mongo 2.20.1 → 2.21.0

data/lib/mongo/crypt/encryption_io.rb

@@ -73,47 +73,66 @@ module Mongo
       # filter
       #
       # @param [ Hash ] filter
+      # @param [ Integer ] :timeout_ms The operation timeout in milliseconds.
+      #    Must be a non-negative integer. An explicit value of 0 means infinite.
+      #    The default value is unset which means the feature is not enabled.
       #
       # @return [ Array<BSON::Document> ] The query results
-      def find_keys(filter)
-        key_vault_collection.find(filter).to_a
+      def find_keys(filter, timeout_ms: nil)
+        key_vault_collection.find(filter, timeout_ms: timeout_ms).to_a
       end
 
       # Insert a document into the key vault collection
       #
       # @param [ Hash ] document
+      # @param [ Integer ] :timeout_ms The operation timeout in milliseconds.
+      #    Must be a non-negative integer. An explicit value of 0 means infinite.
+      #    The default value is unset which means the feature is not enabled.
       #
       # @return [ Mongo::Operation::Insert::Result ] The insertion result
-      def insert_data_key(document)
-        key_vault_collection.insert_one(document)
+      def insert_data_key(document, timeout_ms: nil)
+        key_vault_collection.insert_one(document, timeout_ms: timeout_ms)
       end
 
       # Get collection info for a collection matching the provided filter
       #
       # @param [ Hash ] filter
+      # @param [ Integer ] :timeout_ms The operation timeout in milliseconds.
+      #    Must be a non-negative integer. An explicit value of 0 means infinite.
+      #    The default value is unset which means the feature is not enabled.
       #
       # @return [ Hash ] The collection information
-      def collection_info(db_name, filter)
+      def collection_info(db_name, filter, timeout_ms: nil)
         unless @metadata_client
           raise ArgumentError, 'collection_info requires metadata_client to have been passed to the constructor, but it was not'
         end
 
-        @metadata_client.use(db_name).database.list_collections(filter: filter, deserialize_as_bson: true).first
+        @metadata_client
+          .use(db_name)
+          .database
+          .list_collections(filter: filter, deserialize_as_bson: true, timeout_ms: timeout_ms)
+          .first
       end
 
       # Send the command to mongocryptd to be marked with intent-to-encrypt markings
       #
       # @param [ Hash ] cmd
+      # @param [ Integer ] :timeout_ms The operation timeout in milliseconds.
+      #    Must be a non-negative integer. An explicit value of 0 means infinite.
+      #    The default value is unset which means the feature is not enabled.
       #
       # @return [ Hash ] The marked command
-      def mark_command(cmd)
+      def mark_command(cmd, timeout_ms: nil)
         unless @mongocryptd_client
           raise ArgumentError, 'mark_command requires mongocryptd_client to have been passed to the constructor, but it was not'
         end
 
         # Ensure the response from mongocryptd is deserialized with { mode: :bson }
         # to prevent losing type information in commands
-        options = { execution_options: { deserialize_as_bson: true } }
+        options = {
+          execution_options: { deserialize_as_bson: true },
+          timeout_ms: timeout_ms
+        }
 
         begin
           response = @mongocryptd_client.database.command(cmd, options)
@@ -136,9 +155,12 @@ module Mongo
       #   to send on that connection.
       # @param [ Hash ] tls_options. TLS options to connect to KMS provider.
       #   The options are same as for Mongo::Client.
-      def feed_kms(kms_context, tls_options)
+      # @param [ Integer ] :timeout_ms The operation timeout in milliseconds.
+      #    Must be a non-negative integer. An explicit value of 0 means infinite.
+      #    The default value is unset which means the feature is not enabled.
+      def feed_kms(kms_context, tls_options, timeout_ms: nil)
         with_ssl_socket(kms_context.endpoint, tls_options) do |ssl_socket|
-          Timeout.timeout(SOCKET_TIMEOUT, Error::SocketTimeoutError,
+          Timeout.timeout(timeout_ms || SOCKET_TIMEOUT, Error::SocketTimeoutError,
             'Socket write operation timed out'
           ) do
             ssl_socket.syswrite(kms_context.message)
@@ -146,7 +168,7 @@ module Mongo
 
           bytes_needed = kms_context.bytes_needed
           while bytes_needed > 0 do
-            bytes = Timeout.timeout(SOCKET_TIMEOUT, Error::SocketTimeoutError,
+            bytes = Timeout.timeout(timeout_ms || SOCKET_TIMEOUT, Error::SocketTimeoutError,
               'Socket read operation timed out'
             ) do
               ssl_socket.sysread(bytes_needed)
@@ -160,38 +182,39 @@ module Mongo
 
