+            mongocrypt_ctx_setopt_key_material(context.ctx_p, data_p)
+          end
+        end
+      end
+
       # @!method self.mongocrypt_ctx_setopt_algorithm(ctx, algorithm, len)
       #   @api private
       #
@@ -562,6 +594,40 @@ module Mongo
         end
       end
 
+      # @!method self.mongocrypt_ctx_datakey_init(ctx, filter)
+      #   @api private
+      #
+      # Initialize a context to rewrap datakeys.
+      #
+      # @param [ FFI::Pointer ] ctx A pointer to a mongocrypt_ctx_t object.
+      # @param [ FFI::Pointer ] filter A pointer to a  mongocrypt_binary_t object
+      #   that represents filter to use for the find command on the key vault
+      #   collection to retrieve datakeys to rewrap.
+      #
+      # @return [ Boolean ] Whether the initialization was successful.
+      attach_function(
+        :mongocrypt_ctx_rewrap_many_datakey_init,
+        [:pointer, :pointer],
+        :bool
+      )
+
+      # Initialize a context to rewrap datakeys.
+      #
+      # @param [ Mongo::Crypt::Context ] context
+      # @param [ BSON::Document ] filter BSON Document
+      #   that represents filter to use for the find command on the key vault
+      #   collection to retrieve datakeys to rewrap.
+      #
+      # @return [ Boolean ] Whether the initialization was successful.
+      def self.ctx_rewrap_many_datakey_init(context, filter)
+        filter_data = filter.to_bson.to_s
+        Binary.wrap_string(filter_data) do |data_p|
+          check_ctx_status(context) do
+            mongocrypt_ctx_rewrap_many_datakey_init(context.ctx_p, data_p)
+          end
+        end
+      end
+
       # @!method self.mongocrypt_ctx_encrypt_init(ctx, db, db_len, cmd)
       #   @api private
       #
@@ -974,7 +1040,7 @@ module Mongo
           status = Status.new
 
           mongocrypt_kms_ctx_status(kms_context.kms_ctx_p, status.ref)
-          status.raise_crypt_error
+          status.raise_crypt_error(kms: true)
         end
       end
 
@@ -1319,48 +1385,6 @@ module Mongo
         end
       end
 
-      enum :mongocrypt_index_type, [
-        :none, 1,
-        :equality
-      ]
-
-      # @!method self.mongocrypt_ctx_setopt_index_type(ctx, mongocrypt_index_type)
-      #   @api private
-      #
-      # Set the index type used for explicit encryption.
-      # The index type is only used for FLE 2 encryption.
-      #
-      # @param [ FFI::Pointer ] ctx A pointer to a mongocrypt_ctx_t object.
-      # @param[ mongocrypt_index_type ] index_type Type of the index.
-      #
-      # @return [ Boolean ] Whether setting this option succeeded.
-      attach_function(
-        :mongocrypt_ctx_setopt_index_type,
-        [
-          :pointer,
-          :mongocrypt_index_type
-        ],
-        :bool
-      )
-
-      # Set the index type used for explicit encryption.
-      # The index type is only used for FLE 2 encryption.
-      #
-      # @param [ Mongo::Crypt::Context ] context Explicit encryption context.
-      # @param [ Symbol ] :mongocrypt_index_type index_type Type of the index.
-      #   Allowed values are :none, :equality.
-      #
-      # @raise [ Mongo::Error::CryptError ] If the operation failed.
-      def self.ctx_setopt_index_type(context, index_type)
-        check_ctx_status(context) do
-          mongocrypt_ctx_setopt_index_type(context.ctx_p, index_type)
-        end
-      end
-
-      enum :mongocrypt_query_type, [
-        :equality, 1
-      ]
-
       # @!method self.mongocrypt_ctx_setopt_query_type(ctx, mongocrypt_query_type)
       #   @api private
       #
@@ -1368,14 +1392,16 @@ module Mongo
       # The query type is only used for indexed FLE 2 encryption.
       #
       # @param [ FFI::Pointer ] ctx A pointer to a mongocrypt_ctx_t object.
-      # @param [ mongocrypt_query_type ] query_type Type of the query.
+      # @param [ String ] query_type Type of the query.
+      # @param [ Integer ] len The length of the query type string.
       #
       # @return [ Boolean ] Whether setting this option succeeded.
       attach_function(
         :mongocrypt_ctx_setopt_query_type,
         [
           :pointer,
-          :mongocrypt_query_type
+          :string,
+          :int
         ],
         :bool
       )
@@ -1384,13 +1410,12 @@ module Mongo
       # The query type is only used for indexed FLE 2 encryption.
       #
       # @param [ Mongo::Crypt::Context ] context Explicit encryption context.
-      # @param [ Symbol ] :mongocrypt_query_type query_type Type of the query.
-      #   Allowed value is :equality.
+      # @param [ String ] :mongocrypt_query_type query_type Type of the query.
       #
       # @raise [ Mongo::Error::CryptError ] If the operation failed.
       def self.ctx_setopt_query_type(context, query_type)
         check_ctx_status(context) do
-          mongocrypt_ctx_setopt_query_type(context.ctx_p, query_type)
+          mongocrypt_ctx_setopt_query_type(context.ctx_p, query_type, -1)
         end
       end
 

