RubyGems - mongo - Versions diffs - 2.20.1 → 2.21.0 - Mend

mongo 2.20.1 → 2.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (246) hide show

data/spec/integration/client_side_encryption/auto_encryption_spec.rb CHANGED Viewed

@@ -30,7 +30,8 @@ describe 'Auto Encryption' do
           extra_options: extra_options,
         },
         database: 'auto_encryption',
-        max_pool_size: max_pool_size
+        max_pool_size: max_pool_size,
+        timeout_ms: timeout_ms
       ),
     )
   end
@@ -97,27 +98,84 @@ describe 'Auto Encryption' do
   end
   shared_examples 'an encrypted command' do
-    context 'with AWS KMS provider' do
-      include_context 'with AWS kms_providers'
+    # context 'with AWS KMS provider' do
+    #   include_context 'with AWS kms_providers'
+    #   context 'with validator' do
+    #     include_context 'jsonSchema validator on collection'
+    #     it_behaves_like 'it performs an encrypted command'
+    #   end
+    #   context 'with schema map' do
+    #     include_context 'schema map in client options'
+    #     it_behaves_like 'it performs an encrypted command'
+    #     context 'with limited connection pool' do
+    #       include_context 'limited connection pool'
+    #       it_behaves_like 'it performs an encrypted command'
+    #     end
+    #   end
+    # end
+    # context 'with Azure KMS provider' do
+    #   include_context 'with Azure kms_providers'
+    #   context 'with validator' do
+    #     include_context 'jsonSchema validator on collection'
+    #     it_behaves_like 'it performs an encrypted command'
+    #   end
+    #   context 'with schema map' do
+    #     include_context 'schema map in client options'
+    #     it_behaves_like 'it performs an encrypted command'
+    #     context 'with limited connection pool' do
+    #       include_context 'limited connection pool'
+    #       it_behaves_like 'it performs an encrypted command'
+    #     end
+    #   end
+    # end
+    # context 'with GCP KMS provider' do
+    #   include_context 'with GCP kms_providers'
+    #   context 'with validator' do
+    #     include_context 'jsonSchema validator on collection'
+    #     it_behaves_like 'it performs an encrypted command'
+    #   end
+    #   context 'with schema map' do
+    #     include_context 'schema map in client options'
+    #     it_behaves_like 'it performs an encrypted command'
+    #     context 'with limited connection pool' do
+    #       include_context 'limited connection pool'
+    #       it_behaves_like 'it performs an encrypted command'
+    #     end
+    #   end
+    # end
+    # context 'with KMIP KMS provider' do
+    #   include_context 'with KMIP kms_providers'
+    #   context 'with validator' do
+    #     include_context 'jsonSchema validator on collection'
+    #     it_behaves_like 'it performs an encrypted command'
+    #   end
+    #   context 'with schema map' do
+    #     include_context 'schema map in client options'
+    #     it_behaves_like 'it performs an encrypted command'
+    #     context 'with limited connection pool' do
+    #       include_context 'limited connection pool'
+    #       it_behaves_like 'it performs an encrypted command'
+    #     end
+    #   end
+    # end
-      context 'with validator' do
-        include_context 'jsonSchema validator on collection'
-        it_behaves_like 'it performs an encrypted command'
-      end
-      context 'with schema map' do
-        include_context 'schema map in client options'
-        it_behaves_like 'it performs an encrypted command'
-        context 'with limited connection pool' do
-          include_context 'limited connection pool'
-          it_behaves_like 'it performs an encrypted command'
-        end
-      end
-    end
-    context 'with Azure KMS provider' do
-      include_context 'with Azure kms_providers'
+    context 'with local KMS provider' do
+      include_context 'with local kms_providers'
       context 'with validator' do
         include_context 'jsonSchema validator on collection'
@@ -134,614 +192,563 @@ describe 'Auto Encryption' do
         end
       end
     end
+  end
-    context 'with GCP KMS provider' do
-      include_context 'with GCP kms_providers'
+  [nil, 0].each do |timeout_ms|
+    context "with timeout_ms #{timeout_ms}" do
+      let(:timeout_ms) { timeout_ms }
-      context 'with validator' do
-        include_context 'jsonSchema validator on collection'
-        it_behaves_like 'it performs an encrypted command'
-      end
+      describe '#aggregate' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'encrypted document in collection'
-      context 'with schema map' do
-        include_context 'schema map in client options'
-        it_behaves_like 'it performs an encrypted command'
+          let(:result) do
+            encryption_client['users'].aggregate([
+              { '$match' => { 'ssn' => ssn } }
+            ]).first
+          end
-        context 'with limited connection pool' do
