mongo 2.18.0.beta1 → 2.18.0

data/spec/integration/client_side_encryption/auto_encryption_command_monitoring_spec.rb

@@ -32,7 +32,7 @@ describe 'Auto Encryption' do
         database: db_name
       ),
     ).tap do |client|
-      client.encrypter.key_vault_client.subscribe(Mongo::Monitoring::COMMAND, subscriber)
+      client.subscribe(Mongo::Monitoring::COMMAND, subscriber)
     end
   end
 
@@ -41,19 +41,14 @@ describe 'Auto Encryption' do
     key_vault_collection.insert_one(data_key)
 
     encryption_client['users'].drop
-    result = encryption_client['users'].insert_one(ssn: ssn, age: 23)
   end
 
   let(:started_event) do
-    subscriber.started_events.find do |event|
-      event.command_name == command_name && event.database_name == db_name
-    end
+    subscriber.single_command_started_event(command_name, database_name: db_name)
   end
 
   let(:succeeded_event) do
-    subscriber.succeeded_events.find do |event|
-      event.command_name == command_name && event.database_name == db_name
-    end
+    subscriber.single_command_succeeded_event(command_name, database_name: db_name)
   end
 
   let(:key_vault_list_collections_event) do
@@ -68,236 +63,242 @@ describe 'Auto Encryption' do
     end
   end
 
-  describe '#aggregate' do
-    let(:command_name) { 'aggregate' }
-
+  context 'when performing operations that need a document in the database' do
     before do
-      encryption_client['users'].aggregate([{ '$match' => { 'ssn' => ssn } }]).first
+      result = encryption_client['users'].insert_one(ssn: ssn, age: 23)
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      expect(
-        started_event.command["pipeline"].first["$match"]["ssn"]["$eq"]
-      ).to be_ciphertext
+    describe '#aggregate' do
+      let(:command_name) { 'aggregate' }
 
-      # Command succeeded event occurs before ssn is decrypted
-      expect(succeeded_event.reply["cursor"]["firstBatch"].first["ssn"]).to be_ciphertext
-    end
+      before do
+        encryption_client['users'].aggregate([{ '$match' => { 'ssn' => ssn } }]).first
+      end
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        expect(
+          started_event.command["pipeline"].first["$match"]["ssn"]["$eq"]
+        ).to be_ciphertext
 
-  describe '#count' do
-    let(:command_name) { 'count' }
+        # Command succeeded event occurs before ssn is decrypted
+        expect(succeeded_event.reply["cursor"]["firstBatch"].first["ssn"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].count(ssn: ssn)
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      # Command succeeded event does not contain any data to be decrypted
-      expect(started_event.command["query"]["ssn"]["$eq"]).to be_ciphertext
-    end
+    describe '#count' do
+      let(:command_name) { 'count' }
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      before do
+        encryption_client['users'].count(ssn: ssn)
+      end
 
-  describe '#distinct' do
-    let(:command_name) { 'distinct' }
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        # Command succeeded event does not contain any data to be decrypted
+        expect(started_event.command["query"]["ssn"]["$eq"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].distinct(:ssn)
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event does not contain any data to be encrypted
-      # Command succeeded event occurs before ssn is decrypted
-      expect(succeeded_event.reply["values"].first).to be_ciphertext
-    end
+    describe '#distinct' do
+      let(:command_name) { 'distinct' }
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      before do
+        encryption_client['users'].distinct(:ssn)
+      end
 
-  describe '#delete_one' do
-    let(:command_name) { 'delete' }
+      it 'has encrypted data in command monitoring' do
+        # Command started event does not contain any data to be encrypted
+        # Command succeeded event occurs before ssn is decrypted
+        expect(succeeded_event.reply["values"].first).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].delete_one(ssn: ssn)
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      # Command succeeded event does not contain any data to be decrypted
-      expect(started_event.command["deletes"].first["q"]["ssn"]["$eq"]).to be_ciphertext
-    end
+    describe '#delete_one' do
+      let(:command_name) { 'delete' }
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      before do
+        encryption_client['users'].delete_one(ssn: ssn)
+      end
 
-  describe '#delete_many' do
-    let(:command_name) { 'delete' }
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        # Command succeeded event does not contain any data to be decrypted
+        expect(started_event.command["deletes"].first["q"]["ssn"]["$eq"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].delete_many(ssn: ssn)
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      # Command succeeded event does not contain any data to be decrypted
-      expect(started_event.command["deletes"].first["q"]["ssn"]["$eq"]).to be_ciphertext
-    end
+    describe '#delete_many' do
+      let(:command_name) { 'delete' }
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      before do
+        encryption_client['users'].delete_many(ssn: ssn)
+      end
 