data/lib/mongo/crypt/data_key_context.rb

@@ -34,10 +34,15 @@ module Mongo
       #   key document that contains master encryption key parameters.
       # @param [ Array<String> | nil ] key_alt_names An optional array of strings specifying
       #   alternate names for the new data key.
-      def initialize(mongocrypt, io, master_key_document, key_alt_names = nil)
+      # @param [ String | nil ] :key_material Optional
+      #   96 bytes to use as custom key material for the data key being created.
+      #   If :key_material option is given, the custom key material is used
+      #   for encrypting and decrypting data.
+      def initialize(mongocrypt, io, master_key_document, key_alt_names, key_material)
         super(mongocrypt, io)
         Binding.ctx_setopt_key_encryption_key(self, master_key_document.to_document)
         set_key_alt_names(key_alt_names) if key_alt_names
+        Binding.ctx_setopt_key_material(self, BSON::Binary.new(key_material)) if key_material
         initialize_ctx
       end
 

data/lib/mongo/crypt/encryption_io.rb

@@ -158,6 +158,72 @@ module Mongo
         end
       end
 
+      # Adds a key_alt_name to the key_alt_names array of the key document
+      # in the key vault collection with the given id.
+      def add_key_alt_name(id, key_alt_name)
+        key_vault_collection.find_one_and_update(
+          { _id: id },
+          { '$addToSet' => { keyAltNames: key_alt_name } },
+        )
+      end
+
+      # Removes the key document with the given id
+      # from the key vault collection.
+      def delete_key(id)
+        key_vault_collection.delete_one(_id: id)
+      end
+
+      # Finds a single key document with the given id.
+      def get_key(id)
+        key_vault_collection.find(_id: id).first
+      end
+
+      # Returns a key document in the key vault collection with
+      # the given key_alt_name.
+      def get_key_by_alt_name(key_alt_name)
+        key_vault_collection.find(keyAltNames: key_alt_name).first
+      end
+
+      # Finds all documents in the key vault collection.
+      def get_keys
+        key_vault_collection.find
+      end
+
+      # Removes a key_alt_name from the key_alt_names array of the key document
+      # in the key vault collection with the given id.
+      def remove_key_alt_name(id, key_alt_name)
+        key_vault_collection.find_one_and_update(
+          { _id: id },
+          [
+            {
+              '$set' => {
+                keyAltNames: {
+                  '$cond' => [
+                    { '$eq' => [ '$keyAltNames', [ key_alt_name ] ] },
+                    '$$REMOVE',
+                    {
+                      '$filter' => {
+                        input: '$keyAltNames',
+                        cond: { '$ne' =>  [ '$$this', key_alt_name ] }
+                      }
+                    }
+                  ]
+                }
+              }
+            }
+          ]
+        )
+      end
+
+      # Apply given requests to the key vault collection using bulk write.
+      #
+      # @param [ Array<Hash> ] requests The bulk write requests.
+      #
+      # @return [ BulkWrite::Result ] The result of the operation.
+      def update_data_keys(updates)
+        key_vault_collection.bulk_write(updates)
+      end
+
       private
 
       def validate_key_vault_client!(key_vault_client)

data/lib/mongo/crypt/explicit_encrypter.rb

@@ -40,7 +40,7 @@ module Mongo
         @encryption_io = EncryptionIO.new(
           key_vault_client: key_vault_client,
           metadata_client: nil,
-          key_vault_namespace: key_vault_namespace
+          key_vault_namespace: key_vault_namespace,
         )
       end
 