-          include_context 'limited connection pool'
-          it_behaves_like 'it performs an encrypted command'
-        end
-      end
-    end
+          it 'encrypts the command and decrypts the response' do
+            result.should_not be_nil
+            result['ssn'].should == ssn
+          end
-    context 'with KMIP KMS provider' do
-      include_context 'with KMIP kms_providers'
+          context 'when bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-      context 'with validator' do
-        include_context 'jsonSchema validator on collection'
-        it_behaves_like 'it performs an encrypted command'
-      end
+            it 'does not encrypt the command' do
+              result.should be_nil
+            end
-      context 'with schema map' do
-        include_context 'schema map in client options'
-        it_behaves_like 'it performs an encrypted command'
+            it 'does auto decrypt the response' do
+              result = encryption_client['users'].aggregate([
+                { '$match' => { 'ssn' => encrypted_ssn_binary } }
+              ]).first
-        context 'with limited connection pool' do
-          include_context 'limited connection pool'
-          it_behaves_like 'it performs an encrypted command'
+              result.should_not be_nil
+              result['ssn'].should == ssn
+            end
+          end
         end
-      end
-    end
-    context 'with local KMS provider' do
-      include_context 'with local kms_providers'
-      context 'with validator' do
-        include_context 'jsonSchema validator on collection'
-        it_behaves_like 'it performs an encrypted command'
+        it_behaves_like 'an encrypted command'
       end
-      context 'with schema map' do
-        include_context 'schema map in client options'
-        it_behaves_like 'it performs an encrypted command'
+      describe '#count' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'multiple encrypted documents in collection'
-        context 'with limited connection pool' do
-          include_context 'limited connection pool'
-          it_behaves_like 'it performs an encrypted command'
-        end
-      end
-    end
-  end
+          let(:result) { encryption_client['users'].count(ssn: ssn) }
-  describe '#aggregate' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'encrypted document in collection'
-      let(:result) do
-        encryption_client['users'].aggregate([
-          { '$match' => { 'ssn' => ssn } }
-        ]).first
-      end
-      it 'encrypts the command and decrypts the response' do
-        result.should_not be_nil
-        result['ssn'].should == ssn
-      end
+          it 'encrypts the command and finds the documents' do
+            expect(result).to eq(2)
+          end
-      context 'when bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+          context 'with bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        it 'does not encrypt the command' do
-          result.should be_nil
+            it 'does not encrypt the command' do
+              expect(result).to eq(0)
+            end
+          end
         end
-        it 'does auto decrypt the response' do
-          result = encryption_client['users'].aggregate([
-            { '$match' => { 'ssn' => encrypted_ssn_binary } }
-          ]).first
-          result.should_not be_nil
-          result['ssn'].should == ssn
-        end
+        it_behaves_like 'an encrypted command'
       end
-    end
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#count' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'multiple encrypted documents in collection'
+      describe '#distinct' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'encrypted document in collection'
-      let(:result) { encryption_client['users'].count(ssn: ssn) }
+          let(:result) { encryption_client['users'].distinct(:ssn) }
-      it 'encrypts the command and finds the documents' do
-        expect(result).to eq(2)
-      end
+          it 'decrypts the SSN field' do
+            expect(result.length).to eq(1)
+            expect(result).to include(ssn)
+          end
-      context 'with bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+          context 'with bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        it 'does not encrypt the command' do
-          expect(result).to eq(0)
+            it 'still decrypts the SSN field' do
+              expect(result.length).to eq(1)
+              expect(result).to include(ssn)
+            end
+          end
         end
-      end
-    end
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#distinct' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'encrypted document in collection'
-      let(:result) { encryption_client['users'].distinct(:ssn) }
-      it 'decrypts the SSN field' do
-        expect(result.length).to eq(1)
-        expect(result).to include(ssn)
+        it_behaves_like 'an encrypted command'
       end