-  describe '#find' do
-    let(:command_name) { 'find' }
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        # Command succeeded event does not contain any data to be decrypted
+        expect(started_event.command["deletes"].first["q"]["ssn"]["$eq"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].find(ssn: ssn).first
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      expect(started_event.command["filter"]["ssn"]["$eq"]).to be_ciphertext
+    describe '#find' do
+      let(:command_name) { 'find' }
 
-      # Command succeeded event occurs before ssn is decrypted
-      expect(succeeded_event.reply["cursor"]["firstBatch"].first["ssn"]).to be_ciphertext
-    end
+      before do
+        encryption_client['users'].find(ssn: ssn).first
+      end
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        expect(started_event.command["filter"]["ssn"]["$eq"]).to be_ciphertext
 
-  describe '#find_one_and_delete' do
-    let(:command_name) { 'findAndModify' }
+        # Command succeeded event occurs before ssn is decrypted
+        expect(succeeded_event.reply["cursor"]["firstBatch"].first["ssn"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].find_one_and_delete(ssn: ssn)
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      expect(started_event.command["query"]["ssn"]["$eq"]).to be_ciphertext
+    describe '#find_one_and_delete' do
+      let(:command_name) { 'findAndModify' }
 
-      # Command succeeded event occurs before ssn is decrypted
-      expect(succeeded_event.reply["value"]["ssn"]).to be_ciphertext
-    end
+      before do
+        encryption_client['users'].find_one_and_delete(ssn: ssn)
+      end
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        expect(started_event.command["query"]["ssn"]["$eq"]).to be_ciphertext
 
-  describe '#find_one_and_replace' do
-    let(:command_name) { 'findAndModify' }
+        # Command succeeded event occurs before ssn is decrypted
+        expect(succeeded_event.reply["value"]["ssn"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].find_one_and_replace(
-        { ssn: ssn },
-        { ssn: '555-555-5555' }
-      )
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      expect(started_event.command["query"]["ssn"]["$eq"]).to be_ciphertext
-      expect(started_event.command["update"]["ssn"]).to be_ciphertext
+    describe '#find_one_and_replace' do
+      let(:command_name) { 'findAndModify' }
 
-      # Command succeeded event occurs before ssn is decrypted
-      expect(succeeded_event.reply["value"]["ssn"]).to be_ciphertext
-    end
+      before do
+        encryption_client['users'].find_one_and_replace(
+          { ssn: ssn },
+          { ssn: '555-555-5555' }
+        )
+      end
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        expect(started_event.command["query"]["ssn"]["$eq"]).to be_ciphertext
+        expect(started_event.command["update"]["ssn"]).to be_ciphertext
 
-  describe '#find_one_and_update' do
-    let(:command_name) { 'findAndModify' }
+        # Command succeeded event occurs before ssn is decrypted
+        expect(succeeded_event.reply["value"]["ssn"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].find_one_and_update(
-        { ssn: ssn },
-        { ssn: '555-555-5555' }
-      )
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
+    describe '#find_one_and_update' do
+      let(:command_name) { 'findAndModify' }
 
-      # Command started event occurs after ssn is encrypted
-      expect(started_event.command["query"]["ssn"]["$eq"]).to be_ciphertext
-      expect(started_event.command["update"]["ssn"]).to be_ciphertext
+      before do
+        encryption_client['users'].find_one_and_update(
+          { ssn: ssn },
+          { ssn: '555-555-5555' }
+        )
+      end
 
-      # Command succeeded event occurs before ssn is decrypted
-      expect(succeeded_event.reply["value"]["ssn"]).to be_ciphertext
-    end
+      it 'has encrypted data in command monitoring' do
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+        # Command started event occurs after ssn is encrypted
+        expect(started_event.command["query"]["ssn"]["$eq"]).to be_ciphertext
+        expect(started_event.command["update"]["ssn"]).to be_ciphertext
 
-  describe '#insert_one' do
-    let(:command_name) { 'insert' }
+        # Command succeeded event occurs before ssn is decrypted
+        expect(succeeded_event.reply["value"]["ssn"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].insert_one(ssn: ssn)
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      # Command succeeded event does not contain any data to be decrypted
-      expect(started_event.command["documents"].first["ssn"]).to be_ciphertext
-    end
+    describe '#replace_one' do
+      let(:command_name) { 'update' }
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      before do
+        encryption_client['users'].replace_one(
+          { ssn: ssn },
+          { ssn: '555-555-5555' }
+        )
+      end
 