       # Adds a key_alt_name to the key_alt_names array of the key document
       # in the key vault collection with the given id.
-      def add_key_alt_name(id, key_alt_name)
+      def add_key_alt_name(id, key_alt_name, timeout_ms: nil)
         key_vault_collection.find_one_and_update(
           { _id: id },
           { '$addToSet' => { keyAltNames: key_alt_name } },
+          timeout_ms: timeout_ms
         )
       end
 
       # Removes the key document with the given id
       # from the key vault collection.
-      def delete_key(id)
-        key_vault_collection.delete_one(_id: id)
+      def delete_key(id, timeout_ms: nil)
+        key_vault_collection.delete_one(_id: id, timeout_ms: timeout_ms)
       end
 
       # Finds a single key document with the given id.
-      def get_key(id)
-        key_vault_collection.find(_id: id).first
+      def get_key(id, timeout_ms: nil)
+        key_vault_collection.find(_id: id, timeout_ms: timeout_ms).first
       end
 
       # Returns a key document in the key vault collection with
       # the given key_alt_name.
-      def get_key_by_alt_name(key_alt_name)
-        key_vault_collection.find(keyAltNames: key_alt_name).first
+      def get_key_by_alt_name(key_alt_name, timeout_ms: nil)
+        key_vault_collection.find(keyAltNames: key_alt_name, timeout_ms: timeout_ms).first
       end
 
       # Finds all documents in the key vault collection.
-      def get_keys
-        key_vault_collection.find
+      def get_keys(timeout_ms: nil)
+        key_vault_collection.find(nil, timeout_ms: timeout_ms)
       end
 
       # Removes a key_alt_name from the key_alt_names array of the key document
       # in the key vault collection with the given id.
-      def remove_key_alt_name(id, key_alt_name)
+      def remove_key_alt_name(id, key_alt_name, timeout_ms: nil)
         key_vault_collection.find_one_and_update(
           { _id: id },
           [
@@ -211,7 +234,8 @@ module Mongo
                 }
               }
             }
-          ]
+          ],
+          timeout_ms: timeout_ms
         )
       end
 
@@ -220,8 +244,8 @@ module Mongo
       # @param [ Array<Hash> ] requests The bulk write requests.
       #
       # @return [ BulkWrite::Result ] The result of the operation.
-      def update_data_keys(updates)
-        key_vault_collection.bulk_write(updates)
+      def update_data_keys(updates, timeout_ms: nil)
+        key_vault_collection.bulk_write(updates, timeout_ms: timeout_ms)
       end
 
       private
@@ -322,15 +346,21 @@ module Mongo
       #
       # @note The socket is always closed when the provided block has finished
       #   executing
-      def with_ssl_socket(endpoint, tls_options)
+      def with_ssl_socket(endpoint, tls_options, timeout_ms: nil)
+        csot = !timeout_ms.nil?
         address = begin
           host, port = endpoint.split(':')
           port ||= 443 # All supported KMS APIs use this port by default.
           Address.new([host, port].join(':'))
         end
+        socket_options = { ssl: true, csot: csot }.tap do |opts|
+          if csot
+            opts[:connect_timeout] = (timeout_ms / 1_000.0)
+          end
+        end
         mongo_socket = address.socket(
           SOCKET_TIMEOUT,
-          tls_options.merge(ssl: true)
+          tls_options.merge(socket_options)
         )
         yield(mongo_socket.socket)
       rescue => e