-      context 'with bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
-        it 'still decrypts the SSN field' do
-          expect(result.length).to eq(1)
-          expect(result).to include(ssn)
-        end
-      end
-    end
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#delete_one' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'encrypted document in collection'
+      describe '#delete_one' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'encrypted document in collection'
-      let(:result) { encryption_client['users'].delete_one(ssn: ssn) }
+          let(:result) { encryption_client['users'].delete_one(ssn: ssn) }
-      it 'encrypts the SSN field' do
-        expect(result.deleted_count).to eq(1)
-      end
+          it 'encrypts the SSN field' do
+            expect(result.deleted_count).to eq(1)
+          end
-      context 'with bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+          context 'with bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        it 'does not encrypt the SSN field' do
-          expect(result.deleted_count).to eq(0)
+            it 'does not encrypt the SSN field' do
+              expect(result.deleted_count).to eq(0)
+            end
+          end
         end
-      end
-    end
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#delete_many' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'multiple encrypted documents in collection'
-      let(:result) { encryption_client['users'].delete_many(ssn: ssn) }
-      it 'decrypts the SSN field' do
-        expect(result.deleted_count).to eq(2)
+        it_behaves_like 'an encrypted command'
       end
-      context 'with bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+      describe '#delete_many' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'multiple encrypted documents in collection'
-        it 'does not encrypt the SSN field' do
-          expect(result.deleted_count).to eq(0)
-        end
-      end
-    end
+          let(:result) { encryption_client['users'].delete_many(ssn: ssn) }
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#find' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'encrypted document in collection'
-      let(:result) { encryption_client['users'].find(ssn: ssn).first }
-      it 'encrypts the command and decrypts the response' do
-        result.should_not be_nil
-        expect(result['ssn']).to eq(ssn)
-      end
+          it 'decrypts the SSN field' do
+            expect(result.deleted_count).to eq(2)
+          end
-      context 'when bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+          context 'with bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        it 'does not encrypt the command' do
-          expect(result).to be_nil
+            it 'does not encrypt the SSN field' do
+              expect(result.deleted_count).to eq(0)
+            end
+          end
         end
-      end
-    end
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#find_one_and_delete' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'encrypted document in collection'
-      let(:result) { encryption_client['users'].find_one_and_delete(ssn: ssn) }
-      it 'encrypts the command and decrypts the response' do
-        expect(result['ssn']).to eq(ssn)
+        it_behaves_like 'an encrypted command'
       end
-      context 'when bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
-        it 'does not encrypt the command' do
-          expect(result).to be_nil
-        end
-        it 'still decrypts the command' do
-          result = encryption_client['users'].find_one_and_delete(ssn: encrypted_ssn_binary)
-          expect(result['ssn']).to eq(ssn)
-        end
-      end
-    end
+      describe '#find' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'encrypted document in collection'
-    it_behaves_like 'an encrypted command'
-  end
+          let(:result) { encryption_client['users'].find(ssn: ssn).first }
-  describe '#find_one_and_replace' do
-    shared_examples 'it performs an encrypted command' do
-      let(:name) { 'Alan Turing' }
+          it 'encrypts the command and decrypts the response' do
+            result.should_not be_nil
+            expect(result['ssn']).to eq(ssn)
+          end
-      context 'with :return_document => :before' do
-        include_context 'encrypted document in collection'
+          context 'when bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        let(:result) do
-          encryption_client['users'].find_one_and_replace(
-            { ssn: ssn },
-            { name: name },
-            return_document: :before
-          )
+            it 'does not encrypt the command' do
+              expect(result).to be_nil
+            end
+          end
         end
-        it 'encrypts the command and decrypts the response, returning original document' do
-          expect(result['ssn']).to eq(ssn)
-          documents = client['users'].find
-          expect(documents.count).to eq(1)