-  describe '#replace_one' do
-    let(:command_name) { 'update' }
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        # Command succeeded event does not contain any data to be decrypted
+        expect(started_event.command["updates"].first["q"]["ssn"]["$eq"]).to be_ciphertext
+        expect(started_event.command["updates"].first["u"]["ssn"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].replace_one(
-        { ssn: ssn },
-        { ssn: '555-555-5555' }
-      )
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      # Command succeeded event does not contain any data to be decrypted
-      expect(started_event.command["updates"].first["q"]["ssn"]["$eq"]).to be_ciphertext
-      expect(started_event.command["updates"].first["u"]["ssn"]).to be_ciphertext
-    end
+    describe '#update_one' do
+      let(:command_name) { 'update' }
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
-  end
+      before do
+        encryption_client['users'].replace_one({ ssn: ssn }, { ssn: '555-555-5555' })
+      end
 
-  describe '#update_one' do
-    let(:command_name) { 'update' }
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        # Command succeeded event does not contain any data to be decrypted
+        expect(started_event.command["updates"].first["q"]["ssn"]["$eq"]).to be_ciphertext
+        expect(started_event.command["updates"].first["u"]["ssn"]).to be_ciphertext
+      end
 
-    before do
-      encryption_client['users'].replace_one({ ssn: ssn }, { ssn: '555-555-5555' })
+      it_behaves_like 'it has a non-encrypted key_vault_client'
     end
 
-    it 'has encrypted data in command monitoring' do
-      # Command started event occurs after ssn is encrypted
-      # Command succeeded event does not contain any data to be decrypted
-      expect(started_event.command["updates"].first["q"]["ssn"]["$eq"]).to be_ciphertext
-      expect(started_event.command["updates"].first["u"]["ssn"]).to be_ciphertext
-    end
+    describe '#update_many' do
+      let(:command_name) { 'update' }
 
-    it_behaves_like 'it has a non-encrypted key_vault_client'
+      before do
+        # update_many does not support replacement-style updates
+        encryption_client['users'].update_many({ ssn: ssn }, { "$inc" => { :age => 1 } })
+      end
+
+      it 'has encrypted data in command monitoring' do
+        # Command started event occurs after ssn is encrypted
+        # Command succeeded event does not contain any data to be decrypted
+        expect(started_event.command["updates"].first["q"]["ssn"]["$eq"]).to be_ciphertext
+      end
+
+      it_behaves_like 'it has a non-encrypted key_vault_client'
+    end
   end
 
-  describe '#update_many' do
-    let(:command_name) { 'update' }
+  describe '#insert_one' do
+    let(:command_name) { 'insert' }
 
     before do
-      # update_many does not support replacement-style updates
-      encryption_client['users'].update_many({ ssn: ssn }, { "$inc" => { :age => 1 } })
+      encryption_client['users'].insert_one(ssn: ssn)
     end
 
     it 'has encrypted data in command monitoring' do
       # Command started event occurs after ssn is encrypted
       # Command succeeded event does not contain any data to be decrypted
-      expect(started_event.command["updates"].first["q"]["ssn"]["$eq"]).to be_ciphertext
+      expect(started_event.command["documents"].first["ssn"]).to be_ciphertext
     end
 
     it_behaves_like 'it has a non-encrypted key_vault_client'