data/lib/mongo/crypt/explicit_encrypter.rb

@@ -35,7 +35,9 @@ module Mongo
       #   providers. Keys of the hash should be KSM provider names; values
       #   should be hashes of TLS connection options. The options are equivalent
       #   to TLS connection options of Mongo::Client.
-      def initialize(key_vault_client, key_vault_namespace, kms_providers, kms_tls_options)
+      # @param [ Integer | nil ] timeout_ms Timeout for every operation executed
+      #   on this object.
+      def initialize(key_vault_client, key_vault_namespace, kms_providers, kms_tls_options, timeout_ms = nil)
         Crypt.validate_ffi!
         @crypt_handle = Handle.new(
           kms_providers,
@@ -47,6 +49,7 @@ module Mongo
           metadata_client: nil,
           key_vault_namespace: key_vault_namespace
         )
+        @timeout_ms = timeout_ms
       end
 
       # Generates a data key used for encryption/decryption and stores
@@ -71,9 +74,11 @@ module Mongo
           master_key_document,
           key_alt_names,
           key_material
-        ).run_state_machine
+        ).run_state_machine(timeout_holder)
 
-        @encryption_io.insert_data_key(data_key_document).inserted_id
+        @encryption_io.insert_data_key(
+          data_key_document, timeout_ms: timeout_holder.remaining_timeout_ms!
+        ).inserted_id
       end
 
       # Encrypts a value using the specified encryption key and algorithm
@@ -111,7 +116,7 @@ module Mongo
           @encryption_io,
           { v: value },
           options
-        ).run_state_machine['v']
+        ).run_state_machine(timeout_holder)['v']
       end
 
       # Encrypts a Match Expression or Aggregate Expression to query a range index.
@@ -125,7 +130,7 @@ module Mongo
       #     {'$and' =>  [{'$gt' => ['$field', 10]}, {'$lt' => ['$field', 20]}}
       #   )
       #   {$and: [{$gt: [<fieldpath>, <value1>]}, {$lt: [<fieldpath>, <value2>]}]
-      # Only supported when queryType is "rangePreview" and algorithm is "RangePreview".
+      # Only supported when queryType is "range" and algorithm is "Range".
       # @note: The Range algorithm is experimental only. It is not intended
       #   for public use. It is subject to breaking changes.
       #
@@ -137,24 +142,25 @@ module Mongo
       # @option options [ String ] :key_alt_name The alternate name for the
       #   encryption key.
       # @option options [ String ] :algorithm The algorithm used to encrypt the
-      #   expression. The only allowed value is "RangePreview"
+      #   expression. The only allowed value is "Range"
       # @option options [ Integer | nil ] :contention_factor Contention factor
       #   to be applied If not  provided, it defaults to a value of 0.
       # @option options [ String | nil ] query_type Query type to be applied.
-      #   The only allowed value is "rangePreview".
+      #   The only allowed value is "range".
       # @option options [ Hash | nil ] :range_opts Specifies index options for
-      #   a Queryable Encryption field supporting "rangePreview" queries.
+      #   a Queryable Encryption field supporting "range" queries.
       #   Allowed options are:
       #   - :min
       #   - :max
+      #   - :trim_factor
       #   - :sparsity
       #   - :precision
-      #   min, max, sparsity, and range must match the values set in
+      #   min, max, trim_factor, sparsity, and precision must match the values set in
       #   the encryptedFields of the destination collection.
       #   For double and decimal128, min/max/precision must all be set,
       #   or all be unset.
       #
-      # @note The RangePreview algorithm is experimental only. It is not
+      # @note The Range algorithm is experimental only. It is not
       # intended for public use.
       #
       # @note The :key_id and :key_alt_name options are mutually exclusive. Only
@@ -170,7 +176,7 @@ module Mongo
           @encryption_io,
           { v: expression },
           options
-        ).run_state_machine['v']
+        ).run_state_machine(timeout_holder)['v']
       end
 
       # Decrypts a value that has already been encrypted
@@ -184,7 +190,7 @@ module Mongo
           @crypt_handle,
           @encryption_io,
           { v: value }
-        ).run_state_machine['v']
+        ).run_state_machine(timeout_holder)['v']
       end
 