-          expect(documents.first['ssn']).to be_nil
-        end
+        it_behaves_like 'an encrypted command'
       end
-      context 'with :return_document => :after' do
-        before do
-          client['users'].insert_one(name: name)
-        end
+      describe '#find_one_and_delete' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'encrypted document in collection'
-        let(:result) do
-          encryption_client['users'].find_one_and_replace(
-            { name: name },
-            { ssn: ssn },
-            return_document: :after
-          )
-        end
+          let(:result) { encryption_client['users'].find_one_and_delete(ssn: ssn) }
-        it 'encrypts the command and decrypts the response, returning new document' do
-          expect(result['ssn']).to eq(ssn)
+          it 'encrypts the command and decrypts the response' do
+            expect(result['ssn']).to eq(ssn)
+          end
-          documents = client['users'].find
-          expect(documents.count).to eq(1)
-          expect(documents.first['ssn']).to eq(encrypted_ssn_binary)
-        end
-      end
+          context 'when bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-      context 'when bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
-        include_context 'encrypted document in collection'
+            it 'does not encrypt the command' do
+              expect(result).to be_nil
+            end
-        let(:result) do
-          encryption_client['users'].find_one_and_replace(
-            { ssn: encrypted_ssn_binary },
-            { name: name },
-            :return_document => :before
-          )
+            it 'still decrypts the command' do
+              result = encryption_client['users'].find_one_and_delete(ssn: encrypted_ssn_binary)
+              expect(result['ssn']).to eq(ssn)
+            end
+          end
         end
-        it 'does not encrypt the command but still decrypts the response, returning original document' do
-          expect(result['ssn']).to eq(ssn)
-          documents = client['users'].find
-          expect(documents.count).to eq(1)
-          expect(documents.first['ssn']).to be_nil
-        end
+        it_behaves_like 'an encrypted command'
       end
-    end
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#find_one_and_update' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'encrypted document in collection'
+      describe '#find_one_and_replace' do
+        shared_examples 'it performs an encrypted command' do
+          let(:name) { 'Alan Turing' }
-      let(:name) { 'Alan Turing' }
+          context 'with :return_document => :before' do
+            include_context 'encrypted document in collection'
-      let(:result) do
-        encryption_client['users'].find_one_and_update(
-          { ssn: ssn },
-          { name: name }
-        )
-      end
+            let(:result) do
+              encryption_client['users'].find_one_and_replace(
+                { ssn: ssn },
+                { name: name },
+                return_document: :before
+              )
+            end
-      it 'encrypts the command and decrypts the response' do
-        expect(result['ssn']).to eq(ssn)
+            it 'encrypts the command and decrypts the response, returning original document' do
+              expect(result['ssn']).to eq(ssn)
-        documents = client['users'].find
-        expect(documents.count).to eq(1)
-        expect(documents.first['ssn']).to be_nil
-      end
+              documents = client['users'].find
+              expect(documents.count).to eq(1)
+              expect(documents.first['ssn']).to be_nil
+            end
+          end
-      context 'with bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+          context 'with :return_document => :after' do
+            before do
+              client['users'].insert_one(name: name)
+            end
+            let(:result) do
+              encryption_client['users'].find_one_and_replace(
+                { name: name },
+                { ssn: ssn },
+                return_document: :after
+              )
+            end
+            it 'encrypts the command and decrypts the response, returning new document' do
+              expect(result['ssn']).to eq(ssn)
+              documents = client['users'].find
+              expect(documents.count).to eq(1)
+              expect(documents.first['ssn']).to eq(encrypted_ssn_binary)
+            end
+          end
-        it 'does not encrypt the command' do
-          expect(result).to be_nil
+          context 'when bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
+            include_context 'encrypted document in collection'
+            let(:result) do
+              encryption_client['users'].find_one_and_replace(
+                { ssn: encrypted_ssn_binary },
+                { name: name },
+                :return_document => :before
+              )
+            end