@@ -52,15 +52,20 @@ module Mongo
       #   key document that contains master encryption key parameters.
       # @param [ Array<String> | nil ] key_alt_names An optional array of strings specifying
       #   alternate names for the new data key.
+      # @param [ String | nil ] key_material Optional 96 bytes to use as
+      #   custom key material for the data key being created.
+      #   If key_material option is given, the custom key material is used
+      #   for encrypting and decrypting data.
       #
       # @return [ BSON::Binary ] The 16-byte UUID of the new data key as a
       #   BSON::Binary object with type :uuid.
-      def create_and_insert_data_key(master_key_document, key_alt_names)
+      def create_and_insert_data_key(master_key_document, key_alt_names, key_material = nil)
         data_key_document = Crypt::DataKeyContext.new(
           @crypt_handle,
           @encryption_io,
           master_key_document,
-          key_alt_names
+          key_alt_names,
+          key_material
         ).run_state_machine
 
         @encryption_io.insert_data_key(data_key_document).inserted_id
@@ -83,10 +88,10 @@ module Mongo
       #   to be applied if encryption algorithm is set to "Indexed". If not
       #   provided, it defaults to a value of 0. Contention factor should be set
       #   only if encryption algorithm is set to "Indexed".
-      # @option options [ Symbol ] query_type Query type to be applied
+      # @option options [ String | nil ] query_type Query type to be applied
       # if encryption algorithm is set to "Indexed". Query type should be set
       #   only if encryption algorithm is set to "Indexed". The only allowed
-      #   value is :equality.
+      #   value is "equality".
       #
       # @note The :key_id and :key_alt_name options are mutually exclusive. Only
       #   one is required to perform explicit encryption.
@@ -117,6 +122,112 @@ module Mongo
           { 'v': value },
         ).run_state_machine['v']
       end
+
+      # Adds a key_alt_name for the key in the key vault collection with the given id.
+      #
+      # @param [ BSON::Binary ] id Id of the key to add new key alt name.
+      # @param [ String ] key_alt_name New key alt name to add.
+      #
+      # @return [ BSON::Document | nil ] Document describing the identified key
+      #   before adding the key alt name, or nil if no such key.
+      def add_key_alt_name(id, key_alt_name)
+        @encryption_io.add_key_alt_name(id, key_alt_name)
+      end
+
+      # Removes the key with the given id from the key vault collection.
+      #
+      # @param [ BSON::Binary ] id Id of the key to delete.
+      #
+      # @return [ Operation::Result ] The response from the database for the delete_one
+      #   operation that deletes the key.
+      def delete_key(id)
+        @encryption_io.delete_key(id)
+      end
+
+      # Finds a single key with the given id.
+      #
+      # @param [ BSON::Binary ] id Id of the key to get.
+      #
+      # @return [ BSON::Document | nil ] The found key document or nil
+      #   if not found.
+      def get_key(id)
+        @encryption_io.get_key(id)
+      end
+
+      # Returns a key in the key vault collection with the given key_alt_name.
+      #
+      # @param [ String ] key_alt_name Key alt name to find a key.
+      #
+      # @return [ BSON::Document | nil ] The found key document or nil
+      #   if not found.
+      def get_key_by_alt_name(key_alt_name)
+        @encryption_io.get_key_by_alt_name(key_alt_name)
+      end
+
+      # Returns all keys in the key vault collection.
+      #
+      # @return [ Collection::View ] Keys in the key vault collection.
+      def get_keys
+        @encryption_io.get_keys
+      end
+
+      # Removes a key_alt_name from a key in the key vault collection with the given id.
+      #
+      # @param [ BSON::Binary ] id Id of the key to remove key alt name.
+      # @param [ String ] key_alt_name Key alt name to remove.
+      #
+      # @return [ BSON::Document | nil ] Document describing the identified key
+      #   before removing the key alt name, or nil if no such key.
+      def remove_key_alt_name(id, key_alt_name)
+        @encryption_io.remove_key_alt_name(id, key_alt_name)
+      end
+
+      # Decrypts multiple data keys and (re-)encrypts them with a new master_key,
+      #   or with their current master_key if a new one is not given.
+      #
+      # @param [ Hash ] filter Filter used to find keys to be updated.
+      # @param [ Hash ] options
+      #
+      # @option options [ String ] :provider KMS provider to encrypt keys.
+      # @option options [ Hash | nil ] :master_key Document describing master key
+      #   to encrypt keys.
+      #
+      # @return [ Crypt::RewrapManyDataKeyResult ] Result of the operation.
+      def rewrap_many_data_key(filter, opts = {})
+        master_key_document = if opts[:provider]
+          options = opts.dup
+          provider = options.delete(:provider)
+          KMS::MasterKeyDocument.new(provider, options)
+        end
+
+        rewrap_result = Crypt::RewrapManyDataKeyContext.new(
+          @crypt_handle,
+          @encryption_io,
+          filter,
+          master_key_document
+        ).run_state_machine
+        if rewrap_result.nil?
+          return RewrapManyDataKeyResult.new(nil)
+        end
+        data_key_documents = rewrap_result.fetch('v')
+        updates = data_key_documents.map do |doc|
+          {
+            update_one: {
+              filter: { _id: doc[:_id] },
+              update: {
+                '$set' => {
+                  masterKey: doc[:masterKey],
+                  keyMaterial: doc[:keyMaterial]
+                },
+                '$currentDate' => { updateDate: true },
+              },
+            }
+          }
+        end
+        RewrapManyDataKeyResult.new(
+          @encryption_io.update_data_keys(updates)
+        )
+      end
     end
   end
 end