       # Adds a key_alt_name for the key in the key vault collection with the given id.
@@ -195,7 +201,7 @@ module Mongo
       # @return [ BSON::Document | nil ] Document describing the identified key
       #   before adding the key alt name, or nil if no such key.
       def add_key_alt_name(id, key_alt_name)
-        @encryption_io.add_key_alt_name(id, key_alt_name)
+        @encryption_io.add_key_alt_name(id, key_alt_name, timeout_ms: @timeout_ms)
       end
 
       # Removes the key with the given id from the key vault collection.
@@ -204,7 +210,9 @@ module Mongo
       #
       # @return [ Operation::Result ] The response from the database for the delete_one
       #   operation that deletes the key.
-      def_delegators :@encryption_io, :delete_key
+      def delete_key(id)
+        @encryption_io.delete_key(id, timeout_ms: @timeout_ms)
+      end
 
       # Finds a single key with the given id.
       #
@@ -212,7 +220,9 @@ module Mongo
       #
       # @return [ BSON::Document | nil ] The found key document or nil
       #   if not found.
-      def_delegators :@encryption_io, :get_key
+      def get_key(id)
+        @encryption_io.get_key(id, timeout_ms: @timeout_ms)
+      end
 
       # Returns a key in the key vault collection with the given key_alt_name.
       #
@@ -220,12 +230,19 @@ module Mongo
       #
       # @return [ BSON::Document | nil ] The found key document or nil
       #   if not found.
-      def_delegators :@encryption_io, :get_key_by_alt_name
+      def get_key_by_alt_name(key_alt_name)
+        @encryption_io.get_key_by_alt_name(key_alt_name, timeout_ms: @timeout_ms)
+      end
 
       # Returns all keys in the key vault collection.
       #
       # @return [ Collection::View ] Keys in the key vault collection.
-      def_delegators :@encryption_io, :get_keys
+      # rubocop:disable Naming/AccessorMethodName
+      # Name of this method is defined in the FLE spec
+      def get_keys
+        @encryption_io.get_keys(timeout_ms: @timeout_ms)
+      end
+      # rubocop:enable Naming/AccessorMethodName
 
       # Removes a key_alt_name from a key in the key vault collection with the given id.
       #
@@ -234,7 +251,9 @@ module Mongo
       #
       # @return [ BSON::Document | nil ] Document describing the identified key
       #   before removing the key alt name, or nil if no such key.
-      def_delegators :@encryption_io, :remove_key_alt_name
+      def remove_key_alt_name(id, key_alt_name)
+        @encryption_io.remove_key_alt_name(id, key_alt_name, timeout_ms: @timeout_ms)
+      end
 
       # Decrypts multiple data keys and (re-)encrypts them with a new master_key,
       #   or with their current master_key if a new one is not given.
@@ -257,12 +276,14 @@ module Mongo
           @encryption_io,
           filter,
           master_key_document
-        ).run_state_machine
+        ).run_state_machine(timeout_holder)
 
         return RewrapManyDataKeyResult.new(nil) if rewrap_result.nil?
 
         updates = updates_from_data_key_documents(rewrap_result.fetch('v'))
-        RewrapManyDataKeyResult.new(@encryption_io.update_data_keys(updates))
+        RewrapManyDataKeyResult.new(
+          @encryption_io.update_data_keys(updates, timeout_ms: @timeout_ms)
+        )
       end
 
       private
@@ -318,6 +339,14 @@ module Mongo
           }
         end
       end
+
+      def timeout_holder
+        CsotTimeoutHolder.new(
+          operation_timeouts: {
+            operation_timeout_ms: @timeout_ms
+          }
+        )
+      end
     end
   end
 end