+            it 'does not encrypt the command but still decrypts the response, returning original document' do
+              expect(result['ssn']).to eq(ssn)
+              documents = client['users'].find
+              expect(documents.count).to eq(1)
+              expect(documents.first['ssn']).to be_nil
+            end
+          end
         end
-        it 'still decrypts the response' do
-          # Query using the encrypted ssn value so the find will succeed
-          result = encryption_client['users'].find_one_and_update(
-            { ssn: encrypted_ssn_binary },
-            { name: name }
-          )
-          expect(result['ssn']).to eq(ssn)
-        end
+        it_behaves_like 'an encrypted command'
       end
-    end
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#insert_one' do
-    let(:query) { { ssn: ssn } }
-    let(:result) { encryption_client['users'].insert_one(query) }
+      describe '#find_one_and_update' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'encrypted document in collection'
-    shared_examples 'it performs an encrypted command' do
-      it 'encrypts the ssn field' do
-        expect(result).to be_ok
-        expect(result.inserted_ids.length).to eq(1)
+          let(:name) { 'Alan Turing' }
-        id = result.inserted_ids.first
-        document = client['users'].find(_id: id).first
-        document.should_not be_nil
-        expect(document['ssn']).to eq(encrypted_ssn_binary)
-      end
-    end
+          let(:result) do
+            encryption_client['users'].find_one_and_update(
+              { ssn: ssn },
+              { name: name }
+            )
+          end
-    shared_examples 'it obeys bypass_auto_encryption option' do
-      include_context 'bypass auto encryption'
+          it 'encrypts the command and decrypts the response' do
+            expect(result['ssn']).to eq(ssn)
-      it 'does not encrypt the command' do
-        result = encryption_client['users'].insert_one(ssn: ssn)
-        expect(result).to be_ok
-        expect(result.inserted_ids.length).to eq(1)
+            documents = client['users'].find
+            expect(documents.count).to eq(1)
+            expect(documents.first['ssn']).to be_nil
+          end
-        id = result.inserted_ids.first
+          context 'with bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        document = client['users'].find(_id: id).first
-        expect(document['ssn']).to eq(ssn)
-      end
-    end
+            it 'does not encrypt the command' do
+              expect(result).to be_nil
+            end
-    it_behaves_like 'an encrypted command'
+            it 'still decrypts the response' do
+              # Query using the encrypted ssn value so the find will succeed
+              result = encryption_client['users'].find_one_and_update(
+                { ssn: encrypted_ssn_binary },
+                { name: name }
+              )
-    context 'with jsonSchema in schema_map option' do
-      include_context 'schema map in client options'
+              expect(result['ssn']).to eq(ssn)
+            end
+          end
+        end
-      context 'with AWS KMS provider' do
-        include_context 'with AWS kms_providers'
-        it_behaves_like 'it obeys bypass_auto_encryption option'
+        it_behaves_like 'an encrypted command'
       end
-      context 'with Azure KMS provider' do
-        include_context 'with Azure kms_providers'
-        it_behaves_like 'it obeys bypass_auto_encryption option'
-      end
+      describe '#insert_one' do
+        let(:query) { { ssn: ssn } }
+        let(:result) { encryption_client['users'].insert_one(query) }
-      context 'with GCP KMS provider' do
-        include_context 'with GCP kms_providers'
-        it_behaves_like 'it obeys bypass_auto_encryption option'
-      end
+        shared_examples 'it performs an encrypted command' do
+          it 'encrypts the ssn field' do
+            expect(result).to be_ok
+            expect(result.inserted_ids.length).to eq(1)
-      context 'with KMIP KMS provider' do
-        include_context 'with KMIP kms_providers'
-        it_behaves_like 'it obeys bypass_auto_encryption option'
-      end
+            id = result.inserted_ids.first
+            document = client['users'].find(_id: id).first
+            document.should_not be_nil
+            expect(document['ssn']).to eq(encrypted_ssn_binary)
+          end
+        end
-      context 'with local KMS provider and ' do
-        include_context 'with local kms_providers'
-        it_behaves_like 'it obeys bypass_auto_encryption option'
-      end
-    end
+        shared_examples 'it obeys bypass_auto_encryption option' do
+          include_context 'bypass auto encryption'
-    context 'with schema_map client option pointing to wrong collection' do
-      let(:local_schema) { { 'wrong_db.wrong_coll' => schema_map } }
+          it 'does not encrypt the command' do
+            result = encryption_client['users'].insert_one(ssn: ssn)
+            expect(result).to be_ok