data/spec/integration/client_side_encryption/decryption_events_prose_spec.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+# encoding: utf-8
+
+require 'spec_helper'
+
+describe 'Decryption events' do
+  require_enterprise
+  min_server_fcv '4.2'
+  require_libmongocrypt
+  include_context 'define shared FLE helpers'
+  require_topology :replica_set
+
+
+  let(:setup_client) do
+    ClientRegistry.instance.new_local_client(
+      SpecConfig.instance.addresses,
+      SpecConfig.instance.test_options.merge(
+        database: SpecConfig.instance.test_db,
+      )
+    )
+  end
+
+  let(:collection_name) do
+    'decryption_event'
+  end
+
+  let(:client_encryption) do
+    Mongo::ClientEncryption.new(
+      setup_client,
+      key_vault_namespace: "#{key_vault_db}.#{key_vault_coll}",
+      kms_providers: local_kms_providers
+    )
+  end
+
+  let(:key_id) do
+    client_encryption.create_data_key('local')
+  end
+
+  let(:unencrypted_value) do
+    'hello'
+  end
+
+  let(:ciphertext) do
+    client_encryption.encrypt(
+      unencrypted_value,
+      key_id: key_id,
+      algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
+    )
+  end
+
+  let(:malformed_ciphertext) do
+    ciphertext.dup.tap do |obj|
+      obj.data[-1] = 0.chr
+    end
+  end
+
+  let(:encrypted_client) do
+    ClientRegistry.instance.new_local_client(
+      SpecConfig.instance.addresses,
+      SpecConfig.instance.test_options.merge(
+        auto_encryption_options: {
+          key_vault_namespace: "#{key_vault_db}.#{key_vault_coll}",
+          kms_providers: local_kms_providers,
+          extra_options: extra_options,
+        },
+        database: SpecConfig.instance.test_db,
+        retry_reads: false,
+        max_read_retries: 0,
+      )
+    )
+  end
+
+  let(:collection) do
+    encrypted_client[collection_name]
+  end
+
+  let(:subscriber) { Mrss::EventSubscriber.new }
+
+  before(:each) do
+    setup_client[collection_name].drop
+    setup_client[collection_name].create
+
+    encrypted_client.subscribe(Mongo::Monitoring::COMMAND, subscriber)
+  end
+
+  it 'tests command error' do
+    setup_client.use(:admin).command(
+      {
+        "configureFailPoint" => "failCommand",
+        "mode" => {
+            "times" => 1
+        },
+        "data" => {
+            "errorCode" => 123,
+            "failCommands" => [
+                "aggregate"
+            ]
+        }
+      }
+    )
+
+    expect do
+      collection.aggregate([]).to_a
+    end.to raise_error(Mongo::Error::OperationFailure, /Failing command (?:via|due to) 'failCommand' failpoint/)
+    expect(subscriber.failed_events.length).to eql(1)
+  end
+
+  it 'tests network error' do
+    setup_client.use(:admin).command(
+      {
+        "configureFailPoint" => "failCommand",
+        "mode" => {
+            "times" => 1
+        },
+        "data" => {
+            "errorCode" => 123,
+            "closeConnection": true,
+            "failCommands" => [
+                "aggregate"
+            ]
+        }
+      }
+    )
+
+    expect do
+      collection.aggregate([]).to_a
+    end.to raise_error(Mongo::Error::SocketError)
+    expect(subscriber.failed_events.length).to eql(1)
+  end
+
+  it 'tests decrypt error' do
+    collection.insert_one(encrypted: malformed_ciphertext)
+    expect do
+      collection.aggregate([]).to_a
+    end.to raise_error(Mongo::Error::CryptError)
+    aggregate_event = subscriber.succeeded_events.detect do |evt|
+      evt.command_name == 'aggregate'
+    end
+    expect(aggregate_event).not_to be_nil
+    expect(
+      aggregate_event.reply.dig('cursor', 'firstBatch')&.first&.dig('encrypted')
+    ).to be_a_kind_of(BSON::Binary)
+  end
+
+  it 'tests decrypt success' do
+    collection.insert_one(encrypted: ciphertext)
+    expect do
+      collection.aggregate([]).to_a
+    end.not_to raise_error
+    aggregate_event = subscriber.succeeded_events.detect do |evt|
+      evt.command_name == 'aggregate'
+    end
+    expect(aggregate_event).not_to be_nil
+    expect(
+      aggregate_event.reply.dig('cursor', 'firstBatch')&.first&.dig('encrypted')
+    ).to be_a_kind_of(BSON::Binary)
+  end
+end

data/spec/integration/client_side_encryption/explicit_queryable_encryption_spec.rb

@@ -71,13 +71,13 @@ describe 'Explicit Queryable Encryption' do
 
   it 'can insert encrypted indexed and find' do
     insert_payload = client_encryption.encrypt(
-      value, key_id: key1_id, algorithm: "Indexed"
+      value, key_id: key1_id, algorithm: "Indexed", contention_factor: 0
     )
     encrypted_client[encrypted_coll].insert_one(
       "encryptedIndexed" => insert_payload
     )
     find_payload = client_encryption.encrypt(
-      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality
+      value, key_id: key1_id, algorithm: "Indexed", query_type: "equality", contention_factor: 0
     )
     find_results = encrypted_client[encrypted_coll]
       .find("encryptedIndexed" => find_payload)
@@ -96,7 +96,7 @@ describe 'Explicit Queryable Encryption' do
       )
     end
     find_payload = client_encryption.encrypt(
-      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality
+      value, key_id: key1_id, algorithm: "Indexed", query_type: "equality", contention_factor: 0
     )
     find_results = encrypted_client[encrypted_coll]
       .find("encryptedIndexed" => find_payload)
@@ -106,7 +106,7 @@ describe 'Explicit Queryable Encryption' do
       expect(doc["encryptedIndexed"]).to eq(value)
     end
     find_payload_2 = client_encryption.encrypt(
-      value, key_id: key1_id, algorithm: "Indexed", query_type: :equality, contention_factor: 10
+      value, key_id: key1_id, algorithm: "Indexed", query_type: "equality", contention_factor: 10
     )
     find_results_2 = encrypted_client[encrypted_coll]
       .find("encryptedIndexed" => find_payload_2)
@@ -131,7 +131,7 @@ describe 'Explicit Queryable Encryption' do
 
   it 'can roundtrip encrypted indexed' do
     payload = client_encryption.encrypt(
-      value, key_id: key1_id, algorithm: "Indexed"
+      value, key_id: key1_id, algorithm: "Indexed", contention_factor: 0
     )
     decrypted_value = client_encryption.decrypt(payload)
     expect(decrypted_value).to eq(value)