data/lib/mongo/crypt/explicit_encryption_context.rb

@@ -39,27 +39,28 @@ module Mongo
       #   that will be used to encrypt the value.
       # @option options [ String ] :algorithm The algorithm used to encrypt the
       #   value. Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
-      #   "AEAD_AES_256_CBC_HMAC_SHA_512-Random", "Indexed", "Unindexed", "RangePreview".
+      #   "AEAD_AES_256_CBC_HMAC_SHA_512-Random", "Indexed", "Unindexed", "Range".
       # @option options [ Integer | nil ] :contention_factor Contention factor
       #   to be applied if encryption algorithm is set to "Indexed". If not
       #   provided, it defaults to a value of 0. Contention factor should be set
       #   only if encryption algorithm is set to "Indexed".
       # @option options [ String | nil ] query_type Query type to be applied
-      #   if encryption algorithm is set to "Indexed" or "RangePreview".
-      #   Allowed values are "equality" and "rangePreview".
+      #   if encryption algorithm is set to "Indexed" or "Range".
+      #   Allowed values are "equality" and "range".
       # @option options [ Hash | nil ] :range_opts Specifies index options for
-      #   a Queryable Encryption field supporting "rangePreview" queries.
+      #   a Queryable Encryption field supporting "range" queries.
       #   Allowed options are:
       #   - :min
       #   - :max
+      #   - :trim_factor
       #   - :sparsity
       #   - :precision
-      #   min, max, sparsity, and range must match the values set in
+      #   min, max, trim_factor, sparsity, and precision must match the values set in
       #   the encryptedFields of the destination collection.
       #   For double and decimal128, min/max/precision must all be set,
       #   or all be unset.
       #
-      # @note The RangePreview algorithm is experimental only. It is not intended for
+      # @note The Range algorithm is experimental only. It is not intended for
       # public use.
       #
       # @raise [ ArgumentError|Mongo::Error::CryptError ] If invalid options are provided
@@ -116,7 +117,7 @@ module Mongo
 
       def set_algorithm_opts(options)
         Binding.ctx_setopt_algorithm(self, options[:algorithm])
-        if %w(Indexed RangePreview).include?(options[:algorithm])
+        if %w(Indexed Range).include?(options[:algorithm])
           if options[:contention_factor]
             Binding.ctx_setopt_contention_factor(self, options[:contention_factor])
           end
@@ -125,20 +126,25 @@ module Mongo
           end
         else
           if options[:contention_factor]
-            raise ArgumentError.new(':contention_factor is allowed only for "Indexed" or "RangePreview" algorithms')
+            raise ArgumentError.new(':contention_factor is allowed only for "Indexed" or "Range" algorithms')
           end
           if options[:query_type]
-            raise ArgumentError.new(':query_type is allowed only for "Indexed" or "RangePreview" algorithms')
+            raise ArgumentError.new(':query_type is allowed only for "Indexed" or "Range" algorithms')
           end
         end
-        if options[:algorithm] == 'RangePreview'
+        if options[:algorithm] == 'Range'
           Binding.ctx_setopt_algorithm_range(self, convert_range_opts(options[:range_opts]))
         end
       end
 
       def convert_range_opts(range_opts)
         range_opts.dup.tap do |opts|
-          opts[:sparsity] = BSON::Int64.new(opts[:sparsity]) unless opts[:sparsity].is_a?(BSON::Int64)
+          if opts[:sparsity] && !opts[:sparsity].is_a?(BSON::Int64)
+            opts[:sparsity] = BSON::Int64.new(opts[:sparsity])
+          end
+          if opts[:trim_factor]
+            opts[:trimFactor] = opts.delete(:trim_factor)
+          end
         end
       end
     end