+            expect(result.inserted_ids.length).to eq(1)
-      include_context 'with local kms_providers'
+            id = result.inserted_ids.first
-      it 'does not raise an exception but doesn\'t encrypt either' do
-        expect do
-          result
-        end.not_to raise_error
+            document = client['users'].find(_id: id).first
+            expect(document['ssn']).to eq(ssn)
+          end
+        end
-        expect(result).to be_ok
-        id = result.inserted_ids.first
+        it_behaves_like 'an encrypted command'
-        document = client['users'].find(_id: id).first
-        document.should_not be_nil
-        # Document was not encrypted
-        expect(document['ssn']).to eq(ssn)
-      end
-    end
+        context 'with jsonSchema in schema_map option' do
+          include_context 'schema map in client options'
+          context 'with AWS KMS provider' do
+            include_context 'with AWS kms_providers'
+            it_behaves_like 'it obeys bypass_auto_encryption option'
+          end
-    context 'encrypting using key alt name' do
-      include_context 'schema map in client options'
+          context 'with Azure KMS provider' do
+            include_context 'with Azure kms_providers'
+            it_behaves_like 'it obeys bypass_auto_encryption option'
+          end
-      let(:query) { { ssn: ssn, altname: key_alt_name } }
+          context 'with GCP KMS provider' do
+            include_context 'with GCP kms_providers'
+            it_behaves_like 'it obeys bypass_auto_encryption option'
+          end
-      context 'with AWS KMS provider' do
-        include_context 'with AWS kms_providers and key alt names'
-        it 'encrypts the ssn field' do
-          expect(result).to be_ok
-          expect(result.inserted_ids.length).to eq(1)
+          context 'with KMIP KMS provider' do
+            include_context 'with KMIP kms_providers'
+            it_behaves_like 'it obeys bypass_auto_encryption option'
+          end
-          id = result.inserted_ids.first
-          document = client['users'].find(_id: id).first
-          document.should_not be_nil
-          # Auto-encryption with key alt names only works with random encryption,
-          # so it will not generate the same result on every test run.
-          expect(document['ssn']).to be_ciphertext
+          context 'with local KMS provider and ' do
+            include_context 'with local kms_providers'
+            it_behaves_like 'it obeys bypass_auto_encryption option'
+          end
         end
-      end
-      context 'with Azure KMS provider' do
-        include_context 'with Azure kms_providers and key alt names'
-        it 'encrypts the ssn field' do
-          expect(result).to be_ok
-          expect(result.inserted_ids.length).to eq(1)
+        context 'with schema_map client option pointing to wrong collection' do
+          let(:local_schema) { { 'wrong_db.wrong_coll' => schema_map } }
-          id = result.inserted_ids.first
+          include_context 'with local kms_providers'
-          document = client['users'].find(_id: id).first
-          document.should_not be_nil
-          # Auto-encryption with key alt names only works with random encryption,
-          # so it will not generate the same result on every test run.
-          expect(document['ssn']).to be_ciphertext
-        end
+          it 'does not raise an exception but doesn\'t encrypt either' do
+            expect do
+              result
+            end.not_to raise_error
-        context 'with GCP KMS provider' do
-          include_context 'with GCP kms_providers and key alt names'
-          it 'encrypts the ssn field' do
             expect(result).to be_ok
-            expect(result.inserted_ids.length).to eq(1)
             id = result.inserted_ids.first
             document = client['users'].find(_id: id).first
             document.should_not be_nil
-            # Auto-encryption with key alt names only works with random encryption,
-            # so it will not generate the same result on every test run.
-            expect(document['ssn']).to be_ciphertext
+            # Document was not encrypted
+            expect(document['ssn']).to eq(ssn)
           end
         end
-        context 'with KMIP KMS provider' do
-          include_context 'with KMIP kms_providers and key alt names'
-          it 'encrypts the ssn field' do
-            expect(result).to be_ok
-            expect(result.inserted_ids.length).to eq(1)
+        context 'encrypting using key alt name' do
+          include_context 'schema map in client options'
-            id = result.inserted_ids.first
+          let(:query) { { ssn: ssn, altname: key_alt_name } }
-            document = client['users'].find(_id: id).first
-            document.should_not be_nil
-            # Auto-encryption with key alt names only works with random encryption,
-            # so it will not generate the same result on every test run.