data/lib/mongo/crypt/explicit_encryption_context.rb

@@ -44,10 +44,10 @@ module Mongo
       #   to be applied if encryption algorithm is set to "Indexed". If not
       #   provided, it defaults to a value of 0. Contention factor should be set
       #   only if encryption algorithm is set to "Indexed".
-      # @option options [ Symbol ] query_type Query type to be applied
+      # @option options [ String | nil ] query_type Query type to be applied
       # if encryption algorithm is set to "Indexed". Query type should be set
       #   only if encryption algorithm is set to "Indexed".  The only allowed
-      #   value is :equality.
+      #   value is "equality".
       #
       # @raise [ ArgumentError|Mongo::Error::CryptError ] If invalid options are provided
       def initialize(mongocrypt, io, doc, options={})
@@ -89,6 +89,7 @@ module Mongo
 
         # Set the algorithm option on the mongocrypt_ctx_t object and raises
         # an exception if the algorithm is invalid.
+        Binding.ctx_setopt_algorithm(self, options[:algorithm])
         if options[:algorithm] == 'Indexed'
           if options[:contention_factor]
             Binding.ctx_setopt_contention_factor(self, options[:contention_factor])
@@ -96,7 +97,6 @@ module Mongo
           if options[:query_type]
             Binding.ctx_setopt_query_type(self, options[:query_type])
           end
-          Binding.ctx_setopt_index_type(self, :equality)
         else
           if options[:contention_factor]
             raise ArgumentError.new(':contention_factor is allowed only for "Indexed" algorithm')
@@ -104,11 +104,6 @@ module Mongo
           if options[:query_type]
             raise ArgumentError.new(':query_type is allowed only for "Indexed" algorithm')
           end
-          if options[:algorithm] == 'Unindexed'
-            Binding.ctx_setopt_index_type(self, :none)
-          else
-            Binding.ctx_setopt_algorithm(self, options[:algorithm])
-          end
         end
 