data/lib/mongo/crypt/kms/azure/credentials_retriever.rb

@@ -34,13 +34,16 @@ module Mongo
           #   request. This is used for testing.
           # @param [String | nil] metadata_host Azure metadata host. This
           #   is used for testing.
+          # @param [ CsotTimeoutHolder | nil ] timeout_holder CSOT timeout.
           #
           # @return [ KMS::Azure::AccessToken ] Azure access token.
           #
           # @raise [KMS::CredentialsNotFound] If credentials could not be found.
-          def self.fetch_access_token(extra_headers: {}, metadata_host: nil)
+          # @raise Error::TimeoutError if credentials cannot be retrieved within
+          #   the timeout.
+          def self.fetch_access_token(extra_headers: {}, metadata_host: nil, timeout_holder: nil)
             uri, req = prepare_request(extra_headers, metadata_host)
-            parsed_response = fetch_response(uri, req)
+            parsed_response = fetch_response(uri, req, timeout_holder)
             Azure::AccessToken.new(
               parsed_response.fetch('access_token'),
               Integer(parsed_response.fetch('expires_in'))
@@ -78,13 +81,16 @@ module Mongo
           #
           # @param [URI] uri URI to Azure metadata host.
           # @param [Net::HTTP::Get] req Request object.
+          # @param [ CsotTimeoutHolder | nil ] timeout_holder CSOT timeout.
           #
           # @return [Hash] Parsed response.
           #
           # @raise [KMS::CredentialsNotFound] If cannot fetch response or
           #   response is invalid.
-          def self.fetch_response(uri, req)
-            resp = do_request(uri, req)
+          # @raise Error::TimeoutError if credentials cannot be retrieved within
+          #   the timeout.
+          def self.fetch_response(uri, req, timeout_holder)
+            resp = do_request(uri, req, timeout_holder)
             if resp.code != '200'
               raise KMS::CredentialsNotFound,
                     "Azure metadata host responded with code #{resp.code}"
@@ -100,12 +106,22 @@ module Mongo
           #
           # @param [URI] uri URI to Azure metadata host.
           # @param [Net::HTTP::Get] req Request object.
+          # @param [ CsotTimeoutHolder | nil ] timeout_holder CSOT timeout.
           #
           # @return [Net::HTTPResponse] Response object.
           #
           # @raise [KMS::CredentialsNotFound] If cannot execute request.
-          def self.do_request(uri, req)
-            ::Timeout.timeout(10) do
+          # @raise Error::TimeoutError if credentials cannot be retrieved within
+          #   the timeout.
+          def self.do_request(uri, req, timeout_holder)
+            timeout_holder&.check_timeout!
+            timeout = timeout_holder&.remaining_timeout_sec || 10
+            exception_class = if timeout_holder&.csot?
+                                Error::TimeoutError
+                              else
+                                nil
+                              end
+            ::Timeout.timeout(timeout, exception_class) do
               Net::HTTP.start(uri.hostname, uri.port, use_ssl: false) do |http|
                 http.request(req)
               end

data/lib/mongo/crypt/kms/gcp/credentials_retriever.rb

@@ -29,14 +29,20 @@ module Mongo
 
           DEFAULT_HOST = 'metadata.google.internal'
 
-          def self.fetch_access_token
+          # Fetch GCP access token.
+          #
+          # @param [ CsotTimeoutHolder | nil ] timeout_holder CSOT timeout.
+          #
+          # @return [ String ] GCP access token.
+          #
+          # @raise [ KMS::CredentialsNotFound ]
+          # @raise [ Error::TimeoutError ]
+          def self.fetch_access_token(timeout_holder = nil)
             host = ENV.fetch(METADATA_HOST_ENV) { DEFAULT_HOST }
             uri = URI("http://#{host}/computeMetadata/v1/instance/service-accounts/default/token")
             req = Net::HTTP::Get.new(uri)
             req['Metadata-Flavor'] = 'Google'
-            resp = Net::HTTP.start(uri.hostname, uri.port, use_ssl: false) do |http|
-              http.request(req)
-            end
+            resp = fetch_response(uri, req, timeout_holder)
             if resp.code != '200'
               raise KMS::CredentialsNotFound,
                 "GCE metadata host responded with code #{resp.code}"
@@ -50,6 +56,25 @@ module Mongo
               raise KMS::CredentialsNotFound,
                     "Could not receive GCP metadata response; #{e.class}: #{e.message}"
           end
+
+          def self.fetch_response(uri, req, timeout_holder)
+            timeout_holder&.check_timeout!
+            if timeout_holder&.timeout?
+              ::Timeout.timeout(timeout_holder.remaining_timeout_sec, Error:TimeoutError) do
+                do_fetch(uri, req)
+              end
+            else
+              do_fetch(uri, req)
+            end
+          end
+          private_class_method :fetch_response
+
+          def self.do_fetch(uri, req)
+            Net::HTTP.start(uri.hostname, uri.port, use_ssl: false) do |http|
+              http.request(req)
+            end
+          end
+          private_class_method :do_fetch
         end
       end
     end