-            expect(document['ssn']).to be_ciphertext
+          context 'with AWS KMS provider' do
+            include_context 'with AWS kms_providers and key alt names'
+            it 'encrypts the ssn field' do
+              expect(result).to be_ok
+              expect(result.inserted_ids.length).to eq(1)
+              id = result.inserted_ids.first
+              document = client['users'].find(_id: id).first
+              document.should_not be_nil
+              # Auto-encryption with key alt names only works with random encryption,
+              # so it will not generate the same result on every test run.
+              expect(document['ssn']).to be_ciphertext
+            end
+          end
+          context 'with Azure KMS provider' do
+            include_context 'with Azure kms_providers and key alt names'
+            it 'encrypts the ssn field' do
+              expect(result).to be_ok
+              expect(result.inserted_ids.length).to eq(1)
+              id = result.inserted_ids.first
+              document = client['users'].find(_id: id).first
+              document.should_not be_nil
+              # Auto-encryption with key alt names only works with random encryption,
+              # so it will not generate the same result on every test run.
+              expect(document['ssn']).to be_ciphertext
+            end
+            context 'with GCP KMS provider' do
+              include_context 'with GCP kms_providers and key alt names'
+              it 'encrypts the ssn field' do
+                expect(result).to be_ok
+                expect(result.inserted_ids.length).to eq(1)
+                id = result.inserted_ids.first
+                document = client['users'].find(_id: id).first
+                document.should_not be_nil
+                # Auto-encryption with key alt names only works with random encryption,
+                # so it will not generate the same result on every test run.
+                expect(document['ssn']).to be_ciphertext
+              end
+            end
+            context 'with KMIP KMS provider' do
+              include_context 'with KMIP kms_providers and key alt names'
+              it 'encrypts the ssn field' do
+                expect(result).to be_ok
+                expect(result.inserted_ids.length).to eq(1)
+                id = result.inserted_ids.first
+                document = client['users'].find(_id: id).first
+                document.should_not be_nil
+                # Auto-encryption with key alt names only works with random encryption,
+                # so it will not generate the same result on every test run.
+                expect(document['ssn']).to be_ciphertext
+              end
+            end
           end
-        end
-      end
-      context 'with local KMS provider' do
-        include_context 'with local kms_providers and key alt names'
-        it 'encrypts the ssn field' do
-          expect(result).to be_ok
-          expect(result.inserted_ids.length).to eq(1)
+          context 'with local KMS provider' do
+            include_context 'with local kms_providers and key alt names'
+            it 'encrypts the ssn field' do
+              expect(result).to be_ok
+              expect(result.inserted_ids.length).to eq(1)
-          id = result.inserted_ids.first
+              id = result.inserted_ids.first
-          document = client['users'].find(_id: id).first
-          document.should_not be_nil
-          # Auto-encryption with key alt names only works with random encryption,
-          # so it will not generate the same result on every test run.
-          expect(document['ssn']).to be_a_kind_of(BSON::Binary)
+              document = client['users'].find(_id: id).first
+              document.should_not be_nil
+              # Auto-encryption with key alt names only works with random encryption,
+              # so it will not generate the same result on every test run.