         # Initializes the mongocrypt_ctx_t object for explicit encryption and

data/lib/mongo/crypt/handle.rb

@@ -39,7 +39,11 @@ module Mongo
       #
       # @param [ Hash ] options A hash of options.
       # @option options [ Hash | nil ] :schema_map A hash representing the JSON schema
-      #   of the collection that stores auto encrypted documents.
+      #   of the collection that stores auto encrypted documents. This option is
+      #   mutually exclusive with :schema_map_path.
+      # @option options [ String | nil ] :schema_map_path A path to a file contains the JSON schema
+      #   of the collection that stores auto encrypted documents. This option is
+      #   mutually exclusive with :schema_map.
       # @option options [ Hash | nil ] :encrypted_fields_map maps a collection
       #   namespace to an encryptedFields.
       #   - Note: If a collection is present on both the encryptedFieldsMap
@@ -58,8 +62,7 @@ module Mongo
 
         @kms_tls_options =  kms_tls_options
 
-        @schema_map = options[:schema_map]
-        set_schema_map if @schema_map
+        maybe_set_schema_map(options)
 
         @encrypted_fields_map = options[:encrypted_fields_map]
         set_encrypted_fields_map if @encrypted_fields_map
@@ -96,14 +99,29 @@ module Mongo
       private
 
       # Set the schema map option on the underlying mongocrypt_t object
-      def set_schema_map
-        unless @schema_map.is_a?(Hash)
+      def maybe_set_schema_map(options)
+        if !options[:schema_map] && !options[:schema_map_path]
+          @schema_map = nil
+        elsif options[:schema_map] && options[:schema_map_path]
           raise ArgumentError.new(
-            "#{@schema_map} is an invalid schema_map; schema_map must be a Hash or nil"
+            "Cannot set both schema_map and schema_map_path options."
           )
+        elsif options[:schema_map]
+          unless options[:schema_map].is_a?(Hash)
+            raise ArgumentError.new(
+              "#{@schema_map} is an invalid schema_map; schema_map must be a Hash or nil."
+            )
+          end
+          @schema_map = options[:schema_map]
+          Binding.setopt_schema_map(self, @schema_map)
+        elsif options[:schema_map_path]
+          @schema_map = BSON::ExtJSON.parse(File.read(options[:schema_map_path]))
+          Binding.setopt_schema_map(self, @schema_map)
         end
-
-        Binding.setopt_schema_map(self, @schema_map)
+      rescue Errno::ENOENT
+        raise ArgumentError.new(
+          "#{@schema_map_path} is an invalid path to a file contains schema_map."
+        )
       end
 
       def set_encrypted_fields_map

data/lib/mongo/crypt/kms/aws.rb

@@ -24,6 +24,7 @@ module Mongo
         #
         # @api private
         class Credentials
+          extend Forwardable
           include KMS::Validations
 
           # @return [ String ] AWS access key.
@@ -35,6 +36,9 @@ module Mongo
           # @return [ String | nil ] AWS session token.
           attr_reader :session_token
 
+          # @api private
+          def_delegator :@opts, :empty?
+
           FORMAT_HINT = "AWS KMS provider options must be in the format: " +
                         "{ access_key_id: 'YOUR-ACCESS-KEY-ID', secret_access_key: 'SECRET-ACCESS-KEY' }"
 
@@ -49,15 +53,19 @@ module Mongo
           # @raise [ ArgumentError ] If required options are missing or incorrectly
           #   formatted.
           def initialize(opts)
-            @access_key_id = validate_param(:access_key_id, opts, FORMAT_HINT)
-            @secret_access_key = validate_param(:secret_access_key, opts, FORMAT_HINT)
-            @session_token = validate_param(:session_token, opts, FORMAT_HINT, required: false)
+            @opts = opts
+            unless empty?
+              @access_key_id = validate_param(:access_key_id, opts, FORMAT_HINT)
+              @secret_access_key = validate_param(:secret_access_key, opts, FORMAT_HINT)
+              @session_token = validate_param(:session_token, opts, FORMAT_HINT, required: false)
+            end
           end
 
           # Convert credentials object to a BSON document in libmongocrypt format.
           #
           # @return [ BSON::Document ] AWS KMS credentials in libmongocrypt format.
           def to_document
+            return BSON::Document.new if empty?
             BSON::Document.new({
               accessKeyId: access_key_id,
               secretAccessKey: secret_access_key,

data/lib/mongo/crypt/kms/azure.rb

@@ -23,6 +23,7 @@ module Mongo
         #
         # @api private
         class Credentials
+          extend Forwardable
           include KMS::Validations
 