+              expect(document['ssn']).to be_a_kind_of(BSON::Binary)
+            end
+          end
         end
       end
-    end
-  end
-  describe '#replace_one' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'encrypted document in collection'
+      describe '#replace_one' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'encrypted document in collection'
-      let(:replacement_ssn) { '098-765-4321' }
+          let(:replacement_ssn) { '098-765-4321' }
-      let(:result) do
-        encryption_client['users'].replace_one(
-          { ssn: ssn },
-          { ssn: replacement_ssn }
-        )
-      end
+          let(:result) do
+            encryption_client['users'].replace_one(
+              { ssn: ssn },
+              { ssn: replacement_ssn }
+            )
+          end
-      it 'encrypts the ssn field' do
-        expect(result.modified_count).to eq(1)
+          it 'encrypts the ssn field' do
+            expect(result.modified_count).to eq(1)
-        find_result = encryption_client['users'].find(ssn: '098-765-4321')
-        expect(find_result.count).to eq(1)
-      end
+            find_result = encryption_client['users'].find(ssn: '098-765-4321')
+            expect(find_result.count).to eq(1)
+          end
-      context 'with bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+          context 'with bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        it 'does not encrypt the command' do
-          expect(result.modified_count).to eq(0)
+            it 'does not encrypt the command' do
+              expect(result.modified_count).to eq(0)
+            end
+          end
         end
-      end
-    end
-    it_behaves_like 'an encrypted command'
-  end
+        it_behaves_like 'an encrypted command'
+      end
-  describe '#update_one' do
-    shared_examples 'it performs an encrypted command' do
-      include_context 'encrypted document in collection'
+      describe '#update_one' do
+        shared_examples 'it performs an encrypted command' do
+          include_context 'encrypted document in collection'
-      let(:result) do
-        encryption_client['users'].replace_one({ ssn: ssn }, { ssn: '098-765-4321' })
-      end
+          let(:result) do
+            encryption_client['users'].replace_one({ ssn: ssn }, { ssn: '098-765-4321' })
+          end
-      it 'encrypts the ssn field' do
-        expect(result.n).to eq(1)
+          it 'encrypts the ssn field' do
+            expect(result.n).to eq(1)
-        find_result = encryption_client['users'].find(ssn: '098-765-4321')
-        expect(find_result.count).to eq(1)
-      end
+            find_result = encryption_client['users'].find(ssn: '098-765-4321')
+            expect(find_result.count).to eq(1)
+          end
-      context 'with bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+          context 'with bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        it 'does not encrypt the command' do
-          expect(result.n).to eq(0)
+            it 'does not encrypt the command' do
+              expect(result.n).to eq(0)
+            end
+          end
         end
-      end
-    end
-    it_behaves_like 'an encrypted command'
-  end
-  describe '#update_many' do
-    shared_examples 'it performs an encrypted command' do
-      before do
-        client['users'].insert_one(ssn: encrypted_ssn_binary, age: 25)
-        client['users'].insert_one(ssn: encrypted_ssn_binary, age: 43)
+        it_behaves_like 'an encrypted command'
       end
-      let(:result) do
-        encryption_client['users'].update_many({ ssn: ssn }, { "$inc" => { :age =>  1 } })
-      end
+      describe '#update_many' do
+        shared_examples 'it performs an encrypted command' do
+          before do
+            client['users'].insert_one(ssn: encrypted_ssn_binary, age: 25)
+            client['users'].insert_one(ssn: encrypted_ssn_binary, age: 43)
+          end
+          let(:result) do
+            encryption_client['users'].update_many({ ssn: ssn }, { "$inc" => { :age =>  1 } })
+          end
-      it 'encrypts the ssn field' do
-        expect(result.n).to eq(2)
+          it 'encrypts the ssn field' do
+            expect(result.n).to eq(2)
-        updated_documents = encryption_client['users'].find(ssn: ssn)
-        ages = updated_documents.map { |doc| doc['age'] }
-        expect(ages).to include(26)
-        expect(ages).to include(44)
-      end
+            updated_documents = encryption_client['users'].find(ssn: ssn)
+            ages = updated_documents.map { |doc| doc['age'] }
+            expect(ages).to include(26)
+            expect(ages).to include(44)
+          end
-      context 'with bypass_auto_encryption=true' do
-        include_context 'bypass auto encryption'
+          context 'with bypass_auto_encryption=true' do
+            include_context 'bypass auto encryption'
-        it 'does not encrypt the command' do
-          expect(result.n).to eq(0)
+            it 'does not encrypt the command' do
+              expect(result.n).to eq(0)
+            end
+          end
         end
+        it_behaves_like 'an encrypted command'
       end
     end
-    it_behaves_like 'an encrypted command'
   end
 end