           # @return [ String ] Azure tenant id.
@@ -37,6 +38,9 @@ module Mongo
           # @return [ String | nil ] Azure identity platform endpoint.
           attr_reader :identity_platform_endpoint
 
+          # @api private
+          def_delegator :@opts, :empty?
+
           FORMAT_HINT = "Azure KMS provider options must be in the format: " +
               "{ tenant_id: 'TENANT-ID', client_id: 'TENANT_ID', client_secret: 'CLIENT_SECRET' }"
 
@@ -53,18 +57,22 @@ module Mongo
           # @raise [ ArgumentError ] If required options are missing or incorrectly
           #   formatted.
           def initialize(opts)
-            @tenant_id = validate_param(:tenant_id, opts, FORMAT_HINT)
-            @client_id = validate_param(:client_id, opts, FORMAT_HINT)
-            @client_secret = validate_param(:client_secret, opts, FORMAT_HINT)
-            @identity_platform_endpoint = validate_param(
-              :identity_platform_endpoint, opts, FORMAT_HINT, required: false
-            )
+            @opts = opts
+            unless empty?
+              @tenant_id = validate_param(:tenant_id, opts, FORMAT_HINT)
+              @client_id = validate_param(:client_id, opts, FORMAT_HINT)
+              @client_secret = validate_param(:client_secret, opts, FORMAT_HINT)
+              @identity_platform_endpoint = validate_param(
+                :identity_platform_endpoint, opts, FORMAT_HINT, required: false
+              )
+            end
           end
 
           # Convert credentials object to a BSON document in libmongocrypt format.
           #
           # @return [ BSON::Document ] Azure KMS credentials in libmongocrypt format.
           def to_document
+            return BSON::Document.new if empty?
             BSON::Document.new({
               tenantId: @tenant_id,
               clientId: @client_id,

data/lib/mongo/crypt/kms/gcp.rb

@@ -24,6 +24,7 @@ module Mongo
         #
         # @api private
         class Credentials
+          extend Forwardable
           include KMS::Validations
 
           # @return [ String ] GCP email to authenticate with.
@@ -35,6 +36,9 @@ module Mongo
           # @return [ String | nil ] GCP KMS endpoint.
           attr_reader :endpoint
 
+          # @api private
+          def_delegator :@opts, :empty?
+
           FORMAT_HINT = "GCP KMS provider options must be in the format: " +
               "{ email: 'EMAIL', private_key: 'PRIVATE-KEY' }"
 
@@ -50,8 +54,10 @@ module Mongo
           # @raise [ ArgumentError ] If required options are missing or incorrectly
           #   formatted.
           def initialize(opts)
-            @email = validate_param(:email, opts, FORMAT_HINT)
+            @opts = opts
+            return if empty?
 
+            @email = validate_param(:email, opts, FORMAT_HINT)
             @private_key = begin
               private_key_opt = validate_param(:private_key, opts, FORMAT_HINT)
               if BSON::Environment.jruby?
@@ -91,6 +97,7 @@ module Mongo
           #
           # @return [ BSON::Document ] Azure KMS credentials in libmongocrypt format.
           def to_document
+            return BSON::Document.new if empty?
             BSON::Document.new({
               email: email,
               privateKey: BSON::Binary.new(private_key, :generic),
@@ -143,10 +150,9 @@ module Mongo
         #
         # @raise [ ArgumentError ] If required options are missing or incorrectly.
           def initialize(opts)
-            unless opts.is_a?(Hash)
-              raise ArgumentError.new(
-                'Key document options must contain a key named :master_key with a Hash value'
-              )
+            if opts.empty?
+              @empty = true
+              return
             end
             @project_id = validate_param(:project_id, opts, FORMAT_HINT)
             @location = validate_param(:location, opts, FORMAT_HINT)
@@ -160,6 +166,7 @@ module Mongo
           #
           # @return [ BSON::Document ] GCP KMS credentials in libmongocrypt format.
           def to_document
+            return BSON::Document.new({}) if @empty
             BSON::Document.new({
               provider: 'gcp',
               projectId: project_id,